Original URL: https://www.theregister.com/2008/02/25/phorm_isp_advertising/

ISP data deal with former 'spyware' boss triggers privacy fears

Don't worry, 'that was a long time ago'

By Christopher Williams

Posted in Networks, 25th February 2008 13:57 GMT

More than ten million customers of the UK's three largest ISPs will have their browsing habits sold to a company with roots in the murky world of spyware.

The deal has sparked fears over privacy, but today Phorm, the firm behind the new advertising system, strongly rejected such concerns.

BT, Virgin Media, and Carphone Warehouse have agreed to feed data on their subscribers' web activities to Phorm. Data will be fed into the Open Internet Exchange, Phorm's advertising network, where advertisers will pay to target interest groups. Frequent visits to the BBC's Top Gear site might result in being served up more car ads, for example.

In exchange, the ISP trio will get a cut of new revenue. Analysts estimate BT's cut will be £85m in 2010.

There's no word on when BT, Virgin Media and Carphone Warehouse will begin sending customers' browsing information, but with broadband now a high-volume, low-margin business, it's no surprise the providers are hungry for extra cash flow. Their choice of partner is ringing alarm bells in some quarters, however.

Phorm is run by Kent Ertugrul, a serial entrepreneur whose past ventures include selling joyrides on Russian fighter jets. Previously, his most notable foray online was as the founder of PeopleOnPage, an ad network that operated earlier in the decade and which was blacklisted as spyware by the likes of Symantec and F-Secure.

Security firm F-Secure describes PeopleOnPage's software here.

It says: "The spyware collects a user's browsing habits and system information and sends it back to the ContextPlus servers. Targeted pop-up advertisements are displayed while browsing the web.

"Each installation is given a unique ID, which is sent to the ContextPlus server to request a pop-up advertisement." ContextPlus was the rootkit that PeopleOnPage used to harvest data and hide its presence.

The similarities between this business model and that which will be kicked off by Phorm in the coming months are striking.

Phorm, under its previous name 121Media, floated on AIM in December 2004.

The accompanying announcement (pdf) explained how it envisaged its relationship with ISPs and their customers:

The company's business model revolves around distributing its PageSense technology to as many users as possible and showing users as many advertisements as possible, without causing negative reaction, to maximise response.

121Media currently acquires most of its users by integrating its PageSense Desktop technology with consumer software products known as distribution applications, which are offered free of charge to internet users in exchange for their permission to display advertisements.

PageSense Javascript can be embedded by a variety of partners, such as Internet Service Providers, serving pages to those connecting to the internet through them.

Sounds quite familiar, doesn't it? The difference between 121Media/Phorm and PeopleOnPage is that the newer company buys its targets direct from ISPs, rather than persuading people to download spyware. It aims to make its money strictly from legit advertisers and publishers, avoiding the sort of operators that gave pop-up advertising such a bad name in the early noughties.

In a telephone interview today, Phorm said its technology is actually a privacy improvement on current advertising targeting databases run by Google and others, because data is only stored while it is needed to serve an ad and then discarded.

A spokesman rubbished the links to PeopleOnPage that have worried some Reg readers. "The previous company was involved in the adware space, but that was a long time ago," he said. "We're actually setting a whole new gold standard in online privacy." He said Privacy International had given the technology the thumbs-up.

Phorm obviously feels it has a PR battle to win. When the tie-ups with BT, Virgin Media and Carphone Warehouse were trumpeted earlier this month, the majority of reports were window-dressed with bumf about a sideline in security. Webwise, the branding consumers will see Phorm's ad system under, will have anti-phishing technology built in. The in-browser warnings may have a laudable goal, but are irrelevant to what the company's actual business is and what it could mean for the millions of people being sold into it by their ISP.

Indeed, all the members of this four-way agreement to change what an ISP is for are keen to play down people's natural privacy worries. As with PeopleOnPage, net users will be identified only by an anonymised number. Phorm has also contracted accounting firm Ernst and Young to audit its privacy policies (read the report here [pdf]). Auditors found the firm "provides reasonable assurance" that it conforms to privacy standards.

That reasonable assurance is good enough for BT. "The simple answer is 'yes'," a spokesman replied when asked today if it is aware of Phorm's provenance and is happy to sell data to it.

A statement continued: "BT has carried out extensive commercial, legal and technical due diligence on Phorm and Webwise, and is confident that customer confidentiality and security is wholly protected. Webwise doesn't collect any personal information, or keep IP address, website addresses, keywords or search terms - it simply analyses web pages visited by BT customers and matches them against pre-defined categories of interest to advertisers.

"Detailed customer research by BT has shown that once customers are aware of the benefits of Webwise, they are overwhelmingly in favour of the free security features and more relevant advertising during web browsing. All BT customers will be able to switch Webwise on or off as they see fit."

A spokesman for Virgin Media said: "We are aware of Phorm's background and are comfortable that we have conducted the due diligence."

Carphone Warehouse has not returned our call.

Some ISP customers remain unconvinced on the privacy questions. On the Digital Spy forums, "Bruce1" pointed out that sharing so-called anonymised data has caused big privacy problems before. "After all, remember that both AOL and Netflix have released similar anonymised data where identifying info was replaced with an assigned number... and it didn't take long for both sets of data to be de-anonymised," he wrote.

As well as being private, Phorm says its database will be a boon for consumers, ISPs, publishers, and advertisers. Net users will benefit from more relevant advertising, the firm reckons. How relevant ISP-level targeting will be in homes where the whole family uses the same connection is open to question, however. Nonetheless, Phorm's stock has surged on AIM this year.

All parties involved point out that having your data sent to Phorm will be optional. Phorm says an opt-out could work by accepting a cookie from its website, but that its trio of ISP partners will be consulting on whether to have an opt-in or an opt-out system.

It would be polite if BT, Virgin Media, and Carphone Warehouse consulted their customers as part of that process. ®