Phorm launches data pimping fight back
CEO Kent Ertegrul on spyware, bullshit and opting-out
Interview: A week is a long time in internets. Last Friday we all felt like we were shouting at the bins about Phorm and its deals with BT, Virgin Media, and Carphone Warehouse.
Now, you can't move for stories about data pimping and the massive change in people's relationship with their ISP Phorm represents, not to mention the new legal turf we're being dragged on to.
The advertising targeting firm has now launched an impressive rearguard action aimed at soothing the controversy, with CEO and former MIG joyride salesman Kent Ertegrul pimping himself out across any media outlet that takes any notice of what the online public cares about (see Bootnote). We met up with him and Phorm's top boffin Marc Burgess on Wednesday afternoon at Phorm HQ (just around the corner from El Reg's new digs).
We're told Ertegrul did his own video webcast last night (here), but it doesn't seem to have been archived, so in what follows you'll have to imagine his Bond villain mid-Atlantic accent for yourself. There are four pages to slog through, but we hope you'll agree it's worth it.
El Reg: Can you explain the history of Phorm and how you were linked to what security experts describe as spyware?
Kent Ertegrul: We started off creating a toolbar. The toolbar was kind of a social browsing concept. Wherever you browsed it would show you people who browsed to the same website. And then what you would do is click and chat with those people, so it was like social networking based on where you were browsing.
[Photo caption: Kent 'I am not the Prince of Darkness' Ertegrul, with friend (artist's impression)]
We concluded that the best way to monetise that was advertising. And because we were aware through the toolbar where people were browsing we started building an ad server that allowed you to show ads based on that.
That grew very well and then we saw an opportunity to take the ad technology that we built and bundle it with freeware applications. So that's how we got into the adware business - as opposed to the spyware business.
Things grew more and we went public, in fact we were the only public adware business, with shareholders like Fidelity and Morgan Stanley. Our [non-executive] chairman is the former chairman of Microsoft UK [David Dornan]. There's nothing shady.
But what happened was it became very clear to us that there was no distinction in people's minds between adware - which is legitimate - and spyware. So we did something unprecedented which was we turned around to our shareholders and we shut down all our revenues. We weren't sued, we weren't pressed by anyone, we just said "this is not consistent with the company's core objectives".
So PeopleOnPage was the original toolbar. When we took that public we were 121Media. When we decided to shut that down we became Phorm.
Explain for our readers how Phorm's profiling system works.
Marc Burgess: What the profiler does is it first cleans the data. It's looking at two sets of information: the information in the request that's sent to the website and then information in the page that comes back.
From the request it pulls out the URL, and if that URL is a well known search engine such as Google or Yahoo! it'll also look for the search terms that are in the request.
And then from the information returned by the website, the profiler looks at the content. The first thing it does is it ignores several classes of information that could potentially be sensitive. So there's no form fields, no numbers, no email addresses (that is something containing an "@") and anything containing a title like Mr or Mrs.
Aren't you collecting the first three characters?
MB: Because of a peculiarity of the tokenisation, numbers three digits or shorter aren't collected anyway; they're too short, so there are no numbers at all. If you have a mixture of letters and numbers - a compound - that would be potentially collected.
Say, for example, the start of postcode?
KE: But as you'll see it's irrelevant anyway.
MB: So we do this basic cleaning process and then we take a look at the key words that have come from the page and we eliminate "noise words" that have a low intrinsic meaning. So what we're left with is a clean version of the key words in the page which we then basically do a chart of the ten most commonly occurring words.
This process has the effect of largely eliminating personally identifiable information [PII] from the web page because it would have to contain PII that didn't match any of our criteria and also appeared repeatedly in the page.
The profiler takes this "data digest" and it passes it through the box we call the anonymiser and into the box we call the channel server. The channel server has got a database of advertising categories that we call channels - things like sport, health and beauty, travel, luxury cars, etc. The channels are global to the whole system [across ISP networks]. Via the Open Internet Exchange advertisers are able to specify the channels they want to target.
The channels are controlled in the content they can have. We don't have adult advertising, no medical channel, no tobacco, no gambling. The channels are also designed so they always match a minimum number of unique users - 5,000. A channel has to be sufficiently broad so that it doesn't just reduce to one or two users.
As soon as that match has been made the data digest, which has only ever been in memory, is immediately deleted. It never goes to disk.
KE: This is the single most important piece of this because this is a big story but it's not the story that you think it is...
[EDIT: We emailed Marc Burgess after the interview to ask what effect the system will have on the performance of your broadband. He replied: "The system is designed not to have any adverse impact on the connection performance, with no difference whether you are opted in or out."]
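To make the cleaning steps Burgess describes concrete, here is an added Python sketch of that pipeline (constructed for this article, not Phorm's code): it drops form fields, email addresses, pure numbers, short tokens and the word after a title, then keeps the ten most frequent words as the "data digest". The sample page, the minimum token length of four and the noise-word list are assumptions; the run shows the point raised above, that a mixed letter-and-digit token such as a postcode prefix survives the filter if it recurs on the page.

```python
import re
from collections import Counter

# Assumed approximations of the rules described in the interview.
TITLES = {"mr", "mrs", "ms", "miss", "dr"}
NOISE_WORDS = {"the", "and", "for", "with", "your", "this", "that", "from",
               "have", "will", "are", "our", "you", "all"}
MIN_TOKEN_LEN = 4  # assumed: would explain why numbers of <=3 digits vanish


def strip_forms_and_tags(html):
    """Drop <form> elements entirely, then strip the remaining markup."""
    no_forms = re.sub(r"<form\b.*?</form>", " ", html, flags=re.S | re.I)
    return re.sub(r"<[^>]+>", " ", no_forms)


def tokenise(text):
    # Keeps '@' and inner dots so an email address stays one token.
    return re.findall(r"[A-Za-z0-9@]+(?:\.[A-Za-z0-9@]+)*", text)


def clean(tokens):
    """Apply the described exclusions: titles+names, emails, numbers, noise."""
    kept, skip_next = [], False
    for tok in tokens:
        low = tok.lower()
        if skip_next:                      # the name following Mr/Mrs/...
            skip_next = False
            continue
        if low in TITLES:
            skip_next = True
            continue
        if "@" in tok or tok.isdigit():    # email addresses, pure numbers
            continue
        if len(low) < MIN_TOKEN_LEN or low in NOISE_WORDS:
            continue
        kept.append(low)
    return kept


def data_digest(html, top_n=10):
    """The ten most common cleaned words: the in-memory 'data digest'."""
    words = clean(tokenise(strip_forms_and_tags(html)))
    return Counter(words).most_common(top_n)


def mixed_alnum_tokens(digest):
    """Digest entries mixing letters and digits (postcode prefixes survive)."""
    return [w for w, _ in digest
            if any(c.isdigit() for c in w) and any(c.isalpha() for c in w)]


# Constructed sample page: a local lettings site repeating its postcode.
SAMPLE_PAGE = """<html><body>
<h1>Flats to rent in SW1A</h1>
<p>Compare flats and houses to rent across Westminster SW1A.
Contact Mr Smith at alice@example.com or call 020 7946 0000.
Office: 10 Downing Street, London SW1A 2AA.</p>
<form><input name="card" value="4111111111111111"></form>
</body></html>"""

if __name__ == "__main__":
    digest = data_digest(SAMPLE_PAGE)
    print(digest)                        # 'sw1a' tops the digest
    print(mixed_alnum_tokens(digest))    # ['sw1a']
```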
The Golden Child
I don't think it's a privacy story per se.
KE: It is actually a privacy story. But it's not the privacy story you think it is.
I don't think it's a privacy story.
KE: The privacy story that it is is about how you can run an advertising service and store nothing. Look at what's happening with Google and the debate about storing stuff for a year or two - we've come up with a way of storing nothing! If you're concerned about privacy this is the best thing that's happened. There's no data mine here.
When we've been to see the EU and the Information Commissioner's Office what we've said to them is "look, this is how we do it". They actually welcome it because it gives them an example of how you can actually not store data and improve privacy.
Like I say, I don't actually think it's a privacy story as such - like you say Google stores masses of data. But a big difference I see between what you're doing and what Google does is that people feel that they're getting a service from Google. I don't think people feel they'll be getting a service from you.
KE: When you actually poll people and you say to them "what are the things that irritate you most about the internet?" they'll say two things: being bombarded with the amount of irrelevant advertising, and online dangers.
Surely the answer you get with that kind of polling is entirely down to the question you ask. If you ask people 'do you hate irrelevant advertising?' they'll say 'yes'.
KE: Ok, forget relevance. Let's talk about the sheer amount of advertising on the internet. You get advertising on the internet in such quantities because the advertisers have no idea of who they're talking to. They'll throw 1,000 ads against the wall to see what will stick. Ninety-nine per cent won't and aren't relevant and have no value to people.
That's what irritates them. Why is there pop-up advertising? Because it has no idea what you're interested in, the only way it can get you to react is by getting in your way. Right now everyone is hardwired to believe that being bombarded with ads is an inherent part of the internet. It doesn't have to be.
This idea that we don't provide a service by doing this is as far from the truth as it's possible to be. We have the opportunity to significantly reduce the amount of advertising you see online by making it more relevant and more valuable. People are concerned that there's going to be more advertising. It's not more, it's less. It's demonstrably less.
Surely it'll be the same amount of advertising, just advertising that knows about you. How would it be less?
KE: Well, if you're a website that can show 10 million untargeted ads at 10 pence per ad or you can show 100,000 at £1 per ad or £10 per ad, you'd rather do the latter.
So we can expect The Guardian and Financial Times to show less advertising?
KE: Yes, I think that most sites in due course will show less advertising. They know it gets in the way of the content.
Most websites don't make any money, but imagine you were able to show your audience an ad based on anything they've done on the internet. Right now all you know is that they're reading your page.
The amount of money you would make would be much higher. This is good for blogs, it's good for the whole long tail. It's good to think about this and what it means long term for the internet - it's the great democratiser of revenue.
It makes the internet safer - and I'm not just making that up - it really does.
KE: Because our privacy is better. It has got an on/off switch. There's a place consumers can go and say "off".
They can't do that right now. The only thing they can do is disable all cookies, in which case the internet doesn't work, or go to each and every site that drops a cookie on them and say "don't do this". That's like trying to stop 15,000 leaks in the dam. You can't do it.
This centralises control of the user's privacy in their hands.
And yours, surely?
KE: Look, if we had anything to hide we wouldn't invite you in here. We'd give you some bullshit statement saying "no comment".
Were you working with BT last summer when Register readers noticed suspicious redirects to sysip.net?
KE: We've been working with BT for quite some time. The announcement wasn't the product of a couple of weeks' discussions.
The BT engineers evaluated our system, but I can't comment on the exact nature of any evaluation that they did.
I understand that BT has said it's looking into exactly what happened when people were seeing sysip.net [see here for the original story] and I think that what you're going to find is that it will respond shortly but we have to defer to them.
[Hello BT press office. You have our number. It's good to talk.]
Ok, but one thing that has come across from our readers is that people think the way it's being sold to them as ISP customers is slightly underhand in that they're being told it's an anti-phishing technology.
KE: It's not being sold to anybody. All we've said is "this is what we're doing". There's nothing underhanded about that at all. Very often there's quite a big difference between what things appear to be and what they actually are.
Well exactly. BT have got their on/off page up already (here) and it says nothing about your browsing being passed to a third party.
KE: It's important to understand the distinction between actually recording stuff and concluding stuff. All of our systems sit inside BT's network. Phorm has no way of going into the system and querying "what was cookie 1000062 doing?". And even if we did we have no way of knowing who 1000062 was. And even if we did all we could pull out of it is product categories. There's just no way of understanding where you've been, what you've done, what you've searched for.
I'm not interested in fobbing you off.
So if I'm opted out, data passes straight between me and the website I'm visiting? It doesn't enter Phorm's systems at all?
MB: What happens is that the data is still mirrored to the profiler but the data digest is never made and the rest of the chain never occurs. It ought to be said that the profiler is operated by the ISP, not us.
One of our sources has suggested that during discussions with the ISPs last year, Phorm was pushing the idea of actively injecting advertising into the data stream. Is that true?
KE: If you go back in history, when we first started this we were talking about an interstitial ad [effectively a pop-up, except injected into the main browser window]. We soon understood that's just a non-starter so we dropped it. Now this is only about showing ads inside websites.
Ad injection is not going to happen. The only thing you're going to get direct from the ISP is something telling you you're about to screw up and give up your credit card details.
Right, so the anti-phishing stuff - this is just a sideline isn't it? It has nothing to do with your actual business.
KE: It's the same technology. We have one of our channels maintain a list of known phishing sites.
Yes, there are solutions out there that guard against phishing and so on, but you've got to download it, you've got to update it. Ours is a real time method of stopping any phishing site. It actually interrupts your browsing and says "wait a minute, are you sure you want to do this?".
There are options in Firefox and IE that do that already.
KE: I know, but how many people do you think actually use that?
MB: This is a way of helping people who aren't necessarily tech-savvy.
KE: You could argue that we're so evil why would we bother, but the reality is quite a few people, the least tech-savvy, are the most likely to give up their bank details to phishing sites.
BT and the ISPs feel legitimately that they can improve the customers' experience by protecting them. The main response from the market research on this was "why aren't they doing this automatically anyway?".
Because there's been no money in it for them.
KE: Well, of course this is a commercial opportunity for them. The anti-phishing and the ad-targeting - both need to see where you go.
But again, say a disgruntled Phorm employee broke into the system and stole all the data, what is it they would have? A series of random numbers, some product categories, and time stamps. That's literally all there is.
So now the core issues seem to be whether it's safe and whether people are getting anything out of it.
Coming to America
But by adding any more entry points to a network you're inevitably adding more potential vulnerability, correct?
MB: I'm not sure. If it's as secure or more secure than the existing network it doesn't necessarily reduce the security, no.
KE: As far as our system is concerned, again, if you were to break in and get all the data there's nothing stored there. That's surely the best form of security you can have. It's not lock all the doors and windows, it's that there's nothing to steal.
But at the heart of all this is the trust issue that people have with you. They entered into a relationship with their ISP, not Phorm. You accept that concern?
KE: Yes, yes. That's why we're talking to you. The best way to find out whether to trust someone is to talk to them. If people come away from this interview thinking we're these slimy people, then we can't make an impact.
Putting aside the privacy stuff, how well do you think the ISPs have handled this announcement? Our readers have been getting some very confused responses from customer services.
KE: I think you're going to see them handle it very differently when they actually deploy. We've come out with this and it's caused controversy, but if we hadn't said anything, everyone would have said "wooo, secret plot", but the ISPs are the ultimate keeper of the relationship with their customer. They'd be stupid to mishandle that relationship.
When they actually deploy they'll message their customers in many different ways. When it launches the first thing you'll see is a browser window telling you it's switched on.
It'll be automatically switched on then?
KE: The conversation over opt-in/opt-out is blurred by the one about transparency. They want to always be aware about whether something is on or off.
So we're going to do something unprecedented, and you'll never see this anywhere. Which is, as they continue to browse, periodically you're going to see in an ad space "Webwise is on" or "Webwise is off", so it's more like a feature. Frankly, it's bad business to have people feel like something is being forced on them. Google stores everything you search, but it never says, "look, by the way we're storing all this and we keep it for a year".
This is not about a bunch of flim-flam artists trying to push something on the public. We couldn't do that. It would be stillborn if we even tried. We're very happy to talk about how everything works and what it means.
Broadly speaking, do you think the profit squeeze that ISPs are suffering now has created the gap for you? It's interesting that it's the UK market that's first with this.
KE: It's not just the UK market, by the way. It's first but that doesn't mean we haven't been speaking to other ISPs in other countries for a very long time.
And it's a great commercial opportunity for them. It would be ridiculous to suggest this is ISPs setting up a non-profit to reduce the amount of advertising online. That's obviously not what's happening - this is a business. It happens to be something that corresponds to what consumers want, like most good businesses.
Long term, we believe if you're opted-out the experience you're going to get is quite crappy because you're going to get bombarded with ads. Of course, the ISPs benefit too from the additional revenue. That's not evil.
So what reaction are you getting in the US at the moment?
KE: Same thing, very positive. We're speaking to a number of very large ISPs and websites there.
But presumably the sensitivities are even greater there because of the ongoing net neutrality row? US ISPs are already under a lot of pressure.
KE: Net neutrality is fascinating. Basically, the websites are at opposite ends of the discussion. What Phorm does is make the ISP the greatest partner a website can have. We think this resolves the tension between websites and ISPs that is the function of net neutrality. It brings both onto the same side.
We're very optimistic in the US. ®
So there you have it, for now. Seems Phorm is here to stay. It has promised to keep talking, and respond to your concerns, so go ahead and post below in the knowledge Kent and co. are at least reading.
Bootnote: It's been noted at Vulture Central and by our commenters that the Phorm story finally blew up yesterday, with stories from The Guardian, The Telegraph, Radio 4, The Evening Standard, and gosh, even the BBC technology website.
The well-deserved exposure the issue now has is thanks to the way you, as discerning Reg readers, have gotten involved over the last two weeks. So bravo.