Phorm, formerly known as 121Media, is a digital technology company based in London, New York, and Moscow. The company drew attention when it announced it was in talks with several United Kingdom ISPs to deliver targeted advertising based on user browsing habits by using deep packet inspection. It is one of several companies developing Behavioral Targeting advertising systems, seeking deals with ISPs to enable them to analyse customers' websurfing habits in order to deliver targeted advertising to them. Others include NebuAd and Front Porch.
Phorm is working with major US and British ISPs including British Telecom, Virgin Media, and TalkTalk on a targeted advertisement service to monitor browsing habits and serve relevant advertisements to the end user. Phorm say these deals will give them access to the surfing habits of 70% of British households with broadband.
The service, which will be marketed to end-users as "Webwise", would work by categorising user interests and matching them with advertisers who wish to target that type of user. "As you browse we're able to categorise all of your Internet actions", said Phorm COO Virasb Vahidi. "We actually can see the entire Internet."
It is claimed that data collected would be completely anonymous, and that Phorm will never be aware of the identity of the user or what they have browsed. By monitoring users' browsing, Phorm also offers protection against online fraud and phishing, just like any modern web browser. If users try to access a phishing site that is listed on a database available to Phorm, a warning will appear on the browser, although phishing sites not on the database won't trigger any warning.
It is said that users will be able to opt out of Phorm's service. However, according to a spokesman for Phorm, the way the opt-out works means the contents of the websites visited will still be mirrored to its system. All computers, all users, and all HTTP applications used by each user of each computer will need to be configured (or supplemented with add-ons) to opt out. It has since been declared by the Information Commissioner's Office that Phorm would only be legal under UK law if it were an opt-in service.
121media, the former name of Phorm, has had its products described as spyware. As 121Media it distributed a program called PeopleOnPage, which was classified as spyware by F-Secure. PeopleOnPage was an application built around their advertising engine called ContextPlus. ContextPlus was also distributed as a root kit called Apropos, which used tricks to prevent the user from removing the application and sent information back to central servers regarding a user's browsing habits.
In November 2005 the Center for Democracy and Technology in the US filed a complaint with the Federal Trade Commission over distribution of what it considered spyware, including ContextPlus. They stated that they had investigated and uncovered deceptive and unfair behaviour. This complaint was filed in concert with the Canadian Internet Policy and Public Internet Center, a group that was filing a similar complaint against Integrated Search Technologies with Canadian authorities.
In May 2006 ContextPlus shut down its operations and stated "[Contextplus are] no longer able to ensure the highest standards of quality and customer care". The shutdown came after several major lawsuits against adware vendors had been launched. Phorm has countered this with an admission of a company history in adware and the closing down of a multi-million dollar revenue stream as people confused adware with spyware.
"The problem for newspapers is that a story headlined 'Two Dead in Baghdad' isn't very product-friendly" said Kent Ertugrul, chief executive of Phorm, a behavioral targeting company working with British newspapers. "But if you know who is looking at the page, that's where the opportunity is."
Initial reaction to the proposed service highlighted deep concerns with regards to individual privacy and property rights in data. Phorm has defended its technology in the face of what it called "misinformation" from bloggers claiming it threatens users' privacy.
Security firms are split about whether they will classify Phorm's targeting cookies as adware. Kaspersky Lab, whose anti-virus engine is licensed to many other security vendors, said it would detect the cookie as adware. Trend Micro said there was a "very high chance" that it would add detection for the tracking cookies as adware. PC Tools echoed Trend's concerns about privacy and security, urging Phorm to apply an opt-in approach. Specialist anti-spyware firm Sunbelt Software also expressed concerns, saying Phorm's tracking cookies were candidates for detection by its anti-spyware software.
Ross Anderson, professor of security engineering at Cambridge University, said: "The message has to be this: if you care about your privacy, do not use BT, Virgin or Talk-Talk as your internet provider." He added that, historically, anonymising technology had never worked. Even if it did, he stressed, it still posed huge privacy issues. During the week beginning March 10, 2008, privacy concerns began to have an impact on the stock price of the company, which dropped 30%, indicating that shareholders might also be concerned about the issues being raised. By 27 March 2008 the stock price had dropped 45% over the month, and as of May 17, 2008, Phorm's stock has fallen over 85%, effectively collapsing.
Phorm has engaged a number of public relations advisers including Freuds, Citigate Dewe Rogerson and ex-House of Commons media adviser John Stonborough in an attempt to save its reputation, and has engaged with audiences via moderated online webchats. Full transcripts of these interviews can be found at http://www.webwise.com/how-it-works/chat.html
In response to customer concerns, TalkTalk (The Carphone Warehouse) issued a statement that its implementation will be "opt-in" only and won't use the same method as BT, meaning those that don't "opt-in" will have their traffic split, avoiding contact with a WebWise (Phorm) server.
The creator of the World Wide Web, Tim Berners-Lee, has criticized the idea of tracking his browsing history saying that "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return." He also said that he would change ISP if they introduced the Phorm system.
Simon Davies, a privacy advocate and founding member of Privacy International, said "Behavioural advertising is a rather spooky concept for many people." In a separate role at 80/20 Thinking, a consultancy start-up, he was engaged by Phorm to look at the system. He said: "We were impressed with the effort that had been put into minimising the collection of personal information." He was subsequently quoted as saying "[Privacy International] DOES NOT endorse Phorm, though we do applaud a number of developments in its process." (original capitals) "The system does appear to mitigate a number of core privacy problems in profiling, retention and tracking... [but] we won't as PI support any system that works on an opt-out basis."
Kent Ertugrul later claimed he was confused when he suggested Privacy International had endorsed Phorm. "This was my confusion I apologise. The endorsement was in fact from Simon Davies, the MD of 80 / 20 who is also a director of Privacy International."
After initial denials that they had done so, BT confirmed they ran a small-scale trial at one exchange of a "prototype advertising platform" in 2007 and are said to be developing an improved non-cookie based opt-out of Phorm. BT customers will be able to opt out of the trial, but no decision has been made as to their post-trial approach.
It was reported that BT ran an earlier secret trial in 2006, in which it intercepted and profiled the web browsing of 18,000 of its broadband customers. The technical report states that customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience.
Digital rights lawyer Nicholas Bohm, of the Foundation for Information Policy Research, has said that trials of an online ad system carried out by BT involving more than 30,000 of its customers were potentially illegal. Channel 4's Krishnan Guru-Murthy interviewed BT's head of value added services, Emma Sanderson, about their trials.
It has since been revealed that BT's 2007 trial involved some tens of thousands of end users.
BT's third trial of Phorm's Webwise system has repeatedly slipped. The trial was to last for approximately two weeks on 10,000 subscribers, and was originally due to start in March 2008 then April 2008, and now the latest date of the end of May 2008 has passed.
British Telecom is facing legal action over trials of Phorm which were carried out without user consent.
On Tuesday, the 2nd of September 2008, City of London Police, investigating a complaint made by anti-Phorm protestors, met with BT representatives to informally question them about the secret Phorm trials.
On the 25th September 2008 the City of London Police announced that there will be no formal investigation of BT over its secret trials of Phorm in 2006 and 2007. According to Alex Hanff, one of the chief campaigners, the police said "There was no criminal intent on behalf of BT and that there was implied consent because the service was going to benefit customers."
Nicholas Bohm, a lawyer with thinktank Foundation for Information Policy Research, said the police response was "absurd". "A driver who kills someone when drunk has no criminal intent. It is not a necessary ingredient of a crime," he said. "As for the idea that consent is implied on the grounds that some people would like a service, that is not good enough at all," he added.
On the 29th of September 2008, it was announced in BT's support forum that their trial of Phorm's Webwise system would commence the following day, the 30th of September 2008. BT press officer Adam Liversage stated that BT is still working on a network-level opt-out, but that it will not be offered during the trial. Opted-out traffic will pass through the Webwise system but will not be mirrored or profiled. The final full roll-out of Webwise across BT's national network will not necessarily depend on the completion of the work either.
Civil liberties campaigners The Open Rights Group are urging BT's customers not to participate in the BT Webwise trials, pointing out that BT Webwise's “anti-fraud” feature is unlikely to give you anything more than the features already built into web browsers.
The trial still uses the opt-out method and is therefore illegal in the UK according to the Information Commissioner's Office.
Richard Clayton, a Cambridge University security researcher and member of the Open Rights Group and FIPR, attended an on-the-record meeting with Phorm, and published his account of how their advertising system works.
Phorm explained the process by which an initial web request is redirected three times (using  responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else's website.
Richard Clayton notes in his analysis that Phorm's system stores a tracking cookie for each domain visited on the user's PC, each containing an identical copy of the user's unique Phorm tracking ID. Where possible, Phorm's system strips its tracking cookies from http requests before they are forwarded across the internet to a website's server, but it cannot prevent the Phorm UID being sent to websites using . This would allow websites to associate the unique Phorm tracking ID to any details the website collects about the visitor.
It should also be noted that the Phorm system cannot strip its tracking cookie from a computer that is moved from the ISP's network to another network, for example when a user takes his or her notebook computer to a public Wi-Fi hotspot. In this case, all of Phorm's tracking cookies will be present when the computer is using an ISP not associated with Phorm.
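The leak described in the two paragraphs above can be checked from the receiving website's side. The following is an added example, not code from Clayton's analysis or from Phorm: it scrubs a tracking cookie from an inbound `Cookie` header before the request is logged, and shows that unrelated sites receiving the same UID can link the visitor. The cookie name `isp_uid`, the host names and the sample requests are constructed assumptions, since the page does not give the real cookie name.

```python
TRACKER_NAME = "isp_uid"  # hypothetical name; the page does not give the real one


def parse_cookies(header):
    """Parse a Cookie request header into an ordered list of (name, value)."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs


def scrub(header):
    """Return (header without the tracker cookie, leaked UID or None)."""
    pairs = parse_cookies(header)
    uid = next((v for n, v in pairs if n == TRACKER_NAME), None)
    kept = "; ".join(f"{n}={v}" for n, v in pairs if n != TRACKER_NAME)
    return kept, uid


def linkable_hosts(requests):
    """Map each leaked UID to the set of hosts that received it."""
    seen = {}
    for host, header in requests:
        _, uid = scrub(header)
        if uid is not None:
            seen.setdefault(uid, set()).add(host)
    return seen


# Constructed sample: Cookie headers as received by three unrelated sites.
# The first request came from the profiling ISP's network, where the cookie
# was stripped in transit; the other two came from the same laptop on another
# network (the Wi-Fi hotspot case), so the identical UID reached both sites.
SAMPLE = [
    ("shop.example", "session=ab12; theme=dark"),
    ("news.example", "isp_uid=7f3c9e; consent=yes"),
    ("bank.example", "sid=zz91; isp_uid=7f3c9e"),
]

if __name__ == "__main__":
    for host, header in SAMPLE:
        print(host, scrub(header))
    print(linkable_hosts(SAMPLE))
```

A site operator would call `scrub` before a request's cookies are written to logs or passed to analytics, so the third-party identifier is never stored alongside the site's own visitor records.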
The Guardian has withdrawn from its targeted advertising deal with Phorm. In an email to a reader, advertising manager Simon Kilby stated "It is true that we have had conversations with them [Phorm] regarding their services but we have concluded at this time that we do not want to be part of the network. Our decision was in no small part down to the conversations we had internally about how this product sits with the values of our company."
In response to an article published in The Register on the 26 March 2008, Phorm has stated that Myspace has not joined OIX as a Publisher.
The Financial Times has decided not to participate in Phorm's impending trial.
Concerns have been raised about the financial impact Phorm's system could have on businesses such as online shops, since Phorm will look at the content viewed by a visitor and add it to their user profile, allowing competing businesses to target advertisements at the user, based on the products that they have looked at on the shop's website, potentially diverting sales away from the original shop.
Some web-masters plan to block or restrict users of Phorm's system, or ask them to opt-out, to protect their content, and have been developing systems to detect Phorm users.
David Evans of the British Computer Society has questioned whether the act of publishing a website on the net is the same as giving consent for advertisers to make use of the site's content or to monitor the site's interactions with its customers.
Phorm is considering offering an incentive other than the phishing protection it originally planned as a means to convince end-users to opt in to its Webwise system. The alternate incentives suggested in a Toluna.com market research survey carried out on behalf of Phorm included phishing protection, a donation to charity, a free technical support line, or one pound off opted-in users' monthly broadband subscription.
The UK Home Office has indicated that Phorm's proposed service is only legal if users give explicit consent. The Open Rights Group (ORG) raised questions about Phorm's legality and asked for clarification of how the service would work. The Foundation for Information Policy Research (FIPR) has argued that Phorm's online advert system is illegal in the UK. Nicholas Bohm, general counsel at FIPR, said: "The need for both parties to consent to interception in order for it to be lawful is an extremely basic principle within the legislation, and it cannot be lightly ignored or treated as a technicality." His open letter to the Information Commissioner has been published on the FIPR web site.
The Conservative peer Lord Northesk has questioned whether HM Government is taking any action on the targeted advertising service offered by Phorm in the light of the questions about its legality under the Data Protection and Regulation of Investigatory Powers Acts. Richard Clayton, a Cambridge University security researcher, has produced a technical analysis (released on April 4th 2008) which confirms the FIPR's view that the final deployment of Phorm will be illegal on the grounds that no consent is obtained from webmasters to profile the pages sent to users.
On April 9 2008, the Information Commissioner's Office ruled that Phorm would only be legal under UK law if it were an opt-in service. The Office stated it will closely monitor the testing and implementation of Phorm, in order to ensure data protection laws are observed.
The Register reported in May 2008 that Phorm's logo strongly resembled that of an unrelated UK company called Phorm Design. They quoted the smaller company's owner, Simon Griffiths: "I've had solicitors look at it and they say we'd have to go to court. [Phorm are] obviously a big player with a lot of clout. I'm a small design agency in Sheffield that employs three people."
European Union communications commissioner Viviane Reding has said that the commission was concerned Phorm was breaching consumer privacy directives and called on the UK Government to take action to protect consumers' privacy.
The European Commission wrote to the UK government on 30 June 2008 setting out the context of the EU's interest in the controversy and asked detailed questions ahead of possible Commission intervention. It required the UK to respond to the letter one month after it was sent. A spokeswoman for the Department for Business, Enterprise and Regulatory Reform (BERR) admitted on the 16 August 2008 that the UK had not met the deadline.
Unsatisfied by the UK government's eventual response, the European Commission wrote to the UK again on the 6th of October. Martin Selmayr, spokesman for commissioner Viviane Reding's Information Society and Media directorate-general said, "For us the matter is not finished. Quite the contrary."