Computers, Privacy & the Constitution

Phorm Over Function

Phorm, formerly 121Media, is a technology company based in Moscow that came under much scrutiny upon announcing that it was in talks with three UK ISPs, representing 70% of the country’s broadband users, to deliver a "Behavioral Targeting" advertising system that tracks surfers’ habits using "Deep Packet Inspection." It competes with NebuAd, Front Porch, Adzilla, and Project Rialto [hereinafter, collectively "Phorm"]. Unchecked, they represent an ugly development for privacy on the Internet.

* DISCLAIMER * Please note, this is a work in progress, and not intended for review (just yet). I'm just experimenting with the editor, and using this to collect links/extracts which might be helpful. I'll remove this notice as soon as it is complete!

Targeted advertising is nothing new. Offline advertisers have been focusing campaigns for decades, and their online progeny have long used persistent cookies to track repeat visitors to their sites, geodata from IP headers to approximate their location, and data from search histories, emails, and the content of requested pages to provide contextual adverts.

  • Cookies, search data, geodata
  • Deep packet inspection
  • Be careful to distinguish between 'anonymous' tracking, and tying to personal data
  • Distinguish behavioral from contextual, demographic, geographic
  • Difference between site-based and network-based behavioral tracking
  • Leaks UIDs to HTTPS sites
  • Distinguishing between 'anonymous', personal, and sensitive data

Proponents argue that these behavioral tracking systems provide several benefits to consumers. First, they point out that Phorm's servers provide some protection from fraud and "phishing" by blocking access to a blacklist of sites known to be harmful. Second, targeted adverts are offered as the quid pro quo required to keep content free when revenue from more traditional advertising is drying up. Third, it is suggested, users may prefer targeted to random adverts, an analogy being drawn to the referral systems employed by NetFlix and Amazon to recommend DVDs based on past viewing history, and complementary or substitute products based on the shopping history of customers with similar tastes. Fourth, much of this information is already being retained by ISPs in compliance with legislation like the EU Data Retention Directive, or the Communications Assistance for Law Enforcement Act. Similarly, browser add-ons such as the Yahoo! Toolbar have been aggregating and reporting on browsing history for some time. Finally, we are told that users can opt out at any time by downloading a simple cookie onto their machines, and that at any rate, consumer outrage—as was recently expressed over the Facebook Beacon system—should militate against any egregious conduct.

The rhetorical equivalent of being told to “look at the monkey” before being jabbed with a needle, these ‘justifications’ are little more than irrelevant distractions.

First, whether or not these platforms incorporate an anti-phishing layer is of no consequence. Not only is this already a standard feature of most modern browsers, Google’s search engine flags these sites with similar warnings. Given the availability of client-based solutions, it is by no means clear that this should be done at the server level. This feeds into a larger complaint about the complete lack of transparency with regard to which sites will appear on these lists [controversy over blackballed domains], the lexicon of the so-called ‘sensitive terms’ which will be precluded from profiling, and the lack of details about the ‘anonymizing algorithm’ or ‘profile categories’ which will be used.

Secondly, most consumers are likely to be completely unaware that any of this is happening, even if they blithely agree once to a EULA. Ironically, the proposed opt-out method, accepting a cookie from faireagle.com, means that privacy-savvy users who have disabled third-party cookies (as everyone should) will not be opted out, nor will any user who has blacklisted that domain using DNS, Adblock and so forth.

Third, the notion that the threat of consumer outrage is sufficient to prevent future abuse is absurd. Privacy statements change overnight, and failed companies have an unpleasant tendency to offer their client records free of such encumbrances to the highest bidder. Aggregation of information on this scale just compounds the problem: there is no way to notify consumers of an updated policy ex post, and, in the absence of reliable data that advertisers will value this information that much more than less invasive contextual adverts, there must be a huge temptation to expand the uses of this information. [search for cures and your premium goes up]. The ethical integrity of a firm known to rewrite its own Wikipedia entry, and conduct secret trials of tens of thousands of unwitting customers, is zero.

Finally, we need to recognize the unique role of ISPs as the gatekeepers of the Internet, one which between application specific bandwidth throttling and a walled garden approach to mobile services, is increasingly questionable. A comparison with

  • Industry self-regulation
      • Opt-in / Opt-out, and transparency
      • Differences in approach between Phorm and its competitors
  • New York Bill
      • Supported by Microsoft, probably as a dig against Google (but potential acquisition of Yahoo?)
  • FTC Proposed Guidelines

Word Count: ??? (ex. Abstract / Further Reading)

Further Reading

The Register, The Phorm Files: All Yer Data Pimping News in One Place

Phorm: Official Site

Wikipedia, Diagram illustrating how Phorm Works

New York Times, Louise Story, A Push to Limit the Tracking of Web Surfers’ Clicks, Mar. 20 2008

Cornell Law School, Right To Personal Information

Louise Story, How Do They Track You? Let Us Count the Ways, New York Times, Mar. 9 2008

Neil McIntosh, Letting it all hang out, The Guardian, Mar. 18 2008

Third Party Internet Advertising Consumer's Bill of Rights Act of 2008

Blog, James Edwards, Unblocking Adblock, Feb. 5 2008

Blog, Tim Tobin (Partner at Proskauer Rose), Privacy Law Blog, Consumer Advocates Target Online Behavioral Advertising: Broad Regulation Threatens to Impede Delivery of Relevant Advertising and Business Models for Free Online Content, Mar. 27 2008

Text of the Dec 2007 FTC Statement

David Bender (Senior Privacy Counsel and DLA Piper), Do Behavioral Ads Endanger Your Privacy?, Law.com, Apr. 2 2008

Conn. HB05765 (2008) (somewhat narrower than the New York bill)

Greg Sandoval, Failed Dot-Coms May be Selling Your Private Information, CNET, June 29 2000

US Companies which Meet EU Safe Harbor Provisions

Richard Clayton (Cambridge Computer Laboratory), The Phorm 'WebWise' System, Apr. 23 2008

Google Watch

Paul Boutin, You Are What You Search: AOL's Data Leak Reveals the Seven Ways People Search the Web, Slate.com, Aug. 11 2006

Ernst & Young Privacy Audit of Phorm

Nicholas Bohm (FIPR), The Phorm 'Webwise' System - A Legal Analysis, Apr. 23 2008

Foundation for Information Policy Research

 


r8 - 16 May 2008 - 18:39:16 - JulianM
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.