UK ISPs To Start Tracking Your Surfing To Serve You Ads

from the pirvacy-please dept

Mon, Feb 18th 2008 10:08am — Mike Masnick

For years now, ISPs have been searching for alternative revenue streams to avoid just being "dumb pipes." A few years ago, they picked up on the fact that they have a tremendous amount of data about what you (yes, you!) do online. A bunch of ISPs then started selling your clickstream data to companies that could do something useful with it (though, those ISPs probably neglected to tell you they were doing this). Late last year, we heard about a company that was trying to work with ISPs to make use of that data themselves to insert their own ads based on your surfing history -- and now we've got the first report of some big ISPs moving into this realm. Over in the UK three big ISPs, BT, Carphone Warehouse and Virgin Media have announced plans to use your clickstream data to insert relevant ads as you surf through a new startup called Phorm.

While Phorm claims that it keeps your data private "by tracking individual users with an assigned number only," that's hardly assuring. After all, remember that both AOL and Netflix have released similar anonymized data where identifying info was replaced with an assigned number... and it didn't take long for both sets of data to be de-anonymized. While it's no surprise that ISPs would want to get into the advertising business, and to think that they could better target ads thanks to their knowledge of your entire surfing history, it's going to freak some people out (and potentially cause some serious privacy problems). All the more reason to figure out how encrypt your traffic and hide your activities from your ISP.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: advertising, clickstream data, isps
Companies: bt, carphone warehouse, virgin media

32 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Panaqqa, 18 Feb 2008 @ 10:31am

Hmmm... copyright violation anyone?
After all, if I operate a website and British ISPs are inserting ads into content I serve up, then aren't the ISPs creating unauthorized derivative works?

On a different note, I guess "https://" as the default for web surfing is just around the corner.
[ link to this | view in thread ]
Satiricohen, 18 Feb 2008 @ 10:32am

If the government is your
Big Brother, what does that make your ISP - your "Big Cousin"?
[ link to this | view in thread ]
Peet McKimmie (profile), 18 Feb 2008 @ 10:38am

More worryingly...
...since your ISP has full control over the data reaching you, they could replace any image on an html page with an ad without changing the apparent source, thus getting round pretty much all ad-blocking software.
[ link to this | view in thread ]
Bill W, 18 Feb 2008 @ 10:41am

Hmmm, what about multiple users?
What, as is the case, my wife and I are behind a router. How does it separate our clickstreams? What if she got an ad that was based on MY surfing? Eee gads! ;-)
[ link to this | view in thread ]
hater, 18 Feb 2008 @ 10:45am

phorm
mike,

you'll love the story behind phorm. they are actually an old spyware outfit that's changed their name a few times to hide their past.

phorm is the new name of 121media which made the contextplus rootkit infector. just google it.
[ link to this | view in thread ]
Matt Bennett, 18 Feb 2008 @ 10:52am

I actually have way less problem with their knowledge of my surfing history than I do the idea of their inflicting ads upon me.
[ link to this | view in thread ]
Anonymous Coward, 18 Feb 2008 @ 11:23am

so...
how long until the ISPs over here in the U.S. start trying to play this game?
[ link to this | view in thread ]
Dementter, 18 Feb 2008 @ 12:02pm

Seems to me that this has been going on awhile now
[ link to this | view in thread ]
claire rand, 18 Feb 2008 @ 1:16pm

offended...
wait until something 'adult' or otherwise offensive comes through, photograph it and sue them.

of course peoples definitions of offensive vary, make yours wide in this case.

and in this country the #1 crime is to cause offence, e.g. a advert for pork products being seen by a muslim rules out pork product advertising, films? well anything other than a 'U' is out.

I dare say it will all be financial type ads.

I can't think of a better reason to start using encrypted traffic. https:// indeed

no one seems to have twigged, makes ads relevent and target correctly, you know make it stuff I may actually be interested in, not stuff you've shown me god alone knows how many times before, or i already have, or plain don't care about.

also you wanna play hardball? hope your tracking how many images i download or block, cus i'll turn all media 'off' and load images one by one if need be.

oh and change the images on *my* website without me knowing and a court case will be headed your way very soon for copyright infringement.

ISPs.. put down the can of worms and walk away slowly.
[ link to this | view in thread ]
Brian Fearns, 18 Feb 2008 @ 2:00pm

ADVERT TARGETING
THERE MAYBE SOME GOOD POINTS TO BEING TRACKED ON THE
INTERNET, FOR FILTH DOWN LOADERS BEWARE. I HAVE SPENT MUCH TIME ON MY COMPUTER LOOKING AT SPYWARE AND FACINATED JUST
HOW THE PROTECTION INDUSTRY WORKS WHILE MY WIFE IS ACTUALLY ENJOYING HER PC. I CAN'T STAND CREDIT CARD
ADVERTS."WHAT'S IN YOUR POCKET?" WILL BE "WHAT'S IN YOUR PC?" I FEEL AT ALL TIMES I AM BEING WATCHED, BUT I HAVE SO MANY INTERESTS IN ALMOST EVERYTHING IT COULD BE VERY CONFUSING AS TO WHO AND WHAT I AM. IT IS SO GOOD TO READ A BOOK IN PRIVICY WHO'S GOING TO TARGET ME THEN! WHILE I'M HERE I HAVE TRIED TO UNDERSTAND WHY THE LIKES OF THE SOME WANT TO DESTROY THE INTERNET. OUR BELOVED PET COULD BECOME A MUCH FEARED MONSTER. MUST SAY I HATE ADVERTS ON TV AND PC. SO UNLESS THEY WANT TO PAY ME DON'T BOTHER.
[ link to this | view in thread ]
Anonymous Coward, 18 Feb 2008 @ 3:48pm

Assigned Numbers
While Phorm claims that it keeps your data private "by tracking individual users with an assigned number only," that's hardly assuring.

Isn't a social security number or other national ID an example of "an assigned number"? Yeah, that sounds real private.
[ link to this | view in thread ]
Anonymous Coward, 18 Feb 2008 @ 3:51pm

Time to start running a TOR exit node on my surfing hosts, just too totally fuck up their stats
[ link to this | view in thread ]
Peet McKimmie (profile), 18 Feb 2008 @ 4:28pm

Re: ADVERT TARGETING
Ooooh, I didn't know there were still any Apple ][s on the internet! Respect, Brian!
[ link to this | view in thread ]
Peet McKimmie (profile), 18 Feb 2008 @ 4:28pm

Re: ADVERT TARGETING
Ooooh, I didn't know there were still any Apple ][s on the internet! Respect, Brian!
[ link to this | view in thread ]
Anonymous Coward, 18 Feb 2008 @ 5:29pm

Re:
Time to start running a TOR exit node on my surfing hosts, just too totally fuck up their stats

How about a little vacation in Gitmo?
[ link to this | view in thread ]
Punter, 18 Feb 2008 @ 11:28pm

Advert targeting
Surely this model will enable the ISP's to offer quality broadband for free, totaly susidised by these targeted ad's. And after all, if the end user doesn't want that, or is worried about be "de-anonymised" then opt out. it aint rocket science. Pay over the odds for your broadband, and dont take the system.
( And the anonymity of the system has been tested by Ernst & young, and some other privacy group)

To Claire Rand- the obvious adult sectors are ignore ( Gmabling, Viagra, Porn, etc etc)

( I own shares in 1 or more of the companies listed in this article)
[ link to this | view in thread ]
KD, 19 Feb 2008 @ 1:14am

Another example of why more competition is needed
This is just another example of why more competition in broadband internet service is needed.

When there are only the phone company and the cable company to choose from, or in many place, only one or the other of them, they can get away with all sorts of diddling with your service. We need to find a way to establish true competition in internet service.

If everyone had a choice of ten or so service providers, it is unlikely that all of them would show their customers such lack of respect, and the ones that do would suffer from customers fleeing to more respectful providers.
[ link to this | view in thread ]
Flipside, 19 Feb 2008 @ 5:31am

I like pirvacy and indulge frequently ;)

Seriously though, I agree that these companies will simply lose their more intelligent customers wholesale, which is good, because it means more responsible ISP will have the brighter browsers and Virgin and BT can deal with situations like 'I unplugged the modem lead and now my Internet doesn't work!'

If it had been smaller companies, I'd be more inclined to understand their reasons but for large ISP's such as this, it is purely greed.
[ link to this | view in thread ]
mike allen, 19 Feb 2008 @ 6:29am

all
Images on our site are there to inform the visitor of who we are what we offer services and products. any thing added by someone else is an infringment of our rights an ad could be for a rival company. Watch out ISPs you want to do this then you need MY PERMISSION AND APPROVAL OF ALL ADS. OTHERWISE LAWYERS WILL BE CALLING.
[ link to this | view in thread ]
Rupskin, 20 Feb 2008 @ 5:57am

hmmm
interesting, i know of these companies and im pretty sure that they dont just hijack pages and insert ads where there were non previously. All advertising is done in conjunction with the publisher who will obviously benefit from the increased prices that advertisers are willing to pay for a more qualified audience.

Techdirt could even benefit from the increased advertising revenues..

Will be interesting to see how this plays out...
[ link to this | view in thread ]
Bob W, 21 Feb 2008 @ 5:20pm

Re: Advert targeting
E&Y's report on Phorm's system - Page 5, second last paragraph, first sentence -

"Because of inherent limitations in controls, error or fraud may occur and not be detected."

http://www.phorm.com/user_privacy/EY_Phorm_Exam.pdf

Bob W
[ link to this | view in thread ]
Techteam at Phorm, 22 Feb 2008 @ 3:01am

Relevance and Privacy protection
Hello Mike, I’m a member of the Tech team at Phorm. You know - there’s no way the AOL situation would happen with our technology. The OIX throws away raw data instantaneously so there’s no click stream history to be inadvertently released. I know what we're doing seems out of the ordinary from what’s been seen previously in the online Ad space - so I just wanted to make a couple of points to clarify how the technology works. After all it is counterintuitive to claim that you can present consumers with more relevant ads without collecting and storing personal information - but that is exactly what our system does. If a subscriber agrees to participate – maybe because they are tired of receiving ads that have no relevance to the products and services they want to buy – they get a random number. So they are anonymous to the OIX. As they browse anonymously they match advertising channels that have been defined by patterns of URLs, keywords and search terms. But what’s so neat, is that even before each page loads the information observed from that page is deleted. The only data left in the system is just a random number and the channel it matched. In addition the OIX only looks at information relevant to the ad channels - so it doesn’t scan names, numbers, emails, secure pages and form. Nor does it allow ad Channels to be constructed for a range of sensitive areas like adult content, alcohol, medical - so again browsing behaviour in these areas simply isn’t observed. Since there’s no personal data stored – nothing can be traced to an individual and there’s no information to reverse engineer. There’s no interface or database in the system where a UID can be entered to retrieve profile information. We understand that even with all these safeguards - users may not want to participate, and that's alright. There's a simple option for users to opt out on webwise.com. We even tell them to how to block the domain for a more permanent option. The team here has really worked hard over many years to build the system from the ground up with privacy at its core. We’ve also worked closely with user privacy groups in the UK to make sure that we did this right, and that user's privacy is protected. I'd be happy to discuss any further questions you may have. Pop over a note and I'll send over my contact information. Cheers, Tech team
[ link to this | view in thread ]
Bob W, 22 Feb 2008 @ 5:25pm

Re: Relevance and Privacy protection
As a customer of one of the three ISP's mentioned, I'd be very interested to know how your system can ignore data without first scanning that data to establish it's relevance. Your employers website contradicts your statement that the system does not scan names, numbers etc.

"Phorm technology does not view any information on secure (HTTPS) pages, and ignores strings of numbers longer than three digits to ensure that we do not collect credit card numbers, phone numbers, National Insurance or other potentially private information."

It's a neat trick if your system doesn't scan the data before ignoring it, enlighten me please.

"If a subscriber agrees to participate" - that would seem to indicate an opt-in system, but what is described on your employers website is an opt-out system, which as I understand it would breach the Data Protection Act in the UK.

IANAL
Bob W
[ link to this | view in thread ]
brianlj, 25 Feb 2008 @ 8:41am

Re:
"I unplugged my modem and..."

VirginMedia would *love* to get thousands of people like that! They charge the caller 25 p / minute for support calls.
[ link to this | view in thread ]
tobyjugg2, 27 Feb 2008 @ 4:16pm

Re: Re: Relevance and Privacy protection
The opt out appears to be to allow them to place a cooky on your system which tells them to ignore you

The mind boggles that you have to opt in to their cookies to opt out
[ link to this | view in thread ]
Paul`, 28 Feb 2008 @ 1:38am

Re: ADVERT TARGETING
4mm. You have to move your pinky finger 4mm and press the Caps Lock button for people to actually care what you're saying.
[ link to this | view in thread ]
WTF, 3 Mar 2008 @ 2:17pm

Can't Understand New Technology
Could people please read how the system operates before engaging mouth and spewing rubbish.

The system does not place ads willy nilly, so ISP will not not be placing ads willy nilly.

The system works when you visit a website that serves ads from a Phorm server, and these ads will be the targeted ones instead of untargeted ads.

Now, what really should happen is that there should be an opt-in system, as automatically opting people in is wrong as 99% of those who are automatically opted in will not kbow they have been opted in in the first place.
[ link to this | view in thread ]
Pete, 5 Mar 2008 @ 3:05pm

Dephormation
See link below for 'add on' for FF2 that sets the Webwise 'opt out' cookie, overwrites the Webwise UID with a randomised string, and does so after each and every page load.

Download it here
http://www.planetsaturn.pwp.blueyonder.co.uk/dephormation.xpi

Works with FF2, pure Javascript so should work on all FF2 operating systems. Unzip the XPI for code details.

That's not to say this makes Phorm acceptable. Its not. And to make it opt out using cookies is simply taking the 'peas'.
[ link to this | view in thread ]
Toby Jugg, 9 Mar 2008 @ 6:41am

Regarding the E&Y report on phorm ROFL
excerpt :

quote:

Because of inherent limitations in controls, error or fraud may occur and not be detected.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the Service or controls, the failure to make needed changes to the Service or controls, or a deterioration in the degree of effectiveness of the controls.

end quote
[ link to this | view in thread ]
phormwatch, 12 Mar 2008 @ 5:12pm

Keeping track of Phorm-participants
Hello all, I've started a blog to keep track of those ISPs, websites, ad-agencies, and companies which make use of this invasive Phorm technology.

You can visit the website here:

http://phormwatch.blogspot.com/

Please send information about participants to this address.

phormwatch at fastmail.net

Thank you!
[ link to this | view in thread ]
RM, 25 Feb 2009 @ 5:27pm

Phorm
I think you're all off base. Privacy is dead. At least Phorm is trying.

Bob, they can simply scan the data without observing the ID that's attached to it. If the data is sensitive then they never observe the ID.

Not exactly a neat trick.
[ link to this | view in thread ]
Bob W, 10 Oct 2009 @ 5:12pm

Re: Phorm
"Bob, they can simply scan the data without observing the ID that's attached to it. If the data is sensitive then they never observe the ID.

They still scan the data, which is the question I posed, trusting them to ignore/ not match to the ID is another matter..

Not exactly a neat trick."

As I said, it would be if Phorm ignored sensitive data without first scanning.
[ link to this | view in thread ]