Phorm Did Track IP Addresses, Replaced Charity Ads With Behavioral Ads

from the how-nice-of-them dept

Phorm, the extremely controversial former adware company that reinvented itself as a behavioral advertising firm that would work with ISPs to look at your clickstream data and serve you special ads instead of the ones you were supposed to see, has been working overtime to defend its program as being perfectly legitimate and no risk to anyone's privacy. Of course, that's not satisfying many, as it later came out that, despite claims of openness, BT and Phorm had secretly tested the service without letting anyone know their clickstream data was being used this way. Even worse, after this news came out, BT and Phorm downplayed the test, only to later have it come out that it was quite extensive.

And, now, it gets even worse. More information has been leaked out about that test. As for it being super duper secret without your IP address ever being compromised? Well, not so much. It turns out that an internal BT analysis found that IP addresses were likely used as the identifier, which is the exact opposite from what Phorm has insisted. And, as for how well the system works? Well, it was successful in covering up ads for various charities and replacing them with "targeted" behavioral ads instead. Wouldn't want those darn charities to have anyone see their ads.

Update: A representative of Phorm has gotten in touch to note that there were some incorrect statements in the original report on this. Specifically, it appears that Phorm purchased the original charity ads that were replaced -- so it's not as though the charity lost anything here. It's easy to understand why the original interpretation of the BT report would make one think this was not the case, as it stated: "The advertisements were used to replaced [sic] a 'default' charity advertisement (one of Oxfam, Make Trade Fair or SOS Children's Villages) when a suitable contextual or behavioural match could be made by the PageSense system." It does not appear to say that the ads were purchased by Phorm -- at least not in that same section. At this time, there is still no indication whether or not the charities knew their ads were going to be "covered up" in this manner. None of this, of course, answers the questions about whether or not this test was legal.

Update 2: And now BT has also gotten in touch with us to complain -- though they falsely accuse us of making false statements, saying that the headline still says they "hijacked" charity ads. It does not and has not. It has always said "replaced" which, I'll remind BT, is the exact word used in their own report. Unless BT was falsifying its own report, the word "replace" is correct. The mistake was in suggesting that Phorm had not purchased that ad space -- and that has already been corrected quite clearly. BT also is upset that we accused them of "misleading ICO." The only problem: we made no such statement. Finally, BT complains that no personal information was used in the trials -- which is a point that is still disputed. The original researcher who researched the report claims that IP addresses were passed to Phorm's proxy server and that personal info was requested on a web form. BT notes that the IP addresses were not stored -- but that doesn't mean they weren't used, which was what was in question. Also, to both Phorm and BT, the comments on this post are open, and you are free to make your case here where anyone else can see it. Contacting me personally, with vague, slightly threatening and sometimes incorrect statements is certainly less effective that making your case to the public. Part of the reason you're in this PR situation is because of your secrecy. Being a bit more open might help.

Filed Under: advertising, clickstream tracking, ip addresses, isps, privacy, uk
Companies: bt, phorm

Behavioral Targeting May Be Illegal

from the smells-like-wiretapping dept

A bunch of ISPs have been experimenting with systems such as Phorm and NebuAd that monitor their users' online behavior and create profiles that help third parties create more targeted advertisements. Back in March we noted that behavioral advertising may be illegal under UK law. And last week we reported that Congress was asking some tough questions about the plans. CNet's Declan Declan McCullagh has an in-depth look at American law, and concludes that such systems are probably illegal here too. The problem is that what Phorm and NebuAd do sounds a lot like wiretapping, and wiretapping is illegal under several federal laws. At least three federal laws govern when electronic communications providers can disclose their customers' communications to third parties. One of the key questions Declan looks at is consent: the law generally allows eavesdropping with customer consent, but the exact nature of the consent isn't clear. ISPs have tended to be very secretive about their use of these systems, so at the very least, privacy laws would require that ISPs disclose what they're doing and give consumers a way to opt out. But Declan suggests that this might not be sufficient. Some of the legal experts he talked to think the law would require the ISPs to obtain the affirmative consent of customers before commencing the use of these programs. Since it's hard to imagine customers being enthusiastic about having their ISPs eavesdrop on them, such a requirement might make these programs non-starters.

Filed Under: behavioral targeting, clickstream data, privacy, wiretapping
Companies: nebuad, phorm

Marketers Freak Out About Mandates To Make Clickstream Tracking Opt-In Only

from the but-what-about-our-data? dept

With all of the fuss finally being raised concerning clickstream tracking by companies like Phorm and NebuAd, there's an effort underway to force ISPs to make any such tracking strictly opt-in. That is, users would have to proactively agree to allow their data to be used in this manner. In response, various marketers are complaining about how much data they would lose, claiming it would be an "armageddon" for the industry. Don't believe them. This is the same thing marketers warned about when the US instituted a "Do Not Call" system, and it's hardly decimated the marketing industry. Instead, it's improved marketing by making firms focus less on intrusive telemarketing and more on useful marketing. The same would happen if ISPs were required to make this an opt-in instead of opt-out setup. It would force the ISPs and companies like Phorm to make sure that the services really benefited customers in meaningful and noticeable ways so that customers would be happy to make use of the services. By whining about an opt-in solution, all these firms are really admitting is that they do not add value to the surfing experience of users.

Filed Under: clickstream tracking, marketers, opt-in, opt-out
Companies: nebuad, phorm

Anti-Spyware Companies Debate Blocking ISP-Injected Advertising

from the the-battle-continues dept

With a growing number of ISPs using services from companies like Phorm and NebuAd to inject ads into your web browsing based on your surfing habits, anti-spyware companies are starting to take notice and debate whether or not they should start blocking some of these activities. While there's no downloaded software, these services all use cookies to track your surfing habits, and anti-spyware offerings could certainly step in and block those cookies or more proactively warn users that their surfing data is being used in this manner. Considering how hard Phorm has worked to shed the "spyware" label it had been given in a previous life, the company can't be too pleased to hear about this development. Of course, it's probably more concerned with questions being raised about whether or not its service is even legal.

Filed Under: anti-spyware, behavioral advertising, clickstream treacking, spyware
Companies: nebuad, phorm

Growing Number Of ISPs Injecting Own Content Into Websites

from the this-is-not-a-good-trend dept

With growing concerns over companies like Phorm and NebuAd enabling ISPs to insert their own ads into your web surfing, some researchers decided to see if this is already happening -- and were surprised to find it more prevalent than they expected. It's still not a huge number, but in tests, they found that there definitely are some ISPs already using such technology to inject ads, though they tend to be smaller "no name" ISPs. The one big exception was XO Communications -- though XO claims that any ad injections must be done by downstream resellers of its wholesale service. Either way, this ought to raise some questions about what rights ISPs have to get in the middle and alter the data that you requested and which was served by a third party.

Filed Under: ads, clickstream, isps
Companies: nebuad, phorm

Phorm Edits Negative History Right Out Of Wikipedia

from the and-gets-called-on-it dept

Phorm, the controversial "former" adware company that is aggressively defending its new ads-based-on-your-clickstream program, despite some serious questions about its legality apparently became a little "overzealous" in its defense, editing its own Wikipedia page to erase many of the negative stories about the company. Of course, doing that backfired pretty quickly, as the company got called out on it (and the edits got reverted). While first suggesting that it was merely trying to correct "inaccuracies" (such as questions over its legality?), the company admitted it was a bit too aggressive, and was unfamiliar with the rule that you're not supposed to edit your own Wikipedia entry.

Filed Under: clickstream tracking, controversy, wikipedia
Companies: phorm, wikipedia

Turns Out BT's Phorm Tracking Tests Were More Extensive Than Previously Reported

from the transparency? dept

Last month, we noted that BT had secretly tested Phorm's tracking system without telling customers in the summer of 2007. This gave users no way to opt-out as they had no idea their surfing was being tracked. However, now it's being reported that BT's tests were even more extensive than originally reported, and the two companies secretly tracked the internet usage of 18,000 customers back in 2006, before Phorm was even called Phorm. That's back when Phorm was known as 121 Media and considered by many to be in the sneaky adware business. In fact, the BT internal report on the test noted that: "121Media [Phorm] will take action (both technical and public relations) to avoid any perception that their system is a virus, malware or spyware and to show that in effect it is a positive web development." Perhaps that explains Phorm's recent charm offensive. It's part of it's deal with BT.

Filed Under: clickstream treacking, isps, uk
Companies: bt, phorm

NY Legislator Looks To Outlaw Behavioral Targeted Ads Without Opt-In

from the a-bit-late-for-that dept

A New York Assembly member is pushing to outlaw targeted advertising without opt-in approval. Given the scrutiny facing companies like Phorm in the UK, this isn't all that surprising. However, the complaints around Phorm are that it tracks all of your surfing activity and generates ads based on that aggregate info. The bill that is being discussed in New York would apparently apply to websites that do targeted advertising within the site. That seems both extreme and unnecessary. Even though the law would technically only apply to New York, since it would be difficult to figure out who's in NY and who's elsewhere, it would force many providers to get rid of targeted advertising. It seems a bit extreme to think that targeted advertising should be banned entirely, without an initial opt-in. By this point, most people probably expect basic targeting to take place, and when done right, such targeted ads should be more effective. The real problem comes in when such targeting presents a privacy violation, but the focus then should be on privacy laws, not specifically targeting a single activity such as targeted ads.

Filed Under: new york, opt-in, permission, targeted advertising
Companies: google, microsoft, phorm

Questions Raised Over Phorm's Legality As BT Admits It Tested The Service Secretly

from the transparency,-transparency,-tranparency dept

While Phorm has gone on a charm offensive to try to convince people that its efforts are not as bad as some are making them out to be (including, by the way, using my post as a de facto forum), it appears that the effort still isn't convincing skeptics. Tim Berners-Lee made some news last week for suggesting he would switch ISPs if his started using a service like Phorm, but the bigger backlash may be coming from the legal arena. First, there was the news that BT (who had originally denied this) tested Phorm's technology, without letting users know, last summer. That has resulted in some people threatening a lawsuit. And, speaking of lawsuits, a bunch of scholars and think tankers are pointing out that Phorm may actually be illegal based on current UK laws, if it's used without first getting users to "opt-in."

Filed Under: clickstream data, tim berners-lee, uk, user tracking
Companies: bt, phorm

Phorm Goes On The Offensive To Defend Its Ad Program On Privacy Questions

from the but-do-you-believe-them dept

Last month, we wrote about the plan by a variety of UK-based ISPs to use all of your clickstream data to target ads to you as you surfed. That is, if you were surfing a golf site and then went and checked CNN, the system would still know that you liked golf and might serve up golf ads on CNN. At least that's the benign version of it. There are some serious questions raised by this. First of all, many people are likely to be uncomfortable with the idea that their ISP is watching what they do and then using it to target ads. Even worse, the company that the ISPs were partnering with to do all of this had previously been known as a spyware firm.

Phorm is now aggressively defending its reputation, insisting once again that it will keep all of the data it collects anonymized. However, while it says this and explains how it will try to anonymize the data, the company fails to address the fact that just about every time a company has tried to create an anonymized data set, it doesn't take long for someone to de-anonymize it. The company just assumes that it really can keep the data anonymous, when there are serious doubts as to whether or not that's really possible.

To its credit, the company isn't ignoring some of the complaints and has just done interviews with both the BBC and The Register to answer some of the concerns raised. Thankfully, both interviews do probe fairly deeply and ask some tough questions, and the Phorm execs answer each question directly. They claim that they were never "spyware" providers, only adware, but admit that the definition got blurred, which was why (they claim) they got out of the business. That sounds good until you look at some of the details about the company's former products, and the fact that it made a rather nasty rootkit injector.

That said, the execs do answer a bunch of questions about the privacy issues, noting that they're being audited by two separate firms to ensure they live up to the privacy promises. The clickstream data is immediately deleted and all the profiling is done at the ISP, not by Phorm, who is merely serving up the ads based on the profile kicked back by the ISP. While it's good to see the execs from Phorm willing to answer these questions, the company's history and the entire concept of what's being done still seems rather questionable. Phorm's insistence that this will actually decrease advertising seems like little consolation (and difficult to believe).

Filed Under: behavioral advertising, clickstream data, uk
Companies: phorm