Skip to content
Science, Maths & Technology

Why you might end up paying for privacy

Updated Friday, 18th April 2008

The emergence of Phorm, the targeted advertising company, has given ISPs and internet users a stark choice between privacy and price.

This page was published over five years ago. Please be aware that due to the passage of time, the information provided on this page may be out of date or otherwise inaccurate, and any views or opinions expressed may no longer be relevant. Some technical elements such as audio-visual and interactive media may no longer work. For more detail, see our Archive and Deletion Policy

Despite what you might think, being in the Internet business isn’t a guaranteed road to riches. In fact Britain’s Internet Service Providers (ISPs) are in a brutal fight for market share; companies have repeatedly cut their monthly charges to customers, but the ISPs’ own costs have been falling much more slowly. So whilst we might be enjoying low cost Internet access, it has been at the expense of profits that could have been invested in customer service, the speed of connections and the necessary investment in new technologies. Price cutting has reached such levels that many ISPs are only marginally profitable and many have been bought up by their larger rivals. Every company is desperate to find a new source of income and they’ve been looking to the almighty Google for inspiration.

Google is fabulously rich, in fact it is one of the richest companies in history, and much of that wealth is built on advertising. When you use Google to search for information, say ‘PlayStation games’; you not only get pages telling you about games for the PlayStation; but also on the right-hand side of the page, a set of ‘sponsored links’ advertising games and game stores. Companies pay Google to place these links on the search results page. Every time a user clicks on one of these links, Google receives a small amount of money from the advertiser. Although each click only brings in a tiny amount of money and only a small fraction of users bother to click on the sponsored links, Google handles hundreds of millions of searches every day – and earns millions of dollars in the process. Part of Google’s success lies in the relevance of the adverts it shows users. When we search for ‘PlayStation games’, Google responds with adverts for games for the PlayStation – not for the Nintendo Wii, Sega Dreamcast or other types of game entirely such as football. Because the results are so precise, we’re more likely to click one of the adverts and Google will get its money. The more precisely the adverts are targeted the more likely people are to click on the links.

And here’s where your ISP comes into the picture. Recently, the three largest UK ISPs; BT Broadband, Virgin Media and Carphone Warehouse’s TalkTalk; entered into agreements with a small company called Phorm which is in the targeted advertising business. Phorm promises ISPs a share of advertising revenues by adding targeted advertising to web pages belonging to their partners in the Open Internet Exchange (OIX) advertising network; every time the user clicks on one of these adverts, a small amount of money goes straight to the ISP.

Phorm’s software uses a feature of your Internet browser known as cookies. These are nothing more than small files placed on your computer by web sites as you browse the Internet. Cookies are not like worms and viruses and cannot harm your computer. They have hundreds of uses, for example, a web site might use a cookie to store your name so when you revisit a site it can greet you personally, or they might be used to hold the contents of a shopping trolley as you browse an Internet store.

Web browser address bar Copyrighted  image Icon Copyright: The Open University

When a customer of a Phorm-related ISP first opens their browser, they will see a pop-up window from a so-called ‘Layer 7 Switch’ at their ISP asking if they want to use the Phorm system. If they say yes, a cookie will be placed on their machine containing a unique random 16-figure user number. From then on, all of their requests for pages will first pass through special Phorm computers installed at the ISP. If the user declines to use Phorm, a different ‘opt-out’ cookie is placed on their computer which tells the Layer 7 Switch to direct their browsing straight to the requested sites.

Supposing the user opts in to Phorm; the switch directs their request to a second computer called the Data Mirror which fetches the requested page and sends it to the user’s computer. Simultaneously, the data mirror passes a copy of the page to yet another machine known as the Profiler, and here’s where Phorm really gets to work.

The purpose of the Profiler is analyse the contents of the page. After removing information that could identify the user – such as names, titles, postcodes, email addresses and the like; the Profiler extracts the most frequent ‘interesting’ words describing the content of the article.  These words are used to assign the page to one of a number of advertising categories. This information is then stored in Phorm’s database along with the unique user number taken from the cookie.

When the user next visits a site belonging to OIX (such as the Daily Telegraph, the Financial Times or iVillage), the Phorm system extracts the user number from their cookie and matches it against the record held in the Phorm database. It reads the user’s record to see which categories they have previously browsed; then selects appropriate adverts for those interests. Finally, the targeted adverts are pasted into the webpage seen by the user. If two users with different interests visit the same page they will each see different adverts tailored to their tastes that will hopefully encourage them to click for more information. More advertising clicks, more money for the ISP.

Phorm cannot have expected the uproar their proposal has caused amongst Internet users. The response has been almost universally hostile and although some of the user reaction was sensationalist and paranoid, the situation was not helped by Phorm’s secrecy and the incompetent public relations employed by the ISPs – especially BT, of which more later. In the last few weeks’ Phorm has become more open about its system and it is now possible to say what the system can, and cannot do.

Firstly, Phorm cannot read the content of any page protected by encryption. You use these pages when shopping or banking online and reading email on some sites. These pages always have an address beginning https:// and your browser window will show a small padlock. Phorm also does not read the content of some online forms and it will not read any pages from the most popular web mail sites. Phorm has also promised not to advertise sensitive materials that may offend some users. Phorm does attempt to preserve the anonymity of users by using random user IDs, rather than names or emails. It does not keep the addresses of web sites users have visited, nor does it keep information on those people who do not wish to use the service.

So, the user community was wrong and Phorm was right?


I’m not so sure.

I have a couple of issues with Phorm and the ISPs. The first regards their so-called ‘common carrier’ status which is nothing more than a fancy way of saying the ISPs don’t read everything that passes through their system. ISPs have been vociferous in claiming that they are common carriers and cannot be expected to police the Internet for pirated software, video and music; and nor can they be expected to check every email message for libellous or illegal content. Their policy is so strong that the police must obtain permission to look for material relating to terrorism or child pornography. However, Phorm shows the hollowness of this argument; the ISPs are prepared to examine Internet traffic and categorise it. If they can do it for advertising, why can’t they intercept pirated movies or child pornography? In allowing Phorm, the ISPs might just open the floodgates to ambitious politicians who have long craved the mass surveillance of the Internet. Such surveillance might prevent or detect crimes, but it could also endanger our freedom of speech and expression.

The second issue I have with Phorm is that it may well be illegal under United Kingdom law. The turgidly-named Regulation of Investigatory Powers Act – RIPA - (2000) was passed by the present government in an attempt to formalise the procedure of obtaining material needed in civil or criminal cases. RIPA makes it illegal to intercept a communication without a legal warrant; or the explicit permission of the person sending or receiving the message. Some experts  in Internet law believe that Phorm is performing an interception by diverting users’ browsing through their computers, and if this is the case then the law may well have been broken. Certainly, the growing consensus from government bodies is that users must deliberately ‘opt-in’ and grant permission for Phorm to read their data.

And this opt-in might well be the single biggest blow to Phorm’s ambitions. By default, all users of a participating ISP are opted-in to Phorm; they must choose to opt-out. However, it has recently been revealed that over the last two years BT has conducted secretive trials of Phorm technology on up to 108,000 BT Internet customers. All of these customers were automatically opted-in to the trials with no ability to opt-out; nor were they informed about the trials. If (and it is still only an ‘if), Phorm’s operation only complies with RIPA when customers opt-in, then BT may be in very hot legal water and facing potentially unlimited fines. BT appears to realise it is in murky waters as it plans to change the legal terms and conditions of its Internet service before Phorm (which they call WebWise) can be deployed to all users later this year.

Certainly, Phorm hasn’t benefitted from the controversy. Its share price has halved since the announcement of its tie-up with the ISPs. A number of advertisers in OIX have refused to take part in the scheme, and TalkTalk has said it will make its use of Phorm an opt-in service. It is entirely possible that Phorm will not survive, but it’s not the only company trialling this type of technology, only the best known. In the United States, a number of similar companies have been secretly tracking the browsing habits of more than 100,000 Internet users for some time now and see no reason to stop doing so. Clearly targeted advertising is an attractive proposition to ISPs and unless it is deemed illegal in the UK, we’re going to see a lot more of it.

If Phorm, and Phorm-like systems are not deployed, then the underlying problem for ISPs remain – the current consumer charge for broadband is too low. If we want good quality, high-speed Internet access and investment in new technologies then we will have to pay for it; either by higher monthly charges, a charge per megabyte we use, or through advertising revenues.

At the end of the day, we each have to make a choice – do we want truly anonymous, more expensive Internet; or cheaper surfing where the advertisers know all about us?





Related content (tags)

Copyright information

For further information, take a look at our frequently asked questions which may give you the support you need.

Have a question?