The Phorm storm

Update: An interim Privacy Impact Assessment (PIA) has now been published by Phorm. You can read it here [pdf]. The PIA, produced by 80/20 Thinking Ltd, predicts the media and public backlash against Phorm, and leaves several questions unanswered, including “Can an external attacker gain access to the required information to re-link [an] individual [with their] unique identifier?”. This document, which is dated 10 February 2008, anticipates the publication of a full PIA “in March 2008”. As yet none has been forthcoming.

Over the last few weeks, the story that BT, Virgin and TalkTalk are signed up to trial a new technology called Phorm, which tracks users’ online surfing habits in order to target ads at them, has caused a storm all over the internet.

Here’s what we’ve been told about the workings of Phorm so far. Phorm assigns a user’s browser a unique identifying number, which, it is claimed, nobody can associate with your IP address, not even your ISP. It then uses information about your surfing habits, gathered by searching the URLs you request and the websites you visit for key words, to assign that unique number to various “channels” (for example “golf”, “travel” or “handbags”). When you visit a website which has a “Phorm please put an ad in here” tag, Phorm serves an ad from a channel where your unique number appears.

Phorm says that it does not write data about the content you are viewing to disc in “the production system”, getting rid of it as soon as the operation to assign your unique number to a channel is complete. In a separate system (used for “research and debugging”) that data is stored for 14 days, then deleted.

Despite some significant investigative work, in particular from The Register and the Political Penguin blog, several technical questions remain unanswered. The confusion is compounded by a Privacy Impact Assessment of Phorm that was conducted by 80/20 Thinking Ltd, whose core staff includes the director of Privacy International, Simon Davies. Davies has gone on record stating that “Phorm does advance the whole sector of protecting personal information by two to three steps”. Yet despite the focus on Davies’ involvement, the privacy impact assessment conducted by 80/20 is yet to be published.

On top of this, question marks are beginning to appear over Phorm’s compliance with the law. Can ISPs’ employment of Phorm comply with the Data Protection Act? Is intercepting traffic in this manner an offence under section 1 of RIPA (the Regulation of Investigatory Powers Act)? The Information Commissioner has issued a statement (pdf) saying his office is making inquiries – but is this enough?

A petition asking the Government “to stop ISPs from breaching customers’ privacy via advertising technologies” has now collected over 2,500 signatures. Phorm could, as Simon Davies has claimed, represent an advance in online privacy. But because it is being applied to target ads at us, based on activity we have not asked and may not want to be tracked – the websites we visit – it is not surprising that people are shouting “keep your mitts off my bits!”.

Until we know exactly how Phorm works – and across whose networks our data will flow – speculation about the privacy implications of Phorm will only continue. The ISPs involved with Phorm, as well as the company itself, should take their lead from the Government, who last week published the controversial and critical Crosby Review of ID cards after much delay. They should publish 80/20’s impact assessment and full details of how Phorm will work now and let us see for ourselves the real privacy implications of Phorm.

Some resources:












  • 80/20 Privacy Impact Assessment of Phorm – forthcoming?