November 23, 2024

Bad Phorm on Privacy

Phorm, an online advertising company, has recently made deals with several British ISPs to gain unprecedented access to every single Web action taken by their customers. The deals will let Phorm track search terms, URLs and other keywords to create online behavior profiles of individual customers, which will then be used to provide better targeted ads. The company claims that “No private or personal information, or anything that can identify you, is ever stored – and that means your privacy is never at risk.” Although Phorm might have honest intentions, their privacy claims are, at best, misleading to customers.

Their privacy promise is that personally-identifiable information is never stored, but they make no promises on how the raw logs of search terms and URLs are used before they are deleted. It’s clear from Phorm’s online literature that they use this sensitive data for ad delivery purposes. In one example, they claim advertisers will be able to target ads directly to users who see the keywords “Paris vacation” either as a search or within the text of a visited webpage. Without even getting to the storage question, users will likely perceive Phorm’s access and use of their behavioral data as a compromise of their personal privacy.

What Phorm does store permanently are two pieces of information about each user: (1) the “advertising categories” that the user is interested in and (2) a randomly-generated ID from the user’s browser cookie. Each raw online action is sorted into one or more categories, such as “travel” or “luxury cars”, that are defined by advertisers. The privacy worry is that as these categories become more specific, the behavioral profiles of each user becomes ever more precise. Phorm seems to impose no limit on the specificity of these defined categories, so for all intents and purposes, these categories over time will become nearly identical to the search terms themselves. Indeed, they market their “finely tuned” service as analogous to typical keyword search campaigns that advertisers are already used to. Phorm has a strong incentive to store arbitrarily specific interest categories about each user to provide optimally targeted ads, and thus boost the profits of their advertising business.

The second protection mechanism is a randomly-generated ID number stored in a browser cookie that Phorm uses to “anonymously” track a user as she browses the web. This ID number is stored with the list of the interest categories collected for that user. Phorm should be given credit for recognizing this as more privacy-protecting than simply using the customer’s name or IP address as an identifier (something even Google has disappointingly failed to recognize). But from past experience, these protections are unlikely to be enough. The storage of random user IDs mapped to keywords mirroring actual search queries is highly reminiscent of the AOL data fiasco from 2006, where AOL released “anonymized” search histories containing 20 million keywords. It turned out to be easy to identify the name of specific individuals based solely on their search history.

In the least, the company’s employees will be able to access an AOL-like dataset about the ISP’s customers. Granted, distinguishing whether particular datasets as personally-identifiable or not is a notoriously difficult problem and subject to further research. But it’s inaccurate for Phorm to claim that personally-identifiable information is not being stored and to promise users that their privacy is not at risk.

Comments

  1. Jik T. Chu says

    Hello,

    Let me introduce myself. I have been Phorm’s consultant in Korea for past 2 years. I worked hard to make a large Korean ISP to test Phorm’s system beating their arch rival from the US, Nebuad.

    Kent Ertugrul, CEO and Founder of Phorm, established Phorm Korea office, hired a local manager, introduced by me, and promptly fired me. I think Phorm is about to run out of cash, and Kent is trying to save as much cash as possible.

    However, I think it is unethical to cut me off as soon as they have their foot in the door of a Korean ISP. However, I think it is up to them and they can do whatever they see fit with their fund. What really made me angry was what happened after Kent called me in Jan. and told me that he is going to fire me.

    I am attaching a couple of email he and I exchanged since that time:

    –quote–

    —- Original Message —–
    From: ???
    To: Kent Ertugrul

    Sent: Monday, March 09, 2009 8:13 AM
    Subject: Re: Jik Chu Termination
    Second Request

    Please send your courier service receipt of the Termination Notice to

    Jik Chu
    8F, Kric B/d,
    #80 Susong-dong,Jongro-ku,
    Seoul110-733
    Korea

    or,

    forward (not copied or attached) your Jan., 22nd. 2009 email to me.

    If I receive either of above items, I will consider the matter closed.

    best,
    —– Original Message —–
    From: ???
    To: Kent Ertugrul

    Sent: Wednesday, March 04, 2009 8:59 AM
    Subject: Re: Jik Chu Termination

    Kent,

    I have shown email exchanges below to my lawyer.

    He said in your email:

    From: Kent Ertugrul
    Sent: 22 January 2009 15:32
    To: Jik T. Chu ()
    Subject:

    does not show date of the week (Thursday) on the
    Sent: 22 January 2009 15:32– line, as most of forwarded email show,
    and it does not look like the original message was forwarded but rather copied and attached.

    The lawyer asked me to ask you that you forward original copy of above email, and send to us either receipt, or undelivered receipt of the hardcopy of the Termination Notice, to the wrong address.

    best,

    —– Original Message —–
    From: ???
    To: Kent Ertugrul

    Sent: Wednesday, March 04, 2009 6:33 AM
    Subject: Re: Jik Chu Termination

    Kent,

    Jik Chu
    8F, Kric B/d,
    #80 Susong-dong,Jongro-ku,
    Seoul110-733
    Korea

    I have moved from above address, 2 years ago, to which you said you sent hard copy of the Termination Notice.

    My current address, as appearing in the Consulting Agreement signed by me on May 1st, 2008, and counter signed by Mr. Vahidi on May 27th., 2008, is:

    Hyosung 12-102
    Banpo 591-1
    Seoul, Korea 137-040

    Please resend the Termination Notice and any future agreements to above address.

    My email inbox has no record of receiving your Jan. 22nd., 2009 email attached to your March 4th.,2009 email below.

    If your proposed, new “disparagement” agreement is offering shares in the Phorm, Inc., I decline, as I have no interest in receiving those shares.

    I will give you my last “advice”:

    To a Korean businessman, straight talk and building trust are most important.

    I wish you good luck in your future endeavor.

    all the best,
    —– Original Message —–
    From: Kent Ertugrul
    To:
    Sent: Wednesday, March 04, 2009 12:08 AM
    Subject: Jik Chu Termination

    Dear Jik,

    In accordance with the Termination Clause in the Consulting Agreement, we terminated your employment and consulting arrangement with us via written notice on 22nd January, 2009 per the email below. The same notice was sent to you via hard copy to:

    Jik Chu
    8F, Kric B/d,
    #80 Susong-dong,Jongro-ku,
    Seoul110-733
    Korea

    Pursuant to this note, your arrangement with the Company was terminated as of that date and, consequently, we do not owe you for any services or expenses incurred subsequent to 22 January 2009. I have been informed that your November-December 2008 expenses have been paid.

    I am very sorry that I was unable to meet with you on my last trip but since I hadn’t heard from you following our official notice of your cancelled contract, I incorrectly assumed that you did not wish to remain in contact. I would however, like to reiterate that I have the highest regard for you and would very much be interested in keeping in touch, including a drink the next time I am in Seoul.

    Best regards,

    Kent
    ————————————————————————————————————————————————————————————————————————————————————————————————————————————-
    From: Kent Ertugrul
    Sent: 22 January 2009 15:32
    To: Jik T. Chu ()
    Subject:

    Hi Jik,

    I’m sorry for the delay in getting back to you. I wanted to let you know that after further deliberation we have come to the conclusion that we will need to terminate our advisor relationship with you per our earlier conversation. While we’re not in a position keep you on as an advisor, we are willing to provide you with the following equity opportunities that I outlined on the phone.

    The agreement setting forth the above described terms will also include a release and mutual non-disparagement clause. The non-disparagement clause will provide for the termination of our agreement to provide you with any shares in the event you speak negatively about Phorm. We will send you a draft of the agreement shortly.

    While we’re not obligated to offer you these benefits, we are doing so in recognition of your efforts to-date. We greatly appreciate your commitment to Phorm and look forward to jointly reaping the benefits of our future success.

    Thank you again and I look forward to meeting up in person on my next visit to Seoul.

    Regards,

    Kent
    Kent Ertugrul
    Founder & CEO
    Phorm, Inc.
    London M: +44 (0)7788 718 770
    New York M: +1 646-709-4800

    http://privacy.phorm.com/email_confidentiality.php

    —– Original Message —–

    From: ???
    To:

    Sent: Friday, February 27, 2009 6:44 PM
    Subject: Termination — Jik T. Chu

    Hi Kent,

    Since you called me earlier in Jan., and informed me your wish to terminate my service, after some discussion, you asked me to write you an email, which I did. I have not received any reply to date.

    I wrote, if you recall, that I have a special event in Phorm’s behave for the ISP scheduled in March; and if no positive outcome results from such effort I would leave Phorm on my own cognizance.

    I learnt from Dr. Choi, Dong Hoon that you visited Seoul earlier this week, but missed seeing me due to your busy schedule. It was especially disappointing since it should have given both of chance to sit down, even for a moment, and discuss termination of my service. To me, it is a simple business courtesy.

    I don’t want to be left feeling like leaving wash-room without washing hand. I rather make a clean break if we must, like good businessmen.

    I have looked into the Termination clause in the Consulting Agreement:

    — Quote —

    5. Term. This Agreement shall commence on the Effective Date and continue until terminated in accordance with this Section (the “Term”). The parties agree that either the Company or Consultant through written notice may terminate Consultant’s engagement under this Agreement at any time for any reason or for no reason. The Company and Consultant agree that Consultant is an “at will” consultant and upon termination of this Agreement, the Company shall have no further obligation to Consultant, other than to pay Consultant for all accrued and unpaid compensation and expenses.

    — end of Quote —

    Please consider this email as the written notice by me to terminate the Consulting Agreement as of Feb. 28th., 2009.

    I’d expect my pending invoices for the service provided for Feb. 2009 and expenses occurred in Nov. – Dec., 2008 to be paid immediately according to the Clause, in red above in “Terms”.

    I forego all of my vested equity position in Phorm, Inc.

    I will immediately start informing my contacts in the ISPs, and the party who is organizing the special even with the ISP that I have terminated my service with Phorm, so there shall be no confusion.

    all the best,

    jik

    –end of quote–

    It is obvious that Kent is trying to avoid paying the consulting fee for Feb., which is due if the Consulting Agreement is terminated on Feb. 28th., as I wrote on Feb. 27th. Kent wrote to me in March saying that he wrote to me on termination in Jan., and a hard copy was sent. I have received none. Therefore, asked Kent to send either courier receipt of the hard copy of the Termination notice, or forward the email he said he sent in Jan. To date, I have not heard from him. How long does it take to forward an email you have previously sent?

    It seems that he created the email termination notice he said he sent to me in Jan. and attached it to his email to me in March. The Sent: line does not show the date of the week which always appear on forwarded messages. It is shocking if Kent, CEO of Phorm, stooped that low to forge an email to save a small amount of cash. He recently fired most this board members and CEO of the Phorm, US, along with 90+ of his staff in the US. He also fired his COO in UK and CFO in UK. I think he is really desperate, and only thing he could think of now is his own survival.

    But I really think that in business, straight talk and mutual trust are more important than simple business success and failure, especially in Korea.

    Well, I think I rambled too long. But I spent the time to write this piece to alert people who are working for Kent in UK and US to be aware of this man’s true nature, and also alert those Korean who will come in contact with him that he is not to be trusted.

    I will appreciate if you find time to post it.

    all the best,

  2. One more point about the opt-out. As I understand it the cookie does not opt the user out from the search of their browsing history. It opts the user out of receiving targeted ads.

    An analogy of this service is with “snail mail”. I pay the Post Office (or courier company) to send a letter. I do not expect them to open the letter, scan it for possible keywords then insert appropriate advertising material. Some online services will do this (e.g. Gmail) but then if I use this service I understand that I am receiving a service for free because of the advertising. In this case the ISP is making money from something I have paid for, and feel I have a reasonable expectation will remain private, without providing any additional benefit to me.

  3. In the second response in the is thread, Marc wrote: “Phorm, in case you don’t know yet is opt-in by design. When rolled out at your ISP you won’t need to do a thing, it will just be on.” If you are signed up without doing anything and need to do something to sign out, this is “opt-out”. From an internet user’s point of view, Phorm is “opt-out” by design. (And the “out” is really another kind of “in”, it seems.)
    You could say that the ISP opts in for all of its users, but that’d be stretching a point. I’d be interested in how a lawyer reads the contract between ISP and consumer; I should hope that the typical ISP is not authorized to subscribe its customers to this service without individual confirmation.

  4. Harlan Yu says

    Joe: There could be a measurable difference in how much effort it would take to identify a specific individual, and from a research perspective, it’s interesting to think about how one would go about measuring that. This seems like a difficult task though since we can’t even determine whether a particular dataset is fully depersonalized (i.e. one end of the scale for whatever metric is used). In comparing the Phorm and AOL datasets, advertisers are defining the Phorm categories, presumably arbitrarily, so they might be more similar than we would think.

  5. With an “opt-out” cookie as well as ID information, Phorm is building a really high-quality infrastructure for others as well as themselves to track the surfing habits of all of an ISP’s customers.

    (Oh, and the estimate of 5000 users per channel appears to be a total-users number, not a number at any given moment. So individual tracking should be perfectly plausible in sparse geographic regions or during low-usage times.)

  6. Tony Lauck says

    All web sites that have any concern about privacy ought to accept SSL/TLS connections. A very important web site in this regard is Google, for exposure of searches provides broad privacy leakage. Unfortunately, connecting to Google with HTTPS results in a redirection to HTTP.

    If you are responsible for a web site, does it accept HTTPS connections?

    ENFORCE THE END-TO-END ARGUMENT WITH END-TO-END ENCRYPTION!

  7. Anderer Gregor says

    I don’t care what they say they will store or not. What I care about is that they scan the URL of each web site I am looking at (or my browser prefetches, or whatever). Because my ISP spies into my TCP packets, searches for HTTP requests, and looks at the GET field, and sends them to phorm, together with a UID, be it a random number, my SSN, or whatever. This is unacceptable.

  8. The second protection mechanism is a randomly-generated ID number stored in a browser cookie that Phorm uses to “anonymously” track a user as she browses the web.

    This cookie should be easily detectable. Thus ISPs cannot hide the fact that they use Phorm, putting consumers in a position to build “name and shame” lists of Phorm-equipped ISPs. Anyone bothered by the sale of their private data can exercise their free market choice and move their money to a non-Phorm ISP.

    Has anyone got a quick and easy detection procedure?

  9. Anonymous says

    @Joe

    I’m not sure Phorm even keep the actual keywords. I thought they had category definitions that had to match at least 5000 users before ads could be served – this was mentioned in TheRegister article. So all they retain is my UID and a match with the “Paris vacation” category. This category might have the keywords “Paris” “vacation” “holiday” “hotel” “flight” and some URLs and your search or the web page you visit might only match some of these keywords or URLs. So even though they know you match the “Paris vacation” category, they may not know why, or which particular keywords or URLs triggered your match. It would be interesting to see if a data set like that could actually be deanonymised.

  10. Hi Harlan, don’t you think that there is a measurable difference in privacy impact between the AOL case and the Phorm case (that is, between keywords and raw search queries)? Would be neat to calculate some uniqueness and specificity metric for each case’s users and use that to make conclusions about identifiability.

  11. A cookie like that will register as a tracking cookie as far as anti-spyware apps are concerned. It wouldn’t be too difficult to block it from coming back once you know where it’s coming from.

    On the other hand, researchers for traditional media like Nielson compensate willing participants in exchange for monitoring their viewing habits. I don’t see why new media should be any different. It’s more work, but doing things properly usually is.

  12. Michael Donnelly says

    I assume they’re using cookies to identify said customers because, honestly, they have no other way of doing it. Although an IP address as a method to lookup opt-outs seems fair, it may result in some people appearing to be opted out when they are actually not. Not a problem for consumers, quite probably a problem for Phorm.

    Back to the key point, it is surprising to see that they didn’t learn from the AOL fiasco – or if they did, they simply accept the risk and choose not to be stupid about the data. Still, any method to tie multiple searches together, even a random ID, can be easily used to back into actual identities. The searches have to not be tied together to a person – but that limits their usefulness as a marketing tool.

    I give it a 4 on the Mike D 1-9 scale. It’s a small company and it’s under a lot of scrutiny, but it still makes second tier on the This Innocuous Data Collection Will Become A Curse rule that has been applied so many times.

  13. This is not acceptable.

    Noble rhetoric there, Marc.

    But do you mean it?

    Or do you merely strut and fret your hour upon the stage? Thence to be heard no more? Your tale is full of sound and fury. What does it signify?

    Even though large tracts of Europe and many old and famous States have fallen or may fall into the grip of the Gestapo and all the odious apparatus of Nazi rule, we shall not flag or fail. We shall go on to the end, we shall fight in France, we shall fight on the seas and oceans, we shall fight with growing confidence and growing strength in the air, we shall defend our Island, whatever the cost may be, we shall fight on the beaches, we shall fight on the landing grounds, we shall fight in the fields and in the streets, we shall fight in the hills; we shall never surrender, and even if, which I do not for a moment believe, this Island or a large part of it were subjugated and starving, then our Empire beyond the seas, armed and guarded by the British Fleet, would carry on the struggle, until, in God’s good time, the New World, with all its power and might, steps forth to the rescue and the liberation of the old.Winston S. Churchill.

    During the crypto wars, the powsers decried strong encryptation as a munition of war. You have been handed a weapon. Will you use it to defend your ancient freedom? Will you fight?

  14. Phorm cites two major advantages for the customer;

    1. Irrelevant adverts will be replaced with relevant adverts.
    2. Phorm helps to protect users from phishing attacks.

    Whilst both of these points are currently receiving plenty of media scrutiny at present, something I feel that is evading the spotlight somewhat is how Phorm let users opt-out.

    Phorm, in case you don’t know yet is opt-in by design. When rolled out at your ISP you won’t need to do a thing, it will just be on. To unsubscribe every browser (not user, an important distinction) must goto the Phorm owned webwise.com website and manually opt-out, this means telling each browser to retain a small amount of information called a cookie that will be sent to every website it loads subsequently. Phorm will watch out for that cookie and ignore that particular browser as long as it detects that cookie.

    This is sufficient you might think, but let us be clear on an assumption many people have, when you opt-out of something you expect only to do it once. If you make a subscription, to cancel it you get in touch with the company and tell them you no longer wish to receive your subscription. You do this once, end of story.

    With Phorm things are a little less simple, you see if your browser doesn’t send that cookie then as far as the Phorm system is concerned you are a willing participant, a subscriber, so should your browser ever forget about that cookie, you automatically become opted back into Phorm.

    The problem with this is that cookies were not designed or indeed ever indented to provide persistent storage on the browser, which is why it is so easy to clear them. Clearing ones cookies is perfectly rational and acceptable behaviour, many users and software alike pro-actively clear cookies, the net effect of doing so is clear and links that browser had with any websites, effectively performing a mass log-out of any websites that browser had visited.

    Clearing the cookies in a browser is perfectly reasonable, common and indeed innocuous user behaviour. The commonly understood effect of clearing cookies is that it performs a mass unsubscribe, and ties that had been created by a browser and any websites it had visited are broken. A cookie indicates a subscription, a clear desire to be remembered or identified by a website, to be remembered. When a user clears their cookies they have a desire to break this association.

    Phorm uses cookies in reverse, when a user clears their cookies they opt-into Phorm.

    So even if a user has chosen to opt-out of Phorm, the innocuous and common action of clearing the cookies in your browser instantly re-enrols you back into the Phorm system.

    The developers of Phorm know this well, it means that the user has to make a constant and concerted effort to stay unsubscribed and it ensures ensure maximum user participation, even amongst users who have previously chosen to opt out, there is a good chance at some point in the future they will inadvertently opt-back in without realising it.

    This is not acceptable.

  15. Harlan,

    It’s too late to be content with mere talk.

    Instead of metaphorically wringing your hands about intolerable user tracking, teachpeople how to actively resist.

    AFAIK, Tor is a complete defense to Phorm.