Bits: Phorm’s All-Seeing Parasite Cookie

Back to front page »

By Saul Hansell

Cookies have gotten a bad rap. They are a little bit of Internet technology that has been associated in some strands of popular discussion with the darkest strains of Big Brother online. In fact, cookies do help some Internet companies track some information about users, but there have been significant limitations on what they could see.

One interesting aspect of the plans by Phorm, a company building an advertising targeting system, is that it has found a way to make cookies do what so many feared they could: track every page you visit on the Internet.

Phorm has deals to work with the three largest Internet service providers in Britain, and it is trying to establish similar arrangements in other countries including the United States. Because Phorm’s system can actually watch all the traffic to and from your computer, it can modify cookies in ways that haven’t been used before.

The point of all this is to follow users around the Web without tapping into the I.S.P.’s database of user names and other personal information. I wrote earlier today about how NebuAd, a Phorm rival more active in the United States, uses Internet protocol addresses for the same purpose. It is worth getting these technical details on the record because the debate about what these systems should do is bounded by the sort of information they can and can’t get access to.

First a little background on cookies: A cookie is a very small bit of text that a Web site you visit puts on your hard drive and can read again. Usually the cookie is simply an identification number, although sometimes it holds actual information. It lets sites identify all the pages visitors see, and helps with remembering items in a shopping cart, for example, or other forms of personalization.

Cookies were not meant to tell one site what you did on other sites. By definition, a Web site can only read the cookies that it left, not those left by other sites. And the site can only read those cookies when the browser is reading information from that site.

As companies have wanted to track online behavior, they have found some ways around this. Any single Web page you see may have information drawn from several Web servers, each of which gets to put its own cookie on your computer and to check if it has left a cookie there before. Increasingly, advertising networks, like AOL’s Advertising.com, place invisible, one-pixel-square images on Web pages of sites they work with, in order to use cookies to keep track of which users have visited the network’s sites and under what circumstances. But this is still fragmented information. Advertising.com only can build a file of behavior on sites that choose to enable its invisible cookie.

Phorm gets around these restrictions by piggybacking its cookies on the backs of those left by other sites. Phorm installs equipment at the I.S.P. that intercepts the user’s browser when it visits a Web site for the first time. It redirects the browser to Phorm’s own site. That way it can place and read its own cookie with a Phorm identification number. It then appends this number onto the cookie of the other site, say Google or Yahoo. It does this without the permission of that other site.

The point of this odd exercise is to be able to monitor users but not slow them down. Once a user’s cookie from a given site, say Yahoo, is marked with Phorm’s own number, the next time the user visits Yahoo, Phorm can record that information without having to read its own cookie. (By the way, Phorm strips this extra number off of the cookie before it is sent back to Yahoo, so sites don’t know their cookies are being used this way.)

If you follow all this, it raises troubling and heretofore unexplored questions about who has rights to do what with cookies. Is it acceptable for Phorm to ride, almost like a parasite, on a cookie set by another company without its permission?

Kent Ertugrul, Phorm’s chief executive, says it is acceptable, because the users are notified about Phorm’s system and given the opportunity to opt out, and it is their computer on which these cookies reside.

There are a couple of other interesting aspects of Phorm’s system that I’ll get to in another post.

The most acute parasitic effect comes from the effect on web sites that carefully author, edit, structure, organise, and present their texts.

Phorm’s vile parasitic software gathers information about the visitors who view that data, and then uses it to assist lazier competitors advertise their offerings.

†Posted by Pete

Choose an ISP who doesn’t snoop on you for its own financial gain…

The differentiators between ISPs are about to become more marked.

It’s not just about levels of reliability, speed, bandwidth and price, but now also the sanctity of your private browser data. Some ISPs want to snoop on your browsing to line their own pockets, using the browsing history you create and that should belong to you.

You know what to do: ditch them immediately, and exchange them for an ISP that respects your private data.

†Posted by Ged Stephens

Well done for raising the issue. We don’t want it in the UK, and it’s coming your way soon!

You can follow the debate here :-

http://www.badphorm.co.uk/page.php?2

Look for the links under news. We think this is clearly illegal under UK and EU law, and the markets seem to agree!

http://www.iii.co.uk/investment/detail?code=cotn:PHRM.L&display=chart&it=le

†Posted by Mark V

The act of intercepting the cookie in the first place, is illegal under UK law

The act of intercepting the clickstream data is also illegal.

See http://www.inphormationdesk.org/

For more info on the phorm system.

However the bottom line is that NOBODY has the right to intercept my website data, change my work and gain a profit from it.

It is not right and needs to be stopped now.

†Posted by colin stone

Are we foolish enough to think that anything we do online is truly private?

Remember “Carnivore”?

†Posted by George

Ged Stephens has a very good comment, but where that logic fails is when ISPs have a local monopoly on internet services. In such circumstances, any consumer protections that would arise from a free market are essentially nullified: it’s either buy their service, or don’t and stay off the internet. And this situation is not as uncommon as one would hope, especially in more rural areas. Users in these areas have no alternative but to put up with what their service providers subject them to.

I personally live in an area in which Comcast has a local monopoly, and I know that I would feel better if there were some legislation in place regulating the practices of ISPs.

†Posted by Bryan Gillespie

Overreaching commercial interests will ultimately fail due to their own flawed business plans. Unfortunately, most companies believe the average person’s apathy relative to privacy, means they can keep taking and taking and taking. I believe we are reaching the breaking point where people are going to revolt (likely figuratively, not literally) against both government and commercial interests that have misappropriated their private information. Everyone needs to start pushing back now, before we lose what little privacy we have left.

†Posted by Jack G

Wouldn’t there be easy ways to workaround this cookie? Like by disabling all cookies in IE or Firefox, or using a private browser. Although it is a serious violation of my privacy, I would do my best to find my way around the cookie and avoid giving my info out to advertisers, because that’s the last thing the internet really needs, smart, informed advertisers.

†Posted by Eric

Whether it’s legal or illegal is immaterial. They’re doing it, and no one is stopping them. In the US, the FCC is far more interested in Janet Jackson’s wardrobe malfunction than in regulating privacy behavior. The Justice Department (now there’s a joke!) is busy firing Democrats.

There may be prodigious breakage of laws but if there is no mechanism of enforcement, then what does it matter? The Roman Empire has already declined.

†Posted by Ted Kanter

Anyone with an “open” mind will look past the histrionics of those posting here and elsewhere who seem to want to add Internet access to the ‘rights’ they believe they earn as citizens, along with free health care and other entitlements.

ISP service is NOT a right. It takes billions of dollars of investment to create, maintain and expand the worldwide web. Phorm, to its credit, has devised a technology that allows the ISPs to make a return on their investments that does not — repeat does not — violate the privacy of its customers.

Actually the Phorm system is both brilliant and simple. Some people hate it because it is so good. Phorm crimps the revenues of some existing Internet companies who stand to lose big time from the change. These entrenched companies are no more consumer friendly than Phorm, they simply are better known and therefore seem less spooky.

I recently read in the Times that Apple is now the #1 music seller in the United States. It got there by being more innovative and offering consumers a better experience. Some people hate Apple for that.

Phorm, too, will push past this period when people fear it and competitors wish to crush it. Soon, it will be one of the great Internet success stories of 2008-2009 and people will be singing a new tune: How Phorm used innovation to improve the Internet and help ensure its systemic health.

†Posted by Ken Harrison

Your headline is really quite wrong. Phorm’s technology is not an “all-seeing” cookie. It doesn’t see your IP address. It doesn’t see any Personal Identifiable Information. It doesn’t see your credit card information or your name or your email address or anyone else’s email address. It doesn’t see your interest in pornography or health issues or political sites or gambling sites.

In fact, Phorm is really quite blind to all but three pieces of very, very benign information. 1. That “a” user — it doesn’t know who, is… 2. interested in a topic that matches one advertisers desire….3. and when that user demonstrated that interest.

That is all the Phorm cookie sees. NebuAd sees much, much more. Google sees infinitely more.

Given how heated this issue is and how misinformed readers already are, your headline only adds heat — not light, to the discussion.

†Posted by Sandra Harwood

Privacy? If it was not invaded there would be no need for tools like:

http://downloads.zdnet.com/download.aspx?&q=cookie&docid=222749

Now we need tools for Phorm Zapper!

Although I’m not sure if it gets as simple as deleting cookies on exit from IE7 functionality, because then it would always be the first time you visit an specific site.

†Posted by VHMP01

This raises some serious privacy implications. Not all users of a computer will have the opportunity to vote themselves out of this system, or even realize that Phorm is intercepting and monitoring their communications. Once this is in place, it becomes only a policy change between “being informed and given the opportunity to opt out” and “mandatory participation.” I strongly disapprove of third-party interception of my data under any and all circumstances.

This brings up (again) the concept of “half-VPN” services that will create a secure, encrypted connection between your PC and their unmodified network, for a price. These services didn’t fare well years ago when they were first market tested, but maybe it’s time for them to return. It ultimately leads to the question: Should I have to pay for my privacy?

†Posted by John Todd

Turn on cookie management in your browser and don’t accept cookies unless you have to make something work, like a purchase or login.

Many web sites already put cookies on your system from 2o7.net and other companies that are used to track which sites you’re going to. Reject these cookies and you’ll foil this particular plot

†Posted by Alan Brown

Are you guys aware that Phorms predecessor company (121 Media) was involved with a Rootkit? This has been confirmed by Phorm’s current CEO, who was also involved with 121 Media.

Can you trust a company with these origins? - I wont!

†Posted by Cris Page

Whoa! Who owns my cookies? Certainly not Yahoo!, Amazon, Google and other web sites that place them on my browser. (Yes, it is “my” broswer folks.)

Here is the irony. Google puts a cookie on my browser and hence learns everything about me and stores it forever. (That information can be compromised alone with your privacy.)

Phorm “intercepts” the Google cookie and 100% anonymizes it. (That information is worthless in the hands of hackers and others of ill will. It contains no personal information.)

And when Phorm critics realize they can’t win the argument saying this is bad for consumers like me, they find a new argument: this is bad for those Phorm competitors who’ve worked so hard to put their cookies on my personal web browswer.

Boo, hoo. The equation is very simple. You want privacy? You want Phorm. You want someone to know everything, ever and forever about you? Stay with Google and other such cookie “bakers.”

As for Phorm being parasitic, how wrong, how double wrong can you be? A parasite “receives support, advantage, or the like, from another or others without giving any useful or proper return…”

Phorm gives users back their privacy. It sticks it to those other companies who exploit privacy. It lets users control their IP addresses and personal identifiable information. It helps ISPs earn the kind of monies required to keep the Internet working, without compromising privacy. It results in less Internet advertising and what advertising it does generate is more relevant.

Those are not the actions of a parasite. They are the well-planned actions of a 21st Century innovator. If only there were more like them.

†Posted by Brad Wright

Ken Harrison you are wrong. ISP service IS a right when I am damn well paying for it. I pay for the internet access I have and nothing gives Phorm and my ISP the right to illegally wiretap my internet connection just to push “more relevant adverts.”

They have broken laws already in the UK with the BT/Phorm secret trials of 2006 and 2007 which they did not have consent for.

†Posted by Stazi Republic Of Phormistan

”

Your headline is really quite wrong. Phorm’s technology is not an “all-seeing” cookie. It doesn’t see your IP address. It doesn’t see any Personal Identifiable Information. It doesn’t see your credit card information or your name or your email address or anyone else’s email address. It doesn’t see your interest in pornography or health issues or political sites or gambling sites.

In fact, Phorm is really quite blind to all but three pieces of very, very benign information. 1. That “a” user †it doesn’t know who, is… 2. interested in a topic that matches one advertisers desire….3. and when that user demonstrated that interest.

That is all the Phorm cookie sees. NebuAd sees much, much more. Google sees infinitely more.

Given how heated this issue is and how misinformed readers already are, your headline only adds heat †not light, to the discussion.

†Posted by Sandra Harwood”

Ok. This is (judging from the technical documentation I have seen) wrong.

The Phorm software DOES see all the information mentioned in ther article, and it (supposedly) disregards pretty much everything apart from a random number (to identify the user) and keywords. I say “supposedly” because the only assurances I have seen that the system does that are from Phorm themselves (who, in a previous incarnation, distributed a root kit to install and hide spyware) and people Phorm seem to have hired. Sorry, but I consider people a company has hired to say something to be Sales people, and certainly aren’t independent.

I am open minded. If it brings a demonstrable benefit (from what I have seen, “webwise” doesn’t do anything that the anti-phishing filters in modern browsers don’t, so that is not a benefit), is clearly explained to the users (including a disclaimer that browsing habits are monitored) and is opt in, rather than opt out, then I have no problem with it.

After all, if Webwise is a benefit, people will opt in even if they know the system will monitor them.

†Posted by Stuart Castle

Even if you ‘opt-out’ from phorm, they will *still* be able to see ALL your traffic/data on *all ports* as it passes though their profiler system and is ‘ignored’ and wont send you any ads. so it’s not a true opt-out.

†Posted by Kevin

Many users may not see or ever be aware of an “opt-out” system. If Phorm’s pervasive tracking system were implemented by my ISP, I would want to have it as an “opt-in” system. Phorm should also have to explain to me what benefit I accrue by allowing them to collect this information about me.

†Posted by Robert Angelo

Ken Harrison writes

“Anyone with an “open” mind will look past the histrionics of those posting here and elsewhere who seem to want to add Internet access to the ‘rights’ they believe they earn as citizens, along with free health care and other entitlements.

ISP service is NOT a right.”

No sir, but privacy is. This debate is about privacy.

†Posted by Skeptic

I note that the “supporters” of Phorm have arrived on the blog attempting to convince us that it is a Good Thing.

ISPs who wish to survive should offer a good service at a fair price, not resort to spying on their own customer’s private browsing so that they can sell that information for their own benefit.

If people’s browsing is to be snooped on and monetised, the people themselves should be the ones benefiting.

What the heck has it got to do with the ISP? It’s not their data to sell!

Face it, no one trusts these data snoopers, and with good reason. They want to sell your data for their own benefit, not for yours.

Look at this: http://en.wikipedia.org/wiki/Phorm#Marketing_Team_Admits_Tampering_With_Wikipedia_Entry

Would you trust these guys?

†Posted by Garry

“These entrenched companies are no more consumer friendly than Phorm, they simply are better known and therefore seem less spooky.” :Ken Harrison

They are more consumer friendly, they offer more to the end user for their data be it a free email service or cheaper prices or “money off” rewards. Phorm offer none of these benefits and instead try to pass off a phishing service which is embedded withing all modern browsers and targeted advertising as huge benefits for being able to see everything you do online.

“It doesn’t see any Personal Identifiable Information. It doesn’t see your credit card information or your name or your email address or anyone else’s email address. It doesn’t see your interest in pornography or health issues or political sites or gambling sites.”: Sandra Harwood

This is also untrue. The Phorm software installed at the ISP sees all of this info and while they currently say they discard such info, changing it so it *does* track this info would be simple and easy to do.

†Posted by No Phorm

#18 Stuart Castle, writes: “The Phorm software DOES see all the information mentioned in their article, and it (supposedly) disregards pretty much everything apart from a random number (to identify the user) and keywords. I say “supposedly” because the only assurances I have seen that the system does that are from Phorm themselves (who, in a previous incarnation, distributed a root kit to install and hide spyware) and people Phorm seem to have hired. Sorry, but I consider people a company has hired to say something to be Sales people, and certainly aren’t independent.”

Stuart, may I direct you to a report written by Dr. Richard Clayton of Cambridge University, an avowed critic of Phorm. Dr. Clayton and a colleague visited with Phorm last week and then wrote a 10-page report on his findings. Yes, he still hates Phorm. But he also wrote, “Phorm argue (sic), with some justification, that their system does not permit them to identify individuals and that they meet and exceed all necessary Data Protection regulations — producing a system that is superior to other advertising platforms that profile internet users.”

You should read Dr. Clayton’s entire report. While he openly dislikes Phorm, he cuts through a lot of the fog and hype and shows that most of Phorm’s critics do NOT have their facts straight.

No one will have to take Phorm’s word on privacy. The company has agreed to allow its biggest critics, such as Dr. Clayton, to drop in and inspect Phorm’s technology when they like.

Will Google do this to ensure privacy? Will Yahoo! Will The New York Times?

Elsewhere on this blog someone refers to “Phorm supporters” weighing in here. I suppose they intend that to include me. But I’m NOT a Phorm supporter. I’m a supporter of free and fair enterprise. So long as Phorm plays fairly, it should be allowed to compete. Those who think Phorm is the biggest threat to personal privacy on the Internet have either not done their homework or simply don’t want to let the truth get in the way of their rants.

†Posted by Sandra Harwood

The commenters using the names Ken Harrison and Sandra Harwood above are posting from the same IP address. Sandra Harwood and the person using the name Brad Wright both have e-mail addresses at the same obscure e-mail provider. Readers are encouraged to evaluate their comments accordingly. Commenters are encouraged to disclose their affiliations when relevant.

†Posted by David F. Gallagher N.Y. Times

Comments are moderated and generally will be posted if they are on-topic and not abusive. For more information, please see our Comments FAQ.

All NYTimes.com Blogs »

Can the Wireless Industry Handle Hip?

Almost everyone at the CTIA conference last week seemed to be musing about how mainstream the wireless industry was becoming.

Mitsubishi’s New LaserVue TVs: First Impressions

Mitsubishi created a side-by-side view-off with comparably sized high-end LCD and plasma sets to show off its LaserVue rear projection TV technology. The screens were brighter, but will that be enough to lure consumers?

Phorm’s All-Seeing Parasite Cookie

Phorm, the Internet company that wants to display advertising based on where people surf, has developed a variation on the cookie — code numbers stored by Web browsers — that can help track far more information than cookies have before.

Is Yahoo’s Letter the First Concession?

In its latest letter to Microsoft, Yahoo doesn’t even try to argue it will be better off as an independent company. It simply demands more money.

NebuAd Observes ‘Useful, but Innocuous’ Web Browsing

NebuAd says it has deals to monitor the Web surfing activity of 10 percent of the people in America. It is building a file that will associate each of those users–identified by the Internet Protocol address–with 1,000 potential interests.

Bits offers news and analysis on the technology industry throughout the day with posts about the inventors and dealmakers trying to master and profit from the digital age. We cover start-ups, giant enterprises, government policies and the way technology is used around the world.

Tell us what you like, dont like and want to read more about.

Send us e-mail with your comments

For news tips and press announcements, please use the e-mail links on the blog home page to reach our writers and editors. Feeds   Home World U.S. N.Y. / Region Business Technology Science Health Sports Opinion Arts Style Travel Jobs Real Estate Autos Back to Top Copyright 2008 The New York Times Company Privacy Policy Search Corrections RSS Help Contact Us Work for Us Site Map var gtrackevents=false; var gdcsid="dcs591klg00000c97pblfraeo_7p3p"; var gfpcdom=".nytimes.com"; var gdomain="wt.o.nytimes.com";

Tag Cloud

External Information

Additional Information

Where Am I?