Video: Phorm CEO rejects allegations of 'big brother' tracking


Yesterday I recorded a half-hour video interview with Kent Ertugrul, the founder and CEO of Phorm, the AIM-listed ‘behavioural targeting’ company that will track users at the ISP level for the purpose of targeting advertising. ISPs that have signed up, but have yet to launch with Phorm integration, include BT, TalkTalk and Virgin Media. Publishers will include iVillage, Universal McCann, MGM OMD and Unanimis.

The launch of the company’s product has been hugely controversial amongst privacy advocates, given that it is using a technology known as ‘deep packet inspection’ to literally follow the customers of its ISP partners around on the web, serving advertising based on the user’s surfing habits. At the core of the Phorm product is a cookie which Phorm says users can openly opt in and out of, and which – they say – is incapable of identifying the user. However, the company has come in for widespread criticism, with The Register and The Guardian both looking closely at the company’s claims, to put it mildly. They cite commentators who say that users could be identified by Phorm’s technology. There is even a petition on the Prime Minister’s web site against Phorm.

In order to give Phorm a right of reply I put many of these questions to Ertugrul in the interview. The video is available here and embedded above.

  • Armand Rousso

    Very close friend of Kent, I really enjoyed understanding his vision of the future. Armand Rousso

  • John K

    A pity the interviewer did not seem to understand the real issues. It is the ISPs that breach RIPA, not Phorm. It seems the ISPs send your browsing history to Phorm even if you have opted out.
    This includes the content of webmail and any other private or sensitive info on the web pages you view. You have to entrust all this personal information to a man who appears as the top hit in a Google search for ‘former spyware boss’. He promises that he will only use it to serve up ads to you.

  • Mark Thompson

    A good interview. I’m still very far from convinced though. Maybe I can never be convinced; my core belief is that on principle alone this is just wrong. Even if what we are being told is true, then I still have issues with profiling based upon customers’ browsing habits, whether anonymous, unhackable, untraceable etc. It just seems wrong.

    As the person who started the online petition it was interesting to see Kent’s take on this. To a certain extent my anger is more with the ISPs rather than Phorm, although I do find the technology distasteful. I’m not sure I agree with his analysis that those who sign are split into 2 camps, those who dislike adverts and those who are concerned with privacy. I myself am concerned with both advertisements and privacy. I also think that if this system were to become a success we would find more and more adverts being piped into us, so the claim that we would see more ‘relevant’ advertising may have some truth, but it fails to address the problem with regards to the volume of advertising, whether relevant or not.

    I also have grave concerns at the way this product is now being marketed as almost a security product, I think this is misrepresenting the true nature of the product.

    At the end of the day I still have so many concerns about the technology, the way it is being implemented, and what it means for the future with regards to internet usage and customer privacy. But to keep it simple, I as an individual will be leaving Virgin Media and going with an ISP that has nothing to do with Phorm unless the following criteria are met:

    1). The system becomes an opt in system with no reliance on having to have a cookie on my machine in order to bypass the Phorm process.

    2). Receive assurances on the security side, my preference would be for a full review of this technology to be held looking at the technical side and not just the procedural side.

    3). Receive assurances on the future direction of this technology including the scope for expansion with regards to the data gathered, data retention methods and intervals, growth of advertising categories. To sum up, I’m seeking assurance on where this will go in the future.

    4). See technical proof that the system in no way compromises performance whilst browsing. It seemed as though this issue was rather skimmed over; how can they possibly say there is no performance impact? If all this data processing and profiling is being done before web content is delivered to me then surely it must slow things down? What happens if any of the Phorm equipment breaks down, will this be another link in the chain that can cause potential loss of internet connectivity or performance degradation etc.?

  • PhormUKtechteam

    Kent Ertugrul – Phorm CEO online interview

    There’s been quite a lot of interest and discussion following the announcement of the Open Internet Exchange (OIX) and Webwise from Phorm. The company’s CEO, Kent Ertugrul will be available to answer your questions in a live web chat via the Webwise site at on 6 March 2008.

    Between 8.30 pm and 9.30 pm tonight, Kent will cover recent announcements from Phorm and give you a chance to ask the founder exactly how Phorm is revolutionising the Internet through more effective anti-fraud technology, more relevant advertising and a new gold standard in privacy. For further information, please visit or

  • Pete

    So many questions to ask your ISP:

    1) Ask your ISP why you can’t opt in
    2) Ask your ISP to publish Phorm’s ‘white list’ of the user agents
    3) Ask your ISP to publish a list of the websites excluded from Phorm
    4) Ask your ISP to disclose the specification of the Phorm UID cookie
    5) Ask your ISP when your ‘opt out’ cookie expires, it is not perpetual
    6) Ask your ISP how blocking ‘opt out’ cookies will protect you from opting in
    7) Ask your ISP not to process your personal information for direct marketing

    Until this stops, or gets stopped, you can get limited protection from Phorm by using a Firefox plug in.

    Don’t let your ISP do this to you.

  • Marc Porcelli

    I have been blogging about Phorm and ISP based advertising on and wrote again about this today. I will include the post as readers of this story may find it interesting.

    ISP Targeting Ad Company Phorm Gets Targeted
    March 23, 2008 – 1:37 pm

    Phorm, which is an ISP targeted advertising company in the UK, is looking to expand into the US market. The New York Times last week ran an update on the company’s efforts in the US market stating “[Phorm] is trying to negotiate deals with telephone and cable companies, like AT&T, Verizon and Comcast, that provide broadband service to millions”.

    In the UK, Phorm already has partnerships with three major Internet service providers covering some 70% of British households. In the US, the challenges will be far greater. Companies like AT&T and Comcast are not going to be so eager to open up their networks for several reasons. First, the technology is in its infancy and is largely unproven. Secondly, it’s controversial, and after Facebook’s disastrous efforts with Beacon, companies will think twice before targeting users’ personal, although arguably in Phorm’s case non-identifiable, information. Lastly, companies like AT&T and Verizon simply don’t need the revenue. The risks outweigh the potential (unproven) gains.

    Regardless of the current US conditions related to ISP targeting, there are organizations out there that have employed and are actively using this technology. Phorm argues that it has technology that protects web users’ privacy by associating a random number with a user’s Web surfing usage. This random number acts as the identifier through a cookie placed on a person’s computer and saves the user’s number to be placed into an advertising category to target ads towards. Advertising can then target ads based on the individual’s usage and Phorm categorization.

    These are sold as “micro-targeted” or “ISP-Based Behavioral Targeting” with the promise of higher CPMs for publishers and higher CTRs for advertisers. These “highly relevant” ads have proved themselves ineffective. Advertisers can expect to pay anywhere from $4.00 – $12.00 for this “cutting edge” technology which delivers no greater CTRs and only higher CPMs.

    The only success to date is the fact they have generated controversy but little if any actual, quantifiable results.

  • phormwatch

    I recently came across a comment on Slashdot which I think many users might find interesting and informative. It was written by a user called ‘anticypher’. It is not my own.
    Here is the post:


    Here are the notes I took from a sales pitch to a client. Although NDAs were passed around, all of the technical and business consulting staff refused to sign them, so this information is freely available and can in no way be considered a trade secret. Some of my notes come from other people’s observations in the ensuing PR war. Phorm’s sales teams have been aggressively targeting large ISPs with low margins around Europe and the US in the last year or so. They only pitch to board level decision makers, and like to avoid providing any technical detail whenever possible.

    Phorm has hired a specialty PR company, Citigate Dewe Rogerson [] to alter public perception of any complaints found in blogs, news programs, and on technical sites. They have been aggressively pasting boilerplate responses about the legality of the system, using carefully sanitized language to obfuscate the debate. The company specialises in mastering public opinion as part of crisis management during corporate fiascos. They may be employing a few companies like this, I’ve seen Dutch, German and French language follow-up posts in the last few weeks.

    Phorm has addressed the main part of pesky privacy laws in Europe by “gifting” the collection equipment to the ISP using a standard 5 year depreciation schedule. The interception and initial filtering kit officially becomes property of the ISP, but is installed, maintained, configured and run by Phorm’s technical team. If the equipment stays 5 years in the ISP’s premises, then it becomes the full property of the ISP. The ISP can claim to privacy oversight groups that the equipment belongs to them, and that all the personal information hasn’t left their network should post-analysis show the customer has “opted-out” of passing the information to Phorm’s China-based servers. The data is still captured and analyzed, just not all of it is passed to Phorm.

    The Phorm collectors sit inside the ISP’s network, and collect all internet traffic from all clients all the time. Web traffic is directed to machines that analyze the request, and respond with some HTML code redirecting the browser to one of the many domains operated by Phorm. The code can be customised depending on browser string to put an invisible iframe or other HTML structure surrounding the subsequent web pages. The redirect is to trick the browser into sending cookies associated with one of the many Phorm domains, and to accept new cookies. Once the cookies are read and re-written, more HTML code is sent to once again redirect the browser to try the original request, which then passes through the ISP’s network to the internet. This is how Phorm claims to read the opt-out cookies should they exist. No cookies returned is considered opt-in at this point.

    The problem I, and others, had with Phorm’s plan was that they leave some kind of HTML trick code running in the browser session to track all subsequent web traffic and to allow them to intercept anything they believe to be relevant.

    As an example, let’s take an ordinary, un-intercepted session to The browser sends an HTML request to the slashdot servers, which respond with code asking about cookies which can be used to display a customised page for logged-in slashdot users. The browser can’t be tricked by slashdot’s servers to return cookies from digg or google.

    With Phorm, the initial HTML request to gets intercepted by the Phorm equipment, which responds with a 302 redirect to, the browser then does a lookup and redirect to the new site. Note that at this point, no traffic has managed to escape the ISP and get to the internet. At this point, the Phorm interceptor machine can also respond to the DNS lookup for with the correct address for, to prevent any kind of local firewalling based on known bad networks. The browser tries to get to with the new address, and once again the Phorm equipment returns some HTML code. This is where the serious trouble begins: the code can be just about anything, javascript, iframes, cross-site scripting attack, activeX exploits. The code can be used to read and set cookies, add some javascript in an iFrame to survive no matter where the user browses to, etc. It’s a malware writer’s wet dream, to have complete control over the TCP stream the browser sees before the user ever gets to the internet.

    Once the browser has been sufficiently hijacked, another 302 temporary redirect can be injected into the browser session using the original HTTP request, so the user sees only a slight delay before reaching their intended website. Given the glacial speeds most UK networks operate at, an extra half second delay is not going to be noticed by non-technical types.

    More fun is now to be had, as the page returned from the website can also be copied and analyzed by the Phorm intercept kit. If you log onto a private website, the Phorm kit can see the entire contents. This means a user checking their webmail on the local ISP’s server (without an SSL session since it isn’t going over the internet) can have the contents read and analyzed by Phorm.

    Where the storm of controversy comes from is that technically apt people (like slashdot’s readership) are beginning to understand just what an internet stream hijack implies. It means that Phorm can not only read all your web traffic, they can intercept all the traffic near the headend of your broadband connection and read anything. They can read your IM sessions, they can read your email, they can get it all.

    Now, at this point, the über-technically adept point out encryption, certificates, Man-in-the-Middle attacks and the like. True, https sessions, encrypted IM, TLS protected POP&IMAP and other protected protocols give some protection from snooping on the content, but not much “signals analysis” protection. They can still snoop on your DNS traffic, even if you run your own local caching server or use OpenDNS or AlterDNS. They can still see what the end points of your encrypted tunnels are. Sure, you could tunnel all your traffic to a remote VPN server, but how many of you do that now? How many average users would even bother?

    I was going to insert a long analysis of how they analyze and claim to anonymize the data collected, but this post has gone way too long for slashdot. Maybe another post another time.

    I will add that the people behind Phorm have been developing and selling malware and adware for a number of years, and apparently made enough money off of an impossible-to-uninstall adware toolbar to fund this latest push into malware distribution. Their programmers are mostly Saint Petersburg based, home to the Russian Business Network []. Their servers are kept only in Saint Petersburg and China, so no ISP customer data is ever stored in the UK. Any personally identifying information they obtain about UK citizens can never be seen or purged using existing UK Data Protection Laws. They run under dozens of different domain names; the name of the company has changed from PeopleOnPage to 121media and recently changed from to Phorm. This is typical of a company that knows it will have to shed its tarnished brand every year to stay ahead of public outcry. I expect they already have their next brand lined up when they need to burn the Phorm brand.

    Sir Tim Berners-Lee has seen their presentation, and held a press conference yesterday to try to stop the practice cold. Even if Phorm is stopped dead tomorrow, the business conditions and legal loopholes are still present to encourage ISPs to try this again and again, and it will certainly be much worse in the US where there is absolutely no legal protections at all, and a ready market for personal data.

    the AC
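The sequence anticypher describes (a request for site A answered, before it ever reaches A, with a 302 to an unrelated domain that reads and sets cookies and then 302s the browser back to A) has a recognisable shape in a browser's or proxy's own redirect history, and Pete's point that the ‘opt out’ cookie has an expiry is visible in the same data. The script below is an added example written for this page; it is not code from the original post, from Phorm or from any ISP. It runs over a constructed redirect chain with placeholder hostnames (`example.org`, `tracker.invalid`), uses a deliberately naive "last two labels" notion of a site (a real tool would use the public suffix list), and flags three things a defender would want to see: an off-origin redirect, a third party bouncing the browser back to the origin, and any opt-out cookie whose lifetime is finite.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Hop:
    """One request/response pair, in the order the browser saw them."""
    url: str                                    # URL the browser requested
    status: int                                 # HTTP status it got back
    location: Optional[str] = None              # Location header on a redirect
    set_cookie: List[str] = field(default_factory=list)  # raw Set-Cookie headers


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: good enough for the demo."""
    return ".".join(host.lower().split(".")[-2:])


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Minimal Set-Cookie parser: (name, value, {attribute: value}), attributes lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def analyze_chain(hops: List[Hop]) -> List[str]:
    """Flag an off-origin bounce and the cookies it leaves behind."""
    findings: List[str] = []
    origin = registrable_domain(urlparse(hops[0].url).hostname)
    left_origin = False
    for i, hop in enumerate(hops):
        host_dom = registrable_domain(urlparse(hop.url).hostname)
        if hop.status in REDIRECT_CODES and hop.location:
            target_dom = registrable_domain(urlparse(hop.location).hostname)
            if target_dom not in (origin, host_dom):
                # The request for the origin was answered with a redirect elsewhere.
                findings.append(f"hop {i}: {hop.url} redirected off-origin to {hop.location}")
                left_origin = True
            elif left_origin and host_dom != origin and target_dom == origin:
                # The third party is now sending the browser back to what it asked for.
                findings.append(f"hop {i}: {host_dom} bounced the browser back to {origin} "
                                "(a third party handled the request before the origin did)")
        for raw in hop.set_cookie:
            name, _, attrs = parse_set_cookie(raw)
            cookie_dom = attrs.get("domain", host_dom).lstrip(".")
            if registrable_domain(cookie_dom) != origin:
                findings.append(f"hop {i}: third-party cookie {name!r} scoped to {cookie_dom}")
            if "opt" in name.lower() and "out" in name.lower():
                # An opt-out stored in a cookie lasts only as long as the cookie does.
                lifetime = attrs.get("expires") or attrs.get("max-age") or "end of browser session"
                findings.append(f"hop {i}: opt-out cookie {name!r} is not perpetual, lifetime: {lifetime}")
    return findings


# Constructed sample: the bounce pattern as described in the comment, with placeholder hosts.
SAMPLE_CHAIN = [
    Hop("http://www.example.org/news", 302, location="http://bounce.tracker.invalid/check?r=1"),
    Hop("http://bounce.tracker.invalid/check?r=1", 302,
        location="http://www.example.org/news",
        set_cookie=[
            "UID=7f3a9c21; Domain=.tracker.invalid; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
            "optout=1; Domain=.tracker.invalid; Path=/; Max-Age=31536000",
        ]),
    Hop("http://www.example.org/news", 200),
]

# Constructed sample: an ordinary same-site redirect plus a first-party cookie, nothing to flag.
CLEAN_CHAIN = [
    Hop("http://example.org/", 301, location="http://www.example.org/"),
    Hop("http://www.example.org/", 200, set_cookie=["sid=abc123; Path=/; HttpOnly"]),
]

if __name__ == "__main__":
    for label, chain in (("intercepted", SAMPLE_CHAIN), ("clean", CLEAN_CHAIN)):
        print(f"== {label} ==")
        for line in analyze_chain(chain) or ["no findings"]:
            print(" ", line)
```

The chain is the list of hops a browser extension, a local debugging proxy or an HTTP access log would give you; the detector never needs to talk to the network. Two things matter for reading the output: the "bounced back" finding only fires after an off-origin redirect has already been seen, so an ordinary cross-site link or an OAuth round trip the user initiated is not reported as a bounce unless the origin's own request was answered by someone else first; and the opt-out check reports a lifetime for any cookie whose name contains "opt" and "out", because a preference that lives in a cookie silently reverts when that cookie expires or is cleared.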

