Have Phorm?

Note: This entry has been restored from old archives.

“Have form?” That’s the phrase that popped into mind when I first saw the name of this new “Phorm” company that’s recently found itself on the uncomfortable side of Internet privacy debates. I don’t know if the phrase is all that common, but if you grew up watching The Bill you probably know what I’m talking about; I think it’s Pommie police slang. Anyway, back to Phorm. It turns out they do have “form” … they even changed their name over it, from “121Media.” Under their earlier moniker they distributed something called “PeopleOnPage” which was widely proclaimed to be “spyware” (though some, including Phorm, debate that it is really just “adware” – I’ve made no attempt to determine whether I think it is one or the other myself, though based on the removal instructions it seems somewhat benign at least.)

What’s the story now? It turns out that they dumped the so-called spyware in favour of moving the spying to ISPs. (They have an “ain’t we good” story about how they bravely dumped the adware business, risking the potential wrath of their shareholders.) What’s more they’ve already signed on all the major UK providers, and have even run live integration tests! This leaked out recently and has caused quite a stir, first with The Register and now it’s even hit the mainstream news (thanks somewhat to The Netfather, Berners-Lee, expressing concern about it.) Phorm are also chasing deals in the US (not that people in the US have any privacy left to lose) and I’m sure Australia will be on the list too (and then the world! Murwahahahaarrr!)

Phorm’s executive did a pretty open and revealing interview with The Register, and on the face of it the technology seems pretty “privacy safe.” But a) would you really believe it’ll be flawless? And b) what’s the guarantee it’ll stay that way? The idea is that keywords are extracted from the URLs you request (i.e. search string) and the response data, this is filtered to remove “sensitive” content (sure, I bet that is really reliable – though if you’re sending sensitive data over a non-HTTPS connection you get what you deserve.) These keywords are used to categorise the browsing session, then ad delivery is tuned for this categorisation. I’m unclear as to whether they’re going to inject ads into pages (ick!) or if the information will only be used to tune ads on pages that use Phorm as an ad source.

All in all it’s somewhat interesting, but ads are ads and my ad filter means I never see the things anyway. How about this “you are being watched” aspect then? Frankly, it surprises me that anyone would think they can expect much privacy in their online wanderings. Every page you visit has embedded ads from a small handful of providers, do you think they don’t track some sort of “profile” and can track your transitions between the pages of their vast number of clients? (Check your cookies sometime and note the likes of “adclick”, and probably even things like “sextracker”!) Note that this sort of cookie technique will make even something like tor fairly useless in hiding your online “profile.”

What’s most amusing is that Phorm claim to be creating a revolution in privacy? Golly, I wish I had the time to research further into exactly how they explain that one. “Doesn’t store any personally identifiable information,” we’ve heard that before and even when it’s said in good conscience it can turn out to be far more identifiable than expected (remember the AOL search queries release that gave enough information for a reporter to track someone to their home?) They seem to claim to not store any information at all, which sounds hopeful and would be good … but it doesn’t seem like much of a revolution! I think they may have been better off being open about things but not going so far as to put on the mantle of Internet freedom fighters, this just makes them a juicy target.

Anyway, if you do want some privacy, with caveats that I don’t have time to go into, then:

  1. Use tor
  2. Disable cookies

It’s fun to see how much of the web doesn’t work without cookies though! Or you could make them “always ask”, and find out how annoying that is. It could be nice to disallow cookies for any site other than the one displayed in your URL-bar (i.e. disallow for iframes, popups too would make sense), I don’t know if there’s a browser plugin for this though (sounds like we might need one.)
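As an added example (not part of the original post), here is a small model of the two points above: an ad host embedded on many pages can join your visits under one cookie, and a "cookies only for the site in the URL-bar" rule removes that join key. The hostnames and session are constructed, and the site-matching rule is a labelled simplification; IP address and Referer correlation are not modelled.

```javascript
// Added illustration. Hostnames are constructed (.example/.test are reserved).
// Simplification: "site" = last two hostname labels. Real browsers use the
// Public Suffix List, so this shortcut is wrong for suffixes like co.uk.
function site(host) {
  return host.split('.').slice(-2).join('.');
}

// Constructed session: pages visited and the resources each one embeds.
const visits = [
  { page: 'https://news.example/story',
    embeds: ['https://ads.tracker.test/banner.js'] },
  { page: 'https://shop.example/cart',
    embeds: ['https://ads.tracker.test/pixel.gif', 'https://cdn.shop.example/app.js'] },
  { page: 'https://health.example/symptoms',
    embeds: ['https://ads.tracker.test/banner.js'] },
];

// Replay the session and return, per third-party host, the pages it can join
// together under each identifier it receives.
function trackerView(session, blockThirdPartyCookies) {
  const jar = new Map();   // browser cookie jar: host -> cookie id
  const view = {};         // host -> { identifier -> [pages] }
  let counter = 0;
  for (const { page, embeds } of session) {
    const topSite = site(new URL(page).hostname);
    for (const embed of embeds) {
      const host = new URL(embed).hostname;
      if (site(host) === topSite) continue; // first-party: same site as URL-bar
      let key = `anon-${page}`;             // no cookie: each request stands alone
      if (!blockThirdPartyCookies) {
        if (!jar.has(host)) jar.set(host, `uid-${++counter}`);
        key = jar.get(host);                // stable id sent with every request
      }
      view[host] = view[host] || {};
      (view[host][key] = view[host][key] || []).push(page);
    }
  }
  return view;
}

// Largest number of pages a single identifier ties together at a given host.
function largestProfile(view, host) {
  return Math.max(0, ...Object.values(view[host] || {}).map(p => p.length));
}

console.log(trackerView(visits, false)); // one uid links all three pages
console.log(trackerView(visits, true));  // three unlinked records
```
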

Personally, I mostly gave up on the “ad tracking” privacy issue a long time ago. I don’t expect that noisy privacy advocates, or even legislation, will change things much. Much like many other online security issues it is the very nature and design of the Internet that makes these things possible; want to redesign the whole Internet? Anyone? (Yes, I know people are trying, etc.) When it comes to the legal enforcement of these things it always seems to break apart at international borders, little surprise there. Finally, the tighter control schemes that may have some effect get the privacy advocates screaming as well! I.e. moving monitoring, ads (i.e. Phorm), security, and similar measures to the ISP – net neutrality anyone? And why is some random ISP any more trustworthy than doubleclick anyway?

All that said, I do personally bounce all my web browsing through a foreign end-point (but I don’t bother with tor) and I use a cookie blacklist. (The bounce is mainly because proxying via a machine somewhere in Europe, using an SSH port-forward, is actually faster than direct browsing over my Talk Talk connection. Yes, it’s insane.) Ultimately, I don’t think there’s any privacy to be had or expected when it comes to the “web”, as sad as that seems. That said, you can and should expect that data sent to sites (via HTTPS) is kept safe and secure – when this expectation is broken, then it is worth raising all kinds of hell!

It’s a wild world out there on the ‘net … it allows the bad guys to do bad, but also allows the good guys to do good, and, really, this is the way I like it. Some are a kind of geek equivalent to cowboys and know how to look after themselves, everyone else? Easy targets… who we should try to protect and educate.

[For the record: Personally, I don’t like the Phorm idea and I’d prefer them to be shown the door and thoroughly booted out of ISPs. But, realistically, I don’t think this would improve (or degrade) anyone’s privacy. I’m not so keen on the “we own our browsing” history argument from the privacy advocates though. Everything seems to turn to ownership eventually, I suspect this is one of the great problems with the way humans see the world. Things, even the metaphysical, must belong to someone.]