Deep packet inspection gear has long had the ability to peer inside users' datastreams to pull out all sorts of interesting information, but a UK company called Phorm is taking DPI to the next level by using it to sell ads. The company's ambitious goal: segment users into small and highly-accurate "channels" by reading the URLs they visit, the search terms they use, and the content of the pages they visit. The resulting channels are then sold to advertisers who are salivating at the thought of better targeting. Actual users are predictably less thrilled, however, and a row over the issue has erupted in Britain.

Phorm made its announcement on Valentine's Day. The company said that it had inked deals with the three largest ISPs in the UK: BT, Talk Talk, and Virgin Media. The ISPs will place Phorm's gear inline on their networks, where it will have access to the datastream of all users. Phorm charges advertisers for access to highly-targeted customers, and it splits this revenue with the ISP. In addition to offering the benefit of more relevant ads, the company says that its gear will also warn users if they happen to visit phishing sites. So everyone wins, in theory.

But plenty of users don't see it that way. Web sites like BadPhorm have already sprung up, encouraging users to take action by pressuring their MPs and by complaining to ISPs.

The story has gained significant traction in the UK this week, with multiple pieces in the major UK media outlets. The Register even had the chance to interview Phorm's CEO on Friday at the company's London offices, and CEO Kent Ertegrul made clear that Phorm has nothing to hide. In fact, it welcomes scrutiny and has opened its system up to inspection by groups like Privacy International. Phorm claims that its system is far better for privacy than, say, Google's AdSense, since the analysis of the datastream is done in memory and only the user's "data digest" (stripped of all identifying information) is retained.

The real story of Phorm is "how you can run an advertising service and store nothing," Ertegrul told The Register. He's also convinced that raising the value of online ads will actually lead to less advertising on the sites that use Phorm's Open Internet Exchange (OIX), since web site operators know that ads interfere with content. We'll see.

Ertegrul knows that he needs to overcome consumers' gut reactions to the idea of advertisers targeting them based on clickstream data, but Phorm isn't helped in that work by having once been an adware (not spyware, it insists) provider. Before changing its name to Phorm last year, the company was known as 121Media, and it offered adware services including PeopleOnPage, which would show you others who were browsing a web page and allow you to chat with them (while showing you ads).

Also controversial is the idea that ISPs would simply opt all of their users into the scheme. Final announcements haven't been made, but this does seem the only real way to ensure enough participation to make the whole exercise worthwhile. Fortunately, opting out is as simple as blocking Phorm's cookie, and the company promises that no bandwidth throttling or other consequences will follow.

Where's the win-win?



All eyes are on Phorm and the UK's top ISPs to see if users will eventually acquiesce to the idea of being tracked online. The likelihood of the system staying on the right side of the law seems great to us, but only if Phorm's claim that this technology is AdSense-like is upheld.

The bigger issue is customer reaction. When one thinks back to the launch of Gmail, which was really the first time that AdSense came in for a beating owing to some folks' concern over a machine reading their e-mail and serving ads based on them, the majority of users didn't sweat it. That had a lot to do with Gmail being a win-win situation: you got a great web-based e-mail client and (then an unheard of) 1GB of space. Most people overlooked the privacy issue and didn't think too deeply about it.

With Phorm's plan, there doesn't appear to be a win-win aside from perhaps some phishing alerts, which frankly doesn't get us too excited. Without that win-win, users will scrutinize the deal more heavily, even if it is truly machine-based like AdSense is.

Further reading:

