Privacy bears its fangs for Phorm

Newcomer Phorm has ignited a row about online privacy. It’s an old debate that’s being brought back into the news by new technology, but the impact on Phorm’s share price demonstrates the power of privacy concerns.

Phorm is an AIM-listed company that has achieved something that has eluded other companies in the highly competitive field of online advertising: persuading a number of key ISPs to reveal users’ browsing profiles in return for the provision of targeted advertising. Users with BT, Virgin Media and Talk Talk, who between them have over 10m customers, will have all of their HTTP (port 80) activity monitored by Phorm’s servers and used to profile them.

It’s clear that Phorm has given a lot of thought to the privacy implications of this service, which are potentially huge: after all, Phorm’s servers will know everything about a user’s online habits, including their browsing, posting, webmail and downloads. Phorm has stated that it has tight privacy controls including:

  • all users can opt-out of the service;
  • the system can only look at HTTP (port 80), so encrypted services such as HTTPS are not scrutinised;
  • no personally identifiable information about the user is gathered or stored either on the servers or in cookie form;
  • users will be warned if they visit a known phishing site (this is the user benefit of Phorm).
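To make the shape of the controls above concrete, here is an added illustration (not Phorm's code, and not the system the audits covered) of an ISP-level interception point that only inspects plaintext HTTP on port 80 and honours a per-user opt-out. The opt-out cookie name, the flow records and the request bytes are all constructed assumptions; the point is to show what such a point can and cannot see, which is exactly the data-leakage surface the rest of the article is about.

```python
"""Added example: simulate the stated controls of a port-80 profiling point.

Not Phorm's code. The OPTOUT cookie name, the flows and the payloads below
are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional

PORT_80 = 80
OPTOUT_COOKIE = "OPTOUT"  # hypothetical opt-out cookie name (assumption)


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes seen on the connection (constructed)


@dataclass
class Observation:
    inspected: bool
    reason: str
    host: Optional[str] = None
    path: Optional[str] = None
    cookies: dict = field(default_factory=dict)
    body: Optional[str] = None


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Parse a plaintext HTTP/1.x request head and body; None if it is not one."""
    head, _, body = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("utf-8", "replace")}


def cookie_dict(header_value: str) -> dict:
    """Split a Cookie header into name/value pairs."""
    out = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def observe(flow: Flow) -> Observation:
    """Apply the stated controls and report what the profiler would see."""
    # Control 1: only port 80 is looked at; TLS on 443 is opaque here.
    if flow.dst_port != PORT_80:
        return Observation(False, f"port {flow.dst_port} not inspected")
    req = parse_http_request(flow.payload)
    if req is None:
        return Observation(False, "not a plaintext HTTP request")
    cookies = cookie_dict(req["headers"].get("cookie", ""))
    # Control 2: an opted-out user is not profiled (hypothetical cookie check).
    if OPTOUT_COOKIE in cookies:
        return Observation(False, "opt-out cookie present")
    # Everything else in a plaintext request is visible: host, URL, cookies, body.
    return Observation(True, "profiled", host=req["headers"].get("host"),
                       path=req["target"], cookies=cookies,
                       body=req["body"] or None)


# Constructed sample flows: webmail over HTTP, a forum post over HTTP,
# an opted-out request, and a TLS handshake on 443.
SAMPLE_FLOWS = [
    Flow(80, b"GET /inbox?folder=sent HTTP/1.1\r\nHost: webmail.example\r\n"
             b"Cookie: session=abc\r\n\r\n"),
    Flow(80, b"POST /post HTTP/1.1\r\nHost: forum.example\r\n\r\nmsg=hello"),
    Flow(80, b"GET / HTTP/1.1\r\nHost: news.example\r\nCookie: OPTOUT=1\r\n\r\n"),
    Flow(443, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(observe(f))
```

Running the block prints one observation per flow: the two plain HTTP flows expose host, URL, cookies and any posted body; the opted-out flow and the port-443 flow are not profiled. The interesting caveat for a practitioner is in control 2: an opt-out that lives in a cookie is only as reliable as the browser and the site that sent it, so a user who clears cookies, switches browsers, or visits a site that never carries the cookie is profiled again.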

Seems reasonable? Well, Phorm went further and had the system audited by Ernst & Young to confirm that it does what it says on the tin. They then brought in the Privacy International team to check it out. The service received a clean bill of health.

Despite all that, Phorm has attracted widespread criticism from multiple sources. Many say that the service should be ‘opt-in’ rather than ‘opt-out’, but most of the criticism is based upon concerns about the potential for data leakage or function creep. Users are concerned that Phorm will gather more data than they claim, and are not being reassured by independent oversight. The hangover of mistrust from the likes of Google / Doubleclick has hit Phorm hard.

So great has been the concern that Phorm’s share price has dropped by nearly 50% since the deal with the ISPs was announced. The company has had to issue shareholder statements to assure shareholders that there is no commercial reason for the fall. Content management companies are threatening to treat Phorm’s traffic as spyware.

This is a tough commercial demonstration of the power of privacy. An organisation may comply with the requirements of the Data Protection Act, and all other legislation and regulations, but that won’t keep the privacy incidents away. And when they happen, they can hit the bottom line. It remains to be seen how this argument will pan out, and Phorm’s share price is rising again, but it’s a warning to anyone rolling out a privacy-sensitive system: remember, privacy can bite back when you least expect it.


As a Virgin Media customer I am a tad concerned about this. As far as I am aware, the 2nd audit you refer to above wasn't carried out by Privacy International. It was performed by a couple of the guys from PI (one was Simon Davies) but they were acting in an independent capacity. It would seem that Phorm is trying to pull a bit of a fast one. The press release is very carefully worded "Privacy Impact Assessment undertaken by Simon Davies, MD of 80/20 Thinking and Director of Privacy International."
You state that: "They then brought in the Privacy International team to check it out. The service received a clean bill of health." When in fact they did not bring in Privacy International, they brought in the 80/20 Thinking team. The clean bill of health has so far not surfaced. If you have the clean bill of health then please publish it with this article.
I too would be very interested in seeing the report from Ernst and Young and also 80/20. No amount of web searching has brought either of these reports to light. If I told you that my browsing tracking advert system which I was going to run on your ISP's servers was legit you'd want proof too! Just for the record, for me it's not a hangover from the mistrust of Google/DoubleClick, it's a complete mistrust of a company whose predecessor has a bad history of adware and rootkits, and who are planning on intercepting data.
Phorm has not received a clean bill of health from PI at all; in fact the report has never been published. It was carried out independently of PI: it was a couple of their people, but it did not follow the proper PI channels. This is Phorm putting out more of their spin and blatant untruths. Phorm have been posting under the name of PhormUKTechteam in many forums and blogs to try and counter the controversy, but the guys doing the posting have been discovered to work for their PR agency and do not work for Phorm. They promised on some forums, and on Labour MP Bob Piper's blog, to provide more technical details and diagrams over a week ago but have not done so. In fact, the UKTechteam have gone surprisingly quiet since they were discovered to work for the PR agency. There are some excellent articles on the following sites:,1000000567,10007508o-2000331777b,00.htm as well as on and
The reference to PI was lifted directly from the article in the Guardian; clearly somewhere between 80/20 putting out the message, and what's been published, there have been some misunderstandings about who has approved what. I'd be interested to see those audit reports as well, and hopefully Phorm will release them. This does demonstrate the problem of working as a privacy advocate and earning a living in the corporate world. I've known Simon for some years, and we have worked together on similar system audits (see I can't imagine Simon working for a company he had a problem with, so let's see what Phorm does next to resolve this situation.
Toby, please do some research before you post. I recommend you visit if you want the facts on Phorm. So far most of the big sites, i.e. the BBC, have been publishing inaccurate data. I can see that the PI reference is confusing as it came from Phorm, and they even posted this as an RNS to the stock market using spun language.
Thanks Simon. I'm particularly interested in the point on that points out that TalkTalk (Carphone Warehouse's ISP) has changed from an 'opt-out' to an 'opt-in' model. This is significant: TalkTalk has been successful as a result of its aggressive marketing techniques, so they must either see some compelling end-user benefit arising from the opt-in model, or a major commercial risk causing reputational damage. Can anyone shed more light on that decision?
From reading more on one of the moderators there have posted a link to the E&Y audit. As you will find out from reading the report, it's not quite as squeaky clean as Phorm would have you believe. Here's the link to the relevant page on badphorm: Direct link to the PDF report from E&Y: Rather than regurgitate the report I'll let you read it for yourself and make your own judgements.
Sir Tim Berners-Lee - 'the greatest living Englishman' - appeared on BBC Breakfast TV today. "It's [web traffic] mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return." It's also interesting to see that a petition on the Downing Street website has already notched up nearly 5,000 signatures. BT has admitted that it tested Phorm's service last summer without informing customers, and there is still some debate about where that testing took place: This is going to ratchet up the debate a little...
Open Letter to the IC on the legality of Phorm's advertising system RELEASE: 17 March 2008 The Foundation for Information Policy Research (FIPR) has today released the text of an open letter to Richard Thomas, the Information Commissioner (IC) on the legality of Phorm Inc's proposal to provide targeted advertising by snooping on Internet users' web browsing. see press release and open letter
The 80/20 team are about to go public with their report:
Here's the interim report from 80/20, courtesy of The Guardian reporter Charles Arthur. Direct link to the report here: