Privacy bares its fangs for Phorm

Newcomer Phorm has ignited a row about online privacy. It’s an old debate that’s being brought back into the news by new technology, but the impact on Phorm’s share price demonstrates the power of privacy concerns.

Phorm is an AIM-listed company that has achieved something that has eluded other companies in the highly competitive field of online advertising: persuading a number of key ISPs to reveal users’ browsing profiles in return for the provision of targeted advertising. Users with BT, Virgin Media and Talk Talk, who between them have over 10m customers, will have all their activities in HTTP (port 80) monitored by Phorm’s servers and used to profile the users.

It’s clear that Phorm has given a lot of thought to the privacy implications of this service, which are potentially huge: after all, Phorm’s servers will know everything about a user’s online habits, including their browsing, posting, webmail and downloads. Phorm has stated that it has tight privacy controls including:

  • all users can opt-out of the service;
  • the system can only look at http (port 80), so secure services on the likes of https are not scrutinised;
  • no personally identifiable information about the user is gathered or stored either on the servers or in cookie form;
  • users will be warned if they visit a known phishing site (this is the user benefit of Phorm).

Seems reasonable? Well, Phorm went further and had the system audited by Ernst & Young to confirm that it does what it says on the tin. They then brought in the Privacy International team to check it out. The service received a clean bill of health.

Despite all that, Phorm has attracted widespread criticism from multiple sources. Many say that the service should be ‘opt-in’ rather than ‘opt-out’, but most of the criticism is based upon concerns about the potential for data leakage or function creep. Users are concerned that Phorm will gather more data than it claims, and are not being reassured by independent oversight. The hangover of mistrust from the likes of Google / Doubleclick has hit Phorm hard.

So great has been the concern that Phorm’s share price has dropped by nearly 50% since the deal with the ISPs was announced. The company has had to issue shareholder statements to assure shareholders that there is no commercial reason for the fall. Content management companies are threatening to treat Phorm’s traffic as spyware.

This is a tough commercial demonstration of the power of privacy. An organisation may comply with the requirements of the Data Protection Act, and all other legislation and regulations, but that won’t keep the privacy incidents away. And when they happen, they can hit the bottom line. It remains to be seen how this argument will pan out, and Phorm’s share price is rising again, but it’s a warning to anyone rolling out a privacy-sensitive system: remember, privacy can bite back when you least expect.