Phorm technicalities, misinphormation

March 17, 2008

It is apparent that Kent Ertugrul still has a massive problem with telling the truth. The truth is, there is no proprietary system in use for monitoring your browsing. The phorm system *MUST* be compatible with web browsers, which means it *MUST* use predefined web standards to do what it does. They may use any proprietary system they want for analysing the data, but not when dealing with the web browsers.

If we take Kent at his word that you can opt out by blocking cookies from oix, then he is lying about inserting cookies into other domains. A cookie set for is set for and is not blocked by any lock on oix cookies.

If we take him at his word on injection of cookies into other domains, then he is lying about being able to opt out by blocking oix cookies.

They are either injecting cookies into other domains, using 302 redirection headers, or inserting an image/iframe/javascript element into all returned pages (something else they deny).
If they are completely ignoring all opt out methods, then they could also simply copy every single page.
These are the 4 possible methods; none of them is proprietary, and only the 302 method would allow the opt out method they suggest while not storing a copy of the page.
The 302 method can break your entire internet browsing in some circumstances, and potentially opens up all 10 million customers to a very nasty attack in which DNS poisoning would allow an attacker to know every single URL you visit as well as your phorm cookie, regardless of opt out status.
The same attacker could easily redirect your browser to phishing sites, completely undermining the anti-phishing this is being sold on the back of.

Almost confirming that 302 is the method in use, Marc Burgess answered last night that POST requests are not touched by the system. POST requests cannot be redirected without breaking them. Combining 302 headers with POST requests would kill all login forms, forum postings, online ordering systems etc. The other methods could all be made to work with POST requests.
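The 302-on-POST breakage described above, as an added example that is not from the original post: a throwaway local server answers a login form POST with a 302 and records the follow-up request, showing that a redirect-following client re-issues it as a GET with no form body, which is exactly why a login form or order submission would break. The path, form fields and query string are constructed for the demo; urllib's redirect handler applies the same 302-to-GET rule browsers use.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo: every request the local server receives is recorded as
# (method, path, body). This is not Phorm's code; it only reproduces the effect
# of interposing a 302 redirect on a form submission.
SEEN = []


class RedirectingHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        SEEN.append(("POST", self.path, body))
        # Interpose a 302 on the form submission, as a redirect-based
        # interception would have to do.
        self.send_response(302)
        self.send_header("Location", "/login?after_redirect=1")
        self.end_headers()

    def do_GET(self):
        SEEN.append(("GET", self.path, ""))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"login page\n")


def submit_form_through_302():
    """POST a login form to the local server and return the request sequence."""
    SEEN.clear()
    server = HTTPServer(("127.0.0.1", 0), RedirectingHandler)  # random free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        form = b"user=alice&password=hunter2"  # constructed sample form body
        req = urllib.request.Request(f"http://127.0.0.1:{port}/login", data=form)
        with urllib.request.urlopen(req) as resp:  # urllib follows the 302
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return list(SEEN)  # second entry is a GET: the POST body is gone


if __name__ == "__main__":
    for method, path, body in submit_form_through_302():
        print(method, path, repr(body))
```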

While stating they were injecting cookies into other domains, Kent made a very big screw up. Apart from the fact it cannot be true if their opt out system works (and they really need it to work to comply with the DPA), if you visit a domain for the first time and have no cookies set for that domain, the phorm system would have no way to identify you from your cookie ID. Generating a random ID each time would mean that your browsing history is a series of unlinked matches, and the phorm system would only be able to use the matches it found on the current page. This is no different in advertising terms than serving up adverts relevant to the site rather than the user, and it does not require the massive invasion of privacy to achieve. It does not even require the use of cookies. It’s the most basic and non-invasive form of web advertising there is when done correctly.
Of course, they could be lying again. If they have a way to identify the account that is visiting the site, they can link the current cookie to the previous matches. This goes against everything they’ve said about protecting your privacy.

Kent also claims in various places that it is impossible to link a cookie to personal data, and considers IP addresses as personal data. When combined with the claim that ads are served in the normal way, we have another inconsistency.
When you have your data analyzed at the ISP end, they may not have an IP address to tie the cookie to, but once you pull an ad from their site they operate exactly as any other ad broker. The very nature of TCP/IP demands that they know your IP when you send the “anonymous” cookie.

There are many completely incompatible “facts” being spread about this system by both Kent and the phorm “tech team” (who are actually a hired P.R. firm with no knowledge of the system). Some are incompatible with each other, some are incompatible with the underlying architecture of the internet.

They are relying on the average user not understanding this. It’s the reason they ask if you’d mind them giving you phishing protection, rather than asking if you mind them copying every single page you visit. They need the masses to stay uninformed.

2 Responses to “Phorm technicalities, misinphormation”

  1. Phorm Comms Team Says:


    I work on behalf of Phorm here in the UK. Whilst we certainly welcome the ongoing debate into internet privacy, there are a number of points in this piece that need addressing.

    Firstly we totally and categorically refute the accusation that Kent has been lying. We have been consistently clear on the points surrounding opting out from the system – when you opt out — or switch the system off — it’s off. 100%.

    Secondly, to be clear: Webwise doesn’t store personally identifiable information, doesn’t store IP addresses or browsing histories.

    The technology simply observes anonymous behaviours and draws a conclusion about the advertising category that’s most relevant. All the data leading to that conclusion is deleted by the time each web page is loaded.

    Thirdly, we have gone to significant lengths to provide consumers with a wide range of information on this service. There is an ongoing blog at and a video Q&A on Youtube, and a full transcript of two prior webchat interviews via – to suggest we are trying to keep users uninformed is simply wrong.

    If you have any further queries, please do not hesitate to contact us either via the email address or visit

  2. fortuzero Says:

    Thank you for commenting. I have temporarily obfuscated this entry so that, whilst I remain slightly suspicious, at least I will check the points you address and (re) consider accordingly.

    Still, on a fundamental level, I do not like the insidious use of public technology for scavengers, marketing drones, and people whom I generally despise and hold a low opinion of in a desperate attempt to make even MORE money. Do these leeches not make enough already? They don’t think that we buy enough SHIT yet?
