Patching is too important to be neglected
Tailoring adverts to web users' interests may make good commercial sense, but make sure you don't go too far.
When you talk to people about advertisements, most claim they don't like them. Yet numerous studies show that they are an effective marketing tool. So it's hardly surprising that the internet is an ad-rich environment. Indeed, advertising is one of the few ways to make real money on the web. Websites don't come free, so it is only reasonable to see operators make every effort to claw back some money for the free access they offer.
These days the smart money is on smart adverts: instead of randomly picking what is displayed, they use technological solutions to tailor the ad stream to the viewer. So rather than see adverts for fancy perfume I'm unlikely to buy, I would get those for expensive canned tuna and luxurious cat beds. If you accept adverts are a necessary evil, it seeing some related to your interests makes sense.
Enter Phorm, a company that promotes a tailored advertising system for the web. Phorm plans to anonymously profile web users and, if a profiled user visits a website signed up with its service, display adverts that are likely to interest them.
This all sounds very innocent and commercially astute, but the devil is in the details. Phorm plans to monitor web access at the ISP's network with a variety of “black box” systems. Thanks to HTTP cookies and the judicious and technically dubious use of server redirection, your web access will be associated with a unique and, at least initially, anonymous identifier.
This magic number gets passed along to websites hosting adverts, so they know that user X is interested in cat treats, while user Y prefers to buy expensive cars. Dr Richard Clayton of the Foundation for Information Policy Research (FIPR) has produced an excellent technical summary at www.cl.cam.ac.uk/~rnc1/ 080404phorm.pdf.
Although Phorm makes impressive claims about its commitment to privacy, confidence in such promises isn't helped by a chairman with roots in the spyware business, previously having worked for PeopleOnPage. The operation of the black box that monitors traffic is also problematic, as performance can be affected due to the back-and-forth cookie traffic and redirection.
There are also issues with Phorm accidentally profiling potentially sensitive data, such as web-based email. Its solution is to ignore known webmail sites, but that approach is hardly foolproof.
For the truly pessimistic, an attacker who compromised Phorm's internal systems could gain access to a huge volume of web traffic and very quickly strip away the protection provided by the anonymous identifiers.
The legal situation regarding Phorm's plans is subject to debate. FIPR has published a list of concerns (www.fipr.org/080423phormlegal.pdf), but online legal firm Pinsent-Masons has a more favourable view (www.out-law.com/default.aspx?page=9090).
The legal problems recently came to a head when BT revealed that it trialled Phorm's system on thousands of unknowing users to evaluate the technology. One of the affected users reported the matter to the police as he, not unreasonably, believed a crime may have been committed by intercepting his data. Somewhat bizarrely the police responded by saying it was a matter for the Home Office, which then issued its own interpretation of the law, saying there was no problem. Traditionally the police, not the Home Office, investigate suspected crimes and the courts rule on interpretation of legal fine print.
However, with the level of bad publicity around Phorm it seems possible it may be dead before it starts. Several ISPs are trying to distance themselves already, and others are no doubt considering it.
Advertising is a necessary evil, and targeted adverts are a potential improvement to the default “blunderbuss” approach. However if you want to do this by snooping on someone's web traffic, it is essential to seek their informed consent first – if not for legal reasons, at least for public relations purposes.
Privacy, you might say, is the new black. The industry should really try to stay fashionable.
Nick Barron is a security consultant. He can be contacted at firstname.lastname@example.org