Phorm's underlying problem - and how to fix it

We're in the middle of what will become another classic case study for MBA students. Ex-adware company Phorm has done deals with lots of ISPs to install monitoring services within those ISPs, the better to target advertising at customers. It works by collecting information about how the customers use the Web - sifting out keywords from requests and responses alike - and then tuning advertising accordingly.

Unsurprisingly, users feel this is an invasion of privacy, a feeling enhanced by the opaqueness of Phorm's systems. Not at all, says the company, which has launched a full-on media onslaught by putting its CEO out for interview by anyone who asks. That's smart, especially since most non-specialist journalists will be easily diverted by the technicalities.

But Phorm's big problem isn't technical. Phorm's big problem, articulated most clearly by Charles Arthur (who covers the issue here and has a good 30 minute audio interview with Phorm's CEO here), is that it's selling precisely targeted users to advertisers at the same time that it's assuring those users that they can't be identified. People feel instinctively that targetting implies identification.

Here we dive into some complex semantics. What is identification? Phorm says that it cannot say that user Fred - or IP address 1.2.3.4 - has been looking at a particular class of sites for a particular sort of information, because its computers do not collect the name of Fred or Fred's ID address. Instead, it makes a big play that a 'random number' is used to generate a unique cookie for a user - more precisely, a particular installation of a browser -- and that cookie is used to gather information about the sites that browser visits. Phorm uses the connections between that cookie and those sites to target advertising.

As anyone who's worked in espionage knows, not knowing your target's exact ID doesn't prevent you profiling them and knowing what they do - and that once you've got enough information, it doesn't really matter that you've never directly had your target flash their ID card at you. AOL found that out last year when it released a ton of anonymised search requests with the user IDs replaced by random numbers; it had to withdraw the list in haste as it became embarrassingly obvious that users could be identified from that information alone.

By any sensible definition, Phorm is identifying the users. The fact that it's making a big play about its equipment being installed entirely within the ISP's infrastructure is acknowledgement of the fact. This neatly sidesteps the obvious legal issues, because your ISP can be expected to know who you are and what you're doing. It doesn't sidestep the moral and practical ones.

And so, a practical moral solution is required. That's surprisingly simple, and quite possibly already in place. Instead of asking the question of what third parties are allowed to do with a user's online activities, ask instead who owns those activities. The answer is clear: the user.

Say you're typing an email in an online email system. That email is your copyright. You own it. You might subsequently relinquish some of those rights, either because your email system provider has included a 'everything you do here belongs to us' clause in the terms and conditions or because you publish the email in some way, but it's yours. GMail, for example, uses your email to target adverts at you, but that's part of the contract. It's well understood, it's a deal with a particular company for a particular service.

You have no such contract with your ISP over the set of things you create by using the Web - your stream of browsing requests. The ISP doesn't have the right to do with that what it will.

Now, it could be that you choose to change that in exchange for some benefit. Up to you. But it's your material.

In that light, how Phorm - or BT, or Virgin, or whoever comes up with a similar idea - does what it does is irrelevant. There are plenty of other issues, of course, but they're additional.

That means that the "opt-out" default of Phorm, where it'll take your information and use it commercially until you tell it not to, is prima face wrong. If it's got a commercial proposition for you, then its up to the company or its clients to present that commercial proposition for you to decide.

The problem for Phorm, of course, is that opt-in is far harder to make work. People will want to know what they're signing up for, and how it benefits them, and most will choose not to sign up, thanks. And if they don't sign up, then advertisers won't be interested.

That's not our problem, and Phorm cannot make it so.