The URL History Hoax

Another of the phrases Phorm repeat is this: "We don't know where you've been - we don't store browsing histories" (source, sadly now unavailable).

So let's examine how valid that is.

This is what Phorm tell advertisers (source):

Phorm allows advertisers to target audiences using URLs. To do this, Phorm must have recorded the URLs that you have visited, at least long enough to allow them to place an ad when you next visit an OIX partner.

How long do they retain the record of the 'trigger URLs' you have visited? According to Out-Law.com (source):

    An advertiser can be very specific about what will be displayed at a site like FT.com. For instance, Canon could instruct Phorm to deliver adverts for its latest digital camera to anyone who visited a web page identified by Canon as giving a glowing review the previous week. It can narrow that request even further: Canon can tell Phorm only to deliver the ad to anyone who read that review and also visited more than two other pages that mentioned the model name, e.g. IXUS 970, within the past three days.

    I put this hypothetical to Phorm. It stressed that Canon would have to provide at least 10 URLs in its targeting instructions, not just one review page. This, said Phorm, is part of its privacy protection; though it seems to me that there is nothing to stop Canon providing nine URLs that it knows nobody will ever visit.

Phorm must record the page history for up to a week; how else could they complete the match?

According to Richard Clayton's analysis,

    The maximum period permitted for targeting rules is six months, hence no records will ever be more than six months old.

No records will ever be more than six months old?

Do Phorm get to see the URLs? According to Richard Clayton's analysis,

    The Anonymiser passes the record {URL/search/UID/words} across to another machine called the "Channel Server". The Profiler and the Anonymiser are controlled by the ISP, albeit running software supplied by Phorm, but the Channel Server is controlled by Phorm. One instance of the Channel Server function is provided at each of the participating ISPs.

The browsing URL data is given to Phorm. Phorm can know where you've been. Even if you believe Phorm's assertion that they obfuscate that data, it is recorded for up to six months.
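The Canon rule quoted from Out-Law.com and the six-month limit from Richard Clayton's analysis can be modelled in a few lines to show what state such matching needs. This is an added example, not Phorm's code or part of the original article; the class and function names, the UID, URLs, dates and the 183-day reading of "six months" are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_RULE_WINDOW = timedelta(days=183)  # assumption: "six months" taken as 183 days

class TriggerStore:
    """Hypothetical per-UID store of trigger-URL visits (not Phorm's code)."""

    def __init__(self, trigger_urls):
        self.trigger_urls = set(trigger_urls)
        self.hits = defaultdict(list)  # uid -> [(visit time, url)]

    def record(self, uid, url, when):
        # Only advertiser-supplied trigger URLs are kept; everything else is dropped.
        if url in self.trigger_urls:
            self.hits[uid].append((when, url))

    def prune(self, now):
        # Records older than the longest permitted rule window can never match again.
        for uid in list(self.hits):
            self.hits[uid] = [(t, u) for t, u in self.hits[uid] if now - t <= MAX_RULE_WINDOW]
            if not self.hits[uid]:
                del self.hits[uid]

    def visited(self, uid, urls, now, window):
        # Distinct URLs from `urls` that this UID visited within `window` of `now`.
        return {u for t, u in self.hits.get(uid, []) if u in urls and now - t <= window}

def canon_rule(store, uid, now, review_urls, mention_urls):
    # Read a review in the past week AND more than two other mention pages in three days.
    saw_review = store.visited(uid, review_urls, now, timedelta(days=7))
    mentions = store.visited(uid, mention_urls, now, timedelta(days=3))
    return bool(saw_review) and len(mentions) > 2

# Constructed sample data: URLs, UID and dates are invented for illustration.
REVIEW = {"https://reviews.example/ixus-970"}
MENTIONS = {f"https://shop.example/ixus-970/{i}" for i in range(3)}
NOW = datetime(2008, 6, 10, 12, 0)

def run_demo():
    store = TriggerStore(REVIEW | MENTIONS)
    store.record("uid-1", "https://reviews.example/ixus-970", NOW - timedelta(days=5))
    for i, url in enumerate(sorted(MENTIONS)):
        store.record("uid-1", url, NOW - timedelta(days=1, hours=i))
    store.record("uid-1", "https://news.example/unrelated", NOW)  # not a trigger URL
    matched = canon_rule(store, "uid-1", NOW, REVIEW, MENTIONS)
    retained = sorted(store.hits["uid-1"])  # what must be held to get that answer
    store.prune(NOW + timedelta(days=200))  # past the six-month limit
    return matched, retained, dict(store.hits)
```

In this model the rule matches only because four timestamped (time, URL) records are held against the UID; the same rule evaluated against an empty store cannot match.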

Conclusion

Contrary to their assertions, Phorm clearly do have an interest in identifying the pages you visit, and recording that history of visits for some time.

Phorm do have access to the URLs you visit, and may change the way they target you once the system is operational.

You have no visibility of the resulting data they will hold about you. And you are being asked to trust a company with alleged links to malicious software, who have tested their software in secret in 2006 and 2007 on hundreds of thousands of unsuspecting BT customers.

 

Why would you?