American ISPs already sharing data with outside ad firms

Multiple American ISPs are sharing customer data with outside firms that deal in so-called behavioral ad targeting, and according to one of these firms, the Silicon Valley-based NebuAd, roughly 10 per cent of all US web surfers are affected. These ad companies, which also include the Sonora, California-based Front Porch, won't …


  1. Alex
    Thumb Up

    el Reg - The mouse that roared

    They say if America sneezes then the rest of the world catches a cold; well, let's hope that the US and their zealous legal system is geared up to find a cure for what is already looking to be a greed virus infecting the central nervous system of the Internet.

    Well done el Reg, keep up the good work!

  2. Anonymous Coward

    A note to All ISPs

    I bloody well pay you to carry my data and not to manipulate or meddle with it.

    Imagine if it were a private phone conversation with my girlfriend in which we were planning sex in the evening and then all of a sudden a voice joins in and advertises condoms because this is the scenario you expect us to deal with if you bring in this Phorm type crap.

    Quoting Churchill:

    we shall fight on the seas and oceans,

    we shall fight with growing confidence and growing strength in the air, we shall defend our Island, whatever the cost may be,

    we shall fight on the beaches,

    we shall fight on the landing grounds,

    we shall fight in the fields and in the streets,

    we shall fight in the hills;

    we shall never surrender

    Who the hell do these people think they are!

  3. Anonymous Coward
    Dead Vulture

    SSL Search engines

    Can anyone tell me, are there any SSL search engines out there and would this stop the bitches getting my requests? Sure the search engine would be able to log the searches but would it stop this lot from targeting me? I mean if I got a case of the old itchi-nacka I wouldn't want my nine-year-old child being presented with the best rub on solutions.

    posted anonymously for obvious reasons, not that I'm paranoid, it's just the B*****s are out to get me, I'm sure him two desks over looked at me funny and her from accounts is talking about me, oh no they're coming aaaarrrgh

  4. sotar

    The rise and fall of the WWW?

    Didn't realise this was already up and running in the USA; stupid really, there was bound to be more than just Phorm.

    Does anyone have any technical information on how the NebuAd, FrontPorch, etc. systems operate? Do they, like Phorm, look at the contents of webpages?

    As a webmaster/publisher I haven't been asked if what is published on my sites can be used by them. I would be interested to know how I can go about opting out of their system, or if necessary restricting/blocking their access to my sites.

    Will the last one leaving the WWW please switch off the light.

    P.S. Loved this bit on the Front Porch site - - if they had much more control you might as well just sit in front of the screen while they fed you what they wanted (like TV but just 1 channel).

  5. Steve Renouf
    Paris Hilton


    There's one thing that's puzzling me in all this business...

    Now, perhaps I'm unique in my use of this inter-thingy-wotsit but, when I go to the internet for browsing, my browser starts up with what I have set as my "homepage" and it has never been, nor ever will be, my ISP's "homepage". That being the case, how would I ever see that notice in order to be able to opt-out?? This is yet another reason why it MUST be OPT-IN ONLY!

    Are there really that many people who have their ISP's "homepage" set in their browser? I never have any valid reason to go to my ISP's homepage - unless I want to check latest mobile/phone/services/prices or something - which are always notified in writing anyway if it's any changes to services I am already signed up for.

    Perhaps my ISP isn't as big a scumbag as some of these others are?!? Although that could always change... Although there are still other issues - such as the 50 - 1 contention ratio!

    PH because she's always confused ;-)

  6. Anonymous Coward
    Thumb Down

    Fuckers .....

    ... by any other name!

    Just stay clear of our data. Note the 'our'.

  7. Spleen


    "With a one-way hash, we turn your IP address and other data into an anonymous profile, and we use that to see if you qualify for innocuous categories. We can track someone looking for a luxury car, not just a car - someone searching not just for travel but travel to the south of France or Las Vegas."

    How the fuck is my earning power (which defines what sort of car I look for) "innocuous"? I can't think of a more intrusive, private fact about me apart from my sexual orientation. My travel ambitions aren't much lower down the list.

    These people just do not understand what identity is, what it feels like from inside one. They have no souls. I am neither exaggerating nor being metaphorical.

  8. Steve

    A minor correction

    "...Phorm - the behavioral advertising firm..."

    Interesting, I thought it was spelled "criminal, snooping douchebags".

  9. Anonymous Coward

    Two endings

    a) The British Way: Write to your MP (or appropriate representative in your respective countries). Wait 9 months for a reply. Find the issue wasn't raised. Take shafting in the rear, without lube.

    b) The French Way: Take to the streets. Set fire to local exchanges. Demonstrate by the hundred and throw bricks through the windows of offices responsible for the outcry.

    Can't do that, though. There are too many terrorists out there, and Maddy McCann hasn't been found, Princess Diana WAS killed unlawfully, and Britney Spears is mentally incompetent. Plus, there's a new episode of Lost out this evening...

  10. Anonymous Coward

    I can do better

    I've been thinking about this targeted advertising thing - I reckon I can get higher correlations between people's browsing activities and the advertisements they receive without storing any personal information. I'll just display pr0n. We all know that the biggest use of the Internet is to display pr0n, so why not just make the advertising all the more targeted?

  11. Paul

    It's been building for ages

    The entire concept that advertising on the internet should make people money has been entrenched for *years*. Ever since you got people selling the concept that ads are a good thing online our rights to privacy have been eroded.

    Up until now, it's been possible for a conscientious, technically minded user to avoid them but now it's reached the point where even we can't keep our information secure.

    As an interesting test, I blocked the most common root domains for advertising sites with my firewall. After just a week I had over 3,000 blocked connections logged and that's after a few hours surfing and most pages I visited had a clear "this site has been blocked" segment somewhere on them.

    However, I can't see it ever ending, companies make money off joe public, the same people who keep spam going either by forwarding "joke" emails, or responding to Viagra ads. There's *always* going to be someone dumb enough to respond to an advertisement, just because it's there and unless we kill that behaviour it'll never get any better.

    As an aside, I play on an MMORPG that's announced it'll soon be including adverts in game. Unlike systems like Phorm, this has been well received because it included an up front statement about what it'll be harvesting and included a clear opt-out procedure that removed the textures from the game. I can live with this kind of advertising, in the same way I can tolerate a simple banner ad, because all it does is record that a unique view took place.

  12. Alex

    Why on earth doesn't...

    an ISP stand up and say, pay us £50.00 pcm and we will guarantee that none of your usage is tracked, offer a secure proxy with unlimited up/down speeds?

    it's what a sizable chunk of the market are interested in!

    they could even refer to themselves as "Internet Service Providers" rather than the more popular modern offering of "Value Added Single Channel Advertising Stream Providers"


  13. Chris Jones-Gill

    Pay me, not the ISP - but only if I consent to being stalked

    Assume I opt-in (not gonna happen, but let's play the game)...

    If my surfing habits, et al, are of value then I deserve to be compensated for allowing my actions to be monitored. Give me cash-back on my surfing.


    ISPs can give me the option of free broadband with targeted stalkertising, or I pay for access and keep my privacy. I know what I would choose.

    Most non-technical people understand that nothing is really free (as in beer), so this would highlight to the majority that *something* was not right.


    Dear Sir/Madam,


    Sign up to this service, that doesn't do anything bad at all - really - it is for YOUR BENEFIT only, and makes your online experience better. Click OK to accept, and you will NO longer be CHARGEd for your BROADBAND access.

    Yours faithfully,

    Money-grabbing stalker.


    A normal response to this...


    Darling fascist bully-boy,

    Get out of my private details, you bastards.


    May the seed of your loin be fruitful in the belly of your woman,



  14. Ash


    Because they already did something very similar by calling their service "Unlimited". People believed them, paid the £50, and used the "Unlimited" functionality to watch videos, download software and music, and play games. The problem is that with so many people (3%, apparently) using this "Unlimited" connection speed, other people were losing out and getting slow connections. Somewhere along the line, "Unlimited" became "Unlimited, apart from when you hit this LIMIT on how MUCH you can download, at which point we will LIMIT how FAST you can download. Oh, and you get to pay more for the privilege."

    When that didn't work, they went with this advertising gamble. Their point of view is that the 3% who use it to capacity (read: those who know anything about computers) will kill their contracts, and the problem will solve itself. Those 3% will go elsewhere, the bandwidth deficit will disappear, and they can make money selling advertising data from the remaining 97%.


  15. Werner McGoole

    New anti-spyware business opportunity?

    There's bound to be loads more of this new breed of spyware appearing. Probably the computer security companies who specialise in anti-spyware, etc. need to start looking at a new product for those who run web sites.

    National laws might (I hope) protect end users from their own ISPs and there's always the option of switching ISP. But web site owners will inevitably have to cope with an international free-for-all as they have no real control over who accesses their data. The counter-measures against this sort of spying are bound to escalate into an arms race and require frequent updating. This sits rather well with the existing anti-spyware (and anti-virus/anti-spam/anti-adware) business model, so come on guys - get coding!

  16. anarchic-teapot

    What I don't get is how they can target ads at you if it's all completely anonymous. How can you track someone if you don't know who they are (i.e. don't have some sort of identifier which at any point can be traced to a particular machine), let alone serve the poor buggers "relevant" ads based on their browsing history?

    Sounds like someone is being economical with the vérité.

  17. Curtis W. Rendon

    IP addys?

    Any known IP addresses that can be blocked?

  18. DanO

    Safari does it?

    In the Guardian today, it says that Safari, unlike other browsers, automatically blocks such ads. Is this true? If so, let's all get Macs!

  19. Eduard Coli
    Black Helicopters

    Very smelly

    Private data and public data is a matter of semantics (pun!).

    That they "notify" and let you "opt-out" now may not be so later if it is indeed true now.

    There is no happy middle in this stuff because once it is accepted then generally market forces eventually create a surveillance system out of a little innocent ad-ware.

    If the ad-ware company and ISP are going to profit then it has to be private data and should be treated as such.

  20. Jason Bloomberg Silver badge
    Paris Hilton

    The underlying problem ...

    Notionally, what Phorm & Co are proposing is logical and perhaps not really that bad in concept, no more so than supermarket loyalty cards tracking purchases made to tailor offers to customers (though that doesn't seem to have materialised as planned). Would email spam be quite as bad if it were actually something we were interested in?

    The problem is the opt-in choice and consent plus how the data is collected and then used.

    Supermarket tracking avoidance is easy; don't use the loyalty cards and that works even if one were opted-in by default, if supermarkets did use credit card details for purchase tracking, pay cash or by cheque, likewise if (when?) credit card companies start tracking.

    Notably loyalty card opt-in is coupled with reward, something Phorm & Co don't offer in any substantial form, although I can see ISPs offering two-tier usage, a discount for Phorm opt-in, in reality a surcharge-cum-penalty if one won't.

    I don't see the problem with getting targeted advertising - no different really to the non-targeted ads I ignore now - but I am concerned about what else Phorm and ISPs will be doing with the tracking data.

    Tracking is likely to become a reality no matter what if there's money to be made and those doing the tracking will want to maximise profit from that. No matter what Phorm and ISPs promise it's near worthless and without legislative protection end-users will have none. Righteous indignation only goes so far in stopping its inevitable progress.

    Unfortunately we live in societies and have governments which believe in a surveillance culture and tracking so, IMO, we have to face that fact, and the key is in getting a legislative framework in place to protect those users who do not want to opt-in and where "go somewhere else" is not a viable option. Let people opt-in ( as they will by the drove if loyalty cards are evidence ) but protect the rights and do not penalise those who do not wish to.

    The fight is currently with the wrong people. Phorm or some other reincarnation will always be proposing to do this tracking - it's viable, it makes sense to those who see benefits in that, it's not evil per se. The issue is what government allows to be done with a 'couldn't give a toss for the citizens' attitude. Sadly, it could ultimately be another case of "resistance is futile" until the long-awaited revolution arrives.

    Paris : 'cos I'd opt-in for a bit of that.

  21. Anonymous Coward

    It's the content, stupid!

    Companies like Virgin Media and Sky see 'broadband' as just another channel down which to stream their 'content'. And make no mistake by content they do not mean Battlestar Galactica or Lost. What they mean is advertising, which is where they make their money. Unfortunately in the UK nearly all the ISPs have been snaffled up into these multi-channel media companies, whose objective is not to enable us to participate in the 'Information Superhighway', but to be passive recipients of whatever junk companies will pay them to stream at us. Thus dirt cheap broadband joins 'free' mobile handsets as the primary means to ensnare us into their spied on, profiled, customer-unfriendly consumerverse.


  22. Derek Hellam
    Jobs Halo


    Yes Safari blocks Phorm cookies

    But you don't need a Mac to get it as there is Safari for Windows too. But getting a Mac would be a good idea anyway.

  23. MS
    Paris Hilton


    How can you be anonymous if each profile is tied to an IP address? ISPs have logs of who gets what IP address. This database isn't anonymous at all except in the fact that your name won't be in the database itself. Instead, there's a unique identifier in the database, that can be tied to your name in a different database.
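
The objection raised in comments 16 and 23 above, as an added example that is not part of the original thread: an unsalted one-way hash of an IP address is a stable pseudonym that can be joined back to a subscriber, shown next to a per-session keyed alternative. SHA-256, the documentation-range addresses, the account names and all function names are assumptions; the page does not say which hash or inputs NebuAd uses.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample data: (client IP, inferred interest category).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("192.0.2.17", "luxury cars"),
    ("198.51.100.4", "gardening"),
    ("192.0.2.17", "travel: south of France"),
]

# Constructed sample of what an ISP already holds: IP -> subscriber account.
SAMPLE_LEASE_LOG = {"192.0.2.17": "account-1001", "198.51.100.4": "account-2002"}


def profile_key(ip: str) -> str:
    """Unsalted one-way hash of an IP address (SHA-256 assumed for illustration)."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def link_events(events):
    """Build 'anonymous' profiles. No IP or name is stored, yet every event
    from the same address lands in the same profile because the hash is
    deterministic."""
    profiles = {}
    for ip, category in events:
        profiles.setdefault(profile_key(ip), []).append(category)
    return profiles


def join_with_lease_log(profiles, lease_log):
    """The 'different database' from comment 23: whoever holds the IP-to-account
    log hashes each address once and joins the two tables."""
    joined = {}
    for ip, account in lease_log.items():
        key = profile_key(ip)
        if key in profiles:
            joined[account] = profiles[key]
    return joined


def reidentify(key: str, candidate_net: str):
    """Audit check for an anonymisation claim: the IPv4 space is small, so a
    profile key can be matched by hashing every address in a candidate range."""
    for addr in ipaddress.ip_network(candidate_net):
        if profile_key(str(addr)) == key:
            return str(addr)
    return None


class SessionPseudonymizer:
    """Contrast case: a keyed hash (HMAC) whose secret lives only in memory and
    is replaced on rotate(). Without the key the value cannot be recomputed from
    an address list, and profiles do not link across rotations."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def pseudonym(self, ip: str) -> str:
        return hmac.new(self._key, ip.encode("ascii"), hashlib.sha256).hexdigest()

    def rotate(self):
        self._key = secrets.token_bytes(32)


if __name__ == "__main__":
    profiles = link_events(SAMPLE_EVENTS)
    print("profiles built:", len(profiles))
    print("joined to accounts:", join_with_lease_log(profiles, SAMPLE_LEASE_LOG))
    key = profile_key("192.0.2.17")
    print("recovered address:", reidentify(key, "192.0.2.0/24"))
    p = SessionPseudonymizer()
    print("keyed pseudonym recoverable:", reidentify(p.pseudonym("192.0.2.17"), "192.0.2.0/24"))
```

The keyed variant only helps if the key is never stored or shared with whoever holds the lease log; it does nothing about the interception itself.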

  24. Chris iverson

    all right, enough is enough

    It is time that we all start using proxies and SSL sites. Fuck these guys and stay right the fuck away from my habits

  25. Christophano


    Yeah, I've been trying Safari for Windows for a few weeks, and it is a nice browser, although not without its problems.

    The bonus on it is that its default setting is to only allow cookies from sites you go to, not the 3rd party ones.

    For example, if I went to (a site which makes use of googleanalytics ads) it will allow a cookie from but you won't get any cookies from google etc.

    Ideally Firefox would introduce the same default settings (or at least the ability to change to those settings) as it is the better browser overall.

    Well, the most ideal situation would be to beat Phorm into bankruptcy and send the message that our browsing histories are not for sale... Not now, not ever!

  26. Herby

    If they did this to the postal mail...

    Everyone would be VERY upset. It might go like this:

    Oh, we are from a nice company and are going to open your mail to see what you do. We will then send you ads based on what you send and receive. Oh, and we are going to open the packages from UPS and FedEx to see what you order, and target ads there as well. By the way, the price of a stamp is going up.

    What needs to be done is classify ISPs as common carriers. They can't do anything with the contents of the stuff they send without a court order.

  27. Bernard Mergendeiler

    SSH tunneling services are available

    When my ISP, Cavtel a/k/a Cavalier Telephone, "partnered"* with Google, I signed up for SSH tunneling to a proxy server. The service I use also provides disposable email addresses, all for a reasonable fee. Every packet my ISP sees, including POP3 and SMTP, is encrypted and uses nonstandard port numbers.

    *Cavalier Telephone has apparently become too cheap to provide its own email servers and so sells out its customers to Gmail, AdSense, and all the rest of the crud which goes with it.

  28. Anonymous Coward

    I think everyone needs to calm down

    I'm a web developer and I've studied up on the various processes used by these companies. So as someone with what I'd like to think of as more than a little knowledge on the internal workings of these targeting systems I can tell you a few things about it.

    First you can't block most of them because they are actively sniffing your data stream, they don't use cookies, and what gets fed back to you is usually sent from your ISP. So you want to "block" something, you would more than likely need to block your ISP. Yes you could firewall the ad companies sites.

    Second, it's session based so when you disconnect (I know, hard to do with cable modems or DSL) the session info is thrown out.

    From a "user" perspective, I'm already getting slapped silly with ads on the sites I visit and I just simply ignore them. I could care less if they are "tuned" by the fact that I just went to a motorbike site, I'm still going to ignore them. They claim they don't track anything that could "embarrass" you, who knows. What I do know is that if I go looking for nudie pics of Paris Hilton one day (god only knows why) and the next day my wife gets served ads for porno vids because of that, I'll be a bit peeved.

    When it comes right down to it there's really no difference between this and what you get at any internet cafe for free access.

  29. Anonymous Coward

    safari browser

    Not enough is known about the difference between browsers. The suspicion is that the only reason Safari is on the "can't use" list is that it does not accept httpOnly cookies which means that a website can read the Phorm set cookie just by using a client side script.

    For other browsers, the script that reads httpOnly cookies has to be server side. As the 'black box' strips out the cookie from the headers sent to the server, a server side script will never see it.

    So, only browsers that enable the hiding of the phorged cookie can be used by the profiler.

    As this Safari 'bug' is likely to be fixed in a new release, it makes more sense to use a browser where you can set your own user agent and have better control over 3rd party content.

    It does not matter what the marketers call these new advertising platforms, they are nothing more than spyware written by a rootkit hosted at the ISP.

    Anyone who knows anything about deep packet inspection systems recommends that you don't use an ISP that uses this technology because it can do anything to your internet traffic and you will never know what has been added or what has been censored.

    Thanks to El Reg for picking up on the US side of the profilers. I have been commenting about them for the last month and the silence returned left me wondering if I was in a sound proof room.

    When the El Reg reporters start to catch up with how the profilers are working in Asia, maybe then the extent of the battle ahead will be more apparent. FrontPorch have been around for years - what were they doing in the early days?

    Are all the players former rootkit / malware / spyware / adware merchants? If they are then we all have a very good idea of just how expensive and difficult it is to remove their spying off our systems.

  30. Brian Milner
    Thumb Down


    When I was young my family went to a Shakespeare play. At one point someone in the audience shouted "MURDER!" very loudly. I asked Mum why, and she said they'd missed out or changed a line from the original script.

    Let me leave it to the reader to perceive how my story applies to this article.

  31. Anonymous Coward

    Safari - cookies - adblocking - doesn't solve the real problem.

    There was a version of that Guardian/Charles Arthur/Phorm article on Tuesday which had comments, including a comment which explained in simple terms why the article was misleading because there's little point blocking cookies etc.

    Cookies don't help, Safari doesn't help, adblockers don't help, if your concern is that Phorm and your ISP are still intercepting and processing and analysing and recording details of your private personal Internet traffic.

    The fact is that all that happens with Phorm if you use safari, or otherwise "opt out" using cookies, is that you don't see the targeted ads.

    But the targeted ads aren't the real issue anyway.

    The real issue is the unlawful interception and processing of personal private data, and the cookies don't figure in that part of the Phorm business model, customer data is intercepted and processed whether they are opted in or opted out. Your only reliable "opt out" is to opt for an ISP that doesn't do deals with Phorm.

    Please, if you hear anyone else spouting rubbish about cookie-blocking or ad-blocking being of any use in stopping Phorm processing your personal data, put them right.

    Here are the relevant comments from that article (with their author's permission, and including their link back to El Reg :) ):

    The cookies might disable the delivery of the adverts (there are other ways of doing that too) but users' traffic is still passing through (and being processed by) the Phorm-managed kit installed on the ISP's core network, which really ought to be a much greater concern (not that there's ever been any guarantee of privacy on the Internet, but there are *laws* about what can and can't legally be intercepted).

    Let's look at a postal analogy, which perhaps may help.

    The Royal Mail signs a deal with a 3rd party to deliver extra-targeted adverts to RM customers. The 3rd party has a machine in the sorting office which gets to open everybody's mail, and reads it, unless it's encrypted. The machine records details of the content of the mail, and uses that record to add "carefully selected targeted direct mail" when the postman delivers your post (targeted direct mail = your web adverts). The advertisers whose extra-carefully-targeted ads are being delivered get to pay for the service, obviously (these people initially included The Guardian, remember?).

    The mail targeting service isn't described as such to the end user customer, it is described as an "enhanced privacy service", which the end user can opt out of, but by default you are opted in.

    If you do choose to "opt out", your mail still passes through the subcontractor's mail-opener-reader, and mail content details are still recorded. The only difference opting out makes is that you get a post-it note attached to your letterbox that says "standard junk-mail only" (post-it note = cookie) so you don't get the personally profiled adverts, just the default ones.

    Taking the analogy a tiny bit further, the Royal Mail's Chief Technology Officer would have been involved in the running of an illegal mail-interception trial whose existence was repeatedly denied at the time, and after the trial the RM CTO leaves to go and be CTO at the company doing the interception. Some two years later the truth begins to emerge...


  32. Bobby

    He's a good man.

    Thursday 10 April 2008

    Dear Paul Goodman,

    I have read the revised ICO report on the ‘public versus Phorm invasive technology’ argument and I am satisfied that the ICO have done a good job in clarifying the ‘opt in’ option as being the only legal way to move forward with this advert system however I have to express my concerns regarding the planned trials of this system.

    I think anyone would agree that such a system could be open to abuse so surely some rules should be applied in the early stages. The real danger is that Phorm/Bt may rig the trials in favour of themselves by showing you limited interceptions and minimum adverts. These actions will possibly make the system look like a good option to all concerned but will this be consistent in the long term? My real fear is they will step up the intrusions as the system progresses and our browsers may be turned into bulging shopping trolleys forced on to us at our cost. I say if Bt/Phorm cannot guarantee consistency of the trial model through to the full working model then it must be prohibited.

    I have to add that I am truly disgusted by the sheer amount of secrecy involved in this Bt/Phorm venture and I cannot condone the huge level of anger and disrespect aimed at our government by all parties in the dispute. The net result of this only serves to frighten people off using the internet therefore I would suggest the government play a more direct role in assuring they are acting in a more protective mode on behalf of all honest internet users.

    Yours sincerely,

  33. kain preacher

    Damn you brits

    Keep Phorm on your own shores

  34. George Johnson

    Where will it end?

    I have Moblock and Peerguardian on all my boxes, I have Adblock plus and FlashBlocker on all my Firefox installs! I have spyware blockers on the Windows boxes. Now the ad blockers are too good for the bastards, they just won't leave me alone, they now want to collect the info direct from my "streams" as I surf. Occasionally I consider jacking my Internet connection in at home, if it wasn't for the need to catch up on the Reg and a connection to do my on call support for my work place. Perhaps a change of career might be in order, forest warden in the Outer Hebrides sounds awfully inviting right now?

  35. John

    Pay by the MB?

    I wonder why an ISP hasn't come about that bills like other service companies do, based on usage. My electric and water bills vary every month depending upon how much I run the lights and shower.

    Selling off users' privacy to make up for a shoddy business model is unacceptable.



  36. Anonymous Coward
    Anonymous Coward

    re: SSL Search engines

    Scroogle scraper -

  37. Anonymous Coward
    Jobs Halo

    By all means get a mac but...

    ... although Safari lets you block pop-ups, restrict the source of cookies, and with Safariblock block the display of all ads, you can achieve exactly the same on a PC using Firefox with Adblock. And of course you can always run the (free) Windows version of Safari on a PC - download from

  38. Christopher

    Knew this was the way it was

    Heck I had just set up a new account with Sprembarq and not 20 minutes after I got off the phone and the account was fully activated in their system I was getting spam. Not just any spam either, but spam that used my full name. I was livid to be sure.

  39. PM
    Gates Halo

    Poor old website owners.

    Why pay website owners who only get a fraction of the *eyes*, when you can pay these ad companies who get (virtually) all of the *eyes*. This is going to put a lot of websites that rely on adverts out of business.

    P.S. If the ISPs and ad companies are allowed to do this, why not ole' Bill. His browser really does get all of the eye. "IE 9, now with targeted and tracked browsing."

  40. Anonymous Coward

    legal question..

    Here's a question...If someone opted in on one of these companies looks at my website and is fed an overlayed advertisement over my page, am I entitled to charge Phorm/whoever for that advertising over my page? In fact, if they overlay their advertising over one that I have put on the website, thus reducing the chance of a click payment, can I send an invoice to Phorm asking for payment to advertise on my site?

  41. Anonymous Coward
    Anonymous Coward

    RE: SSL Search engines, avoiding ads and privacy

    @ Anonymous Coward Thursday 10th April 2008 12:45 GMT


    Scroogle Scraper (SSL)

    for direct searches, or use the instructions for customising the built in search boxes of various browsers on its home page here:


    The easiest way to avoid wasting bandwidth on irritating ads is to modify the hosts file. This handy little utility (for Windows) will do it all for you and its blacklists are customisable and updated regularly:

    HostsMan from

    I haven't seen an ad in years through a combination of this and other anti-malware programs.

    Now I have a question for all of you in the know out there. Is there an encryption tunnel out there for bypassing ISPs subject to the EU's police state Data Retention Directive such as that provided by a popular Swedish website, but that accepts payment through direct cash transfer rather than paying by credit card, which defeats the object of the exercise (and PayPal need some kind of ID also)?

  42. Paul Stimpson
    Thumb Up


    There are still good ISPs out there who will provide a premium service with no traffic management for a fair price rather than cutting the monthly price so low they have to resort to things like throttling and Phorm to stay in business. I'm with IDNet and I'm happy. I pay a bit more a month than I did with my old ISP but I get what I pay for.

  43. Anonymous Coward

    The *real* privacy invasion: Hitwise

    They buy your clickstream from most US, UK, and Australian ISPs already. The ISPs, apparently, *do* include information about your address. As a bonus, Hitwise is now owned by Experian, the credit reporting company. This means they can connect your online browsing activity with your offline financial activity. As best I can tell Hitwise's techniques are not obviously documented on the web; even their Wikipedia page is bland corporate stuff.

    Firstly, I'd like to ask The Register's crack team to do a full investigation of Hitwise, so we can start seeing what's really going on here.

    Secondly, I'd like to say that there IS something you can do... TOR is a technology which allows your requests to be routed through other computers, and other requests to be routed through yours. Unfortunately, it's pretty slow right now... they need more relay nodes!

    Posting anonymously because I work for a company that provides online advertising services...

  44. Ineedmoreice

    Back to BBS?

    To heck with it. I'll be heading back to "old" days now . . .

    Too bad all this advert driven junk has taken over.

    Mine is the one with the "take this net and shove it" membership card in the pocket.

  45. RW

    The Emperor Has No Clothes

    Leaning back and meditating on the why, I realized there's a Big Lie behind all this. To wit, that all this snooping on web browsing habits and nosing around, contrary to marketers' claims, doesn't do a damned thing to increase sales of ANYTHING.

    To claim that targeted advertising online makes a difference is just a ploy by the marketers to suck more money out of the pockets of advertisers and thereby keep themselves in a job.

    Disbelief? Did I just hear a snort of disbelief from one of the El Reg readers? Well just stop and consider: how many times have you bought something because of online advertising? About the only exception I can think of is Amazon's (and other sites') "other customers who bought this also bought X, Y, and Z" suggestions.

    So in the end we have yet another confirmation that marketers are professional liars. Not only do they lie in the advertisements they create, they lie to their own customers about the efficacy of advertising.

    Liars! Do your mothers know what you do for a living?

  46. Lou Gosselin

    This has gone too far.

    As a professional, I had absolutely no idea that any traffic monitoring was occurring in the US. 10% is a staggering number if true. I really am not sure if my own data has been sold now. Is there a list of these ISPs somewhere?

    I know very well that the "there is no privacy issue" arguments being pushed are total nonsense. That is what makes this infuriating. Both the user, and don't forget the web site owners too, do have a reasonable expectation that the data between the browser and the web site is not being routinely sold to 3rd parties.

    This is very analogous to AT&T monitoring our telephone calls and saying "don't worry we've removed identifying information".

    Whether or not they claim it is personally identifiable is irrelevant.

    1. It isn't always possible to remove identifying information. Even hashed data can point a finger. If they can disprove it was anyone else, it was obviously you.

    2. My data is mine with or without identifying information. They claim the user is acknowledging their "services", I guess that's one thing. However I suspected many users are being duped into monitoring and are unaware.

    3. Web site owners have their own rights. The users themselves may not have the right to have this traffic monitored even if they approve. The monitoring and analyzing of copyrighted material directly leading to profit could breach US copyright law.

    To expand on point 3 - if the user downloads GPL content (for example), then any permutations to that code must be published. In analyzing traffic the ad agencies must build a database to analyze the content and choose ads. The information contained in this DB is directly derived from the copyrighted material (if the content were to change, so would the database). The DB may add knowledge, but it is still an extension of the original work even if its ultimate purpose has changed. Under the terms of the GPL, this information must be freely available thereby breaking the business model for selling the information.

    Some readers may find my argument far-fetched. I'd like to hear other opinions.

  47. Anonymous Coward

    I think everyone just needs to calm down

    Look, I'm a web developer and I've done some research into how these targeted systems work. Mostly they don't use cookies, they watch your data stream packet by packet at the ISP and only trigger on keywords. In 90% of the cases you can't block it. What you CAN do is firewall the ad company that is feeding the content to your ISP assuming you want to maintain a HUGE list of IPs.

    All these companies claim that the monitoring is session based so anything gathered is thrown away when you disconnect from the ISP (Hard to do on DSL or cable modem). Besides just look at Google, they keep records of EVERYTHING you search on for around 18 months anyway.

    I honestly don't care if the ads I already get are "tuned" so that they are related to what I am doing at the time, I ignore all the ads anyway so who cares if I get more bike ads after browsing motorbike sites. It's not going to make me see more than I already am, and maybe it might even be less. What will piss me off is if my wife gets ads for Hustler magazine after I was surfing for nudie pics (secretly of course). Of course they claim that they only track things that won't embarrass you.

    Besides, just go to any Internet cafe and you'll get the same thing, it's how they pay for the "free" access.

  48. James O'Brien

    Well this sucks

    Glad to see Verizon isn't on that list so far from what I have seen. Though knowing the size of this bandwagon that's bound to change. Might have to give up my life on the net if this does actually take hold since I don't need my parents using my computer and seeing the sheep* :-P

    *baaaaaaaaahhhhd joke but you get the idea

    /mine's the one with the white wool collar

  49. James Hunter


    After reading so many Phorm stories I finally decided to mention Hitwise, only to discover that someone in this thread has done the same - spooky timing :-)

    I would like el Reg to start looking at companies like this as well as Phorm - I can't really see much difference between them - other than Phorm is looking to put hardware in the ISP and Hitwise just buys the data.

    The company I used to work for used Hitwise, although I was never privy to the info; I do know that it was VERY revealing about people's browsing. And, as stated above, it is tied into Experian, so they can do profiling geographically, demographically and probably some other -ically's too.

    Perhaps you could highlight this sort of thing as well as Phorm so we can browse without our data being looked at or sold

  50. Kevin McMurtrie Silver badge

    No such thing as a one-way hash of IP address

    An IP address has fewer than 4 billion possible combinations. Taking regional data into account, you're probably left with a few hundred thousand combinations at best. It would only take a moment to generate a reverse lookup table. Collisions are highly unlikely. Claiming one-way hashing is a complete lie.

    I would sue my ISP if they were intercepting and sharing my data.
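
Added example, not part of the original comment thread: the enumeration argument in comment 50, worked through in Python. The 10.20.0.0/16 block, the use of SHA-256 and all function names are assumptions chosen for illustration; the sample addresses are constructed.

```python
"""Why hashing an IPv4 address does not anonymise it (constructed example)."""
import hashlib
import ipaddress
from typing import Dict, Optional

# Assumption: one regional allocation stands in for "taking regional data into
# account". 10.20.0.0/16 is a private block used here as constructed sample data.
REGIONAL_BLOCK = "10.20.0.0/16"


def pseudonymise(ip: str, salt: bytes = b"") -> str:
    """Hypothetical 'one-way' identifier: SHA-256 over an optional salt + IP."""
    return hashlib.sha256(salt + ip.encode("ascii")).hexdigest()


def build_reverse_table(cidr: str, salt: bytes = b"") -> Dict[str, str]:
    """Hash every address in the block once and index the results by digest.

    The input space is small enough to enumerate completely, so the digest
    works as a lookup key, not as a secret.
    """
    network = ipaddress.ip_network(cidr)
    return {pseudonymise(str(addr), salt): str(addr) for addr in network}


def collisions(cidr: str, table: Dict[str, str]) -> int:
    """Number of addresses in the block that share a digest with another one."""
    return ipaddress.ip_network(cidr).num_addresses - len(table)


def recover(token: str, table: Dict[str, str]) -> Optional[str]:
    """Map a 'pseudonymous' token back to its address, if it is in the block."""
    return table.get(token)


if __name__ == "__main__":
    table = build_reverse_table(REGIONAL_BLOCK)
    token = pseudonymise("10.20.137.42")  # constructed subscriber address
    print("entries in table :", len(table))
    print("collisions       :", collisions(REGIONAL_BLOCK, table))
    print("token            :", token[:16], "...")
    print("recovered address:", recover(token, table))

    # A salt that is stored with the data set (and so known to whoever holds
    # it) only changes which table has to be built, not whether it can be.
    salted = build_reverse_table("10.20.0.0/24", salt=b"known-salt")
    print("salted recovery  :",
          recover(pseudonymise("10.20.0.7", b"known-salt"), salted))
```

When reviewing an "anonymised" data set, the useful question is how large the identifier's input space is and who holds any key or salt, not which hash function was used.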

  51. Anonymous Coward

    It's time for the encrypted Internet

    Once upon a time https was so resource intensive that most people didn't have enough processor power / ram / bandwidth to use it as a norm. Surely those days are over now. It's the best answer to deep packet inspection that we have at the moment.

  52. Alex

    use what you like

    "we can see the entire internet"

    whatever you request from the web hits their profiler, the only way out is via the MAC code to another more ethical ISP.

  53. Anonymous Coward

    Encryption is the only answer long term

    So when is El Reg going to provide an encrypted (https) connection?

  54. Andy
    Dead Vulture


    I've just realised I haven't seen an unwanted advert on the internet for about a year.


    Mmmm, savoury

  55. Bryce Prewitt

    This about sums up my feelings.

  56. Anonymous Coward

    I think this is a job for:

    The ACLU...

  57. phormwatch

    Phorm is holding a 'Town Hall' meeting

    Phorm Town Hall event April 15, Central London

    April 10th, 2008

    We’re pleased to announce our Town Hall event on Tuesday 15th April 6.30pm — 8.30 pm in central London (details below). This is an opportunity for anyone who’s interested, critical or just curious, to come and ask questions about our technology, privacy and policies.

    The Town Hall is an open event and all are welcome.

    The event is organised by privacy consultancy 80/20 Thinking and is being conducted as part of our commitment to openness and transparency and will form part of our Privacy Impact Assessment.

    Further details are below and can also be found on the 80/20 Thinking and Open Rights Group Site. Similar information has been posted on the Foundation for Information Policy Research (FIPR) and ukcrypto boards.

  58. heystoopid


    Well with the US Federal Government setting the pace to spy on all US citizens irrespective of affiliations, you must expect the Madison Avenue suits to follow suit just as quickly in ignoring all privacy laws just like the government in a market that is both simultaneously imploding and dying at the same time caused by over consumption of everything, borrowing against the future to stave off the demons of today! Add to that eclectic mix, hyper stagflation running out of control as the almighty greenback just becomes a worthless piece of paper like that which happened to another post WW2 ex major colonial country nearly a half a century ago until they found nirvana in the North Sea!

    Ah history continually stuck in the very same circular groove, as the participants repeat the same mistakes in the same way indefinitely, how sad is that!

  59. Michael Friesen

    IPv6 -- Correct me if I'm wrong, but...

    ...with IPv6, every computer becomes personally identifiable through its IP address. On the bright side, the Phormists will no longer be able to claim that they are respecting any kind of privacy. On the downside...

    Well, it's pretty much ALL downside, isn't it? Nothing is confidential when every IP address resolves to a single individual.

    We have seen the golden age of the internet, and it has passed. It was double-plus good. May as well have a barcode shoved up your arse at birth.

  60. Dom

    I'm Happy!

    Although I am worried about Phorm, and its implications for many broadband users, my own ISP (Fast Internet) has released this statement:

    There has been a lot of concern about the "Phorm" service that a number of Internet Service Providers (ISPs) are adopting. We can confirm that we are not one of the ISPs who have had any discussion with, or entered into a contract with Phorm, or any similar company, who use browsing history data to provide targeted advertising. We strongly respect the privacy of our customers, and will never share any customer data.

    At least some ISPs are getting the message!

    If you want to avoid Phorm (and your ISP is using Phorm), show your displeasure by getting your MAC code and taking your highly taxed money elsewhere. Let's Phuck Phorm (like they are trying to Phuck us) and hit them where it hurts - in their bank balance! If customers start abandoning ISPs that use Phorm, then they are going to drop Phorm like a hot potato. What ISP would want to lose all their customers?


    And well done to Fast for standing up for its customers' privacy. You have kept me as a customer!

  61. Anonymous Coward

    @AC: "I think everybody needs to calm down"

    Bull S-H-I-T! Your suggested use of firewalling is essentially the same as requiring the ISP to put their phone on mute, while they tape your conversation with another party, if you'll pardon my telephone analogy. In this context, the only way to truly safeguard your privacy is to firewall your ISP, which would play hell on any attempts to retrieve email or get new porn... But seriously, this "deep inspection" crap is akin to having all of your HTTP traffic analyzed by a nonstop wireshark capture. And even though you're not directly receiving ads (only a matter of time before they figure a way around your safeguards), they still ARE capturing your browsing patterns...

  62. Aubry Thonon

    I have to agree with at least one of those interviewed

    "This is a free service, so if you don't want targeted advertising, you just say no to the free access."

    While I despise *paid* ISPs who try to increase their revenue on the back of their *paying* subscriber, I have to agree with the above statement (assuming the notice *is* easy to find, as stated in the report).

    TANSTAAFL people.

  63. Paul Martell-Mead

    Royal Mail analogy good, but....

    The Royal Mail analogy posted above is good, but needs modifying. This is my take:

    The Royal Mail signs a deal with a 3rd party, run by an individual with a track record in privacy invasion, to introduce a system (we'll call it "Postwise") which will supposedly stop malicious chain letters being sent to you.

    To do this the 3rd party installs a machine in the sorting office that opens everyone's mail and photocopies every single letter and envelope. To make it anonymous, your name is erased from the envelope (but your address is still on it of course).

    These photocopies are sent to a data processing centre, located abroad, where they are read. The people reading your mail promise to ignore any confidential information, bank details, personal information, that they might just happen to see when reading your emails. They do however compile a profile, linked to your address, of everything you like or dislike based on having read all your personal and business correspondence that week.

    If any of the letters are malicious chain letters the 3rd party notifies the Royal Mail who stamp the word "Chain Letter" on the envelope.

    The 3rd party also cuts a deal with magazine publishers to cut out the normal, generic adverts in magazines and replace them with adverts targeted to you, based on all the information they have gathered on your address over the last week.

    Even if you ask for no Postwise, all your letters are still opened and photocopied.

    If you want to opt out you need to stick a post-it note on your letterbox saying "No Postwise Please". When the postman delivers your mail, if he sees your post-it note he crosses out any "Chain Letter" markings with a felt tip pen and delivers the original copy of PCPro rather than the customised copy full of adverts on viagra they'd prepared for you (well, you did write to your friend about your erectile dysfunction problem this week). If the post-it note has fallen off, or he can't read your handwriting, then you get the targeted magazine.

    Taking the analogy a tiny bit further, the Royal Mail's Chief Technology Officer would have been involved in the running of an illegal mail-interception trial whose existence was repeatedly denied at the time, and after the trial the RM CTO leaves to go and be CTO at the company doing the interception. Some two years later the truth begins to emerge...

  64. DanO

    Safari is the answer

    Because their complete business model blows up if nobody sees the ads -- that is, if the ads are always blocked. Who will pay them for that?

  65. Anonymous Coward

    @AC: I think everyone just needs to calm down

    "When it comes right down to it there's really no difference between this and what you get at any internet cafe for free access."

    There is a difference as you just pointed out in the above statement...

    If it's free like Internet cafes then yes you put up with adverts BUT we PAY for our broadband access so WHY should we put up with it?

  66. Anonymous Coward
    Thumb Down


    Sorry mate, but 80/20 Thinking's reputation has gone south like Phorm's share price since they sold their soul to Kent et al.

    Why would anyone want to take part in this "Town Hall Event"? So they can be quoted out of context in Phorm's next spin campaign perhaps?

    No thanks.

  67. Tony

    @Safari is the answer

    'Because their complete business model blows up if nobody sees the ads -- that is, if the ads are always blocked. Who will pay them for that?'

    Things wrong with that statement:

    1) Safari is shit. Even most Mac owners agree. What's more, as it now tries to install itself without being asked, it may even qualify as 'malware'. Do yourself a favour and install Firefox + adblocker.

    2) I would personally rather that companies were not allowed to intercept and sell my browsing habits at all, rather than rely on every single internet user in the UK installing an ad-blocker to their browser to 'starve them out' thanks.

  68. DanO


    I like ads. I don't want to block them, only those from Phorm.

  69. Anonymous Coward


    Most people seem to have misunderstood what Phorm et al will actually do.

    @ Vishal: Phorm will not, AFAIK, overlay anything onto your site if your site is not signed up to their advertisers network - it only overlays/replaces adverts on sites that are signed up to its advertiser network ie:, bt's home page etc.

    This is a fairly fundamental point and an understanding of this would go a long way to calming the discussion down to a more rational level.

    The system is anonymous, there is no way that anything can be traced to an individual at all (ISPs are not as clever as most people think - I know, I've worked for major ISPs for over 7 yrs in an architectural role) there are only about 10 categories and they're pretty generic, all the system can do is see references to things like mobile phones, mortgages, holidays, cars etc and change the ads you'd have seen on the specific sites signed up to Phorm's ad network, you won't see any extra ads and you won't see any changes at all for sites not in their ad network. There is no category for things like adult/gambling sites so all you pig fucking fanatics are safe.

    Having said all of that, I still don't like it and will not accept being part of it but I do wish people would know what they're protesting about before they start ranting.

  70. Gabor Laszlo
    Black Helicopters

    Anonymous Encrypted Net Access

    Since my last employer was using a 'filtering proxy', I started using JAP (Java Anon Proxy, aka JonDonym -, a little Java program that acts as an encrypting proxy on your machine (basic service is free, high speed ultra secure access costs very little - the biggest subscription is 50€ for 10GB traffic). Your secure traffic is passed through a 'Mix Cascade' that effectively anonymizes it before it hits your destination website. Your ISP/govt. only sees an encrypted data stream to the first mix server, the site sees the traffic as coming from the last mix server, and if you use a hosts file, Firefox with AdBlock, NoScript and maybe FoxyProxy, and toss your cookies regularly you can start feeling safe on the net and never see an ad again. I also keep my Firefox profile on an encrypted flash drive, thus adding plausible deniability and some protection against identity theft by laptop theft.

  71. Anonymous Coward

    Switching browsers is NOT the answer

    Switching your browser will do nothing. Previous posts and the main article refer to "deep packet inspection". That means that there is a magnifying glass on your Ethernet cable, it's watching every packet that goes by looking for keywords. The dragon sleeps until it gets a whack on the nose, then it bites, maybe it's a love bite or maybe it's your arm gone. The point is that don't think you can stop it by changing browsers any more than you can stop the FBI from tapping the cell phone network by changing your phone. We live in a fishbowl, cameras on every street corner, in every store, some people embrace this, some are horrified by it, most just ignore it. Which one will you be? For now I haven't decided.

  72. Jay


    "If it's free like Internet cafes then yes you put up with adverts BUT we PAY for our broadband access so WHY should we put up with it?"

    So if you got a "cash back" reward from your ISP for allowing the ads would that change your mind? Perhaps a discount on your account if you choose to allow the ads?

    If the CEOs of the ISPs and ad companies are reading this, have you considered this option? Let's say an ad pays 3 cents for each display, then give the user a 1/2 cent discount on his ISP bill per ad seen? I'd opt in for that, see enough ads and my Internet account might become free.....

  73. Alex

    @AC: "I think everybody needs to calm down"

    and other CONphormISTs.

    My Internet Service is not an Advertising Channel

    My Internet Service is not an Internet Cafe

    My Internet Service is not for Profiling

    My Internet Service is not your Product

    You have a history of unwanted Invasive & Untrustworthy Practices

    You have already carried out illegal leeching tests in clear breach of UK & EU Law

    You have already been caught trying to manipulate impartial factual resources to hide the facts

    You have overstepped the mark and got caught with your fingers in our pockets

    You want to sell my interests? to your potential advertisers? Phay up or Phuck off!

    I am not a cash cow for you to milk.

    I am not a target market.

    My web usage is not for sale.

  74. Alex

    European Human Rights

    No wonder people who are aware of this behavior are appalled, in Europe people actually have a right to be appalled... ...that right is:


    1. Everyone has the right to respect for his private and family life, his home and his correspondence.

    2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

    What's more RIPA codes of practice state that "resultant data acquired should be treated as product of the interception." so Mr Data 'anonymiser' it appears that your "product" still counts as interception no matter how many random numbers you allocate or 'untraceable' names you give to it!

    Furthermore within the UK, The Report of the Interception of Communications Commissioner for 2005-2006 states: "50. It is fundamental to the Constitution of this country that no-one is above the law or is seen to be above the law." (this makes quite interesting reading:

    I hope BT, Phorm and their Parasitic Friends all choke.

    Funny thing about friends and family, you can choose your friends (read ISPs & their Cronies) but you can't choose your family (read Government).

  75. Anonymous Coward

    Protect your website from interception

    Send this letter to the registered offices of ISPs. It should deprive the ISPs of any defence to civil and criminal liability for interception of your web traffic:

    "We hereby serve notice that in accordance with sections 1 and 2 of RIPA, that we send and receive electronic communications (website traffic) on our following websites:


    and that

    - we do not consent, either as sender or recipient, to any interception of any of our website traffic for any purpose whatsoever

    - the fact that our website has been made available for download subject to its terms and conditions of use may not be construed as consent to any interception of our website traffic

    - in particular, we do not consent to any interception, either as sender or receiver, of our website traffic, even if the interception were for the purposes of ascertaining whether or not we consented to such interception."

  76. Anonymous Coward

    @The underlying problem ...

    The difference between what you say and Phorm, is that Phorm is also scanning all the other rival supermarket loyalty cards at the same time and also all your private online purchases as well from any other source. Plus they will commit illegal acts whilst doing so!

    Also Phorm are a spyware company that have moved their spyware from PCs into the telephone exchange.

  77. Julian


    But they've still harvested all your internet activity/interests

  78. Julian
    Thumb Down

    @Jason Bloomberg

    I don't use Store Cards/Loyalty Cards because I don't want to share my shopping habit and get even more unwanted junk mail. Also, I value privacy and find those seeking to invade it offensive in the extreme.

    But I think most people are missing the point. This invasive, intrusive, and ultimately controlling, system is just the start of what's to come - the thin end of the wedge.

    Think about it.

  79. Anonymous Coward

    @Aubry Thonon

    Are you really that @#$%@#^$^@$@% ?


