The PHORM problem

And what you can do about it

Background

Phorm is a UK company (or technology, it is a bit unclear what is what) that are planning to place content switches and server farms with ISPs in the UK, to inject ads into web pages. Yep, you read that right. Inject ads. Into web pages.

Dr. Richard Clayton has written a white-paper on the inner workings of Phorm (the information was gleaned from a workshop by the company).

Problems

I have a few problems with the workings of Phorm. To start with, I want to be in control of the ad-ness or not of the pages my web server serves. If there are any ads plastered on it, I want to get my cut.

One could, possibly, argue that it is similar to the way Opera used to have a free (ad-enabled) and a pay-for (ad-free) version of the browser, and in some ways it is, in that content is used to target ads without the prior consent of the content producer. However, there are a few differences that are obvious. One is that Opera carefully placed the ads well out of the way of the page, so there was never any confusion about the fact that it was an Opera-sourced ad. Another is that the Opera ad-serving was opt-in on the part of the user (and rather explicitly so, they actually had to go to some lengths to install the browser in the first place).

Secondly, Phorm is not opt-in, it is (at best) opt-out. I have been informed that the Phorm kit should only place ads in specially-prepared Phorm-tags, so worries about Phorm ad-infesting innocent sites MAY have been overblown. Just recently, BBC News reported that Phorm must be opt-in, rather than the opt-out they were hoping for. With any luck, this will make a Phorm roll-out so much more expensive that it's considered unprofitable (it's also a pure administration nightmare, especially if the opt-out is taken as being "do not pass through the Phorm kit" rather than the easier-to-implement "do not let the Phorm kit do active stuff to the traffic").

Thirdly, Phorm are forging cookies in the name of other sites. Normally, a third-party cookie is easy to spot; unfortunately, Phorm do it while claiming to be the site in question, so... They then filter the cookie they set away. It is rumoured that the cookie is named "web wise" and it may be that creative scribbling in that cookie may break the system enough that your customers will complain (to you) and you can then tell them that it's because of Phorm and they can complain to their ISP.

It is unclear if this only happens for pages that fall under "May have Phorm ads on them" or all pages. If it's specifically only for pages within domains that have paid to have Phorm ads, it may count as actually being asked for.

What can you do?

As a customer

As a DNS operator

You can (somewhat dodgily, I admit) convince your DNS server that it is authoritative for webwise.net and insert a wildcard IN A record for it, returning 127.0.0.1. This runs a high risk of making web browsing for anyone on a Phorm-infested ISP next to impossible.
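A zone file for the local override described above, as an added example that is not part of the original essay. It assumes a BIND-style server that loads it through a `zone "webwise.net"` stanza of type master; the `sinkhole.example` host names and the serial are constructed placeholders. A wildcard record does not match the zone apex, so the apex gets its own A record.

```dns
; Zone data for a locally authoritative webwise.net (added example).
; Only resolvers that ask this server see these answers.
$ORIGIN webwise.net.
$TTL 300                        ; short TTL so removing the override takes effect quickly

@   IN  SOA ns.sinkhole.example. hostmaster.sinkhole.example. (
            2008040101          ; serial (constructed value)
            3600                ; refresh
            900                 ; retry
            604800              ; expire
            300 )               ; negative-caching TTL

    IN  NS  ns.sinkhole.example.    ; placeholder name server (assumption)

; The apex itself is not covered by "*", so answer for it explicitly.
    IN  A   127.0.0.1

; Every other name under webwise.net resolves to the loopback address.
*   IN  A   127.0.0.1
```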

As a web server administrator

There isn't much you can do. Scribbling in a cookie named "web wise" within your domain may work for a little while, but you will probably take the brunt of complaints before they can be redirected to the ISP(s).

You can refuse to sign up with Phorm to display ads on your pages. You can refuse to let Phorm display ads on your behalf.

Thanks

Thanks to IF for corrections.

This is one of Ingvar's essays
