According to the New York Times, UK company Phorm has developed the long-feared ultimate ad-serving cookie.
The term “cookie” is a nickname for persistent client-side web browser data. Cookies solve one of the earliest problems of the commercial World Wide Web: storing user information in the web browser for multiple pages of the same web site. Wikipedia’s article is rich with details, and has a good reference list.
Most Web browsers allow users to erase their cookies, usually through a setting in the privacy or security settings. But users are lazy, so most browsers are left in their default, cookie-storing state. Some web sites recommend the defaults, so users do not have to reenter their credentials during their session.
Advertising revenue
Web advertising firms sell third-party cookies, which work on several different web sites. This helps advertisers track users, so that the ad firms can serve up appropriate advertisements to each users. Users can opt-out of these third-party cookies by finding an opt-out page that itself sets a cookie in their browser.
Google’s main source of revenue is advertising. So is Yahoo’s. In fact, many large web portals, blogs and magazines rely on their advertising revenue to survive. So anything that can provide more precise targeting of advertisements might improve revenue.
Phorm’s cookie technology relies on ISPs. Phorm installs hardware in ISP networks that helps Phorm track individual users at the web page level, no matter what site they access because Phorm’s cookies are linked to the third-party advertiser cookies.
For more details, read the articles at Open Rights Group and Richard Clayton’s blog. The Wikipedia article on Phorm has many more references.
Clayton’s security analysis of Phorm’s Webwise technology is also available as a PDF document, with even more technical details. Clayton doesn’t like the technology at all, for very good reasons:
Phorm assumes that their system “anonymises” and therefore cannot possibly do anyone any harm; they assume that their processing is generic and so it cannot be interception; they assume that their business processes gives them the right to impersonate trusted websites and add tracking cookies under an assumed name; and they assume that if only people understood all the technical details they’d be happy.