Any company hoping to launch targeted advertising services should be watching the fate of UK start-up Phorm with great interest. In particular, they should take note of what this says about the public’s double standards on privacy.
Phorm is trying to build a new ad platform, serving ads targeted around users’ internet habits and interests. It is hoping to make this acceptable to the general public with reassurances that no personally identifiable information is kept or stored as part of the process.
According to Phorm, the system will know it is serving an ad to a 30-35 year old male looking for a new car insurance deal. It will not know who you are, however. You are just a random number. It will not even keep your IP address.
Phorm has consulted with every possible stakeholder to assure people the system is privacy-friendly – like the UK Home Office and the UK Information Commissioner - and it has had its privacy system audited by Ernst & Young and 80/20 Thinking, a privacy consultancy. It is inviting anyone with an interest to do their own inspection.
But none of this has really helped with public perception. There has been a blogosphere furore, and Phorm has been branded a spyware company in the press. A UK think tank this week sent an open letter to the Information Commissioner’s office, asserting that Phorm was possibly illegal.
As was seen in Facebook’s Beacon experiment, people are strongly against the idea of targeted advertising. Given any choice in the matter, it seems, they will campaign hard against it.
The attitude is, however, inconsistent with our tolerance for all kinds of other, less overt data collection and targeting. Where people are not explicitly told about targeting they are generally too lazy to protest.
Every Google search is stored for 18 months, complete with IP address and cookie information from a personal computer. There is much more of a profile kept on Google’s servers than on Phorm, yet, even after the issue was raised a year and a half ago by European privacy regulators as a problem, users have not abandoned the search engine in droves. It appears to be too convenient to boycott.
Millions of us carry store loyalty cards that allow supermarkets to closely profile our shopping habits. This is linked to our name and address – but that doesn’t bother any more than a handful of people.
In fact, we hand over our personal information constantly to any number of companies, from signing end-user licensing agreements to use software, to filling in forms to extend warranties on our household goods.
The companies to which we give this data use it for their own targeting – and are notoriously bad at protecting it. Several recent studies have shown that only a minority of companies have adequate data safeguards. Many don’t even know what data they have in their files and couldn’t say if any of it had leaked or been hacked. Big data losses such as the TJX incident are just the tip of the iceberg.
This is not causing major uproar. However, if a company declares its intention to target us, albeit in as secure a way as possible, we feel outrage. Phorm is in danger of becoming a scapegoat for a general frustration about an information society we no longer feel in control of.
It is a shame, because the company was at least trying to move privacy technology forward to some extent. It may not have gone far enough, but it is a start. Stamping the business out before it has even started will not stop attempts to target advertising, but may simply drive it underground. The lesson from all this seems to be: if you want to target, just don’t tell anyone you are doing it. They probably won’t notice.