Thursday, 24 April 2008

Phorm Webwise diagram

A diagram showing how Phorm's system creates copies of its tracking cookie in each domain the brower fetches, based on the analysis published by Richard Clayton The Phorm Webwise System

Phorm's system will intercept requests that don't contain their "webwise" tracking cookie and send them through a series of redirects to access and transfer the unique identity number they allocate to you from your master cookie to a tracking cookie they'll create for each site you visit.

This cookie will expire after three days, until then your browser will send this cookie with future requests for the site and their system will strip the cookie from each request and use it to identify your profile as it analyses your http traffic - including the search parameters you enter into major search engines, and the content of the pages you view.

Dr Richard Clayton has updated his paper on Phorm webwise, after Phorm managed to recall more of the detail of their system twisty-little-passages-all-alike.

It now seem that an additonal redirect will occur if a cookie isn't present to determine if the user is blocking cookies, in which case the user's IP address will be blacklisted for 30 minutes to avoid infinite loops.

It seems logical to me that they would use a similar approach to determine if the user is blocking cookies for the actual site he is visiting, either by setting a test cookie with the first redirect if no cookies are present in the initial request, or by using an additional redirect.

A poster on Badphorm has pointed out that because phorm's system redirects the browser to a third party domain (, the cookie is in fact a third party cookie.

As reported in that thread Opera will correctly (according to rfc2965) block (neither send not accept) all cookies after a redirect to a third party domain occurs if the "accept only cookies from the site I visit" option has been enabled by the user. It will continue to block cookies until a user action occurs where the user can verify the domain requested -such as clicking on a link on the page (even if subsequently redirected back to the original URL).

This will also result in the genuine website not being sent its cookies after a Phorm redirect, which will cause problems for users of Opera that block third party cookies.

No comments: