I thought I'd have a quick look at one of Phorm's rivals, Nebuad.
Apparently much like Phorm, Nebuad uses a cookie based opt-out. Opting out or back-in is achieved by requesting a URL, in response to which Nebuad's server sends your browser its opt-out, or opt-in cookies...
Surprisingly, the opt-in /opt-out pages are indexed by google: http://www.google.co.uk/search?num=100&hl=en&q=site%3Anebuad.com+optin&meta=.
The above search no longer works try http://www.google.co.uk/search?num=100&hl=en&q=site%3Anebuad.com+optout+OR+optin_done&btnG=Search&meta=.
Also cookie "h" is no longer set.
WARNING: if your ISP uses Nebuad and you've already opted-out, then opening the second search result shown in google (www.nebuad.com/privacy/optin_done.php) will almost certainly opt you back in.
WARNING: I've just noticed that Firefox has a page pre-fetch feature which might result in the opt-in page being accessed and the cookie changed just by clicking on the google search above (depends on which link appears first I think)- if you click on the link above, please make sure you opt-out afterwards.
Nebuad's opt-in/opt page can be found here:- www.nebuad.com/company/optout.php
Opting in creates 2 sets of 5 cookies, "o","u","c","h","w", one set in "a.faireagle.com", and the other in the "b.faireagle.com" subdomain. Opting out sets "o"="9" and deletes the other cookies.
o = 0 appears to indicate opted in.
o = 9 indicates opted out.
My guess is "o" might be a set of binary flags eg
bit #0 = 1 - don't track
bit #3 = 1 - don't show targetted adverts.
'c' is the name of an adserver.
'h' and 'u' are set to matching 14 digit numbers.
'w' is another 14 digit number, which appears to count upwards (could be a date and time perhaps?).
Different sets of numbers are generated for the a and b subdomains.
And for the opt-out page.
There does not appear to be any measures in place to prevent an "evil" website from opting you back-in using the same method - try clicking on Google's cached optin_done link and check for faireagle.com cookies.