Behavioral targeting, which refers to the tracking of your online activities to provide you with more targeted advertising, is creating a stir in the online shopping world, with a study this year by AudioScience revealing that online shoppers are becoming more receptive to this form of advertising. Whilst this may be good news for advertisers in general, it’s forcing regulators and privacy advocates to consider restricting the practice in order to protect consumers’ privacy.

Whilst behavioral targeting has been creating a buzz over the last year, the practice itself is nothing new. Most likely your bank has been using it for years. What is new, however, is that average websites and ISPs are starting to use it, which in turn is causing more people to take notice of it.

Unless you use an ISP that blatantly makes use of behavioral targeting, you probably don’t think that you’re being targeted and tracked on sites you don’t have an existing relationship with. For the most part, you’re right. While it’s true that nearly every movement you make on the Web is tracked and recorded somewhere -- you’ve probably left gigs of log files and personally identifying data lying all over the place -- no one is keeping track of all of it and doing anything with it.

However, marketers would love to know more about your online behavior, and plenty of companies have started putting together and analyzing the data they collect in order to do behavioral targeting.

Last year, there was a lot of media coverage on behavioral targeting. One of the stories centered on a company called Phorm, which partners with ISPs to track people’s Web browsing and feed them customized ads. Phorm's software is installed at the ISP level, which theoretically gives it the unique ability to monitor and analyze all of the Internet activities of that ISP’s users. No wonder, then, that this has some privacy advocates concerned.

Phorm stresses that it has a strict privacy policy in place and that it doesn’t store any identifying information, passwords, numbers over three digits in length (to avoid storing credit card numbers), or secure transactions. In fact, the company has said that its privacy policies have been audited by Ernst and Young and another auditing firm, and found to be truthful.

Serious questions have been raised, however, about how it’s possible to tie behavior to an individual browser without being able to identify the browser. As a result, there is currently an effort in the U.K. and the European Commission to attempt to have the government investigate Phorm or ban its adoption by ISPs.

Richard Clayton, a Cambridge University security researcher, attended an on-the-record meeting with Phorm, and published his account of how their advertising system is implemented:

Phorm's system, like many websites, uses HTTP cookies (small pieces of text) to store user settings. The company said that an initial web request is redirected three times within their system, so that they can inspect cookies to determine if the user has opted out. The system then sets a unique Phorm tracking identifier (UID) for the user (or collects it if it already exists), and adds a cookie that is forged to appear to come from the requested website.

In an analysis titled "Stealing Phorm Cookies", Clayton wrote that Phorm's system stores a tracking cookie for each website visited on the user's PC, and that each contains an identical copy of the user's UID. Where possible, Phorm's system strips its tracking cookies from HTTP requests before they are forwarded across the internet to a website's server, but it cannot prevent the UID from being sent to websites using HTTPS. This allows websites to associate the UID with any details the website collects about the visitor.
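The pattern Clayton describes, one identical identifier stored under many unrelated sites, can be checked for in a browser's cookie store. The following is an added example, not code from Clayton's analysis or from Phorm; the cookie name `trk_uid`, the domains and all values are constructed for illustration.

```python
from collections import defaultdict

# Constructed cookie-jar export: (domain, name, value). Not real Phorm data;
# the cookie name "trk_uid" and all values are made up for illustration.
SAMPLE_JAR = [
    ("shop.example", "session", "a81f3c9e77d2"),
    ("shop.example", "trk_uid", "Zq7Lk2Xw9PmT4bVc"),
    ("news.example", "trk_uid", "Zq7Lk2Xw9PmT4bVc"),
    ("news.example", "consent", "yes"),
    ("bank.example", "trk_uid", "Zq7Lk2Xw9PmT4bVc"),
    ("bank.example", "lang", "en"),
    ("forum.example", "lang", "en"),
    ("forum.example", "consent", "yes"),
]


def site_of(domain):
    """Crude site key: last two labels. A real audit would use the Public Suffix List."""
    return ".".join(domain.lstrip(".").lower().split(".")[-2:])


def shared_identifiers(jar, min_sites=3, min_len=12):
    """Return {value: sorted sites} for long values stored under >= min_sites sites.

    Short values ("yes", "en") repeat across sites for harmless reasons, so
    only values long enough to act as a unique ID are considered.
    """
    sites_by_value = defaultdict(set)
    for domain, _name, value in jar:
        if len(value) >= min_len:
            sites_by_value[value].add(site_of(domain))
    return {
        value: sorted(sites)
        for value, sites in sites_by_value.items()
        if len(sites) >= min_sites
    }


if __name__ == "__main__":
    for value, sites in shared_identifiers(SAMPLE_JAR).items():
        print(f"value {value!r} is present under {len(sites)} sites: {', '.join(sites)}")
```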

Phorm senior vice president of Technology Marc Burgess has said that the collected information also includes a timestamp. Burgess said, "This is enough information to accurately target an ad in [the] future, but cannot be used to find out a) who you are, or b) where you have browsed."

Whatever the case, Phorm stirred up a lot of controversy and highlighted deep concerns with regard to individual privacy and property rights in data.

Most security firms, for example, classify Phorm’s targeting cookies as adware. Kaspersky Lab, whose anti-virus engine is licensed to many other security vendors, said it would detect the cookie as adware. Trend Micro has also said there was a "very high chance" that it would add detection for the tracking cookies as adware.

Security experts also wonder whether Phorm technology will increase the number of denial-of-service (DoS) attacks, since Phorm requests can be bounced back three or more times when Phorm serves targeted ads to users. It also poses the problem of malware. What if malicious code somehow attaches to a Phorm cookie request and is spread throughout the network?

Most highly publicized of all is critics’ fear that Phorm’s technology will be “invasive,” as echoed in a Privacy International report that said, “The fact of having one's Web activity analyzed will, in the minds of some, be an intrusive act, regardless of legal analysis.”

Interestingly, the creator of the World Wide Web, Sir Tim Berners-Lee, also joined the fray and criticized the idea of tracking his browsing history, saying, "It's mine - you can't have it. If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return." He also said that he would change his ISP if they introduced the Phorm system. As Director of the World Wide Web Consortium, Berners-Lee also published a set of personal design notes titled "No Snooping", in which he explains his views on commercial use of packet inspection and references Phorm.

Concerns have also been raised about the financial impact Phorm's system could have on businesses such as online shops: since Phorm uses the content viewed by visitors to build their profiles, competing stores can target advertisements at them based on products they have seen, and divert sales from shops the users previously visited.

There have already been reactions on several fronts in the online world. In April 2009, announced that it would not allow Phorm to scan any of its domains. The Wikimedia Foundation has also requested an opt-out from scans, and took the necessary steps to block all Wikimedia and Wikipedia domains from being processed by the Phorm system on the 16th of the same month. In addition, the three ISPs linked to Phorm have all changed or clarified their plans since first signing on with the company.

Phorm has maintained throughout the privacy controversy it dredged up that its technology does not store personal data or IP addresses and that anyone can opt out as easily as they opt in. The company also says that it is simply an enabler and that it ultimately will be ISPs that determine how the technology is used by their customers.

Whatever else, the controversy stirred up by Phorm on behavioral targeting is not going to disappear anytime soon. While Simon Davies, Founder of Privacy International, has expressed satisfaction with Phorm’s privacy precautions, he notes that many search engines can retain detailed logs of their users' queries for years, pointing out that “Google and other companies have deployed technologies far worse than anything Phorm could have ever dreamt up.”

What all this points to is that governments need to take a strong hand in investigating behavioral targeting, and it looks like they eventually will.

While organized and publicized behavioral targeting efforts generally must at least provide an opt-out option and detailed rules about how they store and use your data, more casual and ad hoc efforts often lack even the most basic safeguards against accidental release of personal information. This, some might say, is a much bigger threat to our privacy than highly personalized advertising.

By Shanti Anne Morais