Phorm Cookie and Flash LSO Technical Analysis.

(last updated 23 October 2011)

Phorm uses a number of cookies and Flash 'LSOs' to manage a subscriber's identity and state.

The cookie specifications have not been published; what follows is data gathered by analysis of the known Phorm web sites.

2011 Brazilian/Romanian Cookies

I'm grateful to people who have provided me with information about the Brazilian cookies. I understand the Romanian cookies are similar (but cannot confirm at the time of writing).

The Brazilian system currently being trialled comprises both ordinary HTTP cookies and Flash Local Shared Objects (LSOs, aka Flash cookies).

There are three HTTP cookies. A UID cookie, a 'ct' cookie, and an 'OPTED_IN' cookie (or 'OPTED_OUT').

There is also a single Flash LSO comprising three values (presumably used to reinstate the HTTP cookies when they are deleted).

Brazilian UID Cookie

Phorm have recently changed the format of their UID cookie to a 65 character UID value composed of random printable characters [A-Za-z0-9_]. (Earlier deployments in Brazil used a base64 encoded 128-bit value, padded by two full stop characters '..' to make a 22+2 character string comprising printable characters [A-Za-z0-9+/].)

Name: uid
Content: 65 printable characters [A-Za-z0-9_]
Domain: .oix.net
Path: /
Send For: any type of connection
Expires: (12 months)


Brazilian OPTED_IN Cookie

The Brazil trial seems to be using an 'opted in' cookie (as well as an 'opted out' cookie as in the UK). Perhaps a bogus attempt to convince regulators that involuntarily being forced to retain an 'opt out' cookie is somehow 'opt in' rather than 'opt out'.

The cookie data is an unencrypted value of 1.

Name: OPTED_IN
Content: 1
Domain: .oix.net
Path: /
Send For: any type of connection
Expires: (12 months)


Brazilian 'ct' Cookie

Phorm are using a third cookie, named 'ct'. The purpose of this cookie isn't known [to me]. Connection Type? Customer Type? Cheap Trick?

The cookie data is an unencrypted coded value.

Brazilian OPTED_OUT Cookie

The opted out cookie seems identical to the UK equivalent, albeit using the oix.net domain rather than webwise.net.

The cookie data is an unencrypted value of 'YES' (otherwise not present).

Name: OPTED_OUT
Content: YES
Domain: .oix.net
Path: /
Send For: any type of connection
Expires: (24 months)


Brazilian LSO Flash Cookie

Phorm have introduced a Flash Local Shared Object (LSO) into the mix. This object is used to retain the HTTP cookie values, ensuring that the user id and opt in/out state cannot be easily deleted.

Erase your cookies, and the LSO can be used to reinstate your user id, allowing the illegal tracking to continue.

Name: oix.sol
Location (Windows): \Documents and Settings\<user>\Application Data\Macromedia\Flash Player\b.oix.net\cs\memo2.swf\oix.sol
Contents: 3 string values

  • uid: { OPTED_OUT | 65 printable characters [A-Za-z0-9_] }
  • ct: ##-######-####-##-## (where each # is a decimal digit)
  • ooexpires: Date + 24 months

Expires: (not applicable)
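As an added example (not part of the original analysis), the following Python script recognises the cookie and LSO field formats described above, so that a defender can spot them in a captured Cookie header or in the three string fields of the oix.sol object. The patterns, labels and the sample Cookie header are assumptions built from the descriptions on this page, not from any Phorm specification.

```python
import re
from typing import Dict

# Value formats as described above for the 2011 Brazilian deployment.
UID_2011 = re.compile(r"^[A-Za-z0-9_]{65}$")             # 65 chars, [A-Za-z0-9_]
UID_EARLY = re.compile(r"^[A-Za-z0-9+/]{22}\.\.$")        # 22 base64 chars + '..'
CT_FORM = re.compile(r"^\d{2}-\d{6}-\d{4}-\d{2}-\d{2}$")  # ##-######-####-##-##
PHORM_DOMAINS = ("oix.net", "webwise.net")


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a raw 'Cookie:' request header into a name -> value mapping."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def classify_uid(value: str) -> str:
    """Label a 'uid' value; 'OPTED_OUT' is the placeholder the LSO uses."""
    if UID_2011.match(value):
        return "uid-2011 (65 chars [A-Za-z0-9_])"
    if UID_EARLY.match(value):
        return "uid-early (22 base64 chars + '..')"
    if value == "OPTED_OUT":
        return "uid placeholder for an opted-out user"
    return "uid present but not in a known Phorm format"


def classify_phorm_cookies(cookies: Dict[str, str]) -> Dict[str, str]:
    """Label each Phorm-related name in the mapping; unrelated names are ignored.

    The same names appear as HTTP cookies and as fields of the oix.sol LSO,
    so a mapping built from either source can be passed in.
    """
    found: Dict[str, str] = {}
    if "uid" in cookies:
        found["uid"] = classify_uid(cookies["uid"])
    if "ct" in cookies:
        found["ct"] = ("ct (##-######-####-##-## form)" if CT_FORM.match(cookies["ct"])
                       else "ct present but not in the ##-######-####-##-## form")
    if "OPTED_IN" in cookies:
        found["OPTED_IN"] = ("opt-in flag" if cookies["OPTED_IN"] == "1"
                             else "OPTED_IN with unexpected value")
    if "OPTED_OUT" in cookies:
        found["OPTED_OUT"] = ("opt-out flag" if cookies["OPTED_OUT"] == "YES"
                              else "OPTED_OUT with unexpected value")
    if "ooexpires" in cookies:
        found["ooexpires"] = "LSO opt-out expiry"
    return found


def is_phorm_host(host: str) -> bool:
    """True for oix.net / webwise.net and their subdomains (the cookie domains above)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PHORM_DOMAINS)


# Constructed sample header, not captured traffic: a 2011-format uid, a 'ct'
# value in the documented shape, the opt-out flag and one unrelated cookie.
SAMPLE_HEADER = (
    "uid=" + "Ab3_" * 16 + "Z" + "; ct=12-345678-9012-34-56; OPTED_OUT=YES; "
    "session=unrelated"
)

if __name__ == "__main__":
    for name, label in classify_phorm_cookies(parse_cookie_header(SAMPLE_HEADER)).items():
        print(f"{name}: {label}")
```

The classifier deliberately reports a name that is present but malformed rather than dropping it, since a uid of the wrong length is still worth a second look.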


2008 UK Cookies

The details below are of historical interest only. These are the cookies that were used to implement the UK BT Webwise trials.

UK UID Cookie

The UID (user id) cookie is described by Phorm as 'simply a random value unique to you'. The cookie is deleted when you opt out.

Examination of the data suggests it may be a base64 encoded 128-bit value, potentially a compound value (e.g. including an ISP code, country code, or IP address), padded by two vertical bar characters '||' to make a 22+2 character string. UIDs are made up of printable characters [A-Za-z0-9+/].

Name: uid
Content: (base64 encoded 128bit value)
Host: a.webwise.net
Path: /services/
Send For: any type of connection
Expires: (12 months)

Statistical Analysis of the UK UID Cookie

I analysed a sample of 10 UK UID cookies for randomness. I decoded each as a base64 encoded value, and plotted mean and standard deviation for each byte and each bit.

The results appear to indicate the cookies are a compound value with two, three, or more fields.

UK UID Bytewise Mean/Standard Deviation

Byte 1 has a very high mean value. Bytes 7/9 seem to be far from random, with consistently low mean values and low standard deviation.


UK UID Bitwise Mean

Bits 49/50/51/52 are effectively a fixed value (for cookies assigned to me). The value is consistently 0100 for all samples.

Bits 65/66 likewise are effectively a fixed value (for cookies assigned to me). The value is consistently 10 for all samples.

This strongly resembles a Microsoft GUID: in a random (version 4) UUID the four bits at the first of those positions hold the version number 0100, and the two bits at the second hold the variant 10.
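The decoding and the byte/bit statistics described in this section, as an added Python example that is not the author's own analysis tooling. The ten UIDs it analyses are constructed (seeded random 128-bit values given the version-4 UUID layout, then encoded in the observed 22+'||' form), so the fixed bits it reports are the GUID version and variant bits, not a reproduction of the author's real sample; the helper names are assumptions.

```python
import base64
import random
import uuid
from typing import Dict, List, Sequence, Tuple


# Constructed sample: ten 128-bit values drawn from a seeded generator and given
# the version-4 UUID layout, then encoded the way the UK cookie was observed
# (22 base64 characters with the trailing "==" replaced by "||"). Not real cookies.
def make_sample(n: int = 10, seed: int = 2008) -> List[str]:
    rng = random.Random(seed)
    sample = []
    for _ in range(n):
        guid = uuid.UUID(int=rng.getrandbits(128), version=4)
        b64 = base64.b64encode(guid.bytes).decode("ascii")  # 24 chars, ends "=="
        sample.append(b64[:22] + "||")
    return sample


def decode_uid(cookie: str, pad: str = "||") -> bytes:
    """Recover the 16 raw bytes from a 22+2 character UID.

    The UK cookies used '||' as the pad and the early Brazilian ones '..';
    both stand in for the two '=' characters standard base64 would emit.
    """
    if len(cookie) != 24 or cookie[22:] != pad:
        raise ValueError("not a 22+2 character Phorm UID")
    raw = base64.b64decode(cookie[:22] + "==", validate=True)
    if len(raw) != 16:
        raise ValueError("decoded value is not 128 bits")
    return raw


def bytewise_stats(uids: Sequence[bytes]) -> List[Tuple[float, float]]:
    """(mean, population standard deviation) for each of the 16 byte positions."""
    n = len(uids)
    out = []
    for i in range(16):
        col = [u[i] for u in uids]
        mean = sum(col) / n
        var = sum((v - mean) ** 2 for v in col) / n
        out.append((mean, var ** 0.5))
    return out


def bitwise_mean(uids: Sequence[bytes]) -> List[float]:
    """Mean of each of the 128 bits; index 0 is the most significant bit of byte 0.
    A mean of exactly 0.0 or 1.0 means that bit never varied across the sample."""
    n = len(uids)
    means = []
    for i in range(128):
        byte, offset = divmod(i, 8)
        ones = sum((u[byte] >> (7 - offset)) & 1 for u in uids)
        means.append(ones / n)
    return means


def fixed_bits(means: Sequence[float]) -> Dict[int, int]:
    """Bits that are constant across the sample, keyed by 1-based bit number
    (the numbering used in the analysis above)."""
    return {i + 1: int(m) for i, m in enumerate(means) if m in (0.0, 1.0)}


def looks_like_v4_guid(raw: bytes) -> bool:
    """RFC 4122 random UUID layout: the high nibble of byte 6 (bits 49-52,
    1-based) is the version 0100 and the top two bits of byte 8 (bits 65-66)
    are the variant 10."""
    return (raw[6] >> 4) == 0b0100 and (raw[8] >> 6) == 0b10


if __name__ == "__main__":
    raw = [decode_uid(c) for c in make_sample()]
    for number, value in sorted(fixed_bits(bitwise_mean(raw)).items()):
        print(f"bit {number}: fixed at {value}")
    for i, (mean, sd) in enumerate(bytewise_stats(raw), start=1):
        print(f"byte {i:2d}: mean {mean:6.1f}  sd {sd:5.1f}")
    print("all samples match v4 GUID layout:", all(looks_like_v4_guid(r) for r in raw))
```

With only ten samples a free bit is fixed by chance about one time in 500, so a handful of stray fixed bits is expected; the tell-tale is the cluster at bits 49-52 and 65-66 with the values 0100 and 10, which is exactly what the version-4 layout predicts.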

Bitwise Standard Deviation


UK OPTED_OUT cookie

The opted out cookie is used to flag your request to opt out of Phorming.

The cookie data is an unencrypted value of 'YES' (otherwise not present).

Name: OPTED_OUT
Content: YES
Domain: .webwise.net
Path: /
Send For: any type of connection
Expires: (24 months)