Behavioral targeting: What you need to know

Behavioral targeting is advertising's attempt at supplying you with specialized ads developed from your Internet history. The intent of this article by Michael Kassner is to shed light on how behavioral targeting works and how it could affect you.

Behavioral targeting, to say the least, is an interesting concept. It may change how all of us view and use the Internet. Knowing that, I'd hope everyone would want to understand what it's all about. Briefly, behavioral targeting first determines what you like, based on where you go on the Internet. Then, behavioral targeting selects advertisements that are most likely to influence you, displaying them on the new web pages you ask for.

Before we get too much deeper into behavioral targeting, I need to point out some related technology that makes behavioral targeting possible. Behavioral targeting only became feasible when Deep Packet Inspection (DPI) matured into an established technology. Therefore, it's important to comprehend what DPI is. To help in that regard, please refer to a recent article of mine called "Deep Packet Inspection: What You Need to Know." I know it seems like a shameless plug, but it helps if we're all on the same page.

The infamous cookie

The next piece of the puzzle we need to understand is the much-maligned cookie. Cookies are benign text files that are sent to the web browser from the web server that's hosting the web pages being queried. Cookies have multiple purposes: they allow automatic authentication, keep track of the browser's session state, and identify the user/web browser combination to the web server. The fact that cookies can identify the user/web browser combination is paramount to our discussion about behavioral targeting, because the behavioral targeting process installs additional cookies specifically to track what web pages have been viewed. That's why cookies are so important and why I'd like to describe how a cookie is installed:

  1. The process starts when I type the URL of a web site into the web browser.
  2. The browser will check the computer's hard drive for a cookie associated with the web site I just entered. If it finds the appropriate cookie, the browser will send the cookie information along with the URL to the web server controlling the web site being queried. If the browser doesn't find a cookie, no data is sent.
  3. The web server receives the request for a page. It then checks to see if a cookie was sent as well. If so, the web server can use that information to tailor the web page specifically for me.
  4. If the web server didn't receive a cookie, it knows that I haven't visited the site before. The web server then creates a new ID for me in the web server's database and sends a cookie in the header for the web page to the computer I'm using. My computer then stores the cookie on the hard drive. From that point on I'm uniquely identified when I ask for web pages from that particular web server.

We now have all the relevant pieces, so let's get to the important stuff. Behavioral targeting is an application that uses information it has gleaned from our web-browsing habits to display ads it thinks we'd like to see. The process starts with companies like Phorm or NebuAd (behavioral targeting development companies) talking to our ISPs, offering the ISPs money if they will allow Phorm or NebuAd to install equipment in the main traffic stream of the ISP. This equipment serves two purposes:

  • It inserts a Phorm or NebuAd cookie that uniquely identifies each ISP subscriber and is associated with every cookie domain that has been issued to the subscriber.
  • Using DPI equipment, it reads every web page the subscriber has asked for and creates a profile of the subscriber's interests based on a predetermined checklist.

Phorm's approach

The subscriber profile is of obvious interest to advertising firms — why serve ads about baby diapers to someone interested in joining AARP? The advertising firms negotiate with Phorm or NebuAd to provide content through the behavioral targeting application. Thereafter, no matter where the subscriber goes on the Internet, those specific ads will show up on the web page being served to the subscriber. To help clarify this, let's take a look at the process (diagram courtesy of Wikipedia) Phorm uses to set up behavioral targeting:


  1. I want to go to, so I type the appropriate URL in my browser and the browser sends the query out to the Internet.
  2. My ISP receives the request, normally passing the query on. Since there's Phorm equipment in the data stream, it intercepts my query for
  3. The Phorm application then checks to see if there's a cookie (a domain name owned by Phorm) associated with the domain.
  4. There's not one initially since the Phorm equipment has just been installed. Therefore, Phorm blocks access to
  5. Now a Phorm server at the ISP steps in and pretends to be a web server at, returning a "307-Temporary Redirect" to my web browser. The 307 redirect tells my browser that the URL I asked for has been relocated temporarily to a different location.
  6. My browser now thinks that has moved to, so it makes a redirection query to If my web browser locates a Webwise domain cookie it will also be attached to the redirection query. Phorm then knows who I am by the unique ID associated with the domain cookie.
  7. If there isn't a Webwise domain cookie, the Phorm server will assign one to me and send it back to my browser in another 307 temporary redirect response to a fake page that is on the Phorm server. Therefore, if I didn't have a cookie, I do now and it's a first-party cookie.
  8. Next, my web browser sends a redirection query to the fake page. The Phorm server once again steps in and pretends to be the web server at Remember the browser thinks it's sending a query to and there's still the unique Webwise user ID in the query. The Phorm server now sends the final 307 temporary redirect response to my web browser telling it to go to the actual web page. This part is important: The Phorm server also sends back a Webwise cookie, but it's placed in the domain and becomes another first-party cookie.
  9. Finally, my web browser sends a query to and it appears that it will make it this time. The query has a unique payload of cookies as well, one for the domain and one for the domain.
  10. The Phorm equipment at my ISP intercepts this query and the domain cookie is stripped off before the query actually proceeds to the web server. This appears to take place to avoid public visibility of the cookie, as it shouldn't be on a query.
  11. The contents from my query to come back and are intercepted by Phorm equipment. A copy of the information along with my domain and domain cookies are sent to a secondary piece of Phorm equipment.
  12. The secondary Phorm equipment scans my web page for key information that will be added to their browsing profile about me.

Sorry for the long, drawn-out description, but that's exactly what takes place every time a web browser sends out a query. In this way, Phorm knows exactly where I go on the Internet and what I'm looking at. With these profiles, Phorm, for a fee, will tell advertising firms what ads to place on the web pages being served to me. The company states this whole process is anonymous, but that requires trust in what Phorm says, as the Phorm application is proprietary and not available for peer review. I don't have an opinion one way or the other as to the claims of anonymity by Phorm. As mentioned earlier, I'm just concerned that most users are not aware of this technology, and I want to correct that.
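As an added illustration, not code from the article or from Phorm, here is a small Python model of the 307 cookie shuffle described in the steps above: a browser with a per-host cookie jar, and an ISP-side interceptor that diverts the first request to the Phorm domain, plants the user ID as a first-party cookie on both domains, and strips it again before the request reaches the real site. The domain webwise.example, the cookie name webwise_uid and the /__webwise fake page are constructed placeholders; the real names are not given in this article.

```python
from urllib.parse import urlparse, parse_qs, quote
import itertools

PHORM_DOMAIN = "webwise.example"   # constructed stand-in for the Phorm-owned domain
COOKIE = "webwise_uid"             # constructed name for the Webwise user-ID cookie

def origin_server(url, cookies):
    """The real web site: it never sees the Webwise cookie (it was stripped)."""
    return f"<html>page {url}; cookies seen: {sorted(cookies)}</html>"

class Interceptor:
    """Model of the Phorm box in the ISP data stream (the numbered steps above)."""
    def __init__(self):
        self.ids = itertools.count(1)
        self.profile = {}                       # uid -> pages viewed (steps 11-12)

    def handle(self, url, cookies):
        """Returns (status, redirect location, cookies to set, body)."""
        u, qs = urlparse(url), parse_qs(urlparse(url).query)
        if u.netloc == PHORM_DOMAIN:            # steps 6-7: identify or assign a uid
            uid = cookies.get(COOKIE) or f"uid-{next(self.ids)}"
            t = urlparse(qs["r"][0])
            fake = f"{t.scheme}://{t.netloc}/__webwise?uid={uid}&r={quote(qs['r'][0])}"
            return 307, fake, {COOKIE: uid}, None
        if u.path == "/__webwise":              # step 8: fake page on the target domain
            return 307, qs["r"][0], {COOKIE: qs["uid"][0]}, None
        if COOKIE not in cookies:               # steps 4-5: no cookie yet, divert to Phorm
            return 307, f"http://{PHORM_DOMAIN}/?r={quote(url)}", {}, None
        uid = cookies.pop(COOKIE)               # step 10: strip the cookie before forwarding
        body = origin_server(url, cookies)      # step 9: the real request finally goes out
        self.profile.setdefault(uid, []).append(url)
        return 200, None, {}, body

class Browser:
    """Minimal browser: per-host cookie jar, sends host cookies, follows 307s."""
    def __init__(self, network):
        self.network, self.jar = network, {}    # jar: host -> {name: value}

    def get(self, url, max_hops=10):
        for hops in range(max_hops + 1):
            host = urlparse(url).netloc
            status, loc, set_cookies, body = self.network.handle(url, dict(self.jar.get(host, {})))
            self.jar.setdefault(host, {}).update(set_cookies)
            if status != 307:
                return body, hops
            url = loc
        raise RuntimeError("too many redirects")
```

Running Browser(Interceptor()).get("http://example.com/") takes three redirects the first time and none afterwards, and the interceptor's profile grows with every page while the origin server never sees the cookie.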

NebuAd's approach

NebuAd is another major player in behavioral targeting. Their process is slightly different, and I'd like to explain the differences, even though the results are the same. The NebuAd equipment is also placed in the ISP's main data stream, but NebuAd doesn't use the cookie shuffle like Phorm. NebuAd, to their credit, uses a very innovative approach I'll explain by using the following example:

  1. I want to go to, so I type the appropriate URL in my browser and the browser sends the query out to the Internet.
  2. My ISP receives the request and passes the query on to (different from Phorm).
  3. The web server at replies to my web browser's query with the appropriate web page.
  4. The NebuAd equipment at my ISP is monitoring this exchange and as the last packet reaches the ISP, the NebuAd application injects one packet to the end of the traffic from the web server at
  5. This final packet contains JavaScript. The script causes my web browser to go and retrieve scripting code at a NebuAd web site.
  6. My web browser then runs the script and a NebuAd cookie is planted on my computer.

The NebuAd cookie is similar to the Phorm cookie in that it uniquely identifies me and allows the NebuAd applications located at my ISP to track my Internet activity, scan the returned web pages, and create a profile that's of interest to advertisers. At this point, Phorm and NebuAd are almost identical.
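An added defender-side check, not from the article or from NebuAd: the extra packet described in steps 4 and 5 is appended after the real page, so on plain HTTP it shows up either as a body that overruns the declared Content-Length or as a script tag sitting after the closing </html>. The sample response and the tracker.example URL are constructed for this example.

```python
import re

def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def injection_indicators(raw: bytes):
    """Reasons a plain-HTTP response looks like it had an extra packet appended."""
    headers, body = split_response(raw)
    reasons = []
    declared = headers.get(b"content-length")
    if declared is not None and len(body) > int(declared):
        reasons.append(f"body exceeds Content-Length by {len(body) - int(declared)} bytes")
    end = body.lower().rfind(b"</html>")
    if end != -1 and re.search(rb"<script\b", body[end + 7:], re.I):
        reasons.append("script tag after the closing </html>")
    return reasons

# Constructed sample: a clean page, and the same page with a trailing script packet appended
PAGE = b"<html><body>Hello</body></html>"
CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         + b"Content-Length: %d\r\n\r\n" % len(PAGE) + PAGE)
INJECTED = CLEAN + b'<script src="http://tracker.example/t.js"></script>'
```

This check only applies to unencrypted HTTP with a Content-Length header; with TLS the ISP-side equipment cannot read or append to the page, which is the point of the encrypted tunnels suggested under Preventative measures below.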

What's it all mean

That's the ultimate question, and I'll leave that to the pundits who are much more knowledgeable than I am. As I mentioned, my goal was to make you aware of what's coming. I'm not sure I want a business entity tracking my every move on the Internet. My government, sure that's a different story. They aren't doing it for monetary gain; they are protecting me. That being said, I do understand the need for advertising. Part of my professional existence depends on advertisements. I'm just not sure being this invasive is the answer.

Also, I suspect that this business model will place the advertising world in some sort of turmoil. For instance, who gets to decide what ads are displayed when I go to TechRepublic or someone paying my ISP? For more insight into how this topic is playing out, I suggest that you listen to Steve Gibson of and Leo LaPorte from Twit.TV. They cohost a series called Security Now and have put together several of their podcasts that explain relevant pieces of behavioral targeting. I'd especially recommend listening to the podcast, "Episode 153: DePhormed Politics," where Steve and Leo have an enlightening discussion with Alexander Hanff, a technologist and anti-Phorm activist from the UK.

Preventative measures

There are options you can use to avoid behavioral targeting cookies and DPI scrutiny. Encrypted tunnels through your ISP prevent the installation of behavioral targeting cookies, and using VPNs, whether IPsec, L2TP, or SSL, negates any effort by DPI to decipher the encrypted traffic. E-mail is another subject, and once again the only sure way to ensure its privacy is to encrypt the message. There are not a whole lot of options, but that's because behavioral targeting applications are being placed only one hop away from your network perimeter.

Final thoughts

Whew, this is a tough subject. I know that opinions about behavioral targeting will run from A to Z, and that's good. I'm not even sure what my final thoughts are. What bothered me was the lack of information about behavioral targeting. Hopefully, I was able to change that with this article.


Michael Kassner has been involved with wireless communications for 40 plus years, starting with amateur radio (K0PBX) and now as a network field engineer and independent wireless consultant. Current certifications include Cisco ESTQ Field Engineer, CWNA, and CWSP.


Information is my field...Writing is my passion...Coupling the two is my mission.