Our Berkman colleague, Hal Roberts, notes that Phorm (an ISP-based advertising system that has raised some eyebrows with regard to consumer privacy) may violate its own privacy policy:

In fact, in a couple of hours of looking at the available technical information I found a significant breach of Phorm’s privacy policy missed by the audit: Phorm’s privacy policy claims that it will not disclose its Phorm IDs to any third parties, but a technical description of the system by Richard Clayton finds that Phorm does indeed share its IDs with web sites in a common usage scenario.

StopBadware.org has been keeping an eye on services such as Phorm and competitors such as NebuAd and Front Porch. At issue is that ISPs may deploy these services, which inspect a user’s web traffic to profile the user and serve up relevant ads, without providing the clear notice and opportunity for consent that would give users control over their privacy. We’re not alone in being concerned. The U.S. Congress and the European Commission have both gotten involved after reports of ISPs in the U.S. and the U.K. testing these advertising programs with no notice to their customers.

ForceUp.com has been connected with a recent mal-vertising campaign. Contacting companies and offering to advertise on their sites, Diane Samuels, representing forceup.com, has been linked with an SWF that raised questions for many of those contacted. Attempts to contact her have not resulted in any response.

While TeMerc.com describes it only as “some kind of virus” Sandi at SpyWare Sucks bring us some more details on the code. She has posted the URL, which specifically targets South Africa, United States, and the UK.

ForceUp.com has been repeatedly mentioned as a source of malware along with BlessedAds and Traveltray

Over on Sophos’s blog, there is a post about a “household name” web site delivering infected third-party content through a marketing relationship. This is consistent with what we have seen lately in our web site work, where infected ads pop up on an ad network, causing an otherwise “clean” site to appear infected.

I disagree with the author’s assertion that the responsibility lies entirely with the hacker and the marketing company, though he does temper that by saying:

Remember, adding third party content can be a risky business. You have to make sure that their security policies match yours, otherwise you lose your reputation.

Beyond just your reputation, you endanger the privacy and security of your customers/visitors if you allow infected third party content onto your site. So, be sure to very carefully learn about the security practices of advertisers (or other third party content providers) before allowing them to serve content on your site.