Broadband ISP TalkTalk UK could be about to incur the wrath of privacy campaigners after some of its customers spotted that their website browsing activity was being monitored and recorded without consent. The situation has caused a significant amount of concern, with many end-users worried about the impact upon their personal privacy.
TalkTalk has since confirmed that the monitoring, which was first discovered on the ISP's discussion forum during the middle of July, is part of a future Malware/Security/Parental Guidance tool to be provided by Chinese vendor Huawei. This is due to launch before the end of 2010.
The system, which is not yet fully in place, aims to help block dangerous websites (e.g. those designed to spread malware) by comparing the URL that a person visits against a list of good and bad/dangerous sites. Bad sites will then be restricted.
TalkTalk's Official Statement
We are developing some really exciting new security and parental control services, which will be based deep within our network infrastructure, to provide our customers with greater protection for all the devices they connect to their broadband line with. We’ve had considerable feedback from customers that PC-based software only deals with part of the wider security problem facing today's internet users, so we’ve developed these new services to help improve our customers' online experience with us.
In preparation for the launch of these services, as our users surf the internet, details of websites visited are put into a list. Scanning engines then compare this list to a blacklist (sites that have been found to contain recent threats) and whitelist (sites that have been recently scanned with no threats found); if the site is not on either of these, it will visit the site and scan it for malicious code. Sites that are already on either list are not scanned again until the following day.
Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited. What we are interested in is making the web a safer place for all our customers.
In due course we will be trialing and launching these services. We hope to be able to share more info on all of this soon.
At present the affected customers cannot opt-out of TalkTalk's data collection exercise, while the actual malware/block tool itself has yet to be enabled and will also be subjected to optional customer testing before it is. The resulting system will apparently only be available if you opt-in to use it.
As a result the system's first stage is currently just monitoring and recording URLs, which TalkTalk says is an anonymous process; no end-user IP address or personal details are revealed. However, some customer posts have suggested that the TalkTalk system also reads the code of sites, at least the ones it cannot identify, which could in theory pose a security risk if the URL you visited was for a private admin page. Some of these would be pages that even Google cannot find.
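To make the two points above concrete (the list-based flow TalkTalk's statement describes, and the risk that an unknown private URL gets fetched), the following is an added simulation written for this article; it is not TalkTalk's or Huawei's code, and the list contents, the 24-hour re-scan window and the "hardened" mode that refuses to fetch URLs carrying credentials, query strings or fragments are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: "not scanned again until the following day" is modelled as a 24h window.
RESCAN_AFTER = timedelta(hours=24)

# Constructed sample lists (not real TalkTalk/Huawei data): site -> time of last scan.
BLACKLIST = {"http://bad.example": datetime(2010, 7, 26, 9, 0)}
WHITELIST = {
    "http://good.example": datetime(2010, 7, 26, 9, 0),
    "http://stale.example": datetime(2010, 7, 24, 9, 0),  # scanned two days ago
}


def site_key(url: str) -> str:
    """Reduce a URL to the 'site' the lists are keyed on: scheme and host only."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}"


def looks_private(url: str) -> bool:
    """Conservative heuristic (assumption): embedded credentials, a query string or a
    fragment suggest session tokens or admin parameters that a scanner should never
    replay. Hardened mode refuses to fetch such URLs instead of 'visiting' them."""
    p = urlsplit(url)
    return bool(p.username or p.password or p.query or p.fragment)


def decide(url: str, now: datetime, blacklist=BLACKLIST, whitelist=WHITELIST,
           hardened: bool = False) -> str:
    """Return the action the described pipeline would take for one observed URL:
    'block' - site on the blacklist and scanned within the window
    'allow' - site on the whitelist and scanned within the window
    'fetch' - unknown or stale site: the scanner would visit the URL and scan it
    'skip'  - hardened mode only: URL looks private, so it is not fetched
    """
    key = site_key(url)
    for action, listing in (("block", blacklist), ("allow", whitelist)):
        last = listing.get(key)
        if last is not None and now - last < RESCAN_AFTER:
            return action
    if hardened and looks_private(url):
        return "skip"
    return "fetch"


def demo():
    """Run the same constructed URLs through the naive and the hardened pipeline."""
    now = datetime(2010, 7, 26, 12, 0)
    urls = [
        "http://good.example/index.html",
        "http://bad.example/download.exe",
        "http://stale.example/",
        "https://intranet.example/admin/reset?token=SECRET",  # constructed private URL
    ]
    naive = {u: decide(u, now) for u in urls}
    hardened = {u: decide(u, now, hardened=True) for u in urls}
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = demo()
    for url in naive:
        print(f"{naive[url]:>5} / {hardened[url]:>5}  {url}")
```

In the naive run the unknown intranet URL, token included, is queued for fetching, which is exactly the exposure the forum posts worried about; the stale whitelist entry is also re-fetched once its 24-hour window has lapsed. The hardened variant only changes the last step, so it still blocks and allows the same sites while never replaying a URL that looks like it carries private state.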
It's worth pointing out that ISPs are already required to record website and email accesses (but not content), including dates and times, as part of the previous government's Data Retention Directive. However, this is a closed process for use by specific public/security services and should not be confused with what TalkTalk
TalkTalk claims that its new system does not require prior customer consent because it is effectively just gathering an anonymous list of public website addresses (retained for 24 hours). The data itself will also be stored in a network device and at the moment only Huawei has visibility of this information. That last bit doesn't inspire confidence.
A TalkTalk spokesperson told The Register:
"Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers."
Given the absence of any technical data that could explain precisely how this system works, it would be very difficult to assess the reality of their words. The situation also harks back to BT's secret trials of Phorm technology, which pledged to offer a similar website filtering system alongside its controversial behavioural advertising "service".
Many likened Phorm's Deep Packet Inspection (DPI) system to spyware and it was eventually hounded out of the UK and lost its major UK ISP support, which at the time also included TalkTalk. In fairness the ISP is not proposing to do exactly what Phorm did, although the similarities are there.
TalkTalk are intercepting their customers' communications data (protected by the law) and passing it to a profiling system, which a third party firm appears to have visibility of, for the purpose of launching a commercially advantageous system. There are some legally grey areas here. It might also clash with what TalkTalk's boss recently said as part of its opposition to the Digital Economy Act 2010.
Charles Dunstone, Chairman of the TalkTalk Group, said:
"The Digital Economy Act's measures will cost the UK hundreds of millions and many people believe they are unfair, unwarranted and won't work. So it’s no surprise that in Nick Clegg’s call for laws to repeal, this Act is top of the public’s ‘wish list’. Innocent broadband customers will suffer and citizens will have their privacy invaded."
At least one of TalkTalk's forum administrators agrees that the ISP could have told people that the URL collecting had started; in fact they should have informed them BEFORE it started. Such a system was always going to be contentious and clearly needed prior discussion. On the upside, at least TalkTalk are owning up to it instead of trying to disguise their activity.
Furthermore, we have to ask whether this kind of service is even needed. TalkTalk claims that it is, but similar systems already exist through Google searches, anti-virus software and most modern web browsers. Do we really need a fourth level of protection that is trying to perform almost exactly the same task?
UPDATE 2:40pm
We've also seen some reports that the new system confuses login sessions for certain websites and web-based games that require a degree of IP authentication, although at this stage it's difficult to know if the problem is directly related.