Broadband ISP TalkTalk UK has kindly responded to a number of the concerns we raised about its forthcoming security service. The controversial system shot into the headlines last month after several of the internet providers customers noticed that their website browsing activity was being monitored ("stalked") without consent.The ISP then promptly moved to allay any fears of privacy invasion by stating that the activity, which allegedly makes an anonymous record of the URL (website) addresses visited by all of its customers, was part of a new free security service targeted to launch before the end of 2010; following a proper public trial.
TalkTalk's July 2010 statement said:
"In preparation for the launch of these services, as our users surf the internet, details of websites visited are put into a list. Scanning engines then compare this list to a blacklist (sites that have been found to contain recent threats) and whitelist (sites that have been recently scanned with no threats found); if the site is not on either of these, it will visit the site and scan it for malicious code. Sites that are already on either list are not scanned again until the following day.
Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited. What we are interested in is making the web a safer place for all our customers."
"In preparation for the launch of these services, as our users surf the internet, details of websites visited are put into a list. Scanning engines then compare this list to a blacklist (sites that have been found to contain recent threats) and whitelist (sites that have been recently scanned with no threats found); if the site is not on either of these, it will visit the site and scan it for malicious code. Sites that are already on either list are not scanned again until the following day.
Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited. What we are interested in is making the web a safer place for all our customers."
TalkTalk's technical bods also claimed that the ISP had no visibility of the website addresses. However any comfort this may have given was soon eroded after it revealed that the data would instead be held remotely in a device managed solely by commercial Chinese firm Huawei.
Privacy campaigners and concerned customers soon weighed in to point out that section 3 of the UK Regulation of Investigatory Powers Act 2000 prohibits "interception of a communication", such as when visiting a website, unless consent is given.
3 Lawful interception without an interception warrant [sample quote only]The EC Data Retention Directive (PDF) says something similar and also notes that "No data revealing the content of the communication may be retained pursuant to this Directive". TalkTalk counters this by semi-correctly saying that ISPs are already required to log basic website and email communications data ("All ISPs in the EU have a legal obligation to store this sort of data," they claim).
(1) Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which, or which that person has reasonable grounds for believing, is both— .(a) a communication sent by a person who has consented to the interception; and .(2) Conduct by any person consisting in the interception of a communication is authorised by this section if— .
(b) a communication the intended recipient of which has so consented.(a) the communication is one sent by, or intended for, a person who has consented to the interception; and .
(b) surveillance by means of that interception has been authorised under Part II.
However, at least so far as we are aware (please correct us if we're wrong), this information should come in the form of names, address and IP (e.g. 192.234.12.1) details. It is also crucial to point out that such data is only supposed to be accessible by certain public services and security agencies.
Website addresses and IP's are two directly connected but also different things. A URL can easily contain "the content of a communication", such as when passing data over a website form or logging in to a web based system (usernames and other details may occasionally be contained within the URL). In some instances even the URL itself could reveal a system location that is normally intended to be hidden from public view.
You can of course resolve any URL to an IP address but the IP will usually be a single bland number that cannot, by itself, reveal any data or content. For example there might be 200,000+ URL addresses (web pages) on ISPreview.co.uk but they will all resolve to just one IP address. Suffice to say that we have put some of these concerns to TalkTalk.
ISPreview: There is concern that Huawei, a Chinese firm that has suffered due to some high-profile allegations of state sponsored spying, could have visibility of the tracked URLs.We have asked TalkTalk to clarify some of their responses and are still awaiting a reply, not least because the last reply of "there is no logging" appears to contradict their earlier explanation of how the system works. At some point the URL's visited by TalkTalk's customer must be put into the overall database.
TalkTalk: URL’s are not linked to customers and all webpages are publicly accessible.
ISPreview: There is concern that TalkTalk's system would add to the server load of websites and ignore copyright notices and other methods that prohibit automated processing of content.
TalkTalk: There is no copyright infringed as all data is publicly accessible, content processing is restricted to known malware identification which we believe can only be beneficial.
ISPreview: There is concern that TalkTalk's system would inadvertently reveal private data to Huawei, which can often be held in URL addresses (usernames, emails.. sometimes even passwords). Furthermore, when you are writting a new web system it's not uncommon to do this in a semi-live environment and at times you might even disable security that could reveal database logins and more in a URL just to see how it works. Recording this data is dangerous.
TalkTalk: No data is stored that wouldn’t ordinarily pass through an ISPs network. We are only scanning publicly accessible webpages.
ISPreview: Some fear it would also presumably scan webpages that would normally be held away from public view, such as private admin login pages and potentially even the content of a private admin page itself. The URL location itself is valuable and sensitive data and may not always be held behind an SSL connection, such as in the case of admincp's for forum software.
TalkTalk: We do not store the URL data or pass it on. We believe that scanning any page for viruses can only be beneficial to both customers and website owners.
ISPreview: Re-requesting URLs that help web-based applications to function could also unintentionally result in a specific individuals remote website service or feature being accidentally enable or disabled (i.e. a dynamic URL can often tell a service to enable or disable depending on when and how a variable is accessed). In some situations this could even disrupt private login routines.
TalkTalk: This issue has been highlighted in our testing and we are working to avoid session based URL replication.
ISPreview: There is further concern that customers will have no way to disable the logging, which we also believe should be opt-in only (not just for the system but the recording of URLs too).
TalkTalk: There is no logging. Our security proposition that will launch later in the year will be opt-in.
The "all webpages are publicly accessible" claim also has a problem in that public and accessible can mean quite different things. For example, a URL containing private website FORM submission data would technically be publicly accessible but at the same time is a unique and normally private process for a specific individual (i.e. its working over a public system but is not itself open to public display).
These processes cannot be logged by Google, website visitors or other "remote" systems, they are not publicly viewable, but the way in which TalkTalk's system appears to work could expose them and any private data held in the URL itself, assuming this is the kind of data that the ISPs system retains in its remote database. We continue to await their reply.
Alexander Hanff of Privacy International, and anti-Phorm fame, told ISPreview.co.uk:
"The entire thing is utterly unacceptable - they have no authority to follow people around the Internet and in fact in my mind this is a clear example of the literal term "stalking". Furthermore their insistance that they are required to do this under the Data Retention Directive is grossly misleading and false."
"The entire thing is utterly unacceptable - they have no authority to follow people around the Internet and in fact in my mind this is a clear example of the literal term "stalking". Furthermore their insistance that they are required to do this under the Data Retention Directive is grossly misleading and false."
In fairness it would be technically impossible to run any ISP without passing sensitive data from customers and the internet over their networks, although the argument about where management of a network and actual interception of content occurs, to the point of being illegal, is harder to pin down.
If the Phorm situation was anything to go by then the country's contradictory laws and ineffective Information Commissioners Office (ICO) aren't likely to be of much help either. Ofcom's push for greater use of Deep Packet Inspection (DPI) technology to monitor unlawful file sharing could even represent a potential conflict of interest.
In the meantime, while we await some much needed clarity from various quarters, TalkTalk customers have no ability to opt-out of the URL processing activity itself. The ISP clearly feels that this sort system is necessary to discover instances of malware infested websites, a type of service that is already offered by most good anti-virus software, firewalls, free website browsers and even some popular internet search engines.
Related News:
26th July 2010 - UK ISP Talk Talk Monitoring its Customers Online Activity Without Consent
30th July 2010 - UK ISP Talk Talk Defends Customer Website Snooping System
Tweet
Comments: 12
PetePosted: 16 August, 2010 - 9:58 AM
Link to comment
Anti-virus software, firewalls, and browsers are a personal choice.
Covertly monitoring customer communications is not a free choice.
In fact, its a crime. It is illegal communications surveillance. Replaying those requests, using the same identifiers, to obtain unauthorised access to intellectual property is simply fraud and computer misuse. Obtaining and processing literary works without a licence is a copyright theft.
What TalkTalk are doing is consequently completely illegal.
TalkTalk are already subject to an Enforcement Notice from the ICO dating back to January 2008, for unlawfully processing personal information.
HatariPosted: 16 August, 2010 - 10:22 AM
Link to comment
My websites are all copyright with all rights reserved, my robots.txt only allows specific robots access and the Talktalk's stalker is not one of them, and bars all other robots. Talktalk were told in May 2010 not to access my sites, repeated and ignored. Talktalk are breaking copyright several areas:
They were not authorised to access my sites therefore any access by Talktalk is a breach of copyright as well as other things.
Talktalk do not have a licence from me to use the content of my websites for commercial use, i.e. developing a system for their commercial offering to their customers.
Talktalk are trying to access Private & Confidential areas on my sites, including the Admin area and Private Messaging boxes.
Talktalk are attempting to access pages on a closed forum (Not publicly available).
Detailed http://www.the-phoenix-broadband-advice-community.co.uk/index.php
JamesPosted: 16 August, 2010 - 10:37 AM
Link to comment
I opted out by changing ISP. I was lucky because I was close to the end of my contract. I am out of pocket as a result.
Not so for many others. They are effectively locked-in or hostages to this idiocy.
TalkTalk have implemented 'opt-nothing'
Worrying to see that the company has more or less clammed up over this and is now excreting worthless answers to probing questions.
PaulPosted: 16 August, 2010 - 10:42 AM
Link to comment
This is clearly a case of Phormism first found in am ISP in the UK a couple of years ago.
BT still has some remnants of Phormism as they struggle to cleanse themselves of the after effects! They still have Webwise pages on their corporate website.
TalkTalk are in the early stages of the infection. Denying the issue. STallSTalking is clearly illegal, no matter how good their ultimate intentions.
STalkSTalkPosted: 16 August, 2010 - 11:06 AM
Link to comment
TT's constant recourse to phrases like "publicly available" totally ignores UK copyright law (& contradicts the phrasing of their own website T&Cs/access conditions.
http://www.opal.co.uk/legal/terms-of-use/
http://www.talktalk.co.uk/legal/terms/terms-of-use.html?utype=nonmember
Websites are not "publicly available", they are available on license and only according to the terms of the license.
Just try copying and publishing a library book (or Beatles CD) on the web and see how far your "publicly available" defence gets you. Or perhaps try and put the script of Samuel Beckett's "Waiting for godot" on your website and see how long it takes his estate to get in touch. Sorry TT - won't do. Go back to the legal team - those answers are as full of holes as my grannies knitted swimming costume. And your current policy could cost you a LOT of money. Sauce, geese and ganders come to mind.
onceablualwaysabluePosted: 16 August, 2010 - 3:24 PM
Link to comment
Im a customer with talktalk and this is very concerning as i do online banking. I will be looking for another ISP when my contract runs out as i dont feel safe doing online banking over talktalks network. Talktalk have shot themselves in the foot here and when it hits the fan i wont be the last to leave talktalk
MytherooPosted: 16 August, 2010 - 4:35 PM
Link to comment
signed my parents up to TalkTalk when they first appeared, have to consider changing them now.
Good value upfront....guess that means lots of hidden ways their business model makes more money.
selling state secrets to China for instance?
JDPosted: 16 August, 2010 - 5:41 PM
Link to comment
This is not the service I pay YOU to provide TT.
For the next two months while I am still in my contract I shall be using 3g mobile internet, and then ditching this company that neglects their customers privacy.
Consider me gone and never to return TalkTalk!
Cho Yung TeaPosted: 17 August, 2010 - 6:48 AM
Link to comment
It is illegal communications surveillance. Replaying those requests, using the same identifiers, to obtain unauthorised access to intellectual property is simply fraud and computer misuse. Obtaining and processing literary works without a licence is a copyright theft.
http://choyungteatrial.com
JanetteDominguez32Posted: 4 July, 2011 - 11:36 PM
Link to comment
According to my own analysis, billions of persons all over the world receive the <a href="http://bestfinance-blog.com/topics/mortgage-loans">mortgage loans</a> from various banks. So, there's a good possibility to get a collateral loan in every country.
loansPosted: 25 December, 2011 - 8:46 AM
Link to comment
Do not money to buy a building? Worry no more, just because it is possible to get the loan to resolve such problems. Thus take a financial loan to buy all you want.
Generated in 0.76404 seconds.
DB queries: 8
Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved (Terms, Privacy Policy, Links (.), Live Chat & Website Rules).