ISP TalkTalk UK Responds to Privacy Concerns Over URL Monitoring Service

Posted: 16th Aug, 2010 By: MarkJ
Broadband ISP TalkTalk UK has kindly responded to a number of the concerns we raised about its forthcoming security service. The controversial system shot into the headlines last month after several of the internet provider's customers noticed that their website browsing activity was being monitored ("stalked") without consent.

The ISP then promptly moved to allay any fears of privacy invasion by stating that the activity, which allegedly makes an anonymous record of the URL (website) addresses visited by all of its customers, was part of a new free security service targeted to launch before the end of 2010; following a proper public trial.

TalkTalk's July 2010 statement said:

"In preparation for the launch of these services, as our users surf the internet, details of websites visited are put into a list. Scanning engines then compare this list to a blacklist (sites that have been found to contain recent threats) and whitelist (sites that have been recently scanned with no threats found); if the site is not on either of these, it will visit the site and scan it for malicious code. Sites that are already on either list are not scanned again until the following day.

Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited. What we are interested in is making the web a safer place for all our customers."

TalkTalk's technical bods also claimed that the ISP had no visibility of the website addresses. However any comfort this may have given was soon eroded after it revealed that the data would instead be held remotely in a device managed solely by commercial Chinese firm Huawei.

Privacy campaigners and concerned customers soon weighed in to point out that section 3 of the UK Regulation of Investigatory Powers Act 2000 prohibits "interception of a communication", such as when visiting a website, unless consent is given.
3 Lawful interception without an interception warrant [sample quote only]

(1) Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which, or which that person has reasonable grounds for believing, is both—
(a) a communication sent by a person who has consented to the interception; and
(b) a communication the intended recipient of which has so consented.
(2) Conduct by any person consisting in the interception of a communication is authorised by this section if—
(a) the communication is one sent by, or intended for, a person who has consented to the interception; and
(b) surveillance by means of that interception has been authorised under Part II.
The EC Data Retention Directive (PDF) says something similar and also notes that "No data revealing the content of the communication may be retained pursuant to this Directive". TalkTalk counters this by semi-correctly saying that ISPs are already required to log basic website and email communications data ("All ISPs in the EU have a legal obligation to store this sort of data," they claim).

However, at least so far as we are aware (please correct us if we're wrong), this information should come in the form of names, address and IP (e.g. 192.234.12.1) details. It is also crucial to point out that such data is only supposed to be accessible by certain public services and security agencies.

Website addresses and IPs are two directly connected but also different things. A URL can easily contain "the content of a communication", such as when passing data over a website form or logging in to a web based system (usernames and other details may occasionally be contained within the URL). In some instances even the URL itself could reveal a system location that is normally intended to be hidden from public view.
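As an added illustration (not code from ISPreview or TalkTalk), the sketch below shows which parts of a visited URL can carry private data and what is left if a collector keeps only the scheme, host and, optionally, the path before queueing a site for a malware scan. The sample URLs, the `SENSITIVE_KEYS` list and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Assumed parameter names that commonly carry personal or session data.
SENSITIVE_KEYS = {"user", "username", "email", "pass", "password",
                  "token", "sid", "sessionid"}

def minimise(url, keep_path=True):
    """Return (reduced_url, findings): drop userinfo, query and fragment,
    and report which removed parts looked like private data."""
    parts = urlsplit(url)
    findings = []
    if parts.username or parts.password:
        findings.append("userinfo")          # http://user:pass@host/ form
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append("query:" + key.lower())
    if parts.query and not any(f.startswith("query:") for f in findings):
        findings.append("query:other")       # unknown parameters are still dropped
    host = parts.hostname or ""
    if parts.port:
        host += ":%d" % parts.port
    # keep_path=True still reveals locations such as /admincp/;
    # keep_path=False reduces the record to the site alone.
    path = (parts.path or "/") if keep_path else "/"
    return urlunsplit((parts.scheme, host, path, "", "")), findings

def scan_queue(urls, keep_path=True):
    """De-duplicated list of reduced URLs, in first-seen order."""
    seen, queue = set(), []
    for url in urls:
        reduced, _ = minimise(url, keep_path)
        if reduced not in seen:
            seen.add(reduced)
            queue.append(reduced)
    return queue

# Constructed sample input, not real browsing data.
SAMPLE = [
    "http://forum.example/admincp/index.php?sid=9f2c1a",
    "http://shop.example/login?username=alice&password=hunter2",
    "http://bob:s3cret@dev.example/test.php",
    "http://forum.example/admincp/index.php?sid=77aa00",
    "http://news.example/story/42?page=2",
    "http://forum.example/viewtopic.php?t=10",
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(minimise(u))
    print(scan_queue(SAMPLE, keep_path=False))
```

With `keep_path=True` the admin path is still recorded, which is the "URL location itself is sensitive" case; host-only reduction removes it at the cost of scanning only the site's front page.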

You can of course resolve any URL to an IP address but the IP will usually be a single bland number that cannot, by itself, reveal any data or content. For example there might be 200,000+ URL addresses (web pages) on ISPreview.co.uk but they will all resolve to just one IP address. Suffice to say that we have put some of these concerns to TalkTalk.
ISPreview: There is concern that Huawei, a Chinese firm that has suffered due to some high-profile allegations of state sponsored spying, could have visibility of the tracked URLs.

TalkTalk: URLs are not linked to customers and all webpages are publicly accessible.

ISPreview: There is concern that TalkTalk's system would add to the server load of websites and ignore copyright notices and other methods that prohibit automated processing of content.

TalkTalk: There is no copyright infringed as all data is publicly accessible, content processing is restricted to known malware identification which we believe can only be beneficial.

ISPreview: There is concern that TalkTalk's system would inadvertently reveal private data to Huawei, which can often be held in URL addresses (usernames, emails.. sometimes even passwords). Furthermore, when you are writing a new web system it's not uncommon to do this in a semi-live environment and at times you might even disable security that could reveal database logins and more in a URL just to see how it works. Recording this data is dangerous.

TalkTalk: No data is stored that wouldn’t ordinarily pass through an ISP's network. We are only scanning publicly accessible webpages.

ISPreview: Some fear it would also presumably scan webpages that would normally be held away from public view, such as private admin login pages and potentially even the content of a private admin page itself. The URL location itself is valuable and sensitive data and may not always be held behind an SSL connection, such as in the case of admincp's for forum software.

TalkTalk: We do not store the URL data or pass it on. We believe that scanning any page for viruses can only be beneficial to both customers and website owners.

ISPreview: Re-requesting URLs that help web-based applications to function could also unintentionally result in a specific individual's remote website service or feature being accidentally enabled or disabled (i.e. a dynamic URL can often tell a service to enable or disable depending on when and how a variable is accessed). In some situations this could even disrupt private login routines.

TalkTalk: This issue has been highlighted in our testing and we are working to avoid session based URL replication.

ISPreview: There is further concern that customers will have no way to disable the logging, which we also believe should be opt-in only (not just for the system but the recording of URLs too).

TalkTalk: There is no logging. Our security proposition that will launch later in the year will be opt-in.
We have asked TalkTalk to clarify some of their responses and are still awaiting a reply, not least because the last reply of "there is no logging" appears to contradict their earlier explanation of how the system works. At some point the URLs visited by TalkTalk's customers must be put into the overall database.

The "all webpages are publicly accessible" claim also has a problem in that public and accessible can mean quite different things. For example, a URL containing private website FORM submission data would technically be publicly accessible but at the same time is a unique and normally private process for a specific individual (i.e. it's working over a public system but is not itself open to public display).

These processes cannot be logged by Google, website visitors or other "remote" systems, they are not publicly viewable, but the way in which TalkTalk's system appears to work could expose them and any private data held in the URL itself, assuming this is the kind of data that the ISP's system retains in its remote database. We continue to await their reply.

Alexander Hanff of Privacy International, and anti-Phorm fame, told ISPreview.co.uk:

"The entire thing is utterly unacceptable - they have no authority to follow people around the Internet and in fact in my mind this is a clear example of the literal term "stalking". Furthermore their insistence that they are required to do this under the Data Retention Directive is grossly misleading and false."

In fairness it would be technically impossible to run any ISP without passing sensitive data from customers and the internet over their networks, although the argument about where management of a network and actual interception of content occurs, to the point of being illegal, is harder to pin down.

If the Phorm situation was anything to go by then the country's contradictory laws and ineffective Information Commissioner's Office (ICO) aren't likely to be of much help either. Ofcom's push for greater use of Deep Packet Inspection (DPI) technology to monitor unlawful file sharing could even represent a potential conflict of interest.

In the meantime, while we await some much needed clarity from various quarters, TalkTalk customers have no ability to opt-out of the URL processing activity itself. The ISP clearly feels that this sort of system is necessary to discover instances of malware-infested websites, a type of service that is already offered by most good anti-virus software, firewalls, free website browsers and even some popular internet search engines.
Related News:
26th July 2010 - UK ISP Talk Talk Monitoring its Customers Online Activity Without Consent
30th July 2010 - UK ISP Talk Talk Defends Customer Website Snooping System