Broadband ISP TalkTalk UK has issued a new update today that offers more detail on how its controversial future security system, which follows customers around the internet and makes an anonymous record of the website addresses (URLs) they visit, will work. Sadly TalkTalk still does not appear to recognise that URL addresses themselves can also hold private personal data, many of which would not ordinarily be visible to the public or search engines like Google.The update itself doesn't offer anything terribly new except for some additional clarification. The ISP admits to having received "lots of questions from customers about [its] network security technology", which has been covered in several of our recent news items.
Related News:TalkTalk also firmly believes that its anti-malware system is compliant with the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998. This has yet to be properly tested and, as we highlighted in our article on 16th August 2010, the reality is somewhat less clear cut.
26th July 2010 - UK ISP Talk Talk Monitoring its Customers Online Activity Without Consent
30th July 2010 - UK ISP Talk Talk Defends Customer Website Snooping System
16th August 2010 - ISP Talk Talk UK Responds to Privacy Concerns Over URL Monitoring Service
TalkTalk's 23rd August 2010 Clarification Update
As a network operator, TalkTalk receives and processes billions of requests daily from its customers to connect to websites across the internet.
We route these requests across our network and beyond but inevitably this exposes our customers to the countless viruses, worms, spyware and other malicious pieces of software out there on the internet.
As I’ve mentioned before, the aim of our new internet security technology, which will be free and opt-in only, is to help make the internet a safer place for our customers by warning them if their computer or device connected to their home broadband is viewing a page that contains viruses or other online threats.
Our new internet security technology will include an anti-malware system which has been tested in the TalkTalk network. (Malware is the name given to any software designed to infiltrate a person’s computer without their consent.)
As requests move through the network, the anti-malware system filters and records the website URLs to which our network has been asked to connect. The system simply records the destination website URLs; it does not record who sends the request or other personal data with the URL.
Being located in the TalkTalk network, the system is subject to the same high level of security applicable to the TalkTalk network and TalkTalk’s customer data. The process is not dissimilar to how we record voice traffic.
The system scans website URLs for malware and other viruses and then places each website URL in a white list (if the scan is clean – this is retained for up to 24 hours and then automatically deleted) or a black list (if the scan shows viruses, malware or other irregularities – this is retained for up to 7 days and then automatically deleted).
Given the volume of website URLs, these lists are recorded in a temporary electronic state and not in conventional accessible storage. When the anti-malware service goes live to customers, these lists will in future be used to alert customers to websites suspected to have malware or viruses.
Importantly, the anti-malware system does not record or scan any secure “https” website URLs.
And TalkTalk’s use of the anti-malware system is compliant with the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.
As a network operator, TalkTalk receives and processes billions of requests daily from its customers to connect to websites across the internet.
We route these requests across our network and beyond but inevitably this exposes our customers to the countless viruses, worms, spyware and other malicious pieces of software out there on the internet.
As I’ve mentioned before, the aim of our new internet security technology, which will be free and opt-in only, is to help make the internet a safer place for our customers by warning them if their computer or device connected to their home broadband is viewing a page that contains viruses or other online threats.
Our new internet security technology will include an anti-malware system which has been tested in the TalkTalk network. (Malware is the name given to any software designed to infiltrate a person’s computer without their consent.)
As requests move through the network, the anti-malware system filters and records the website URLs to which our network has been asked to connect. The system simply records the destination website URLs; it does not record who sends the request or other personal data with the URL.
Being located in the TalkTalk network, the system is subject to the same high level of security applicable to the TalkTalk network and TalkTalk’s customer data. The process is not dissimilar to how we record voice traffic.
The system scans website URLs for malware and other viruses and then places each website URL in a white list (if the scan is clean – this is retained for up to 24 hours and then automatically deleted) or a black list (if the scan shows viruses, malware or other irregularities – this is retained for up to 7 days and then automatically deleted).
Given the volume of website URLs, these lists are recorded in a temporary electronic state and not in conventional accessible storage. When the anti-malware service goes live to customers, these lists will in future be used to alert customers to websites suspected to have malware or viruses.
Importantly, the anti-malware system does not record or scan any secure “https” website URLs.
And TalkTalk’s use of the anti-malware system is compliant with the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.
The ISP hopes that its latest clarification update will "allay some of the concerns" expressed by their customers, which we have our doubts about. They have also promised to reveal more information nearer to the products actual launch, which is expected before the end of this year.
Tweet
Comments: 3
DJWPosted: 23 August, 2010 - 1:42 PM
Link to comment
How can TalkTalk say they are DPA compliant , when they have just had discussions about this scanning with the ICO. The ICO have said they will have an answer for TalkTalk in about 1 months time. This will confirm compliance or not.
MarkJPosted: 23 August, 2010 - 1:49 PM
Link to comment
Indeed it is not for TalkTalk itself to say whether it is or is not compliant, although the ICO proved with Phorm that it could not fully understand how the internet works and therefore did not understand what to do with Phorm. I can't help but wonder how many people at the ICO would have the same problem with TT's system.
PetePosted: 23 August, 2010 - 6:04 PM
Link to comment
That baffling excuse doesn't explain how Clive Dorsman obtained consent from the customers and web sites who's communications he has already intercepted.
PECR reg 7 requires consent for the processing of traffic data. DPA requires explicit consent for the processing of sensitive personal information contained in web pages (such as sexuality, politics, health).
And he can't explain how he avoids illegal interception, fraud, computer misuse, and commercial copyright infringement.
And if you want a vector to attack TalkTalk customers? Use encryption (or any protocol other than http).
Perhaps the most astonishing statement in that article is the claim "The process is not dissimilar to how we record voice traffic".
I can't see Clive Dorsman hanging on to his job much longer. He's embarrassing himself, someone needs to guide him gently toward the exit.
Generated in 0.52627 seconds.
DB queries: 8
Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved (Terms, Privacy Policy, Links (.), Live Chat & Website Rules).