Security Fears Re-emerge Over UK ISP TalkTalk and Huawei Internet Filter

Broadband provider TalkTalk has confirmed that Chinese firm Huawei, which has recently suffered due to some high-profile concerns over state sponsored spying (here), now appears to be in full control of the ISPs network-level internet filtering service (HomeSafe) after US security firm Symantec stopped working on it over one year ago.

Regular readers will recall that Huawei’s controversial involvement in the website scanning and remote database system that underpins HomeSafe was somewhat of a hot topic in 2010 (here, here and here). The system, which affects all customers regardless of whether or not you choose to use HomeSafe, “anonymously” records the URL addresses visited by TalkTalk’s customers and compares them against a list of good and bad websites. Sites that are not on one of its lists were also “scanned for threats” (Viruses, Trojans, Porn etc.).

Suffice to say that some customers and privacy advocates were concerned that the system could be secretly data mined to reveal a significant amount of personal information that would normally not be visible (e.g. dynamic URL’s can easily contain personal details like names and addresses), which wasn’t helped by the knowledge that Huawei would handle the database remotely.

However TalkTalk was adamant that its system “does not record who sends the request or other personal data with the URL” and the concerns gradually faded from media headlines. But a recent report from the government’s Intelligence and Security Committee (ISC) and this weeks porn filter news appears to have helped resuscitate the story.

The BBC has now confirmed that Symantec, which was initially said to be responsible for maintaining the HomeSafe blacklist (i.e. Huawei only provided the hardware), actually stopped working on it over one year ago and that this aspect is now also controlled by Huawei. The ISP itself maintains that there’s nothing to worry about but not everybody shares that viewpoint.

Dr Martyn Thomas, Chair of the Institution of Engineering and Technology, said:

“It needs to be run by an organisation accountable to a minister so it can be challenged in Parliament. There’s certainly a concern about the process of how a web address gets added to a blacklist – who knows about it, and who has an opportunity to appeal against it.

You could easily imagine a commercial organisation finding itself on that blacklist wrongly, and where they actually lost a lot of web traffic completely silently and suffered commercial damage. The issue is who gets to choose who’s on that blocking list, and what accountability do they have?”

The somewhat resuscitated TalkTalk news naturally flows from the UK government’s move this week to force big ISPs into blocking adult websites (here), which has triggered a lot of fresh discussion about the pros and cons of internet censorship.

The Prime Minister, David Cameron, has indicated that ISPs would be monitored (i.e. by Ofcom) to ensure that the filtering is done correctly. But in reality this has more to do with ensuring that the filtering is actually installed as requested and is less about whether or not the technology is being abused or working properly.

Sadly no appeals process for wrongful website blocking exists and it’s likely that only a legislative solution could deliver that, which would risk putting UK Internet filtering on the same sort of level as China.