Home » 

UK ISP News Archives

 » 
Sponsored
By: MarkJ - 16 August, 2010 (12:10 AM)
talktalk uk dpi internet isp privacy concernBroadband ISP TalkTalk UK has kindly responded to a number of the concerns we raised about its forthcoming security service. The controversial system shot into the headlines last month after several of the internet providers customers noticed that their website browsing activity was being monitored ("stalked") without consent.

The ISP then promptly moved to allay any fears of privacy invasion by stating that the activity, which allegedly makes an anonymous record of the URL (website) addresses visited by all of its customers, was part of a new free security service targeted to launch before the end of 2010; following a proper public trial.

TalkTalk's July 2010 statement said:

"In preparation for the launch of these services, as our users surf the internet, details of websites visited are put into a list. Scanning engines then compare this list to a blacklist (sites that have been found to contain recent threats) and whitelist (sites that have been recently scanned with no threats found); if the site is not on either of these, it will visit the site and scan it for malicious code. Sites that are already on either list are not scanned again until the following day.

Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited. What we are interested in is making the web a safer place for all our customers."

TalkTalk's technical bods also claimed that the ISP had no visibility of the website addresses. However any comfort this may have given was soon eroded after it revealed that the data would instead be held remotely in a device managed solely by commercial Chinese firm Huawei.

Privacy campaigners and concerned customers soon weighed in to point out that section 3 of the UK Regulation of Investigatory Powers Act 2000 prohibits "interception of a communication", such as when visiting a website, unless consent is given.
3 Lawful interception without an interception warrant [sample quote only]

(1) Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which, or which that person has reasonable grounds for believing, is both— .
(a) a communication sent by a person who has consented to the interception; and .
(b) a communication the intended recipient of which has so consented.
(2) Conduct by any person consisting in the interception of a communication is authorised by this section if— .
(a) the communication is one sent by, or intended for, a person who has consented to the interception; and .
(b) surveillance by means of that interception has been authorised under Part II.
The EC Data Retention Directive (PDF) says something similar and also notes that "No data revealing the content of the communication may be retained pursuant to this Directive". TalkTalk counters this by semi-correctly saying that ISPs are already required to log basic website and email communications data ("All ISPs in the EU have a legal obligation to store this sort of data," they claim).

However, at least so far as we are aware (please correct us if we're wrong), this information should come in the form of names, address and IP (e.g. 192.234.12.1) details. It is also crucial to point out that such data is only supposed to be accessible by certain public services and security agencies.

Website addresses and IP's are two directly connected but also different things. A URL can easily contain "the content of a communication", such as when passing data over a website form or logging in to a web based system (usernames and other details may occasionally be contained within the URL). In some instances even the URL itself could reveal a system location that is normally intended to be hidden from public view.

You can of course resolve any URL to an IP address but the IP will usually be a single bland number that cannot, by itself, reveal any data or content. For example there might be 200,000+ URL addresses (web pages) on ISPreview.co.uk but they will all resolve to just one IP address. Suffice to say that we have put some of these concerns to TalkTalk.
ISPreview: There is concern that Huawei, a Chinese firm that has suffered due to some high-profile allegations of state sponsored spying, could have visibility of the tracked URLs.

TalkTalk: URL’s are not linked to customers and all webpages are publicly accessible.

ISPreview: There is concern that TalkTalk's system would add to the server load of websites and ignore copyright notices and other methods that prohibit automated processing of content.

TalkTalk: There is no copyright infringed as all data is publicly accessible, content processing is restricted to known malware identification which we believe can only be beneficial.

ISPreview: There is concern that TalkTalk's system would inadvertently reveal private data to Huawei, which can often be held in URL addresses (usernames, emails.. sometimes even passwords). Furthermore, when you are writting a new web system it's not uncommon to do this in a semi-live environment and at times you might even disable security that could reveal database logins and more in a URL just to see how it works. Recording this data is dangerous.

TalkTalk: No data is stored that wouldn’t ordinarily pass through an ISPs network. We are only scanning publicly accessible webpages.

ISPreview: Some fear it would also presumably scan webpages that would normally be held away from public view, such as private admin login pages and potentially even the content of a private admin page itself. The URL location itself is valuable and sensitive data and may not always be held behind an SSL connection, such as in the case of admincp's for forum software.

TalkTalk: We do not store the URL data or pass it on. We believe that scanning any page for viruses can only be beneficial to both customers and website owners.

ISPreview: Re-requesting URLs that help web-based applications to function could also unintentionally result in a specific individuals remote website service or feature being accidentally enable or disabled (i.e. a dynamic URL can often tell a service to enable or disable depending on when and how a variable is accessed). In some situations this could even disrupt private login routines.

TalkTalk: This issue has been highlighted in our testing and we are working to avoid session based URL replication.

ISPreview: There is further concern that customers will have no way to disable the logging, which we also believe should be opt-in only (not just for the system but the recording of URLs too).

TalkTalk: There is no logging. Our security proposition that will launch later in the year will be opt-in.
We have asked TalkTalk to clarify some of their responses and are still awaiting a reply, not least because the last reply of "there is no logging" appears to contradict their earlier explanation of how the system works. At some point the URL's visited by TalkTalk's customer must be put into the overall database.

The "all webpages are publicly accessible" claim also has a problem in that public and accessible can mean quite different things. For example, a URL containing private website FORM submission data would technically be publicly accessible but at the same time is a unique and normally private process for a specific individual (i.e. its working over a public system but is not itself open to public display).

These processes cannot be logged by Google, website visitors or other "remote" systems, they are not publicly viewable, but the way in which TalkTalk's system appears to work could expose them and any private data held in the URL itself, assuming this is the kind of data that the ISPs system retains in its remote database. We continue to await their reply.

Alexander Hanff of Privacy International, and anti-Phorm fame, told ISPreview.co.uk:

"The entire thing is utterly unacceptable - they have no authority to follow people around the Internet and in fact in my mind this is a clear example of the literal term "stalking". Furthermore their insistance that they are required to do this under the Data Retention Directive is grossly misleading and false."

In fairness it would be technically impossible to run any ISP without passing sensitive data from customers and the internet over their networks, although the argument about where management of a network and actual interception of content occurs, to the point of being illegal, is harder to pin down.

If the Phorm situation was anything to go by then the country's contradictory laws and ineffective Information Commissioners Office (ICO) aren't likely to be of much help either. Ofcom's push for greater use of Deep Packet Inspection (DPI) technology to monitor unlawful file sharing could even represent a potential conflict of interest.

In the meantime, while we await some much needed clarity from various quarters, TalkTalk customers have no ability to opt-out of the URL processing activity itself. The ISP clearly feels that this sort system is necessary to discover instances of malware infested websites, a type of service that is already offered by most good anti-virus software, firewalls, free website browsers and even some popular internet search engines.
Related News:
26th July 2010 - UK ISP Talk Talk Monitoring its Customers Online Activity Without Consent
30th July 2010 - UK ISP Talk Talk Defends Customer Website Snooping System

Option: Link | Search

Generated in 0.15416 seconds.
DB queries: 6
 Latest UK ISP News
 Cheapest Superfast Broadband ISPs
  • Vodafone £22.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • Hyperoptic £22.00
    Avg. Speed 50Mbps, Unlimited
    Gift: None
  • Onestream £22.49 (*29.99)
    Avg. Speed 45Mbps, Unlimited
    Gift: None
  • xln telecom £22.74 (*47.94)
    Avg. Speed 66Mbps, Unlimited
    Gift: None
  • Plusnet £22.99 (*36.52)
    Avg. Speed 36Mbps, Unlimited
    Gift: £55 Reward Card
Prices inc. Line Rental | Compare More ISPs
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules