Posted: 07th Sep, 2010 By: MarkJ
The Information Commissioner's Office (ICO) has criticised broadband ISP TalkTalk UK for failing to inform both itself and subscribers that it was conducting a controversial new security trial on them. The service, which the ICO also likened to Phorm (WebWise), follows customers around the internet and makes an anonymous record of the website addresses (URLs) they visit.
However, website addresses can also contain personal data, such as usernames or other private details; sometimes even the location of the URL on a website can be sensitive (e.g. revealing an admin login page). This kind of information would not ordinarily be visible to the wider public or to search engines like Google, although TalkTalk's system would have visibility of it.
The ICO conversations with TalkTalk were revealed as part of an individual's Freedom of Information Act (FOIA) request, which asked that the ICO disclose any communications with TalkTalk in the last year in regard to any new services they propose to provide to their broadband customers.
For its part, TalkTalk sticks to its guns and reiterates most of the points that we've heard before. However, they do offer a more in-depth explanation of how, in their interpretation, the URL monitoring avoids conflicting with the Data Protection Act 1998 (DPA).
TalkTalk's DPA Interpretation
Data Protection Act 1998 (“DPA”)
The anti-malware system records website URLs alone (and not together with any other information). The website URLs constitute “data” under the DPA. While the data relates to a living individual (as it is an individual who initiates the request to access the website URL), the individual cannot be identified from the data itself nor from the data together with any other information in our possession.
The website URL may by its nature contain information about racial or ethnic origin, political beliefs, religious beliefs or other areas referred to in section 2 DPA. However, as the website URL data does not constitute “personal data” under the DPA, it will not by definition constitute “sensitive personal data”.
Pursuant to section 17 of the DPA, both Opal Telecom Limited (the network provider) and TalkTalk Telecom Limited (the primary entity contracting with customers) are registered under the DPA.
TalkTalk claims that the "individual cannot be identified from the data itself", which seems odd considering that URLs can contain personal details like names, addresses, usernames and dates of birth (e.g. when submitting some HTML forms). TalkTalk has no way, that we know of, to ensure that such URLs are screened out.
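To illustrate the kind of screening the article says TalkTalk lacks, here is an added example (not the article's or TalkTalk's code) of a logging step that strips credentials from the URL, redacts query-string values that look like form-submitted personal details, and flags sensitive paths such as admin pages before a URL is recorded. The key names, value patterns and path segments are assumptions for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string keys that commonly carry personal details submitted through GET
# forms. This list is an assumption for illustration, not an exhaustive one.
PII_KEYS = {"name", "firstname", "lastname", "username", "user", "email",
            "dob", "birthdate", "address", "postcode", "phone", "password"}

# Value shapes that look personal whatever the key is called (assumed patterns).
PII_VALUE_PATTERNS = [
    re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),                # e-mail address
    re.compile(r"^\d{1,4}[/-]\d{1,2}[/-]\d{1,4}$"),           # date, e.g. a date of birth
    re.compile(r"^[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}$", re.I),  # UK postcode
]

# Path segments that mark a URL as sensitive by location alone (assumed list).
SENSITIVE_SEGMENTS = {"admin", "login"}


def redact_url(url: str) -> Tuple[str, List[str]]:
    """Return the URL with personal data removed, plus a list of what was found.

    Userinfo (user:password@host) is dropped, flagged query values are replaced,
    and a sensitive path is reported so the caller can decide not to log it at all.
    The fragment is never sent over the network, so it is simply not recorded.
    """
    parts = urlsplit(url)
    findings = []
    # Keep only host[:port]; anything before '@' is a username or credential.
    netloc = parts.netloc.rsplit("@", 1)[-1]
    if "@" in parts.netloc:
        findings.append("userinfo")
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        suspicious = key.lower() in PII_KEYS or any(
            p.match(value) for p in PII_VALUE_PATTERNS)
        cleaned.append((key, "REDACTED" if suspicious else value))
        if suspicious:
            findings.append("query:" + key)
    if any(seg.lower() in SENSITIVE_SEGMENTS for seg in parts.path.split("/")):
        findings.append("path")
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(cleaned), "")), findings


if __name__ == "__main__":
    # Constructed sample URL of the kind a GET-based form produces.
    print(redact_url("https://bob:pw@example.com/admin?username=bob&page=2"))
```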
Similarly, section 3 of the UK Regulation of Investigatory Powers Act 2000 (RIPA) prohibits "interception of a communication", such as when visiting a website, unless consent is given. We covered this in more detail in our 16th August article (here).
As it stands we are still awaiting an official public verdict from the ICO, although those with privacy fears should avoid having high expectations. Even the ICO states that it has "no responsibility for assessment of compliance with (or enforcement of) RIPA". In addition, they will NOT rule on whether an "interception" has taken place and, if so, whether it is legal. A fat lot of good that is.
Related News:
26th July 2010 - UK ISP Talk Talk Monitoring its Customers Online Activity Without Consent
30th July 2010 - UK ISP Talk Talk Defends Customer Website Snooping System
16th August 2010 - ISP Talk Talk UK Responds to Privacy Concerns Over URL Monitoring Service
23rd August 2010 - UK ISP Talk Talk Defends Website URL Tracking System from Privacy Concerns