

Mobile operator Vodafone UK has been accused of "
illegally"
snooping on the internet surfing activity of their Mobile Broadband users. Several customers spotted the problem after noticing that they were being stalked by an automated system, which would almost immediately load the same website address (URL) an instant after they had requested it.
It didn't take long before one enterprising customer was able to
trace the unusual internet stalker back to its source at a
Californian technology firm called
Bluecoat. The firm appears to have been providing Vodafone with website filtering, anti-malware (perhaps ironically including anti-spyware) and other services since 2006.
The particular BlueCoat service in question is called
Webpulse, which is designed to
categorise website content and thus allow customers (i.e. Vodafone) to decide how they want it to be treated. At the time of writing it's still not entirely clear what Vodafone is using the service for as they have not responded to the concerns, although their adult website filtering is a likely candidate.
A BlueCoat Spokesperson explained to ISPreview.co.uk:
"For instance, parents may want to keep their children from pornography or gambling sites, and service providers are required by law in most places to keep users from child pornography. In addition, the latest links to malicious threats can be flagged and avoided.
It is only the URL address that goes into this service--no content or user information. There is no interception of data/content flow. Because there is no association of the URL to a user, there are no privacy issues at stake."
Still, concerned customers claim that the
Deep Packet Inspection (DPI) style technology, which is similar to one being used by fixed line broadband ISP TalkTalk UK, could be in breach of the
Regulation of Investigatory Powers Act 2000 (RIPA) and other UK/EU privacy directives. RIPA prohibits "
interception of a communication", such as when visiting a website (URL), unless consent is given.
3 Lawful interception without an interception warrant [sample quote only]
(1) Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which, or which that person has reasonable grounds for believing, is both— .(a) a communication sent by a person who has consented to the interception; and .
(b) a communication the intended recipient of which has so consented.
(2) Conduct by any person consisting in the interception of a communication is authorised by this section if— .
(a) the communication is one sent by, or intended for, a person who has consented to the interception; and .
(b) surveillance by means of that interception has been authorised under Part II.
Another key point to make, which is often overlooked or ignored by those who develop or deploy such technology, is that the
URL address itself can contain personal details, such as names, addresses, passwords and other sensitive data (
e.g. www.sample.com/form.php?$name=bloke$address=catland).
As these URLs could exist as part of an individual's isolated and not directly public process then, irrespective of whether you know who the end-user is, there could still be a
risk to private data. Sometimes even the location of the URL, which could be from a non-public development website or admin login page, can be sensitive
Some operators claim that customers effectively give their "
implied consent" to such interception by agreeing to their
Terms & Conditions (T&C) and or
Privacy Policy when joining. Vodafone's terms are particularly big and effectively allow them to monitor where you go, what you look at and to even share the data with certain third parties.
Jim Killock, Executive Director of the Open Rights Group (ORG), said:
"Interception of communications is legal only in very narrow circumstances. Vodafone need to explain their legal justification and inform their customers what they are doing. And the government needs to sort out regulation so there is someone to complain and investigate - they are still being threatened with court action over this."
Alexander Hanff, Privacy International, added:
"This is a big issue not limited to Vodafone. I did a review in 2009 of all the mobile contracts in the UK and apart from "Three" all of them had terms and conditions which allowed them to intercept and use their customers comms data for marketing purposes and that was all comms data including sms, emails and browsing.
As you know, interception of communications in the UK is a crime unless it is carried out with either a warrant or consent."
Unfortunately the UK law, police and
Information Commissioners Office (ICO) aren't very effective at tackling or even understanding such problems. Thankfully, after several years of EU campaigning, the country is
finally moving to tighten up its restrictions.
The
new RIPA directive, which is currently being consulted upon, make clear that consent to interceptions of electronic communications by persons other than users must be "
freely given specific and informed". It should be said that this is still very much open to change and such a move would be of little use if there is no effective enforcement regime.
UPDATE 1:09pmWe've had an official response from Vodafone UK.
Vodafone Statement to ISPreview.co.uk
We use the Blue Coat filter to classify internet sites so that we can apply an adult bar appropriately. This is not a question of intercepting customer communications but of ensuring the safety of our younger customers in a dynamic environment. It is used solely for child protection and to block illegal content and not for any other purpose. Other network operators use the same or similar systems. We are required to to this in order to meet our regulatory and industry obligations.
UPDATE 8th March 2011We've had a further comment from BlueCoat, which claims any web process that isn't dealt with via a secure web session (HTTPS) is effectively giving up the user's right to privacy.
A BlueCoat Spokesperson said:
"If there is sensitive/confidential information being passed from a user to a site, it would mostly likely (should) be done via HTTPS. In this case, the entire URL request would be shrouded from the ISP (and WebPulse accordingly).
If such information is being sent unencrypted (by HTTP) is would be available for the WebPulse data center to see, but it is also available for anyone else to see. It would be data sent in the clear across the Internet available to anyone sniffing along the way, as well as to any router."
Certainly not using HTTPS can be a risk to hackers and spyware but it shouldn't automatically sign away an individual's right to privacy. Most webmasters will be aware that in the real-world HTTPS doesn't work for everything.
Likewise there's also this issue of data that is deemed to be "
public" or "
sent in the clear", which BlueCoat states would be "
available for anyone else to see". That's not strictly correct, you would probably have to be hacking or stalking to access such data when part of an individual's own private process. It is not available to everybody by default.
Many of us leave an upstairs window open at home during the summer to let a bit of cooling air in, but you don't expect to be burgled because of it. Yes it's a security risk to open a window but it's still a crime to enter that person's home and steal something.