ICO Confirms TalkTalk Probe Over Customer Snooping

The Information Commissioner’s Office is unhappy that TalkTalk has been monitoring the web surfing habits of its customers without informing them.

The Information Commissioner’s Office (ICO) has confirmed it is looking into the process that TalkTalk uses to monitor the web addresses that its customers are using.

The news that TalkTalk was monitoring its customers’ online activity, as part of a trial for a new anti-malware system, first came to light in late July.

A TalkTalk customer had noticed that two “guest” IP addresses had appeared in his web server logs, and raised the issue on the ISP’s discussion forum. Several other users discovered they were being tracked by the same IPs, prompting a fierce privacy debate among TalkTalk customers.

URL Monitoring

TalkTalk then admitted to the monitoring, but said that it was a necessary part of the testing process for a new anti-malware system it is developing. The system is provided by Chinese vendor Huawei, and is due to be launched before the end of 2010.

As TalkTalk customers browse the web, the TalkTalk anti-malware system records all the URLs they visit and checks them against a blacklist of sites known to be infected with malware. It also has a “whitelist” of sites that have been scanned for threats and approved.

“The ICO is currently looking into the process by which TalkTalk collects data about websites visited on its network,” a spokesperson for the Information Commissioner’s Office (ICO) confirmed to eWEEK Europe UK in an email.

“We have requested further details about how data is used and will continue to monitor this service to ensure that it complies with the Data Protection Act,” the spokesman added.

Meanwhile Christopher Graham, the Information Commissioner, apparently told TalkTalk that he was disappointed that the operator had not warned its 4.2 million customers about the web monitoring.

According to The Register, which obtained the letter under the Freedom of Information Act, Graham had sent a letter to TalkTalk at the end of July. “I am concerned that the trial was undertaken without first informing those affected that it was taking place,” the letter said.

TalkTalk Response

But Clive Dorsman, Managing Director of TalkTalk Technology, used a blog posting to put his side of the argument.

“We’ve had lots of questions from customers about our network security technology so we wanted to provide a bit more detail on how the system works,” said Dorsman. “As I’ve mentioned before, the aim of our new Internet security technology, which will be free and opt-in only, is to help make the Internet a safer place for our customers by warning them if their computer or device connected to their home broadband is viewing a page that contains viruses or other online threats.”

“Our new Internet security technology will include an anti-malware system which has been tested in the TalkTalk network,” said TalkTalk’s Dorsman. “Being located in the TalkTalk network, the system is subject to the same high level of security applicable to the TalkTalk network and TalkTalk’s customer data. The process is not dissimilar to how we record voice traffic.”

“Given the volume of website URLs, these lists are recorded in a temporary electronic state and not in conventional accessible storage,” he said, hoping to ease user concerns. He also stated that TalkTalk’s use of the anti-malware system is compliant with the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.

BT Phorm Controversy

But for many users, this TalkTalk trial will draw an uncomfortable comparison with BT’s secret trials of Phorm technology last year. BT had been hoping to offer a similar filtering system alongside its controversial behavioural advertising service.

But the UK carrier was forced to drop the technology in July last year, following a mass public outcry and threats from the European Commission that it would take legal action against the UK government over its failure to protect users from the software.

Virgin Media faced similar outrage from privacy campaigners in November 2009, when it was found to be trialling new technology from Detica that would allow it to monitor file-sharing over the Internet. The trials were in response to a clause in the Digital Economy Bill – now the Digital Economy Act – which requires ISPs to combat illegal file-sharing over their networks.