TalkTalk has addressed customer concerns over the introduction of a new security system that tracks users' internet browsing habits, saying in a blog that the company's use of the anti-malware system is "compliant" with the Privacy and Electronic Communications Regulations 2003 and the Data Protection Act 1998.
The company's response follows strong criticism of the system from non-profit, privacy watchdog Privacy International. The system has been introduced to aid development of TalkTalk's free internet security technologies by bolstering protection against malware, viruses and Trojans, according to a statement from the ISP.
As TalkTalk customers browse the web, each IP address they visit is scanned for threats and the results are used to build up lists of safe or suspect sites. Some customers have expressed concern over privacy issues leading from this system.
Clive Dorsman, chief networks officer at TalkTalk reassured customers on Monday on the company blog that no individually identifiable information is sent. He also said that white lists — sites deemed safe — are retained for up to 24 hours, and websites that are flagged for the black list — those which contain malicious code, malware or other irregularities — are kept for up to seven days, before being automatically deleted. Dorsman also added that secure connections ('https') are not scanned as part of the security check.
However, a spokesman for Privacy International told ZDNet UK on Tuesday that the organisation "is deeply concerned about the TalkTalk issue and feel it certainly imposes on people's private communications. We are concerned that the technology falls foul of Regulation of Investigatory Powers Act (Ripa) and Privacy and Electronic Communications (EC Directive) Regulations (PECR)".
"In our minds, TalkTalk [has] opened [itself] up to criminal liability under Ripa and civil liability under various torts and PECR... We have already raised our concerns with the Information Commissioner's Office (who are currently investigating) and our advice to TalkTalk customers would be to leave TalkTalk and seek legal advice about any penalties TalkTalk may try to charge," the spokesman added.
A spokesman for the Information Commissioner's Office (ICO) confirmed to ZDNet UK that it has been in discussion with TalkTalk "over the process of scanning customers' URLs".
The ISP introduced the monitoring system in mid-July without any publicity but some customers began noticing DNS addresses shadowing their online activity and asked questions about the tracker-like activity on the company's support forum — ultimately resulting in an explanatory post on the official TalkTalk blog.
Virgin Media announced earlier in August that it will begin sending out letters to its customers that are known to be infected by malware or part of a botnet as part of a campaign to "educate" its users.
Phorm, a behaviourally-targeted ad platform that tracked internet usage in order to provide relevant advertising, was dropped by BT — and subsequently TalkTalk — in July 2009. The company said it had nothing to do with customers' privacy concerns and was "a question of resources, priorities and focus", according to a BT spokesperson.
Talkback
I don't believe him.
Only 2 webcrawlers covering all of their customer requests?
Only pulls single pages the user visits and not linked pages or other pages on the site (from searches on the IP address that reveal AWStats logs). Why not linked pages?
Pulls the page AFTER the user reads it, and thus cannot possibly protect that user from malware.
Discards the evil URL after 7 days, ... why wouldn't you rescan it.
Why wouldn't you just do a webcrawl to scan the web.
Why wouldn't you just use the spamhaus XBL list?
http://www.spamhaus.org/xbl/
How come all these millions of TalkTalk customers and I can find so few entries for their crawler?...
IMHO, they are monitoring a few customers for reasons not disclosed and having been caught, he's talk talking something nonsensical to cover their asses.
I cannot for the life of me see what the problem is. Most paid for internet security programs do just what TalkTalk are offering for free. It is also an opt in, meaning you have to physically switch the stupid thing on. I think that perhaps someone needs to get a life, or perhaps switch from journalism to bus driving
Hi Dennis, I think the exception most people take is that the process seemed to start unannounced, without informing customers in advance. As you, and the commenter above, correctly say, it isn't anything above and beyond what other similar services or programs are doing - which sort of begs the question of why are TalkTalk doing this themselves? Most new PCs come with antivirus options pre-installed, a number of other web services are already hard at work scanning the internet for malware and malicious sites, so it just seems a slightly strange decision to take this process in-house.