

TalkTalk subject to an ICO probe over anti-malware system
Tuesday 07 September 2010 19:58:32 by John Hunt

The Information Commissioner has written to TalkTalk expressing concern and disappointment over the Phorm-like network scanning system, announced back in July, that is designed to protect customers from malware on websites. The system collects every website address that its customers visit and compares these with lists of blacklisted (bad) and whitelisted (good) sites, which it builds by following its customers around the Internet. If a site has not been verified in the last 24 hours, the system will visit the website itself after the user has done so.

Although TalkTalk claim that the system will not receive or store any personal information and that it is completely legal, it has raised concern among worried customers and critics as to whether this interception of data is within the law.

"You will be aware of recent media interest in Talk Talk's trial of a service aimed at blocking malware. This matter has also been brought to my attention by individuals concerned that the service involves the interception of communications and that the trial itself was undertaken without the knowledge of Talk Talk customers whose browsing habits have been tracked.

I should be grateful first of all if you could clarify how the monitoring takes place. While I recognise that the aim of the service is to protect users from websites containing malicious software, it is still important that it does so within the law. In a statement made to The Daily Telegraph, Talk Talk have assured customers that the monitoring process is completely legal. Please provide details of how your analysis demonstrates that the service can operate in compliance with the Data Protection Act 1998 and the Privacy Electronic Communications Regulations.

I am concerned that the trial was undertaken without first informing those affected that it was taking place. You will be aware that compliance with one of the underlying principles of data protection legislation relies on providing individuals with information about how and why their information will be used. You will also be aware that these principles are not suspended simply because the information is being used for the purposes of a trial. I should be grateful if you could inform me as to the reasons why the trial was conducted without first informing customers and in particular how such a trial was in compliance with the relevant legislation.

Finally, and in light of the public reaction to BT's trial of the proposed Webwise [Phorm] service I am disappointed to note that this particular trial was not mentioned to my officials during the latest of our liaison meetings. I appreciate that your analysis may have led to the conclusion that it was not necessary to provide us with this information but we would be in a much better position to respond to the enquiries we have received on this matter if we had the chance to review and discuss the trial with you."

Letter from Information Commissioner, Christopher Graham, to TalkTalk

The question, therefore, is whether the system stores or processes personal information. Documentation provided by TalkTalk in response to the above letter from the ICO, and following subsequent meetings, gives a detailed overview of how the system works and, in particular, how rules such as the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR) apply.

Data Protection Act 1998 ("DPA")

The anti-malware system records website URLs alone (and not together with any other information). The website URLs constitute "data" under the DPA. While the data relates to a living individual (as it is an individual who initiates the request to access the website URL), the individual cannot be identified from the data itself nor from the data together with any other information in our possession.

The website URL may by its nature contain information about racial or ethnic origin, political beliefs, religious beliefs or other areas referred to in section 2 DPA. However, as the website URL data does not constitute "personal data" under the DPA, it will not by definition constitute "sensitive personal data".

Pursuant to section 17 of the DPA, both Opal Telecom Limited (the network provider) and TalkTalk Telecom Limited (the primary entity contracting with customers) are registered under the DPA.

Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR")

Under PECR, "traffic data" is defined to include "data relating to the routing, duration or time of a communication". The website URL is traffic data.

Our use of the traffic data is compliant with regulation 7 of PECR. The traffic data, when no longer required for the purpose of the transmission of the communication (i.e. requesting the website URL), is modified such that it ceases to be personal data (under regulation 7(1)(b) or (c)). In fact, the website URL does not require modification as it never becomes personal data. The network records the destination website URL with no reference to the customer who made the request.

The anti-malware service does not store information, or gain access to information stored, in the terminal equipment of a customer. PECR regulation 6 does not accordingly apply.

TalkTalk documentation on anti-malware system

The ICO is expected to decide whether the system breaches the DPA, but will not rule on whether it breaches RIPA (the Regulation of Investigatory Powers Act) through interception of data. That question would likely need to be raised with the police, as happened with Phorm, which was investigated by the City of London Police for breaches of RIPA.

Comments

Posted by ianeiloart over 6 years ago
This isn't quite good enough. Web URLs can contain personal, and even sensitive personal, information. They can even contain usernames and passwords. Talk Talk need to confirm that they remove usernames, passwords, and GET query parameters from the URLs. Even then, a URL can still contain sensitive personal information, as in this fictional example: http://somesocialnetworksite.example/myname/befriend/othername
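As an added example (not code from the original article, from TalkTalk's system or from the commenter), the following Python shows the minimisation the comment above calls for: stripping userinfo, query string and fragment from a URL before it is recorded, keying a per-site reputation lookup on the host alone, and counting how much readable path survives, since a path like the fictional example can still identify people. The sample URLs are constructed for illustration, and the host-only lookup key is an assumption about how a site list could be checked, not a description of TalkTalk's system.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs (illustrative only, not data from any ISP).
SAMPLE_URLS = [
    "http://user:secret@shop.example/basket?card=4111111111111111&name=alice",
    "https://somesocialnetworksite.example/myname/befriend/othername#top",
    "http://news.example/article/123",
]


def minimise_url(url):
    """Reduce a URL to scheme, host and path before it is recorded.

    Drops the userinfo (username:password), the query string and the
    fragment, i.e. the components the comment above asks to be removed.
    Returns the reduced URL and the names of the components that were
    dropped, so a reviewer can see what would otherwise have been logged.
    """
    parts = urlsplit(url)
    removed = []
    if parts.username is not None or parts.password is not None:
        removed.append("userinfo")
    if parts.query:
        removed.append("query")
    if parts.fragment:
        removed.append("fragment")
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, "", "")), removed


def lookup_key(url):
    """Host-only key for a site reputation (blacklist/whitelist) lookup.

    Assumption: a per-site check only needs the (lower-cased) host, so
    nothing from the userinfo, path or query has to be retained at all.
    """
    return urlsplit(url).hostname or ""


def path_segment_count(url):
    """Number of path segments left after minimisation; a long readable
    path (e.g. /myname/befriend/othername) can still identify people."""
    return len([s for s in urlsplit(url).path.split("/") if s])


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        reduced, removed = minimise_url(u)
        print(reduced, "| dropped:", removed, "| key:", lookup_key(u),
              "| path segments:", path_segment_count(reduced))
```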
Posted by spinneybel over 6 years ago
Oh well, so much for PCI compliance. I'm glad they're not my ISP.
Posted by TaRkADaHl over 6 years ago
I wonder if CB complained about this one when it was announced...

Probably not, only has hatred for BT...

On topic, this is on a par with Phorm and should be stopped... URLs often contain user info, especially since many sites (this one included) use on-topic-URLs-to-describe-the-page-so-they-are-picked-up-by-search-engines.
Posted by GMAN99 over 6 years ago
:)

Yes, it has to be stopped. As I said when this first appeared, it's not enough for TT to say "oh don't bother yourself, we won't record anything sensitive or personal". If there's any possible chance something could be logged it shouldn't be done, and there should always be an opt-in available, the default being opt-out.
Posted by CARPETBURN over 6 years ago
Quote: "I wonder if CB complained about this one when it was announced...

Probably not, only has hatred for BT..."

I wonder if you have always been an idiot. I don't only have hate for BT but for any dishonesty; see my recent rants in the O2 forums, idiot.
Posted by CARPETBURN over 6 years ago
If I had known about this I may have taken the time to complain to the relevant authorities; as it is I didn't (I avoid anything Talk Talk ;) ). That being said, it sounds like they are another bunch of scumbags, but we all knew that already :D
Posted by TaRkADaHl over 6 years ago
Harsh words... they hurt :(

lol
Posted by CARPETBURN over 6 years ago
^^^ If they did I can only offer help by rubbing salt into the wounds. ;)
Posted by BIORAPTOR over 6 years ago
Now we know why they offer 6 months free, although they get you to sign an 18 month contract.
On topic this is so wrong.