TalkTalk Snoops On Customers’ Web Activity

Broadband provider TalkTalk has been caught monitoring and recording its customers’ online activity without their consent.

The situation first came to light when a TalkTalk customer noticed two “guest” IP addresses appearing in his web server logs, and brought the issue up on the ISPs discussion forum. Several other users discovered they were being tracked by the same IPs, prompting a fierce privacy debate among TalkTalk customers.

TalkTalk has since admitted to the monitoring, but claims it was a necessary part of the testing process for a new anti-malware system it is developing. The system is provided by Chinese vendor Huawei, and is due to be launched before the end of 2010.

“We are developing some really exciting new security and parental control services, which will be based deep within our network infrastructure, to provide our customers with greater protection for all the devices they connect to their broadband line with,” said TalkTalk in a statement. “We’ve had considerable feedback from customers that PC-based software only deals with part of the wider security problem facing today’s Internet users, so we’ve developed these new services to help improve our customers online experience with us.”

Web-monitoring

Customers are currently not able to opt out of TalkTalk’s data collection project. As they browse the web, URLs are recorded and checked against a blacklist of sites known to be infected with malware, as well as a “whitelist” of sites that have been scanned for threats and approved in the last 24 hours.

Many people participating in the discussion on TalkTalk’s forum have likened the situation to BT’s secret trials of Phorm technology, which pledged to offer a similar filtering system alongside its controversial behavioural advertising service.

BT was forced to drop the technology in July last year, following a mass public outcry and threats from the European Commission that it would take legal action against the UK government over its failure to protect users from the software.

“Technologies like internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules. These rules are there to protect the privacy of citizens and must be rigorously enforced by all Member States,” said former EU telecoms commissioner Viviane Reding at the time.

Virgin Media faced similar outrage from privacy campaigners in November 2009, when it was found to be trialling new technology from Detica that would allow it to monitor file-sharing over the Internet. The trials were in response to a clause in the Digital Economy Bill – now the Digital Economy Act – which requires ISPs to combat illegal file-sharing over their networks.

No data stored

Despite the obvious privacy implications of this type of software, TalkTalk defended its decision to work with Huawei, claiming that its new system effectively just gathers an anonymous list of public website addresses.

“Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers,” it said.

Ironically, TalkTalk has recently become known as a champion of online privacy. Earlier this month, BT and TalkTalk called for a judicial review of the Digital Economy Act by the High Court, claiming that the measures to curb online copyright infringement did not receive sufficient scrutiny when the bill was passing through Parliament.

“Innocent broadband customers will suffer and citizens will have their privacy invaded,” said TalkTalk Group chairman Charles Dunstone at the time. “We think the previous government’s rushed approach resulted in flawed legislation.”