TalkTalk defends website spying

TalkTalk has today issued a statement defending its recent action of spying on customers, reiterating its assertion that its website tracker is only part of its anti-malware program, not an attempt to invade users’ privacy.

It said that its approach is designed to make the internet “a safer place”, scanning the URLs of websites visited and comparing them to a database of threats, allowing TalkTalk to block such threats before customers reach them.

Websites that are found to be clean will be stored in a “white list” database and automatically deleted after 24 hours, while websites found to contain malware are stored in a “black list” database for a full week before being deleted. TalkTalk also said that it will be storing these lists in a “temporary electronic state”, not a conventional accessible storage medium, suggesting that customers need not fear anyone accessing their data.

TalkTalk also said that the system will only record the destination URLs, not who sends the requests or any other personal data, which means it should be impossible to link a recorded URL to the customer who visited it. This will be vital if it hopes its anti-malware system, which will be opt-in only, is to be widely adopted.

Another important clarification it offered was that it does not scan or record secure website URLs (i.e. those with https), allaying fears that TalkTalk’s spy system could be monitoring your online banking and other private affairs.

The problem is that many will not believe an anti-malware system justifies the invasion of privacy, particularly considering no one was ever told about this until some customers spotted the stalking TalkTalk IP addresses. It is not clear why TalkTalk did not announce this system until after it had been caught in the act, but it certainly gives a bad impression to customers.

Another issue is that the testing period for the system is not opt-in, but rather opt-out, which means all TalkTalk customers are unwittingly sending their visited websites to TalkTalk’s database unless they tell the company to stop.

However, one commenter on our previous story on TechEye revealed that TalkTalk was still monitoring him even though he had requested that it cease in May of this year. If this is so, and if others are also experiencing this problem, it creates an even greater privacy concern for everyone using the TalkTalk service.

The TalkTalk statement in full is as follows:

As a network operator, TalkTalk receives and processes billions of requests daily from its customers to connect to websites across the internet.

We route these requests across our network and beyond but inevitably this exposes our customers to the countless viruses, worms, spyware and other malicious pieces of software out there on the internet.

As I’ve mentioned before, the aim of our new internet security technology, which will be free and opt-in only, is to help make the internet a safer place for our customers by warning them if their computer or device connected to their home broadband is viewing a page that contains viruses or other online threats.

Our new internet security technology will include an anti-malware system which has been tested in the TalkTalk network. (Malware is the name given to any software designed to infiltrate a person’s computer without their consent.)

As requests move through the network, the anti-malware system filters and records the website URLs to which our network has been asked to connect. The system simply records the destination website URLs; it does not record who sends the request or other personal data with the URL.

Being located in the TalkTalk network, the system is subject to the same high level of security applicable to the TalkTalk network and TalkTalk’s customer data. The process is not dissimilar to how we record voice traffic.

The system scans website URLs for malware and other viruses and then places each website URL in a white list (if the scan is clean – this is retained for up to 24 hours and then automatically deleted) or a black list (if the scan shows viruses, malware or other irregularities – this is retained for up to 7 days and then automatically deleted).

Given the volume of website URLs, these lists are recorded in a temporary electronic state and not in conventional accessible storage. When the anti-malware service goes live to customers, these lists will in future be used to alert customers to websites suspected to have malware or viruses.

Importantly, the anti-malware system does not record or scan any secure “https” website URLs.

And TalkTalk’s use of the anti-malware system is compliant with the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.
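As an added illustration (not TalkTalk’s code; the statement gives no implementation details), the following Python model captures the recording and retention rules described above: only the destination URL is kept, requests to https URLs are skipped entirely, and clean and flagged entries expire after 24 hours and 7 days respectively. The threat database, the hostname lookup standing in for the “scan”, and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Retention periods taken from the statement: clean URLs up to 24 hours,
# flagged URLs up to 7 days.  Times are seconds on a caller-supplied clock.
WHITE_TTL = 24 * 3600
BLACK_TTL = 7 * 24 * 3600


@dataclass
class UrlFilter:
    """Illustrative model of the described system, not TalkTalk's code."""
    threat_db: set                             # constructed threat database (hostnames)
    white: dict = field(default_factory=dict)  # url -> expiry time
    black: dict = field(default_factory=dict)  # url -> expiry time

    def record(self, client_ip: str, url: str, now: int) -> str:
        """Handle one connection request; returns 'skipped', 'white' or 'black'.

        client_ip is accepted but never stored: the lists hold only the
        destination URL, which is the data-minimisation point in the statement.
        """
        self._expire(now)
        if urlsplit(url).scheme == "https":
            return "skipped"          # secure URLs are neither scanned nor recorded
        if url in self.black:
            return "black"
        if url in self.white:
            return "white"
        # Assumed scan: a hostname lookup against the constructed threat database.
        if urlsplit(url).hostname in self.threat_db:
            self.black[url] = now + BLACK_TTL
            return "black"
        self.white[url] = now + WHITE_TTL
        return "white"

    def _expire(self, now: int) -> None:
        """Drop entries whose retention period has elapsed."""
        for lst in (self.white, self.black):
            for url in [u for u, exp in lst.items() if exp <= now]:
                del lst[url]

    def retained(self, now: int) -> list:
        """Everything still held at time `now`: destination URLs only, no client identity."""
        self._expire(now)
        return sorted(self.white) + sorted(self.black)
```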