TalkTalk spies on customers

UK internet service provider TalkTalk has been caught spying on its users only a couple of weeks after it joined other ISPs in challenging the Digital Economy Act over privacy concerns.

The discovery was made by some TalkTalk customers, who noticed that IP addresses from Opal Telecom, a subsidiary of TalkTalk, were following every website they visited. Other users were then able to replicate the procedure and discover the stalking tactics in their logs.

After a series of complaints to TalkTalk, it revealed that it is developing “some really exciting new security and parental control services”, which it said would provide “greater protection” for its customers. Only, it doesn’t protect it from snooping ISPs.

The new monitoring system comes from the Chinese company Huawei. It follows users’ every move online, recording visited website URLs and comparing them to those which are known to contain malware. TalkTalk knows what sites you’re visiting within 30 seconds to 2 minutes, but it’s all to protect you. TalkTalk promises.

It said that users can opt out of the data mining operation if they want but it never told its users it was doing it in the first place, which limited the option to get rid until it was well and truly rumbled. The fact that it is not advertised anywhere and was only discovered by worried customers makes the whole affair that bit more shady.

In a time when ISPs, including TalkTalk itself, have been fighting against the Digital Economy Act, which may require the handing over of IP addresses of suspected illegal downloaders, this seems a tad hypocritical. TalkTalk doesn’t want outsiders asking it to monitor its users, but it has no problem doing it anyway without consent or knowledge.

TalkTalk has tried to allay fears by saying it only monitors and collects data of sites visited, but does not receive or store any details of who visited those sites. It said it is running a legitimate program for targeting malware and is “not interested in who has visited which site”. However, trust is important for any brand. We’ve a sneaking suspicion that customers will now also have sneaking suspicions. What other things could it be doing behind customers’ backs?

TalkTalk said that URLs it collects are deleted after 24 hours if they are found to be free from malware, while infected sites are checked and blocked on a daily basis until they are clean for seven days.

The malware blocker and parental controls system will come into force in the latter half of this year, which TalkTalk users can opt in for at no cost. It is unusual that the finished product requires an opt-in, while the testing of it requires an opt-out; perhaps TalkTalk might have better approached it by offering the trial as an opt-in as well.

It is not clear why TalkTalk decided to begin this testing phase with such a hush-hush attitude, but it is clear that its customers aren’t impressed, regardless of what it claims it’s doing it for.