Privacy watchdog raps TalkTalk over URL scanning

The Information Commissioner's Office was not informed about a TalkTalk malware-scanning trial that is looking at all websites requested bythe ISP's customers
Written by Tom Espiner, Contributor

The Information Commissioner's Office was kept in the dark by TalkTalk about a technology trial in which the ISP covertly collects information on the web sites its customers want to visit, according to recently revealed documents.

The UK's official privacy watchdog was not informed about the trial, according to correspondence obtained via a Freedom of Information (FoI) request by WhatDoTheyKnow.com, which published the documents on Friday.

Information commissioner Christopher Graham complained to TalkTalk about the lack of communication with his office and with its own customers in an email to dated 30 July that was released under the FoI request.

"In light of the public reaction to BT's trial of the proposed Webwise service, I am disappointed to note that this particular trial was not mentioned to my officials during the latest of our liaison meetings," wrote Graham in the email.

TalkTalk began the trial of its technology, which scans the URLs requested by customers for malware, at the beginning of July, a company spokesman told ZDNet UK on Tuesday. The ISP's customers are automatically included in the trial, which is ongoing, and are not asked to opt in, according to the company.

"I am concerned that the trial was undertaken without first informing those affected that it was taking place," Graham wrote in his July email. "You will be aware that compliance with one of the underlying principles of data protection legislation relies on providing individuals with information about how and why their information will be used."

The commissioner compared TalkTalk's technology to BT's Webwise service, which was provided by Phorm. Webwise, which monitored people's web browsing to serve adverts based on their behaviour, was shelved in July 2009 after criticism that it was a potential risk to customer privacy.

TalkTalk has not been monitoring which customers make the requests for URLs as part of its malware scanning, according to the company's spokesman.

"Of course we can look and see who has accessed [websites, but] we disassociate that information," he said. "We are looking at websites accessed from our network. We don't know who has accessed them."

Since the trial began in July, TalkTalk has found 75,000 websites it believes contain malware, he added. When the ISP launches the malware scanning as a full service later this year, it will shift to opt-in, he said.

TalkTalk's technical details (PDF) of how the anti-malware scanning works were also revealed as part of the FoI request. Under the system, customer requests for URLs pass through the TalkTalk network traffic control systems. The anti-malware scanner pulls out a specific URL from the general traffic routing data associated with a request and discards the personal data associated with it.

The ISP stressed that at present, it is not recording any personal data from the trial. However, the opt-in service will allow TalkTalk to identify customers and send them warnings in relation to potentially harmful URLs they want to visit.

Editorial standards