Web scanner complies with privacy law, says TalkTalk

Development of an internet security tool that notes which websites users visit has caused discontent among the ISP's subscribers and Privacy International

TalkTalk has addressed customer concerns over the introduction of a new security system that tracks users' internet browsing habits, saying in a blog that the company's use of the anti-malware system is "compliant" with the Privacy and Electronic Communications Regulations 2003 and the Data Protection Act 1998.

The company's response follows strong criticism of the system from non-profit, privacy watchdog Privacy International. The system has been introduced to aid development of TalkTalk's free internet security technologies by bolstering protection against malware, viruses and Trojans, according to a statement from the ISP.

As TalkTalk customers browse the web, each IP address they visit is scanned for threats and the results are used to build up lists of safe or suspect sites. Some customers have expressed concern over privacy issues leading from this system.

Clive Dorsman, chief networks officer at TalkTalk reassured customers on Monday on the company blog that no individually identifiable information is sent. He also said that white lists — sites deemed safe — are retained for up to 24 hours, and websites that are flagged for the black list — those which contain malicious code, malware or other irregularities — are kept for up to seven days, before being automatically deleted. Dorsman also added that secure connections ('https') are not scanned as part of the security check.

However, a spokesman for Privacy International told ZDNet UK on Tuesday that the organisation "is deeply concerned about the TalkTalk issue and feel it certainly imposes on people's private communications. We are concerned that the technology falls foul of Regulation of Investigatory Powers Act (Ripa) and Privacy and Electronic Communications (EC Directive) Regulations (PECR)".

"In our minds, TalkTalk [has] opened [itself] up to criminal liability under Ripa and civil liability under various torts and PECR... We have already raised our concerns with the Information Commissioner's Office (who are currently investigating) and our advice to TalkTalk customers would be to leave TalkTalk and seek legal advice about any penalties TalkTalk may try to charge," the spokesman added.

A spokesman for the Information Commissioner's Office (ICO) confirmed to ZDNet UK that it has been in discussion with TalkTalk "over the process of scanning customers' URLs".

The ISP introduced the monitoring system in mid-July without any publicity but some customers began noticing DNS addresses shadowing their online activity and asked questions about the tracker-like activity on the company's support forum — ultimately resulting in an explanatory post on the official TalkTalk blog.

Virgin Media announced earlier in August that it will begin sending out letters to its customers that are known to be infected by malware or part of a botnet as part of a campaign to "educate" its users.

Phorm, a behaviourally-targeted ad platform that tracked internet usage in order to provide relevant advertising, was dropped by BT — and subsequently TalkTalk — in July 2009. The company said it had nothing to do with customers' privacy concerns and was "a question of resources, priorities and focus", according to a BT spokesperson.