Slashdot Mirror


UK ISP TalkTalk Caught Monitoring Its Customers

An anonymous reader writes "The UK ISP TalkTalk has been caught using a form of Deep Packet Inspection technology to monitor and record the websites that its customers visit, without getting their explicit consent. The system, which is not yet fully in place, ultimately aims to help block malware websites by comparing the URL that a person visits against a list of good and bad sites. Bad sites will then be restricted. TalkTalk claims that its method is totally anonymous and that the only people with visibility of the URL database itself are Chinese firm Huawei, which will no doubt help everybody to feel a lot better (apply sarc mark here) about potentially having their privacy invaded."

30 of 139 comments

  1. Twas ever thus by benbean · · Score: 5, Insightful

    Doesn't really sound any different to what the search companies store. Sans encryption, nothing you do on the Internet is private. Caveat Browsor. Or, erm, something.

    --
    It's a Unix system - I know this.
    1. Re:Twas ever thus by zaax · · Score: 3, Informative

      In the UK it is illegal to monitor a person's private conversation on the phone, unless you have a judge's authority. Also it's against Human Rights. Maybe Talk-Talk customers should report them to the police.

    2. Re:Twas ever thus by mistralol · · Score: 4, Informative

      Actually in UK law the Digital Economy Act practically requires by law that ISPs monitor their users and notify certain bodies of any possible illegal activity. TalkTalk and BT are the only people attempting to stand up to this. I guess TalkTalk are a little more two faced than we thought.

    3. Re:Twas ever thus by smallfries · · Score: 2, Insightful

      Sans encryption, nothing you do on the Internet is private

      Very true, and yet within ten minutes there will still be several hundred posts in this story decrying the evil wiretappers of the man and how this is a breach of basic civil liberties.

      So here is a question (and it's only half devil's advocate) :
      If you send your data to a private company who has not signed any kind of contract to say that they will keep the data private: why wouldn't they look at it?

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    4. Re:Twas ever thus by noidentity · · Score: 2, Insightful

      How about just using English in the first place?

    5. Re:Twas ever thus by Anonymous Coward · · Score: 3, Funny

      Because Latin keeps the proles out

    6. Re:Twas ever thus by h4rm0ny · · Score: 4, Insightful


      They should indeed report them. It was not "ever thus" and quite demonstrably so, because we've only had mass electronic communication relatively recently, and in a form that is easy for third parties to record en masse for substantially less time than that.

      Each time a new frontier opens in the eternal war between the rulers and the ruled, a land-grab ensues where governments and corporations try to make the public accept something as inevitable or right whilst at the same time the public realizes just because they've allowed the government to make them do something in other areas, that doesn't mean it was right.

      It's vitally important at times like this to defend our rights as forcefully as possible. We did a lot of damage to Phorm when this was tried previously. In fact, Phorm turned into an ugly business black hole that no-one wanted to touch, with a reputation as down the toilet as SCO, and I pity the people associated with it (except I don't). Clearly someone hasn't learned their lesson and we need to burn down a few more companies before we finally establish our right to privacy.

      So let's make them regret this.

      --

      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    7. Re:Twas ever thus by MoonBuggy · · Score: 5, Informative

      Firstly, in the UK, the data protection act comes into play, especially considering the level of insight that browsing info can give about many of the items listed on the "Sensitive personal data" list.

      Secondly, wiretapping legislation specifically forbids monitoring of telephone communications except in specific circumstances, whether they are encrypted or not. It's hardly a stretch to apply the same logic to internet communication.

    8. Re:Twas ever thus by tolan-b · · Score: 3, Insightful
    9. Re:Twas ever thus by smallfries · · Score: 2, Interesting

      That's a very cool site, best description of the data protection act that I've read. It still leaves me wondering how the DPI that TalkTalk performed would breach it though. If they pass URLs to a third party without any way to look up who requested each URL then it doesn't count as personal data under the act. I also see that any personal data they did pass on would have been legal as long as it was correct and TalkTalk actually told people what they were doing (not that they did).

      Why would wiretapping legislation be relevant? It wouldn't be a great stretch if this were some third-party breaking into the line between TalkTalk and its customers, but it is not. This is the ISP looking at the data that it has been sent - that is a huge stretch of wiretapping legislation and it is not clear that it would apply at all.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    10. Re:Twas ever thus by somersault · · Score: 3, Informative

      How is them trying to warn users they are about to visit a malicious site anything like recording activity for the purposes of relaying to the government? There is nothing two faced about this, it is good for the customer.

      This is just the usual BS sensationalism. According to TFA, the data being recorded is anonymous:

      Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited. What we are interested in is making the web a safer place for all our customers.

      This is the type of thing we should be encouraging rather than discouraging, if it reduces the number of idiots infecting their machines, which it will slightly. I think the ISP should enable this type of warning by default, with the option to opt out for those who actually want the very slight improvement in latency.

      --
      which is totally what she said
    11. Re:Twas ever thus by renoX · · Score: 2, Insightful

      > Sans encryption, nothing you do on the Internet is private.

      Even with encryption, your ISP can log every IP address you access, I would hardly call this a private activity!

      So I would correct: nothing you do on the Internet is private, only semi-private with encryption, except if you are using either
        1) encryption + TOR or
        2) steganography.
      And (1) is quite easy to detect for your ISP, so you would be "noticed": in some countries this could be dangerous.
      So the only really private communication you can have on the Internet is (2).

    12. Re:Twas ever thus by Yer+Mom · · Score: 2, Insightful

      If they pass URLs to a third party without anyway to lookup who requested each URL then it doesn't count as personal data under the act.

      http://www.example.com/account.php?e=myaddress@example.net. Bang. Personal data right there.

      Unless they have a way that can guarantee email addresses, account numbers etc are stripped out of the URL, of course...

      --
      Never mind Spamassassin. When's Spammerassassin coming out?
    13. Re:Twas ever thus by makomk · · Score: 2, Interesting

      Actually, thinking a bit more, it's worse than that. If you know the URL of a Facebook image, even a private one, you can view the image (there's no access protection on static content like image files) and you can link it back to the Facebook account of the person who posted it. Unless someone's taken special care, this information is very likely to be in TalkTalk's logs.

    14. Re:Twas ever thus by HungryHobo · · Score: 2, Interesting

      If it's malware they're trying to stop and not anything else then they gain little.
      Foolish people who click "OK" to popups asking them to install anything and everything constitute an almost perfectly random search.

      Better to just get a list of sites which serve malware from one of the companies which track such things and re-direct traffic for them into a hole.

      This seems less innocent the more I think about it.

    15. Re:Twas ever thus by RobertM1968 · · Score: 2, Insightful

      No, a LOT more two faced. Anyone with even the slightest networking knowledge knows that any ISP such as this, who runs their own DNS server, can simply drop the bad domains into the DNS servers and have them point to one of their own servers which will present a "This site has been blocked for... " page.

      A simple example of something similar (in implementation) are the "not found" redirects that many ISPs are doing now, that bring you to one of their customized search pages.

      They don't need to monitor what users are doing since they are not building a list of bad sites - they are (supposedly) comparing users' surfing to an already existing list.

      I call massive bullshit on the part of TalkTalk.
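The DNS sinkhole the comment above describes is a standard technique, and it is worth showing what it actually takes, because the contrast with full URL inspection is the whole argument. Added example, not code from the thread or from any ISP: it turns a list of bad domains into an Unbound resolver configuration (`local-zone ... redirect` plus a `local-data` A record, which is Unbound's documented sinkhole pattern), and mirrors the redirect semantics in `resolves_to_sinkhole` so the rule set can be checked offline. The sinkhole address 192.0.2.1 is an RFC 5737 documentation address chosen for the example; the list of domains is constructed.

```python
import ipaddress
import re

SINKHOLE = "192.0.2.1"  # RFC 5737 documentation address; an ISP would use its block-page server

# One DNS label: 1-63 chars of letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(domain):
    """Lower-case, strip the trailing dot and validate; return None for junk.

    Validating here matters: a bad entry in a blocklist must not become a
    syntax error that stops the resolver from loading its whole config."""
    d = domain.strip().lower().rstrip(".")
    if not d or len(d) > 253:
        return None
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    return d


def unbound_sinkhole_config(domains, sinkhole=SINKHOLE):
    """Emit Unbound config that answers the zone and everything beneath it with the sinkhole."""
    ipaddress.ip_address(sinkhole)  # raises ValueError on a malformed sinkhole address
    zones = sorted({d for d in map(normalise, domains) if d})  # dedupe, drop invalid entries
    lines = []
    for z in zones:
        lines.append(f'local-zone: "{z}." redirect')
        lines.append(f'local-data: "{z}. A {sinkhole}"')
    return "\n".join(lines) + "\n"


def resolves_to_sinkhole(qname, domains):
    """Mirror the redirect semantics: the zone name itself and any name beneath it match."""
    q = normalise(qname)
    if q is None:
        return False
    zones = {d for d in map(normalise, domains) if d}
    labels = q.split(".")
    # Walk the suffixes of the query name: www.bad.example -> bad.example -> example
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


if __name__ == "__main__":
    bad = ["bad.example", "Malware-Host.example.", "not a domain", "bad.example"]  # constructed list
    print(unbound_sinkhole_config(bad), end="")
    print(resolves_to_sinkhole("www.bad.example", bad))
```

Two caveats a practitioner should keep in mind. Sinkholing works at hostname granularity only, so a malicious path on a shared or otherwise legitimate host cannot be blocked this way without taking the whole host down with it; and it is trivially bypassed by a client that uses a different resolver or a hosts-file entry, so it is a safety net for the careless rather than a control against a determined user. Neither limitation requires inspecting anyone's traffic to work around: the first is a policy choice about blocklist granularity, and the second is the same for any blocking scheme that sits in the ISP's own infrastructure.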

  2. End-to-end encryption by Anonymous Coward · · Score: 5, Insightful

    It's the only way to be sure. I know of at least one German university which also filters all external web traffic through a proxy which blocks URLs, also supposedly to reduce malware infections. The road to hell is paved with good intentions. The same technology which is installed to fight malware is also ideally suited to work as censorship infrastructure. Once it's in place, the operators will undoubtedly be confronted with the question why they only filter malware and not other "illegal" content. Once they've succumbed to that, the list of URLs to block will grow to include "unruly" opinions, videos of police, etc.

    End-to-end encryption. Now.

    1. Re:End-to-end encryption by AHuxley · · Score: 4, Informative

      Yes like in Australia the "URL database" will grow and grow.
      http://zfoneproject.com/ for all :)

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:End-to-end encryption by Dexter+Herbivore · · Score: 2, Funny

      It's the only way to be sure.

      No, nuke it from orbit.. THAT'S the only way to be sure.

  3. The difference should be obvious by SmallFurryCreature · · Score: 3, Insightful

    My ISP is often a matter of little choice, if I want to access the internet, I MUST go through an ISP.

    I never ever have to go to google or any other domain. It is trivial to avoid any domain I wish, just put it in hosts file with local ip.

    Especially since Google doesn't know my personal details. My ISP does.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:The difference should be obvious by MoonBuggy · · Score: 5, Informative

      One thing to add, which you may not have realised if you're not a UK user, is that it is absolutely possible for people to vote with their wallets in this case. Unlike the situation as I understand it in the US, we have a fairly good choice of DSL ISPs.

      If a person is using TalkTalk, it means they have a BT (physical) phone line, although it may not be currently connected to BT equipment at the exchange. Since BT has long been required to open up their government-provided-monopoly infrastructure to others, it means that there will be a wide choice of ISPs and switching is relatively straightforward.

      Also, on a purely personal note, this allows me a brilliant concrete example of why I advise people to pay a little more for a straightforward, unadulterated connection from Be or UKFSN's LLU service (no affiliation with either other than as a satisfied customer) and support those ISPs who don't pull crap like this.

  4. Data protection by rainmouse · · Score: 3, Insightful

    Isn't passing personal information out of Europe without express permission a breach of the Data Protection Act? Though let's face it, people's biggest privacy concerns here are their porn viewing habits. Perhaps some porn sites should set up shop that show up in the URL history as stocks and shares or Technology News.

    Anna.Techsupport032a2.jpg, Anna.Techsupport032a3.jpg

    1. Re:Data protection by Tapewolf · · Score: 2, Funny

      Isn't passing personal information out of Europe without express permission a breach of the Data Protection Act? Though let's face it, people's biggest privacy concerns here are their porn viewing habits. Perhaps some porn sites should set up shop that show up in the URL history as stocks and shares or Technology News.

      Anna.Techsupport032a2.jpg, Anna.Techsupport032a3.jpg

      There was once a porn site that had a very similar URL to an ADSL comparison site, presumably for that reason. It was particularly annoying when I was trying to find the ADSL site at work...

  5. Name change by Rik+Sweeney · · Score: 2, Funny

    (You may want to sit down before reading on, or at least steady yourself against something)

    (Ready?)

    Maybe they should change their name to Watch Watch instead.

    1. Re:Name change by Dexter+Herbivore · · Score: 5, Funny

      Maybe they should change their name to Watch Watch instead.

      Actually, I thought StalkStalk was a better option.

  6. Re:Ironic by asdf7890 · · Score: 5, Informative

    Ironic this, seeing as how TalkTalk have been pushing back against almost the same things in the Digital Economy Act.

    They are against the act because as it is currently written it favours smaller operators, as some of its rules such as the automatic disconnection for copyright violation only apply to ISPs with at least 40,000 customers. They are not fighting the act to protect anyone's privacy, they are fighting the act because it could make their services look less competitive.

    Shame really, they did look like they might be good guys.

    No they didn't, not if you look into their (recent) past. They were one of the big three ISPs connected to the "ex-" spyware outfit Phorm in 2008/2009, and their past sales techniques, including line-slamming (using people's details gleaned from other sales activity to switch their landline provision to them without permission) and apparently deliberate ignorance of the Telephone Preference List, have left a lot to be desired. See http://en.wikipedia.org/wiki/TalkTalk#Data_pimping and http://en.wikipedia.org/wiki/The_Carphone_Warehouse#Data_protection respectively for links to more info.

  7. Monitoring traffic, not customers by myxiplx · · Score: 4, Interesting

    The thing is, if you ignore the sensationalist headline and look at what they're doing, it's just a list of websites that are accessed over their network, which they're using to create an opt-in filtering system.

    Oh no, an ISP actually doing something useful for its customers, whatever will we do!

    Stories like this are what annoy me about the press (slashdot included).

  8. Huawei has been mentioned before. by dalmor · · Score: 4, Informative

    The company has been mentioned previously here on /. for its questionable relationship with the Chinese government.

    http://tech.slashdot.org/story/10/05/28/1228224/Chinese-Networking-Vendor-Huaweis-Murky-Ownership

  9. Hey TalkTalk! It's My Life! by imac.usr · · Score: 2, Funny

    Don't you forget!

    Really, this story is Such A Shame.

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
  10. How Much of the URL? by s7uar7 · · Score: 2, Insightful

    Presumably they need to capture at least the page that the user is visiting, as checking for malware on just the root of a site is a waste of time. As most sites these days are dynamic they'll also have to capture the parameters in a GET (and possibly POST), so there is every chance they *will* be capturing personally identifiable data.
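Two comments in this thread converge on the same engineering question: Yer+Mom's `http://www.example.com/account.php?e=myaddress@example.net` shows that a URL can carry personal data in its query string, and the comment directly above points out that a useful malware check needs at least the path, and probably the parameters. The part of the URL these pull in opposite directions is exactly the part a scrubber can deal with. The following is an added example, not code from the original thread or from TalkTalk's system: `scrub_url` reduces a URL to scheme, host and path, drops the query string and fragment outright, and replaces path segments that look like e-mail addresses, long hex tokens or long numeric IDs; `is_blocked` then matches the scrubbed form against a blocklist that supports both whole-host entries and host-plus-path-prefix entries, so a check at path granularity never needs the query string at all. Which path segments count as identifying is a policy decision; the two patterns here are illustrative, and the sample URLs and blocklist entries are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Path segments that are likely to identify a person or a session. These are
# illustrative assumptions, not an exhaustive policy.
_EMAIL = re.compile(r"^[^/@\s]+@[^/@\s]+\.[^/@\s]+$")
_TOKEN = re.compile(r"^[0-9a-fA-F]{16,}$|^\d{6,}$")


def scrub_url(url):
    """Reduce a URL to scheme://host/path with identifying material removed.

    The query string and fragment are dropped entirely (that is where
    e=myaddress@example.net lives), userinfo and port are dropped with the
    netloc, and path segments matching the patterns above are replaced."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = []
    for seg in parts.path.split("/"):
        if _EMAIL.match(seg) or _TOKEN.match(seg):
            segments.append("[redacted]")
        else:
            segments.append(seg)
    return urlunsplit((parts.scheme, host, "/".join(segments), "", ""))


def is_blocked(url, blocklist):
    """Match a URL against blocklist entries of two shapes:

      'host.example'         blocks that host and every subdomain of it
      'host.example/path/'   blocks exactly that host, under that path prefix

    Matching is done on the scrubbed form, so the query string is never consulted
    and never needs to be retained to reach a decision."""
    parts = urlsplit(scrub_url(url))
    host = parts.hostname or ""
    path = parts.path or "/"
    for entry in blocklist:
        entry = entry.lower()
        if "/" in entry:
            ehost, epath = entry.split("/", 1)
            if host == ehost and path.startswith("/" + epath):
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False


if __name__ == "__main__":
    blocklist = ["evil.example", "shared.example/uploads/"]  # constructed sample entries
    for u in [
        "http://www.example.com/account.php?e=myaddress@example.net",
        "https://user:pw@www.example.com/u/alice@example.net/photos/0123456789abcdef/",
        "http://cdn.evil.example/pack.exe?session=deadbeef",
        "http://shared.example/uploads/dl.exe?id=123",
    ]:
        print(scrub_url(u), is_blocked(u, blocklist))
```

The design choice worth noting is the order of operations: scrub first, then match and then log, so that what reaches a third-party scanning engine, or a log file, is already the reduced form. Scrubbing after the fact, once the full URL has been stored, is the situation the comments above are worried about. The limitation is the mirror image of the comment's point: a page whose maliciousness is only visible in its parameters cannot be caught by a path-prefix rule, and that is a deliberate trade of coverage for not retaining the query string.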