Talktalk defends secret web-scanning trial

Internet Service Provider TalkTalk has defended secretly testing a service that “followed” its subscribers around the web following disclosure of a letter from the Information Commissioner.

In a letter sent in July but revealed this week after a Freedom of Information request, Information Commissioner Christopher Graham told the ISP he was “concerned that the trial was undertaken without first informing those affected that it was taking place”.

“You will be aware that compliance with one of the underlying principles of data protection legislation relies on providing individuals with information about how and why their information will be used”, he added.

However, TalkTalk denied that it had done anything wrong. In August it replied, stating that it was “confident our testing of the service falls outside the scope of the Data Protection Act.”

“It is unfortunate that the media and certain individuals have, without being fully informed, viewed the network testing of the service with suspicion”, it added.

When asked whether it regretted not informing its customers, Communications Director Mark Schmid told Computeractive that the company “acknowledged that it would have been helpful to have told” the Information Commissioner’s Office.

“In terms of customers, what we’re doing is looking at websites accessed by our network”, he said. “We weren’t looking at customers’ data in any way”.

In a previous statement, the company wrote that “Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers.”

Mr Schmid said that the system was designed to inspect website addresses, or URLs, visited by its customers in order to scan them for threats, and to create a list of dangerous websites so that future visitors could be warned.

He added that so far it had found 75,000 visits to dangerous sites, and that when the service launches users will have to opt-in to make use of it.

Often, however, websites include personal information such as usernames in the URLs accessed by their visitors. Mr Schmid could not confirm whether or not the service was removing this information before storing the addresses.

The secret testing first came to light on the 13th of July, when a TalkTalk customer posted a message titled “I’m being monitored/watched?” on the ISP’s Members Forum.

“I've got a pretty serious privacy issue”, they wrote. “I have two Opal Telecom IP addresses that are following my every move, they follow me to every page that I visit.”