Tags: interception

TalkTalk cleared by ICO to commence stalking their customers online.

The BBC yesterday ran a story about TalkTalk's plans to commence with trials of a new malware warning system despite anger from the public that the system tracks them around the Internet.  The technology, referred to by customers as "StalkStalk", intercepts the web communications of TalkTalk's customers then immediately sends a robot (software, not a tin man) to the exact same pages viewed by those customers, at which point it scrapes the web page and runs an analysis on it to check for malicious content.  If the page is considered to be malware free it is added to a white list for 24 hours - if a page is considered to host malware then it is added to a black list for up to 7 days.

On the face of it many people might be quite happy and see it as a valuable service - but the reality is that such use of technology is against the law in the UK and much of Europe.  There is a further issue: the Information Commissioner's Office (ICO) - the regulator responsible for enforcing the Privacy and Electronic Communications Regulations (PECR) - is reported to have cleared the technology.

The BBC reports that the ICO issued the following statement:

"We have advised Talk Talk on the safeguards which are necessary to comply with the Data Protection Act and the Privacy and Electronic Communications Regulations."
The problem is that the technology cannot comply with PECR Regulation 7 unless consent is obtained from TalkTalk's customers and TalkTalk have already made it clear that they will not be seeking consent nor will they allow customers to even "Opt-Out" of having their communications data intercepted and their every move on the web shadowed by TalkTalk's "service".

Regulation 7 states the following:

Restrictions on the processing of certain traffic data

7. (3) Traffic data relating to a subscriber or user may be processed and stored by a provider of a public electronic communications service if—

(a) such processing and storage are for the purpose of marketing electronic communications services, or for the provision of value added services to that subscriber or user; and

(b) the subscriber or user to whom the traffic data relate has given his consent to such processing or storage; and

(c) such processing and storage are undertaken only for the duration necessary for the purposes specified in subparagraph (a).

(4) Where a user or subscriber has given his consent in accordance with paragraph (3), he shall be able to withdraw it at any time.

It is important to note that 7(3)(a) and 7(3)(b) are both appended with the word "and", which means that processing under 7(3) is only permitted once all of the conditions in 7(3)(a) to 7(3)(c) are met - this is the crux of the issue.

TalkTalk have stated that they will obtain prior consent via an Opt-In mechanism before they serve customers with warnings about potential threats, but that consent mechanism does not extend to the interception and stalking of customers' online activities.  This is made clear by a "FAQ" posted to TalkTalk's user forums:
"7. Will only customers who sign up to Network Security have the websites they visit scanned?"

"We are scanning all the websites our customer base as a whole visits, in complete anonymity. You have to opt-into the Virus Alerts product itself, so if you don't want the warnings while you browse you don't have to enable the service, or if you activate Virus Alerts, you can switch it off again at any time afterwards."

Many people commenting on this issue are misunderstanding the purpose of PECR and assuming that because TalkTalk state they are not processing personal information and that they anonymise the data, that they are not breaking the law.  The problem is, we are not dealing with the Data Protection Act here - which is specifically concerned with Personal Information; we are looking at PECR which covers private communications not personal information.  To state that this technology complies with law because of anonymisation is a red herring and completely irrelevant for the purposes of PECR.

TalkTalk also state they are not processing private communications, but that they are processing network communications - this simply is not true.  PECR clearly states that "Traffic data relating to a subscriber or user" requires consent - the fact that TalkTalk are intercepting customers' traffic data and then following them directly to the page they just visited can only be defined as "traffic data relating to a subscriber".  As for the "not processing" argument - again, they are processing the data: they claim to strip out session IDs and other data which could be used to identify the customer, and they are acting on the data they obtain when they intercept those communications in the first place; therefore it is ridiculous to claim that this is not "processing".
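To make concrete what the mechanism described above involves - a captured URL has its session identifiers stripped, the robot fetches the page, and the verdict is cached for 24 hours (clean) or up to 7 days (malware) - here is an added model of those two steps. It is example code written for this post, not TalkTalk's system; the list of parameter names treated as session identifiers and the sample URLs are assumptions. Note what the stripping step leaves behind: the scheme, host, path and every remaining parameter, i.e. exactly which page the subscriber requested.

```python
"""Model of session-ID stripping and the 24h/7d verdict cache.

Added example, not TalkTalk's code.  SESSION_PARAMS is an assumed list of
parameter names; the sample URLs in the comments are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names assumed to carry a session token.
SESSION_PARAMS = {"phpsessid", "sessionid", "jsessionid", "sid", "token", "auth"}
# Path-embedded sessions such as /shop/cart;jsessionid=ABC123
PATH_SESSION_RE = re.compile(r";jsessionid=[^/;?]*", re.I)

WHITELIST_TTL = 24 * 3600        # clean verdict kept for 24 hours (per the article)
BLACKLIST_TTL = 7 * 24 * 3600    # malware verdict kept for up to 7 days


def strip_session_identifiers(url: str) -> str:
    """Drop session-bearing query parameters and path segments.

    Everything else survives, so the result still identifies the exact
    resource the subscriber visited (e.g. a forum control panel URL).
    """
    parts = urlsplit(url)
    path = PATH_SESSION_RE.sub("", parts.path)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    # Fragment is never sent to the server, so it is discarded.
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), ""))


class VerdictCache:
    """White/black list keyed by stripped URL, with per-verdict expiry."""

    def __init__(self):
        self._entries = {}   # url -> (verdict, expires_at_seconds)

    def record(self, url: str, malicious: bool, now: float) -> None:
        ttl = BLACKLIST_TTL if malicious else WHITELIST_TTL
        self._entries[url] = ("malware" if malicious else "clean", now + ttl)

    def lookup(self, url: str, now: float):
        """Return 'clean', 'malware', or None when unknown/expired."""
        entry = self._entries.get(url)
        if entry is None:
            return None
        verdict, expires_at = entry
        if now >= expires_at:
            del self._entries[url]    # expired: the robot must re-fetch
            return None
        return verdict


if __name__ == "__main__":
    captured = "http://example.test/forum/ucp.php?i=profile&sid=a1b2c3d4"  # constructed
    clean_url = strip_session_identifiers(captured)
    cache = VerdictCache()
    cache.record(clean_url, malicious=False, now=0)
    print(clean_url, cache.lookup(clean_url, now=3600))
```

The cache takes `now` as a plain seconds value rather than reading the clock, so expiry behaviour can be checked deterministically.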

Many people might ask "well what is the problem, they are only trying to make the Internet safer for their customers?" - yes they are, but they are doing it in a way which is illegal and earlier trials of the technology this year proved that TalkTalk were not doing what they said they were.  For example, TalkTalk claimed not to visit any pages which are dynamically generated for a specific user (such as a forum control panel or shopping cart) but that was proved not to be the case.  Several system administrators and web site owners reported that TalkTalk's robots were using captured session IDs and URL parameters to directly access private pages.  Furthermore, there simply is no need for TalkTalk to be doing any of this in order to provide a malware alert service - there are already several services TalkTalk could utilise and most modern web browsers already do this, which raises the question of whether or not TalkTalk's system is completely redundant.  To stalk people around the Internet in order to protect them is akin to wire tapping your phone to let you know when a malicious call is incoming - with the caveat that in order to detect malicious calls they have to listen to every single call that the line is used for.

At the end of the BBC article the ICO also add:

"it would take seriously any complaints it received about the service but said it had not received any to date."
(emphasis added)

This is blatantly untrue. On Friday 13th August 2010, I had a meeting at ICO's head office with a senior member of ICO's staff.  The TalkTalk issue was discussed at length (probably more than 1/3rd of the meeting) and it was made very clear this was a complaint and an outline of the action ICO were planning to take was discussed.  Furthermore, after that meeting I was asked to provide a list of questions which addressed customers' concerns for ICO which they would ask at a meeting with TalkTalk on Monday 16th August 2010 - which after consulting with various customers, was provided.  I also know for a fact that several people wrote formal complaints to ICO in the month leading up to that meeting.

So it seems we have a number of issues here:
  1. ICO are once again showing that they are unwilling to take enforcement action against big industry players.
  2. ICO do not understand the Privacy and Electronic Communications Regulations which they are mandated to enforce and have repeatedly made the error that commercial interception of private communications is permissible without consent, if it is for the purpose of a value added service (they made the same mistake with Phorm) - whereas the regulations explicitly state the opposite.
  3. TalkTalk will continue to intercept the private communications of their customers for the purposes of shadowing their every activity on the web - but they will do it now with the full support of the regulator.
  4. ICO have once again been shown to be enveloped by regulatory capture.

I should also make it clear that TalkTalk's technology fails to comply with the Regulation of Investigatory Powers Act (RIPA) - which makes commercial interception of communications a crime if no consent is obtained.  I have chosen not to go into detail over RIPA in this piece for a number of reasons:
  1. The UK are currently involved in a legal case with the European Commission for failing to implement European Directives governing interception of communications appropriately.  The Commission have commenced with a case in the European Court of Justice claiming that RIPA is in breach of European Law.
  2. RIPA is currently under review and we are in the middle of a consultation period (ending December 17th 2010) - until that consultation period concludes and the review is complete, it is difficult to know how RIPA will eventually look.  Currently it is looking as though the Home Office are going to make it even worse by making commercial interception a civil matter with a maximum £10 000 fine (whereas state interception will remain a crime unless a warrant is obtained) - this is a very serious concern but that is the subject of a future discussion and is beyond the scope of this article.
In conclusion, it would seem that the public cannot rely on ICO to protect their private communications and as such, it is my recommendation that all TalkTalk customers cancel their contracts as soon as TalkTalk go live with their trials.  It is my belief that this would be a material breach of customers' contracts and if TalkTalk update their Terms and Conditions in order to counter this argument, it would be a material change to those contracts which under UK Law allows customers to cancel the contract without penalty.  I will be taking this issue to the EU Commission and appeal to the public to email complaints to Vice President Neelie Kroes at the European Commission, who is responsible for ePrivacy and related EU Law - you can email Ms Kroes here Cab-Kroes-NK@ec.europa.eu.

I am not a lawyer, but I spend a great deal of time dealing with and researching law - it is my sincere opinion that my analysis in the paragraph above is correct, but please, if you have any doubts or questions, contact a solicitor.

BBC Article on TalkTalk
TalkTalk FAQ on their User Forums

Should we trust Google regarding WiFi Scandal?

Google have claimed to the Press and Media that the latest privacy scandal regarding their interception of Internet communications whilst sniffing out WiFi hot spots with their Streetview cars was an "accident".

They have stated that the code was being worked on for a different project and somehow managed to get inserted into the Streetview project - and frankly that doesn't wash.

Having worked on large IT projects for 15 years I have a strong understanding of the design, development, testing and deployment cycles of such projects, so let me explain a little how it works.

1.  The Design Phase
As the title suggests this phase is where the project is originally defined and designed.  Normally at the beginning of this phase there would be a very high level concept design which would not include any "code" as such - its purpose would be to give management and executives a human readable outline of the design principles and purpose of the project.

Once this has been signed off by management and a project leader/manager has taken control, that design concept will be fleshed out to make it ready for the engineers - this would result in documentation still at quite a high level (human readable) with perhaps some "pseudo code" but certainly nothing more.

The output from this phase would consist of a lot of reference documents, a technical glossary, a project plan and a lot of documents defining technical functionality and specifications - these would then become the core knowledge resources for the entire project and would be used by developers, testers and even management, throughout.

2.  The Development Phase
Nothing too complex in describing this phase - it is what it says on the tin.  Using the design references and technical specifications the engineers would develop the code base for the project.  They liaise with the Designers frequently and once they have some code it goes off for testing and debugging.

3.  The Testing Phase
Testing and Debugging will be heavily reliant on the technical specifications and various other documents from higher up the chain.  Test environments would be set up to mimic the real world and extensive testing of every single piece of code is carried out.  This is one of the most important phases in any IT project and it lasts a long time.  Every single byte of data which is produced by the tests is inspected to ensure that it is working as planned.  It never does, at least not in the early phases of a project, so there is a lot of interaction between developers and testers and again a lot of interaction between developers and designers.

4.  The Deployment Phase
In essence once a project has been thoroughly tested and is seen as stable it will be deployed into the real world - this doesn't mean that the three previous groups become obsolete - in fact they would continue to redesign, redevelop and retest in order to add new features, remove features which are not needed and deal with bugs or unexpected behaviour which was not picked up in the labs.  And believe me, these -always- manifest - I have yet to work on a large project which works as desired first time round, it simply doesn't happen.  The project manager has to deal with change requests, bugs, resource issues, efficiency issues and a whole bunch of other things.

So the question is how does a piece of code "intended" for another project entirely, manage to find its way into the project without being noticed?  The short answer is that it doesn't, it simply is not possible because of the very granular method in which projects are developed.

At the very worst it would have been picked up in Phase 3 (Testing) as the data coming back from the test environments would include all this "accidental" data and would be picked up by the people doing the testing.  At this phase in order for it to be "rogue" code one would assume there would be no technical specifications for that code which would immediately ring alarm bells with the testers as they find they have all this data which is not defined.

Even if it was missed during the testing phase (which is incredibly unlikely) it would certainly be noticed in the data coming back during the early stages of deployment - which is always examined thoroughly - you simply cannot fail to notice all this incoming data containing the contents of Internet communications.

Furthermore, one has to assume that the size of this data (considering it has been collected for over 3 years) would be significant - probably hundreds of terabytes - that all has to be stored somewhere and believe me when I say Database and System Administrators know their systems very well indeed, it is their job to know what is in their systems and why it is there - they need to know this to keep on top of resources, manage access control and backups - you can't store all this extra data accidentally, it takes physical space, money and real man hours to manage it.

So do I trust Google when they say it was an accident?  Absolutely not - they knew they had the data, they knew where and what that data was and they stockpiled it for 3 years - and it is likely they would have continued to do so had Germany not demanded to know what data they were collecting.

Google may well be able to pull the wool over the eyes of regulators, press, media and the general public - but anyone who has worked professionally on large IT projects knows full well that this was no accident - it just doesn't happen that way.