Tags: talktalk

TalkTalk cleared by ICO to commence stalking their customers online.

The BBC yesterday ran a story about TalkTalk's plans to commence with trials of a new malware warning system despite anger from the public that the system tracks them around the Internet.  The technology, referred to by customers as "StalkStalk", intercepts the web communications of TalkTalk's customers then immediately sends a robot (software not a tin man) to the exact same pages viewed by those customers, at which point it scrapes the web page and runs an analysis on it to check for malicious content.  If the page is considered to be malware free it is added to a white list for 24 hours - if a page is considered to host malware then it is added to a black list for upto 7 days.

On the face of it many people might be quite happy and see it as a valuable service - but the reality is that such use of technology is against the law in the UK and much of Europe.  But there is another issue with this in that the Information Commissioner's Office (ICO) - the regulator responsible for enforcing the Privacy and Electronic Communications Regulations (PECR), are reported to have cleared the technology.

The BBC reports that ICO's issued the following statement:

"We have advised Talk Talk on the safeguards which are necessary to comply with the Data Protection Act and the Privacy and Electronic Communications Regulations."
The problem is that the technology cannot comply with PECR Regulation 7 unless consent is obtained from TalkTalk's customers and TalkTalk have already made it clear that they will not be seeking consent nor will they allow customers to even "Opt-Out" of having their communications data intercepted and their every move on the web shadowed by TalkTalk's "service".

Regulation 7 states the following:
Restrictions on the processing of certain traffic data
7. (3) Traffic data relating to a subscriber or user may be processed
and stored by a provider of a public electronic communications service if—

(a)such processing and storage are for the purpose of marketing
electronic communications services, or for the provision of value added
services to that subscriber or user; and

(b)the subscriber or user to whom the traffic data relate has given his
consent to such processing or storage; and

(c)such processing and storage are undertaken only for the duration
necessary for the purposes specified in subparagraph (a).

(4) Where a user or subscriber has given his consent in accordance with
paragraph (3), he shall be able to withdraw it at any time.
It is important to note that 7 (3)(a) and 7(3)(b) are both appended with the word "and" which means that 7(3) is only permitted once all the conditions are met through 7(3)(a) - 7(3)(c) - this is the crux of the issue.

TalkTalk have stated that they will obtain prior consent via an Opt-In mechanism before it serves customers with warnings about potential threats, but that consent mechanism does not extend to the interception and stalking of customers' online activities.  This is made clear by a "FAQ" posted to TalkTalk's user forums:
"7. Will only customers who sign up to Network Security have the websites they visit scanned?"

"We are scanning all the websites our customer base as a whole visits, in complete anonymity, You have to opt-into the Virus Alerts product itself, so if you don't want the warnings while you browse you don't have to enable the service, or if you activate Virus Alerts, you can switch it off again at any time afterwards."

Many people commenting on this issue are misunderstanding the purpose of PECR and assuming that because TalkTalk state they are not processing personal information and that they anonymise the data, that they are not breaking the law.  The problem is, we are not dealing with the Data Protection Act here - which is specifically concerned with Personal Information; we are looking at PECR which covers private communications not personal information.  To state that this technology complies with law because of anonymisation is a red herring and completely irrelevant for the purposes of PECR.

TalkTalk also state they are not processing private communications, but that they are processing network communications - this simply is not true.  PECR clearly states that "Traffic data relating to a subscriber or user" requires consent - the fact that TalkTalk are intercepting customers' traffic data and then following them directly to the page they just visited can only be defined as "traffic data relating to a subscriber".  As for the "not processing" argument - again they are processing the data, they claim to strip out session IDs and other data which could be used to identify the customer and they are acting on the data they obtain when the intercept those communications in the first place; therefore it is ridiculous to claim that this is not "processing".

Many people might ask "well what is the problem, they are only trying to make the Internet safer for their customers?" - yes they are, but they are doing it in a way which is illegal and earlier trials of the technology this year proved that TalkTalk were not doing what they said they were.  For example, TalkTalk claimed not to visit any pages which are dynamically generated for a specific user (such as a forum control panel or shopping cart) but that was proved not to be the case.  Several system administrators and web site owners reported that TalkTalk's robots were using captured session IDs and URL parameters to directly access private pages.  Furthermore, there simply is no need for TalkTalk to be doing any of this in order to provide a malware alert service - there are already several services TalkTalk could utilise and most modern web browsers already do this, which raises the question of whether or not TalkTalk's system is completely redundant.  To stalk people around the Internet in order to protect them is akin to wire tapping your phone to let you know when a malicious call is incoming - with the caveat that in order to detect malicious calls they have to listen to every single call that the line is used for.

At the end of the BBC article the ICO also add:

"it would take seriously any complaints it received about the service but said it had not received any to date."
(emphasis added)

This is blatently untrue. On Friday 13th August 2010, I had a meeting at ICO's head office with a senior member of ICO's staff.  The TalkTalk issue was discussed at length (probably more than 1/3rd of the meeting) and it was made very clear this was a complaint and a outline of the action ICO were planning to take was discussed.  Furthermore, after that meeting I was asked to provide a list of questions which addressed customers' concerns for ICO which they would ask at a meeting with TalkTalk on Monday 16th August 2010 - which after consulting with various customers, was provided.  I also know for a fact that several people wrote formal complaints to ICO in the month leading up to that meeting.

So it seems we have a number of issues here:
  1. ICO are once again showing that they are unwilling to take enforcement action against big industry players.
  2. ICO do not understand the Privacy and Electronic Communications Regulations which they are mandated to enforce and have repeatedly made the error that commercial interception of private communications is permissable without consent, if it is for the purpose of a value added service (they made the same mistake with Phorm) - whereas the regulations explicitly state the opposite.
  3. TalkTalk will continue to intercept the private communications of their customers for the purposes of shadowing their every activity on the web - but they will do it now with the full support of the regulator.
  4. ICO have once again shown to be enveloped by regulatory capture.
I should also make it clear that TalkTalk's technology fails to comply with the Regulation of Investigatory Powers Act (RIPA) - which makes commercial interception of communications a crime if no consent it obtained.  I have chosen not to go into detail over RIPA in this piece for a number of reasons:
  1. The UK are currently involved in a legal case with the European Commission for failing to implement European Directives governing interception of communications appropriately.  The Commission have commenced with a case in the European Court of Justice claiming that RIPA is in breach of European Law.
  2. RIPA is currently under review and we are in the middle of a consultation period (ending December 17th 2010) - until that consultation period concludes and the review is complete, it is difficult to know how RIPA will eventually look.  Currently it is looking as though the Home Office are going to make it even worse by making commercial interception a civil matter with a maximum £10 000 fine (whereas state interception will remain a crime unless a warrant is obtained) - this is a very serious concern but that is the subject of a future discussion and is beyond the scope of this article.
In conclusion, it would seem that the public cannot rely on ICO to protect their private communications and as such, it is my recommendation that all TalkTalk customers cancel their contracts as soon as TalkTalk go live with their trials.  It is my belief that this would be a material breach of customers' contracts and if TalkTalk update their Terms and Conditions in order to counter this argument, it would be a material change to those contracts which under UK Law allows customers to cancel the contract without penalty.  I will be taking this issue to the EU Commission and appeal to the public to email complaints to Vice President Neelie Kroes at the European Commission, who is responsible for ePrivacy and related EU Law - you can email Ms Kroes here Cab-Kroes-NK@ec.europa.eu.

I am not a lawyer, but I spend a great deal of time dealing with and researching law - it is my sincere opinion that my analysis in the paragraph above is correct, but please, if you have any doubts or questions, contact a solicitor.

BBC Article on TalkTalk
TalkTalk FAQ on their User Forums