TalkTalk becomes StalkStalk

  seefuu1 16:53 16 Aug 2010

click here

A little over 3 weeks ago, an observant UK TalkTalk customer discovered their ISP was stalking their web surfing. (Read more on the Phoenix Broadband forum).

For a period of approximately two months, TalkTalk have been covertly monitoring the web pages requested by their customers. Then, moments later, replaying exactly the same requests, to obtain the same page content that their customers had been reading for analysis. Even TalkTalk staffers seem surprised that consent was not sought for this process.

  seefuu1 16:57 16 Aug 2010
  ridicle 22:42 17 Aug 2010

they rang me up today to ask me to sign up, i declined, no im a little worried, what would happen if the information was given to the wrong people or used in the wrong context.

  Forum Editor 23:00 17 Aug 2010

seem surprised that consent was not sought for this process."

Hang on a minute - let's get this straight. As far as I can see, what Talk Talk has done is monitor the web page requests that have been made by its subscribers. It has then used this information for some kind of internal company analysis. If I've got this wrong please correct me.

The only way in which the company may have contravened current legislation is by attempting to use the unique secure site session identifiers that appear in a browser's address bar when someone logs into a password-protected web page. I haven't seen any evidence to suggest that this was done, or that it was attempted.

I'm not suggesting that there can be no risk to the security of an individual's data security if an ISP indulges in this practice - I'm simply saying that I haven't seen any evidence of illegal action in this case.

  bigsteveUK 14:04 04 Sep 2010

It's looking like there is evidence...

There is yet further detail "to be released" which will give more information, however what has been released raises more questions than it's answering.

For the benefit of those who are new to this (how could you miss the Phorm BT Webwise scandal!): The Information Commissioner's Office ICO deals with questions about compliance with the Data Protection Act and The Privacy and Electronic Communications regulations.

In a reply to a request under the Freedom Of Information Act ICO released a quantity of communication material.

TalkTalk has stated (and they continue to claim) that using part of their customers' communication data is ok, because it is what is termed "Traffic Data". You can see they refer to this in the ICO documentation.

However, if you look on the internet at Government web pages you can locate a document which specifies exactly what "Traffic" data is and, more importantly, what it is "not".

The government paper says that traffic data identifies the website (or Server which serves the website). It says clearly that Traffic Data does not identify the specific web page or application on the server.

So... Since "content" of communications is private, and the specific web page in the URL of a communication between an ISP's customer and a website/server is NOT Traffic Data, it is "Content" of the communication.

TalkTalk did not request permission to use the content of the communication. They did not ask their customers, nor did they as the people (the websites) they were communicating with. So it's looking like the TalkTalk position is very hard (or impossible) to defend. They used private communication content in an attempt to build a business enhancing product which would add value to their customer proposition.

This would appear to be illegal and that's why the ICO people wanted to discuss it further. The contents of that meeting should be forthcoming soon. Interesting to see in that first ICO information release they almost seemed to be suggesting that the information should be requested.

Despite the ineffective position the ICO appears to be in on most occasions, this time they seem to be taking quite a stance with TalkTalk. Who can blame them? TalkTalk has made a mockery of the ICO by not even briefing them that they were planning this covert stalking of their customers web activity.

Talk Talk response to ICO (source here click here ) says, "Under PECR, “traffic data” is defined to include “data relating to the routing, duration or time of a
communication”. The website URL is traffic data."

Government traffic data definition (here click here )
Quote: "traffic data may identify a server or domain name (web site) but not a web page."

The TalkTalk STalkSTalk system was logged using full URLs, _including_ query strings etc!! So what they have done in the covert trial is actually wrong, and some might say "they know it!"

Looking ahead TalkTalk say the anti-malware option is Opt-in, however you have to wonder how they will scan enough web pages without legally being able to use the full URL of all customers (the URL trafic data and content data specifying web page addresses etc)

All the above does not even scratch the surface of the other potential legal issues. URLs can (and do) contain specific data that applies to an individual, session IDs, post codes (which can be very specific) and other ID data.

Also, how can TalkTalk legally "pretend" to be their customers, re-visiting the web page resources their customers did, replaying the exact visit using the full URLs? That's what they did in the covert trial - there are logs on the internet to show that. I'm sure people have sent the data to the ICO as evidence, they should do so. There is a line. TalkTalk crossed it with the STalkSTalk STalker and it's good to see the mag covering the story but we ought to see you challenging the facts a bit on behalf of readers.

  GANDALF <|:-)> 16:10 04 Sep 2010

The Internet is a publicly available resource with no privacy. If you don't like the word 'publicly', don't use the Internet and stop getting carried away by your own assumption of self importance. Simples.


  bigsteveUK 10:50 05 Sep 2010

I'll respond to that post of yours if I may Gandalf.

First, I do assume self importance for everyone. I am not carried away with my own, but I set it up there with everyone else's.

Second, I actually agree with you that the Internet is a publicly available resource, but only because anoyone can access it, for example through a public library. It is public like the telephone network is public.

I'd be interested to understand if you think that "publicly available" means "not private"? Does "publicly available" mean "not confidential"?

The publicly available telephone network, the web, even the publicly available postal service... I can't see how "publicly available" means that communication content is "public"?

Is that what you were trying to suggest? You'd obviously be very wrong if that was your suggestion. Communication content is protected by laws and somehow I suspect you don't need them explaining, you just take a view and have nothing to say to back it up?

I loved your reference to the ingenious meerkats and their "Simples" slogan. I really enjoy that campaign, quite topical too considering yesterday's news of the "security hole found in top price-comparison sites". I'm in danger of going of topic... I'll stop right there.

This is about the issue of private communication CONTENT being used by the company paid to be the CONDUIT; a wrong action when the text of those laws and regulations are examined. TalkTalk, trying to defent the STalkSTalk, are fudging the issue, bending the truth and using wording carefully designed to avoid the questions and detail required.


  GANDALF <|:-)> 12:24 05 Sep 2010

The Internet is an open source network and therefore has no privacy unless you want to take measures to protect yourself from intrusion, so I assume you are therefore a spook. You are getting overly and hilariously paranoid and if you want to prevent 'people' watching your every move and from seeing that you visit Pr0n sites, then may I suggest an anonymous proxy or just don't use the OPEN SOURCE network. Now, take a long walk, smell the fresh air and try to avoid thinking that men in black are following you.


  Forum Editor 13:24 05 Sep 2010

I'm struggling with this - where's the evidence that a) the law has been broken and b) that anyone has suffered any harm as a result?

As GANDALF <|:-)> has pointed out,use of the internet involves an understanding that little of what you do - if anything- can be truly 'private'. If you're going to worry about someone knowing which web pages you visit you might as well go and live on a remote Scottish island and never touch a keyboard again.

This all has the distinct aroma of a big fuss about very little. The document you link to as containing the "Government traffic data definition" is in fact a consultative document issued by the previous government. It defines nothing in law.

I repeat - please produce some evidence to show that current data protection law has been breached in terms of an invasion of personal privacy, and I'll be only too happy to explore the subject with you.

  bigsteveUK 15:39 05 Sep 2010

Forum Editor, you are correct of course, that document is from the consulation on the Interception Modernisation Programme.

Perhaps I should say how I see this sit in in the context of the issue.

There is a London School of Economics paper which also considers "What is 'communications data?'" (on the back of the IMP activiy)

Source click here

The Regulation of Investigatory Powers Act Sections 21(6) and (7) provide detail on the sub-set of communications data known as
“traffic data”:

(6) In this section “traffic data”, in relation to any communication, means—


(d) any data identifying the data or other data as data comprised in or attached to a
particular communication,
but that expression includes data identifying a computer file or computer program access
to which is obtained, or which is run, by means of the communication to the extent
only that the file or program is identified by reference to the apparatus in which it
is stored.

(end of quote)

Item 6d is the interesting one in the actual legislation, because it states traffic data is only traffic data to the extent that the file or program is identified by reference to the apparatus in which it's stored.

So TalkTalk can only use it as "traffic data" when it is used to identify the server apparatus (e.g. which resolves to an IP and machineaparatus).

TalkTalk CANNOT say they are using "traffic data" if they decide to use it to identify a specific file on the server (e.g. etc)

As I contended before, the data that TalkTalk is using was CONTENT of communication data. The act of using it in the operation they were performing is illegal under RIPA.

Extending this legal definition of Traffic Data to the reply from TalkTalk to ICO... They claim it is Traffic Data. Now unless there is some other definition in law that says something different to RIPA, they are clearly wrong to try and say that.

I would agree that we do need to await the outcome of the ICO meeting held with TalkTalk in August, however there are other inconsistencies in the TalkTalk reply. They claim there is no personal data involved, yet they then talk about anonymisation processing and stripping of personal communication data.

It is against DPA law to process personal data without agreement from the data subject (you will know that from any of those phone calls where they insist on reading a DPA statement to you before continuing, eg. car insuarnce) BUT TalkTalk seem blissfully unaware that removing personal data IS processing the data. So they cannot do that legally. However, from the evidence on the TalkTalk forums, it would seem they did not strip this data or do this processing, which means they were using it. There is evidence on the TalkTalk forums of full website URLs being re-used by TalkTalk, including the communication content data.

(See also next post)

  bigsteveUK 15:39 05 Sep 2010

You asked about harm too. In reality, as a Forum Ed you probably are aware that bandwidth is not "free". The TalkTalk Stalker system has been adding to the load on servers owned by companies and private individuals. Visits by TalkTalk customers to websites resulted in additional visits soon after, the STalkSTalk "Replay" to download the same content. I know webmasters would rather not pay to help TalkTalk improve their business model. One webmaster told them to stop, and they did not. TalkTalk ignored Ts & Cs that the site owner put in place and notified them of. They are currently discussing with TalkTalk's lawyers... There has been "harm" if you mean "costs incurred".

There have also been TalkTalk customers with issues caused by the "replay" of their communications. Looking at the TalkTalk forum, it did "break" some applications. So if you mean inconvenience or cost, yes there has been harm done.

On the "Other" reply to my previous post: Often people will turn to attack individuals and make jibes etc. I'm not interested in that. Not interested in paranoiac suggestions, tin foil hats or suggestions I have a criminal or immoral behaviour to hide. These suggestions are not correct, but you're entitled to your opinion. So I shall not respond further to any of those.

I would actually value a proper debate of the issues though. It's going on at government level, no reason why the general public shouldn't have their own discussions. What better place than a respected site such as this? It's good to talk. Not so good to Stalk!

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

Alienware 17 R4 2017 review

Illustrator Sylvain Tegroeg created thousands of intricate line drawings for the mobile game…

Best iPad buying guide 2017

Comment télécharger une application indisponible en France ?