2010-09-01
Abstract
TalkTalk incurs the wrath of the ICO after covert trials of a new anti-malware system.
Copyright © 2010 Virus Bulletin
The UK’s largest ISP TalkTalk has been rapped by the Information Commissioner’s Office (ICO) over its covert trials of a new anti-malware system. The initial phase of TalkTalk’s new security measures involved logging every URL visited by each of its customers, then visiting each web page to scan for threats. Master blacklists and whitelists were then compiled from the information gathered. When the system is fully operational (which is expected to be later in the year and will be on an opt-in basis) the anti-malware service will use the blacklists to prevent its users from visiting malicious web pages.
TalkTalk began its data gathering in July this year, but failed to notify its users that it would be logging their web-browsing movements in this way. It was this lack of communication that provoked the ire of the ICO. In a letter to TalkTalk the Information Commissioner Christopher Graham wrote: ‘I am concerned that the trial was undertaken without first informing those affected that it was taking place... You will be aware that compliance with one of the underlying principles of data protection legislation relies on providing individuals with information about how and why their information will be used.’
Just a couple of years ago UK telecoms company BT found itself in hot water after undertaking a test with Phorm – a company which used deep packet inspection at the ISP level to gather information on subscribers’ web-surfing habits and subsequently deliver tailored advertising content. Although Phorm claimed that it had removed any personally identifiable information from the content it gathered, there was widespread outrage that the test had gone ahead without the knowledge or consent of BT’s user-base. Indeed, the two companies narrowly avoided criminal investigation after campaigners compiled a dossier of evidence against them and presented it to the City of London Police.
TalkTalk has claimed that its technology and the trials it has undertaken comply with privacy laws – the ICO has requested documents to support these claims. David Evans of the ICO will give a presentation on data protection, privacy and security, outlining the ICO’s view, at the VB Seminar later this year (in central London, 25 November 2010 – for details see http://www.virusbtn.com/seminar/).