TalkTalk tracking you, phorm?

[Rchivist]

I won't get out my dictionary (phew!) but don't forget that CPW/TalkTalk were the subject of an ICO enforcement notice dated January 2009,
http://www.ico.gov.uk/upload/documen...telecom_en.pdf

associated press release:
http://www.ico.gov.uk/upload/documen...talk_final.pdf

which gives an important contemporary legal and regulatory context to the current ICO comments. CPW/TT are currently subject to active ongoing monitoring of their DPA/PECR compliance as part of an ongoing investigation of earlier breaches that are officially of the type that could lead to them being charged with an offence/offences or the ICO or other authority instituting criminal proceedings.

To put it bluntly, TT/CPW are already officially in the ICO's naughty corner, with penalty points on their license, and any rune-reading of what the civil service language might mean, as the ICO expresses "disappointment" and "concern" in an official letter, should be done with that in mind (as well as an awareness of the understated way civil servants generally express themselves in writing - for assistance - turn to the "Yes Minister!" archive of Sir Humphrey's advice on such matters).

It isn't the sort of "squeaky clean" behaviour you would normally expect during a probationary/monitoring period following breaches which included:

a) failure to comply with subject access requests
b) unfairly and unlawfully processing data
c) failing to take appropriate technical and organisational measures to
ensure there was no unauthorised or unlawful processing
d) processing inaccurate and/or out of date data

That is the official and on-the-record background that informs MY interpretation of the civil service language used by the ICO in his recent letter to TT, and perhaps suggested the word "reprimand" to the BBC journalist, in connection with TalkTalk's lack of candour with the ICO (and their customers) on a DPA related matter, only eighteen months later, while that oversight and enforcement monitoring was ongoing, as it still is now.

The Register preferred "chides".
http://www.theregister.co.uk/2010/09/06/ico_stalkstalk/

The BBC suggested "rapped" and "reprimanded"
http://www.bbc.co.uk/news/technology-11213488

PCPro used "mild rebuke"
http://www.pcpro.co.uk/news/security...trial-to-phorm

eWeek Europe uses "unhappy"
http://www.eweekeurope.co.uk/news/ic...-snooping-9477

I've read rather a lot (too much...!?) of ICO correspondence over the last two years, attended their conferences and training, and sat in meetings with their representatives. I think I have got fairly good at reading between the lines of their public statements and private correspondence.

[bluecar1]

Quote:

Originally Posted by foreverwar

Well, next time I'm "reprimanded", I hope it is as soft as this one.....



ZOMG, he was "concerned" and "disappointed" - that's TalkTalk frakked, then....

(actually, I do think TT were in the wrong about undertaking this trial without informing their customers, but I also think some people need to get a sense of perspective....)

for the ICO that is about ask far as powers extend and the worst he can do

if viewed as a whole, the ICO is far from happy with Talk Talk, compare it to the published exchanges with other companies like BT over phorm and it is far more scathing,

if you actually talk to the ICO you find they want to do more but the "statutory instruments" (powers to you and me) whilst on the books have never been activated so he can't use them, so he can see his teeth, just can't put them in and use them

OK if everyone who doesn't want me to visit their sites would just give me the URLS and I promise NEVER to visit them and if I inadvertently do so I'll arrange to have my eyeballs turfed out with rusty spoons...

Now what was the topic?Because to be perfectly honest I lost the plot ages ago.

What exactly is this thread about?..And the explanation had better be in the language stupido or thicko so I can follow it..

I ask this because I notice that there is very little input from anyone else apart from a very few very technically minded and it has occurred to me that this might be because hardly anyone knows what this thread is about.The legalese has certainly baffled the hell out of me..

[bluecar1]

Quote:

Originally Posted by Maggy J

OK if everyone who doesn't want me to visit their sites would just give me the URLS and I promise NEVER to visit them and if I inadvertently do so I'll arrange to have my eyeballs turfed out with rusty spoons...

Now what was the topic?Because to be perfectly honest I lost the plot ages ago.

What exactly is this thread about?..And the explanation had better be in the language stupido or thicko so I can follow it..

I ask this because I notice that there is very little input from anyone else apart from a very few very technically minded and it has occurred to me that this might be because hardly anyone knows what this thread is about.The legalese has certainly baffled the hell out of me..

i think this is the aim of some on here to obscure the topic and baffle most

bottom line the topic is about Talk Talk creating a system that follows users to web pages to scan them for malware

problem is that presents a number of legal issues which are quite technical in nature

ranging from

1:- probable breaches of PECR (EU legislation on privacy of electronic communications,

2:- the old favourite RIPA as the information they are gather (web page / URL instead of just host name) means it falls foul of definitions of communications data, for those who do not know the difference, host name is like www.bbc.co.uk but a web page / url identifies a single page or area on a website like http://www.bbc.co.uk/news/technology-11213488

3:- possibly fraud act as well as the system appears to reply full URL string including session information in the query string part of the URL (after the ? in the URL) so some claim it fraudulently trys to impersonate the ISP customer to gain access to the website pages

and the fact it is designed to operate covertly / invisble to the ISP customers and websites

TalkTalk were scanning websites (without informing anyone) in what they said was a trial for malware scanning software. Some people were very unhappy about this (as they believed TalkTalk were breaking various laws and statutes) so made comments about "caching being illegal" and "charging TalkTalk £10 per time for accessing their websites".

Most of the discussion since then has been differing viewpoints on the legality of what TalkTalk were doing, and the provenance of the some of the sites quoted as being the source of these "attacks", and also differing technical interpretations of some other stuff.

hth

---------- Post added at 22:41 ---------- Previous post was at 22:39 ----------

Quote:

Originally Posted by bluecar1

i think this is the aim of some on here to obscure the topic and baffle most

bottom line the topic is about Talk Talk creating a system that follows users to web pages to scan them for malware

problem is that presents a number of legal issues which are quite technical in nature

ranging from

1:- probable breaches of PECR (EU legislation on privacy of electronic communications,

2:- the old favourite RIPA as the information they are gather (web page / URL instead of just host name) means it falls foul of definitions of communications data, for those who do not know the difference, host name is like www.bbc.co.uk but a web page / url identifies a single page or area on a website like http://www.bbc.co.uk/news/technology-11213488

3:- possibly fraud act as well as the system appears to reply full URL string including session information in the query string part of the URL (after the ? in the URL) so some claim it fraudulently trys to impersonate the ISP customer to gain access to the website pages

and the fact it is designed to operate covertly / invisble to the ISP customers and websites

TalkTalk were scanning websites (without informing anyone) in what they said was a trial for malware scanning software. Some people were very unhappy about this (as they believed TalkTalk were breaking various laws and statutes) so made comments about "caching being illegal" and "charging TalkTalk £10 per time for accessing their websites".

Most of the discussion since then has been differing viewpoints on the legality of what TalkTalk were doing, and the provenance of the some of the sites quoted as being the source of these "attacks", and also differing technical interpretations of some other stuff.

hth

Edit; funnily enough, bc1,

Quote:

i think this is the aim of some on here to obscure the topic and baffle most

that is exactly what some of the regular CF posters believe about some of the irregular CF posters...

Quote:

Originally Posted by bluecar1

i think this is the aim of some on here to obscure the topic and baffle most

bottom line the topic is about Talk Talk creating a system that follows users to web pages to scan them for malware

problem is that presents a number of legal issues which are quite technical in nature

ranging from

1:- probable breaches of PECR (EU legislation on privacy of electronic communications,

2:- the old favourite RIPA as the information they are gather (web page / URL instead of just host name) means it falls foul of definitions of communications data, for those who do not know the difference, host name is like www.bbc.co.uk but a web page / url identifies a single page or area on a website like http://www.bbc.co.uk/news/technology-11213488

3:- possibly fraud act as well as the system appears to reply full URL string including session information in the query string part of the URL (after the ? in the URL) so some claim it fraudulently trys to impersonate the ISP customer to gain access to the website pages

and the fact it is designed to operate covertly / invisble to the ISP customers and websites

Sorry.Foot tapping going on here..does not compute...

---------- Post added at 22:54 ---------- Previous post was at 22:52 ----------

Quote:

Originally Posted by foreverwar

TalkTalk were scanning websites (without informing anyone) in what they said was a trial for malware scanning software. Some people were very unhappy about this (as they believed TalkTalk were breaking various laws and statutes) so made comments about "caching being illegal" and "charging TalkTalk £10 per time for accessing their websites".

Most of the discussion since then has been differing viewpoints on the legality of what TalkTalk were doing, and the provenance of the some of the sites quoted as being the source of these "attacks", and also differing technical interpretations of some other stuff.

hth

---------- Post added at 22:41 ---------- Previous post was at 22:39 ----------


TalkTalk were scanning websites (without informing anyone) in what they said was a trial for malware scanning software. Some people were very unhappy about this (as they believed TalkTalk were breaking various laws and statutes) so made comments about "caching being illegal" and "charging TalkTalk £10 per time for accessing their websites".

Most of the discussion since then has been differing viewpoints on the legality of what TalkTalk were doing, and the provenance of the some of the sites quoted as being the source of these "attacks", and also differing technical interpretations of some other stuff.

hth

Edit; funnily enough, bc1, that is exactly what some of the regular CF posters believe about some of the irregular CF posters...

Scanning how? Using bots?Eyeballs? How come what they are doing isn't regarded as kosher by some?

[bluecar1]

Quote:

Originally Posted by foreverwar

TalkTalk were scanning websites (without informing anyone) in what they said was a trial for malware scanning software. Some people were very unhappy about this (as they believed TalkTalk were breaking various laws and statutes) so made comments about "caching being illegal" and "charging TalkTalk £10 per time for accessing their websites".

Most of the discussion since then has been differing viewpoints on the legality of what TalkTalk were doing, and the provenance of the some of the sites quoted as being the source of these "attacks", and also differing technical interpretations of some other stuff.

hth

Edit; funnily enough, bc1, that is exactly what some of the regular CF posters believe about some of the irregular CF posters...

caching is a very important part of traffic reduction on ISP networks where they join the actual internet, this is why they have some very specific exemptions from RIPA etc but these exemptions are very specific about what can occur on a proxy / cache server

as to the differing view points that is what a forum is designed for, to share and debate ideas and topics

i watch with interest and post occasionally when i feel i can add value or to correct waht i percieve to be an incorrect statement or assumption

Quote:

Originally Posted by bluecar1

caching is a very important part of traffic reduction on ISP networks where they join the actual internet, this is why they have some very specific exemptions from RIPA etc but these exemptions are very specific about what can occur on a proxy / cache server

as to the differing view points that is what a forum is designed for, to share and debate ideas and topics

i watch with interest and post occasionally when i feel i can add value or to correct waht i percieve to be an incorrect statement or assumption

Unfortunately the majority seem unable to share in this 'debate' mainly because they, like me haven't a clue what this thread is about..

Quote:

Originally Posted by Maggy J

Sorry.Foot tapping going on here..does not compute...

---------- Post added at 22:54 ---------- Previous post was at 22:52 ----------



Scanning how? Using bots?Eyeballs? How come what they are doing isn't regarded as kosher by some?

From the official comment on the talktalk forums (#89 on this page)

Quote:

We are developing some really exciting new security and parental control services, which will be based deep within our network infrastructure, to provide our customers with greater protection for all the devices they connect to their broadband line with. We’ve had considerable feedback from customers that PC-based software only deals with part of the wider security problem facing today's internet users, so we’ve developed these new services to help improve our customers online experience with us.

In preparation for the launch of these services, as our users surf the internet, details of websites visited are put into a list. Scanning engines then compare this list to a blacklist (sites that have been found to contain recent threats) and whitelist (sites that have been recently scanned with no threats found); if the site is not on either of these, it will visit the site and scan it for malicious code. Sites that are already on either list are not scanned again until the following day.

Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited. What we are interested in is making the web a safer place for all our customers.

In due course we will be trialing and launching these services. We hope to be able to share more info on all of this soon.

I believe the upset is that customers were not informed about this (and I think they should have been), and some people believe undertaking this scanning breaks various laws/statutes.

Quote:

Originally Posted by foreverwar

From the official comment on the talktalk forums (#89 on this page) I believe the upset is that customers were not informed about this (and I think they should have been), and some people believe undertaking this scanning breaks various laws/statutes.

Question? How does this differ from the way my AV and the various plugins in in FF tell me when I've reached an iffy site.Can this 'system' break or interfere with my AV and the plug ins?

What laws?Whose laws?Will the Chinese like it?

[bluecar1]

there are two sides to this issue,

one is at face value TT seem to be trying to do something to protect people from malware and driveby attack on the internet making things hopefully safer for everyone

i for one have often said that the isp's should be able to do more to stop infected machine from sending out spam, being used for hosting dodgy websites etc

BUT

the way TT seem to have gone about this makes me very suspicious as to their motives

on one hand TT want to make the system covert so that sites hosting malicious content don't know about it so can't block the probes and monitoring system

but on the other hand you have legisilation that protect certain rights of both websites and users that this system seems to breach

it is a fine balance which TT do not seem to have got right

the obvious place to put this system would be on a transparent proxy (a computer that all web traffic passes through covertly) then so long as the processing takes place on the fly purely to detect viruses and malware it should be ok

problem is to do this in real time the amount of computing power is prohibatively high, hence i think they have gone for the off line / after the visit option which causes its own potential problems, as many web pages are now what is known as dynamic so they are created on the fly as a one off page then dumped once viewed and the TT system could never scan them

Quote:

Originally Posted by bluecar1

there are two sides to this issue,

one is at face value TT seem to be trying to do something to protect people from malware and driveby attack on the internet making things hopefully safer for everyone

i for one have often said that the isp's should be able to do more to stop infected machine from sending out spam, being used for hosting dodgy websites etc

BUT

the way TT seem to have gone about this makes me very suspicious as to their motives

on one hand TT want to make the system covert so that sites hosting malicious content don't know about it so can't block the probes and monitoring system

but on the other hand you have legisilation that protect certain rights of both websites and users that this system seems to breach

it is a fine balance which TT do not seem to have got right

the obvious place to put this system would be on a transparent proxy (a computer that all web traffic passes through covertly) then so long as the processing takes place on the fly purely to detect viruses and malware it should be ok

problem is to do this in real time the amount of computing power is prohibatively high, hence i think they have gone for the off line / after the visit option which causes its own potential problems, as many web pages are now what is known as dynamic so they are created on the fly as a one off page then dumped once viewed and the TT system could never scan them

What would this system do to my set up against nasty trojans and virii?

What rights?

And you are losing me again in the last two paragraphs...Complete and utter thicko about such matters.

[Stuart]

The way the system appears to be working at the moment is that it is just recording the URLs visited by Talk Talk customers. The system will then visit those URLs itself. Based purely on what Talk Talk have said, I would suggest it will then check the site for malware, but (at this stage) do nothing else.

I suspect (again this is speculation) that in the future, TT will use the system to either warn visitors to those sites, or stop them visiting the site totally.

The arguments against it are that it possibly violates our right to privacy along with various EU regulations (the same ones that Phorm violated), and that it could violate the webmaster's copyright.

My own opinion on the system is that *if* it works as I state, it *could* be a good thing in the fight against Malware.

However, I am rather concerned that Talk Talk have not been a lot more open about this. The fact they haven't suggests to me that they are either worried about the reaction in the light of the Phorm PR disaster or they are planning something they aren't telling us.

[Ignitionnet]

http://www.whatdotheyknow.com/reques...e%20tt.pdf.pdf has a diagram showing how the finished product will work.

It's intended to offer both malware protection and parental controls on an opt-in basis.

[Stuart]

Quote:

Originally Posted by Maggy J

What would this system do to my set up against nasty trojans and virii?

It would do nothing to your system. Depending on how the TT system was configured, if it encountered a Malware infested page, it would either operate like Google's Malware warning system (bringing up a page, but letting you go to the site regardless) or it would block the site with an error.

Quote:

What rights?

Copyright for the website owners, and the right to Privacy for the user.