ISP TalkTalk caught snooping

Broadband ISP TalkTalk UK has come under fire from users after being caught recording information about their surfing habits.

According to a report on UK website ISP Review, evidence of the Internet provider's snooping emerged in the middle of July when a user complained on the TalkTalk Members forum of being shadowed by two unknown IP addresses.

TalkTalk, which is owned by mobile retailer Carphone Warehouse, has since confirmed that the monitoring is for an anti-malware/parental guidance tool being created for it by Chinese software maker Huawei, due to be launched by the end of 2010.

The system will restrict access to dangerous websites that spread malware by comparing the URLs visited by users against a blacklist of sites containing recently discovered threats. Data about the sites visited is stored for 24 hours.

In a statement, the ISP said that the system was necessary because of the different types of device accessing its network, many of which have no access to anti-virus or other security software. TalkTalk also reassured users that all data would be gathered anonymously:

"Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers. We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited. What we are interested in is making the web a safer place for all our customers."

TalkTalk isn't legally required to ask its users' consent before instigating a policy such as this, because it's collecting anonymous data - but it might have been polite. And because the system scans the contents of the pages visited, it could pose a real security threat: all data in the trial is shared with TalkTalk's third-party software supplier, Huawei.

The scope of the ISP's snooping goes far beyond that required by the Digital Economy Act. The controversial legislation demands that ISPs keep a log of internet use, but restricts access to that log to specified bodies such as law enforcement agencies.