TalkTalk turns StalkStalk to build malware blocker

Unheralded system shadows browsers round the web

It's less TalkTalk, more StalkStalk: the UK's second largest ISP has quietly begun following its customers around the web and scanning what they look at for a new anti-malware system it is developing.

Without telling customers, the firm has switched on the compulsory first part of the system, which is harvesting lists of the URLs every one of them visits. It often then follows them to the sites to scan for threats.

The data will be used by the second part of the system, which will block potentially dangerous sites at network level.

A poster on TalkTalk's official forums first noticed he was being followed in early July.

"I've got a pretty serious privacy issue," samnwb wrote. "I have two Opal Telecom IPs that are following my every move, they follow me to every page that I visit."

The poster runs websites and was able to see the two IP addresses tailing him in logs. Opal Telecom is TalkTalk's business ISP subsidiary.

Other forum posters replicated samnwb's observations, and following speculation that the stalking IP addresses could be part of law enforcement compliance, or a targeted advertising system, TalkTalk staff weighed in with answers.

"We are developing some really exciting new security and parental control services, which will be based deep within our network infrastructure, to provide our customers with greater protection for all the devices they connect to their broadband line with," the firm said.

"We've had considerable feedback from customers that PC-based software only deals with part of the wider security problem facing today's internet users, so we’ve developed these new services to help improve our customers' online experience with us."

The new system is provided by Chinese vendor Huawei, and customers can't opt out of the data collection exercise. As they browse the web, URLs are recorded and checked against a blacklist of sites known to carry malware. They are also compared to a whitelist of sites that have been scanned for threats and approved in the last 24 hours.

If a URL appears on neither list, Huawei servers follow the user to the page and scan the code. According to measurements by webmasters, the TalkTalk stalker servers show up between about 30 seconds and two minutes after TalkTalk subscribers.
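
What the webmasters measured can be checked from an ordinary access log. The sketch below is an added example, not code from this article or from TalkTalk or Huawei: it flags client IPs that repeatedly re-fetch a path 30 to 120 seconds after a different IP fetched it. The log lines, the IP addresses and the `min_paths` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (documentation-range IPs, not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120
198.51.100.20 - - [01/Jan/2024:10:00:45 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:03:00 +0000] "GET /blog/post-2 HTTP/1.1" 200 4096
198.51.100.21 - - [01/Jan/2024:10:04:30 +0000] "GET /blog/post-2 HTTP/1.1" 200 4096
203.0.113.7 - - [01/Jan/2024:10:06:00 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.20 - - [01/Jan/2024:10:07:10 +0000] "GET /about HTTP/1.1" 200 2048
192.0.2.55 - - [01/Jan/2024:10:08:00 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jan/2024:10:09:00 +0000] "GET /contact HTTP/1.1" 200 1024
198.51.100.21 - - [01/Jan/2024:10:09:40 +0000] "GET /contact HTTP/1.1" 200 1024
192.0.2.55 - - [01/Jan/2024:10:20:00 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*"')


def parse(log_text):
    """Yield (timestamp, ip, path) for each GET/HEAD line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group(1), m.group(3)


def find_shadowers(log_text, min_delay=30, max_delay=120, min_paths=2):
    """Map each IP to the number of distinct paths it re-fetched between
    min_delay and max_delay seconds after a different IP fetched the same
    path. Only IPs with at least min_paths such paths are returned."""
    seen = defaultdict(list)      # path -> [(timestamp, ip), ...]
    shadowed = defaultdict(set)   # follower ip -> paths it shadowed
    for ts, ip, path in sorted(parse(log_text)):
        for earlier_ts, earlier_ip in seen[path]:
            delay = (ts - earlier_ts).total_seconds()
            if earlier_ip != ip and min_delay <= delay <= max_delay:
                shadowed[ip].add(path)
                break
        seen[path].append((ts, ip))
    return {ip: len(p) for ip, p in shadowed.items() if len(p) >= min_paths}


if __name__ == "__main__":
    print(find_shadowers(SAMPLE_LOG))
```

A single coincidental repeat visit (192.0.2.55 in the sample) stays below the threshold; only addresses that trail several distinct pages are reported.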

A spokeswoman for the firm told The Register it had not told customers it would be following them online because it is not gathering details of their personal activity, but instead making basic lists of all web pages passing over its network.

In its statement the firm sought to head off the privacy concerns stirred by harvesting of URLs.

"Our scanning engines receive no knowledge about which users visited what sites (e.g. telephone number, account number, IP address), nor do they store any data for us to cross-reference this back to our customers," it said.

"We are not interested in who has visited which site - we are simply scanning a list of sites which our customers, as a whole internet community, have visited."

However, the system touches on the same legal issues that dogged Phorm's targeted advertising system. Under the relevant laws, URLs are deemed communications content, and intercepting them without customer permission is prohibited.

TalkTalk's spokeswoman said that URLs added to the whitelist are deleted after 24 hours, while blacklisted pages are checked every day and unblocked if they are clean for seven days in a row.

When the blocking features and parental controls of the system are activated, customers will be asked if they want to opt in at no extra cost, TalkTalk representatives said. The service will launch in the second half of this year once testing is complete, the spokeswoman added.

TalkTalk is probably just the first major ISP to implement network-level anti-malware blockers. There have been political calls for ISPs to take some responsibility for protecting their users from online threats, and the industry will be keen to avoid regulation. ®
