BT cheerfully admits snooping on customer LANs
For the good of the customers, of course
BT reserves, and makes use of, the right to remotely detect all devices connected to LANs owned by its broadband customers – for their own good, of course.
BT Broadband customers can expect to have their network checked any time the operator feels it needs to take a peek to help it provide the service, or when the safety of the customer is in doubt – the latter being the motivation behind the only instance where we know the capability has been used.
That happened last week, when some BT Broadband customers received letters about the kit they had plugged into their networks.
The kit in question were powerline networking (PLT) boxes originally supplied by BT. Some of the units supplied suffered a manufacturing flaw that could, potentially, expose live wires. So BT shipped out replacements back in October last year. But customers who eschewed the operator's advice (having examined the devices and satisfied themselves that they were safe) have now received letters telling them that BT's "remote diagnostic test" shows the devices are still connected and warning the customers of the ongoing danger.
PLT devices don't have IP addresses; they operate like switches, so they shouldn't be detectable from the internet. We assume that BT is getting round this issue by running a scan of MAC addresses from the supplied router, but the company hasn't confirmed that.
What it has confirmed is that "[t]here may be other circumstances in which we would carry out remote diagnostic tests of customers' equipment to make sure all is working," and that "we don't believe that consent is necessary where the testing is necessary to the service that we are providing".
Perhaps we're being cynical, perhaps BT will never decide to take a quick scan of its customers to see who has network storage attached, or an IP-capable television. Such information could, arguably, help them provide their broadband service more efficiently and thus would be allowed by BT's own terms.
BT describes the process as being similar to that offered by Microsoft with Windows Update, gently implying that we should be grateful to have big BT keeping a watchful eye on our LANs. But even Microsoft lets its customers opt out of Windows Update, or opt out of Windows entirely. BT's Broadband customers don't even know they've got the company looking out for them, and might not be so impressed if they did. ®
"we don't believe that consent is necessary"
Welcome to the new corporate excuse.
I hope a judge sets them right quickly.
"we don't believe that consent is necessary where the testing is necessary to the service that we are providing" - you think they might of learned?, no!, well I was never holding my breath.
Juicy new attack vector?
And by admitting that the facility exists to scan networks behind "the firewall" (which everyone has carefully setup - right?) in one's router, you can bet that there are several blackhats now actively searching for a method to exploit it.
Will people never learn?