Back in September, I linked to a number of news stories in the U.K. about how TalkTalk had become the talk of the privacy community for trialing a program that tracked its users’ web browsing. The purpose of the tracking was to develop a malware system that would warn its customers when they clicked on a link to a site that hosts malware. While the purpose might seem like a Good Thing, the ISP had neither informed its customers of the trial not obtained their consent. At the time, the ICO said it was “disappointed” in TalkTalk and cautioned them about compliance with relevant principles, noting that even when an entity is doing something that might be of benefit, it needs to inform and obtain consent. But other than that caution, the ICO essentially cleared TalkTalk. Now, unsurprisingly, TalkTalk announced that it would be resuming its trial of the system. This time, however, it says it will give its customers the option to opt-in to get the warning notices. TalkTalk does not say, however, that its customers can opt-in or opt-out of having their web surfing activities recorded as part of developing its database of malware sites. From their FAQ:
7. Will only customers who sign up to Network Security have the websites they visit scanned?
We are scanning all the websites our customer base as a whole visits, in complete anonymity, You have to opt-into the Virus Alerts product itself, so if you don’t want the warnings while you browse you don’t have to enable the service, or if you activate Virus Alerts, you can switch it off again at any time afterwards.
It claims that no personally identifiable information will be recorded in creating and maintaining the system.
But the bigger question is whether what TalkTalk is doing legal under the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PERC). Some privacy advocates say that it’s not, and they feel that the ICO is not enforcing the clear language of U.K. law.
A blog entry by Paladine lays out the concerns and arguments. In particular, he cites part of PERC:
Regulation 7 states the following:
Restrictions on the processing of certain traffic data
7. (3) Traffic data relating to a subscriber or user may be processed and stored by a provider of a public electronic communications service if—(a)such processing and storage are for the purpose of marketing electronic communications services, or for the provision of value added services to that subscriber or user; and
(b)the subscriber or user to whom the traffic data relate has given his consent to such processing or storage; and
(c)such processing and storage are undertaken only for the duration necessary for the purposes specified in subparagraph (a).
(4) Where a user or subscriber has given his consent in accordance with paragraph (3), he shall be able to withdraw it at any time.
It is important to note that 7 (3)(a) and 7(3)(b) are both appended with the word “and” which means that 7(3) is only permitted once all the conditions are met through 7(3)(a) – 7(3)(c) – this is the crux of the issue.
I read the language the same way Paladine does, which may bring us to the issue of what does it mean to “process” traffic data relating to a user.
For it’s part, TalkTalk has claimed that it is not processing user data – that it is processing network communications. I have not read the legislative history/debate about this law so I can’t say that I’m clear on what the legislators intended, but even if the service is “value added,” and keeping in mind that I am not a lawyer, I think what they are doing does involve both intercepting and collecting data that contains personal information — even if the personal information is then stripped out and not recorded durably. As such, I, too, wonder why the ICO has gone along with this plan as the spirit of this law seems clear.
Read Paladine’s entire discussion and concerns here.