Malware monitoring by TalkTalk

Leigh Park Initiative made this Freedom of Information request to Home Office.

The request was successful.

Leigh Park Initiative

Dear Home Office,

I run the website of a registered charity which during the summer experienced the unwanted attentions of scanner "bots", which were repeatedly and covertly scanning my charity's website without identifying their origin or identity, nor seeking my consent, nor observing the access restrictions coded, according to recognised internet protocols, into my site servers. My website logs reveal that these scanning bots emanated from the TalkTalk Group plc. and subsequent publicity revealed that the system was purporting to be scanning websites for "malware" although without either the TalkTalk customer's or the website owner's consent or knowledge.

During subsequent correspondence between TalkTalk Group plc. and our charity, TalkTalk claimed that their system's legality had been fully investigated and that it complied with current UK and EU legislation.

As the charity's webmaster, I believe I have a legitimate interest in trying to ascertain whether TalkTalk discussed the legality of their project in advance with the relevant regulatory, advisory and enforcement bodies responsible for RIPA, DPA and PECR legislation. I need to do this so that I may fulfil my statutory responsibilities in protecting both the personal data of our charity's site users, and also the intellectual property of the website, against unlawful commercial exploitation, contrary to our charitable objectives.

With regard to the malware scanning system's compliance with PECR and DPA, I have already reported the situation to the Information Commissioner's Office (responsible to the Ministry of Justice), and they openly and promptly communicated that they were investigating this incident.

They also revealed, both in private correspondence, and also in public statements, that TalkTalk had not discussed the legal compliance of their proposed malware detection system with the ICO, prior to the malware scanning project becoming public knowledge. Indeed the ICO even publicly communicated their disappointment that such consultation had not taken place.

That leaves the matter of RIPA compliance. RIPA legislation is something the Home Office have responsibility for, and the ICO are unable to comment on it. So I am asking the same question of yourselves as I asked the ICO.

My request is:
As the website registrant pursuing this matter, and being in dispute with TalkTalk, I would be grateful if you could indicate whether TalkTalk Group plc or any of their constituent companies, had meetings with the Home Office to discuss the legality of their malware scanning project, between July 2009 and July 2010, prior to the malware scanning project becoming a matter of public knowledge.

This information will be of value to me in investigating TalkTalk's claims that their malware scanning project is compliant with UK and EU legislation, and clarity on this matter would clearly be in the public interest, particularly in the light of EU interest in the way the UK enforces the ePrivacy Directive.

The only way I can personally obtain this information is by asking the Home Office, the government department with responsibility for RIPA legislation. The purpose of asking is solely to elicit the information requested which is not available via any other source and is required by me in fulfilling my responsibilities as charity webmaster and charity data protection officer (for which purpose I registered and attended an ICO DPO training conference in March 2009 in Manchester, in the name of the above charity). Had the information been published already, in accordance with the above mentioned precedents, I would not need to make this request.

I look forward to you dealing with this enquiry in the open manner in which similar enquiries on this matter have been handled by the Information Commissioner's Office. I would also draw your attention to the precedent of earlier Home Office public statements on their contacts and discussions with other internet related companies in connection with RIPA compliance matters, including public responses to similar questions relating to discussions with companies such as Phorm Inc, BT and Detica, some of which responses were published without any intervention from the general public whatsoever. For example:

http://cryptome.org/ho-phorm.htm

http://www.whatdotheyknow.com/request/me...

http://www.homeoffice.gov.uk/about-us/fr...

I am therefore hopeful that a similar statement, either positive or negative may be made about contacts with TalkTalk regarding their malware scanning project.

Incidentally, my status to make FOI enquiries on behalf of a registered charity, and in that charity's name has previously been approved by the Information Commissioner's Office.

"Further to your subsequent email regarding the name used on the request, we have further considered your comments and agree that the name provided is valid for the purposes of the Freedom of Information Act 2000 (FOIA). Consequently your request has been dealt with as a valid FOIA request and, as explained in the attached response, you have the right to request an internal review and appeal if required. Please accept my apologies for any concerns caused previously."

This is my second ever FOI request, and both enquiries, concerning TalkTalk, have resulted from me attempting to fulfil my responsibilities as a registered charity webmaster and respond to unwanted exploitation of the charity's website data and also the charity's intellectual property. I am confident the Home Office would want to assist me in that task, and look forward to receiving a prompt answer to my question. I thank you in anticipation of your co-operation.

Yours faithfully,

Leigh Park Initiative

Leigh Park Initiative left an annotation

I welcome the Coalition government's commitment to transparency as issued by Number 10, on November 8th.
http://www.number10.gov.uk/news/topstory...

and their commitment to transparency
http://transparency.number10.gov.uk/

I welcome the Home Office's business plan as it will no doubt inform their response to this FOI, particularly Section E on transparency, p27 onwards.
http://www.number10.gov.uk/wp-content/up...

FOI Responses, Home Office

1 Attachment

Dear Sirs

Please find attached the Home Office response to your request for information case 16529.

Many Thanks

Martin Riddle | Information Access Team
Information Management Service | Financial and Commercial Group
Ground Floor | Seacole Building | Home Office | 2 Marsham Street | London
SW1P 4DF
Switchboard Number: 0207 035 4848

Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.

Leigh Park Initiative

Dear Home Office,

Please pass this on to the person who conducts Freedom of Information reviews.

We are writing to request an internal review of Home Office's handling of our FOI request 'Malware monitoring by TalkTalk'.

We strongly resent our request being regarded as vexatious. Vexatious implies that our main goal is to cause annoyance or distress. This is untrue; our main goal is to discover the answer to our question, and as a secondary matter, to discover why there is such reluctance to provide it on the part of the Home Office. It is the Home Office's blatant obstructiveness that has become annoying and distressing - not a charity's simple request for information.

We have given clear and legitimate relevant reasons why this information is of specific interest to our registered charity as it relates to the actions of TalkTalk in accessing one of our religious charity websites, covertly and without consent, contrary to our website settings, during May-August 2010 and our ongoing active attempts to get to the bottom of why that happened and what we can do, within the criminal and civil law to stop it.

We believe that the Home Office are now following a clear policy to reject requests on this matter as vexatious without considering them on their merits. If it is vexatious to enquire about the contacts that an ISP may have had with government prior to covertly monitoring the users of our religious-themed charity websites, and then scraping the content of such religious themed websites, then we have somehow moved away from democratic principles to something much more worrying.

If the Home Office believes there are legitimate grounds for refusing the request then they should state them, within the terms of the FOI legislation. But this resort to the "vexatious" argument is totally unconvincing as well as democratically offensive. I can see no public interest in this line of argument whatsoever.

We are also puzzled that the Home Office Minister Mr Nick Herbert, in answering a recent written question from Annette Brooke MP on 26th October 2010 (Hansard http://services.parliament.uk/hansard/Co... ), indicated that he had received "no recent representations" on this matter when his department would seem to have spent their time since the summer rejecting representation after representation on exactly this subject, including this one (as a search via Whatdotheyknow.com reveals). Perhaps his officials are not keeping him fully informed?
"Nick Herbert [holding answer 26 October 2010]: I have had no recent representations in respect of the practices of TalkTalk in monitoring internet browsing activity by its customers." - the most charitable interpretation I can put on this answer is that it seems to have unwittingly misled parliament.

A full history of my FOI request and all correspondence is available on the Internet at this address:
http://www.whatdotheyknow.com/request/ma...

The Home Office could save a great deal of everyone's time and public money by simply answering what is a reasonable question from a charitable organisation with a legitimate interest in the matter, answering with a simple yes or no - they have answered similar questions in the past. Their refusal to do so looks bad in the light of current European Court of Justice interest in the policing of ePrivacy in the United Kingdom.

If they have not discussed this issue with TalkTalk we cannot see why they do not say so; and if they HAVE discussed it, prior to its implementation, then that is a matter of legitimate, indeed pressing, public interest, bearing directly as it does, on the government's goodwill in implementing the ePrivacy Directive in the United Kingdom and protecting the privacy from commercial snooping, of internet users browsing religious themed sites - and - possibly - avoiding a heavy fine for taxpayers, in the European Court of Justice. We are keeping the EU Commission informed of progress in this matter.

Yours faithfully,

Leigh Park Initiative

FOI Responses, Home Office

1 Attachment

Please find attached correspondence regarding your internal review request.

Regards,

Information Access Team, Home Office

FOI Responses, Home Office

1 Attachment

Dear Sirs,

Please find attached our response to your internal review request.

Regards,

Information Access Team, Home Office

Leigh Park Initiative

Dear FOI Responses,

Thank you for your review of our request. I note that you both reject the decision by the Home Office to label our request "vexatious" and that you have now supplied the original information we asked for, which is that the Home Office did NOT meet with TalkTalk to discuss their malware monitoring programme prior to its implementation.

We would comment that this seems to have taken an inordinate amount of time, and wasted rather too much public money. The answer could have been given weeks ago without the sky falling in. Thank you very much indeed. Sometimes, the public interest IS served by openness and transparency.

This matter is now closed to our satisfaction.

Yours sincerely,

Leigh Park Initiative