TalkTalk turns StalkStalk to build malware blocker

It's less TalkTalk, more StalkStalk: the UK's second largest ISP has quietly begun following its customers around the web and scanning what they look at for a new anti-malware system it is developing. Without telling customers, the firm has switched on the compulsory first part of the system, which is harvesting lists of the …


This topic is closed for new posts.
  1. Anonymous Coward


    Opal Telecom is what TalkTalk is known to BT Openreach as. Opal Telecom was bought by CPW in the early 2000s and then launched TalkTalk.

    If you're on TalkTalk and do a speed test, your provider will show as Opal Telecom. It costs a small fortune to have the name changed from Opal Telecom to TalkTalk through Openreach, so they just left it.

  2. Sampler


    If you're a virus vendor you don't send malware to these easy-to-find IPs, or, like some malware we've seen before, you only punt to random users, so there's a good chance the site will be missed or even flagged as clean (whitelisted).

    Still, I suppose it scuppers some of the lower-level crud.

    Now if ISPs worked together on these lists that would be brilliant, but of course they won't, as they're trying to push a USP.

  3. Anonymous Coward

    Why, oh why...

    ...can't these arseholes just be honest upfront

    If in a bill, nice and clearly they just said.

    "We will be testing a new antivirus product in the next few months it will work like this.... If you want to / not to / be part of this trial send a text to 12345."

    How hard can it be?

  4. Pirate Peter

    This looks like a crude attempt to get round some of the Phorm issues.

    They claim they only pass the URL to the new system, so it's fully anonymous: no IP, no PII passed.

    The only problem is: how much data is encoded in a URL?

    Log on to Hotmail and many other websites and a lot of other information is passed as variables after the ? in the URLs.

    This is every bit as bad as Phorm, and they are not being clear as to the exact reason, but providing an obscure reference to anti-malware / parental controls.

    Antivirus / malware embedded in the ISP network? Wait for the phrase "VALUE ADD SERVICE" to be thrown into things to try and get around PECR etc. (Phorm tried it).

    The anti-malware is not required, as all current browsers have the functionality built in, and there are numerous databases which are maintained.

    There will be some other service round the corner, no doubt to "MONETORISE" their customer base at the expense of the customers' privacy.

    What other information is being gathered whilst they are "checking the page for malware"? Profiling the page for advertising?

    Do not trust this system; it looks like a crude attempt to get around some of the problems of the Phorm system by making a direct request for pages.


    1. The BigYin

      I agree

      There is simply no need for this invasion of privacy (and I am a TalkTalk customer). Had I known, I would have opted out as I do not require this level of nannying from my ISP. I want my ISP to be an efficient, yet dumb, data pipe. That is all.

      And how do they determine what is a threat. Many "threats" only target some systems, so an attack on XP may not work on Win7 and almost certainly will not work against a real OS.

      It also leads to end-user complacency. "I do not need any firewall or AV as my ISP protects me." Cue TalkTalk customers getting data-raped by a zero-day that basic measures could have prevented.

      Up to now I have been happy with TalkTalk and was pleased at their stance on Phorm. This action gives me serious misgivings and I will watch it with interest.

      I wonder if this is serious enough to complain to the ICO about... not that they'll do anything, of course.

  5. Anonymous Coward

    But we're doing it for you, honest!

    Whenever these kinds of questionable-looking marketing plans are uncovered, the companies involved say that we should trust that they are actually doing the right thing and it is all for our own good.

    Unfortunately they repeatedly show they cannot be trusted (some ISPs, the government, ICANN etc) so they should not be surprised we are so suspicious of their shady looking activities.

    1. Rob


      "...we should trust that they are actually doing the right thing and it is all for our own good."

      Sounds like it has been adapted from the statement the government put out to justify their terror laws.

  6. Anonymous Coward

    So... that's what's causing all the problems for TalkTalk users...

    Its preventing some gamers:

    Its preventing users that are not already logged in from accessing their iTunes accounts:

    Goodness knows what other websites are now "broken" because of this, but there are surely more complaints than usual on the TalkTalk members forums:

    I always thought that intercepting PRIVATE communications without the consent of both parties was in breach of RIPA?

    Actually, this is more like a hybrid between Kindsight and Phorm. - also operate in "stealth mode" but have their old Project Rialto crawlers that independently spider the net rather than tracking individual users. The ISPs then use DPI to track users. Will TalkTalk have plans in this direction?

    Phorm... well we all know about that.

    1. Anonymous Coward

      Much as

      I disagree with TalkTalk's policy on this, surely they would argue that just tracking the URLs is not intercepting private communications - they would say it's not like steaming open the envelope, but just looking at the address on the outside.

      1. Ken Hagan

        Re: steaming open the envelope

        That's not how the HTTP protocol works. Your browser contacts the server (using that readily harvestable IP address) and then sends an http message requesting the URL. Purely from a protocol point of view, both the outgoing URL and the web page sent in reply are part of the (private) conversation between your machine and the web server. If you are using HTTPS, this whole conversation is sent within the encrypted channel, so snoopers can't see the URL or the web page.

        What they /can/ see, in either case, are the source and destination IP addresses of the packets. If TalkTalk had simply collected those, they'd be on much firmer legal ground and they'd probably have built up almost as good a collection of "places our users have been".

      2. David Eddleman


        Reading any information not destined to you is intercepting communications. Imagine if TalkTalk stumbled upon some sensitive data that's not to be released to the public (confidential private/company docs, gov/mil/edu docs that are nocirc, etc.). They'd be accountable for it as the logs would plainly see and could easily be sued or have criminal proceedings on them for it. It doesn't matter if that agency or entity's security is poor, it would easily stand up that TalkTalk used an exploit (since I doubt their system does any error checking to see whether or not the URL is "followable", using blind logic).

    2. Anonymous Coward

      Well actually...

      ...the itunes issue is an apple issue, which apple have admitted, but never mind eh.

  7. Alastair Dodd 1

    nasty nasty

    but tbh Talk Talk are probably the worst ISP I've had the misfortune to use, god awful service and support (I didn't choose them). Cheap, but cheap and rubbish. Avoid.

  8. Pirate Peter

    someone fighting back,1828.120.html

    OP is having fun with TT over the scraping of his board.


  9. Wize

    They are not just harvesting the pages visited

    They are visiting the pages themselves. Nosey little buggers.

    It may let Talk Talk users vote twice when clicking on voting sites.

  10. Anonymous Coward

    Glad I don't use Talk Talk.

    Even taking their word for it that they could never siphon off people's personal data or add sites to the blacklist for any reason other than because they host malware, it still strikes me as a waste of time and money.

    Of course anyone with the wit to keep their computer safe online probably isn't using Talk Talk, so if this actually DOES keep their customers marginally safer then that can't be a bad thing. But one does wonder why a bargain basement ISP would spend all this money implementing such a system 'out of the kindness of their hearts'. It's hard to believe that it won't be used as a revenue generator somehow.

    And I don't suppose "free" malware protection is much of a selling point as those who really need it don't know what malware is and therefore don't care while those who don't need it obviously don't care either.

  11. Kevin Pollock

    Other ways to protect users


    I used to work for a content security company which won a deal with a major ISP for a similar capability (i.e. detection of infected broadband subscribers). In that case the equipment simply monitored outbound traffic from the subscriber to detect Port 25 packets. This gave an extremely high probability that this subscriber was infected, and was acting as part of a botnet.

    (Note, I know that botnet technology has moved on, but even today a simple Port 25 test would probably find over 90% of user infections).

    Note that the tiny % of ISP customers who run their own mail servers (and therefore generate legitimate Port 25 traffic) can request to be put on a "white list" so they do not receive repeated warnings.

    The company I worked for unfortunately was not successful commercially. The problem is that, while it is useful for an ISP's customers to be warned if they are infected, there is nothing in it for the ISP. It's not worth the ISP paying for the solution.

    This leads the ISP to consider dodgy systems like Phorm, and maybe the one described here. In other words the ISP tries to make some money out of it.

    I spoke to a number of security guys in some very large ISPs around the world and they told me that they thought that 25-33% of their subscribers were infected.

    This did not surprise me because the average UK broadband user has no clue about how to protect themselves on the Net.

    TalkTalk may well have had the good of their customers in mind here - let's give them the benefit of the doubt. But they don't seem to have handled this situation very well. If they had been honest with their users it would have been much easier for them. I guess ISPs never learn.

    Also, FYI, TalkTalk does not have Ellacoya DPI boxes in their network (unlike other UK ISPs like BT). They use Sandvine boxes instead. The Sandvine boxes are not in-line with user data, so they do not have the same active DPI capabilities as a result.
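    As an added illustration of the outbound-port-25 heuristic described in the post above (example code, not from the page or from any vendor): the flow records are constructed sample data, and the window length, the distinct-destination threshold and the whitelist of subscribers who legitimately run mail servers are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records, shaped like a NetFlow export:
# (subscriber_ip, destination_ip, destination_port, seconds since window start).
def _constructed_flows():
    flows = []
    # Subscriber .5: a desktop spraying SMTP at 25 distinct hosts in a few minutes.
    for i in range(25):
        flows.append(("10.1.1.5", f"198.51.100.{i + 1}", 25, 10 * i))
    # Subscriber .9: someone who runs a real mail server (on the whitelist below).
    for i in range(30):
        flows.append(("10.1.1.9", f"203.0.113.{i + 1}", 25, 15 * i))
    # Subscriber .7: ordinary web browsing plus one SMTP session to its provider.
    flows.append(("10.1.1.7", "192.0.2.80", 80, 5))
    flows.append(("10.1.1.7", "192.0.2.25", 25, 9))
    return flows

SAMPLE_FLOWS = _constructed_flows()

# Assumptions: subscribers known to operate legitimate MTAs, the window length, and
# how many distinct SMTP destinations inside one window marks a likely spam bot.
LEGIT_MAIL_SERVERS = {"10.1.1.9"}
WINDOW_S = 600
DISTINCT_DST_THRESHOLD = 20

@dataclass(frozen=True)
class Verdict:
    subscriber: str
    distinct_destinations: int
    whitelisted: bool

def smtp_destinations(flows, window_s=WINDOW_S):
    """Distinct outbound port-25 destinations per subscriber, counted over one fixed
    window starting at that subscriber's first SMTP flow (no sliding window here)."""
    first_seen = {}
    dests = defaultdict(set)
    for src, dst, port, ts in flows:
        if port != 25:
            continue
        start = first_seen.setdefault(src, ts)
        if ts - start <= window_s:
            dests[src].add(dst)
    return dests

def classify(flows, whitelist=LEGIT_MAIL_SERVERS, threshold=DISTINCT_DST_THRESHOLD):
    """One Verdict per subscriber that crosses the threshold. Whitelisted subscribers
    are still reported so an operator can see the volume, but are marked as such."""
    return [
        Verdict(src, len(dests), src in whitelist)
        for src, dests in sorted(smtp_destinations(flows).items())
        if len(dests) >= threshold
    ]

def suspected_bots(flows, **kw):
    """Subscribers who would get the 'your machine appears to be infected' warning."""
    return [v for v in classify(flows, **kw) if not v.whitelisted]

if __name__ == "__main__":
    for v in classify(SAMPLE_FLOWS):
        print(v)
    print("warn:", [v.subscriber for v in suspected_bots(SAMPLE_FLOWS)])
```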



  12. Pirate Peter

    free malware prevention

    All current browsers have malware solutions built in, so like Phorm's attempt to use this as a "value add service" to get around PECR, TT will fail if they then try to launch another service based on the data provided.

    How can a service be "value add" when the same service is available free in all current browsers?

    there has to be money behind anything like this and it is normally advertising

    any TT users able to see if cookies are being set for each site you visit?


    1. Anonymous Coward


      Since the tracking servers are their Radius servers, there's no need for TT to place or modify other sites' cookies, as they know all your subscriber details anyway. Much of the Phorm database was a "distributed database" placed in modified cookies all over users' machines, as Phorm had no access to subscriber details and no other way to identify you. All TT have to do is warehouse your sites visited in their own datacenters and log this against your subscriber details - which they know as, unlike the BT Broadband service, users have to authenticate with a userid and passy (unless somebody tells me I'm wrong about that).

  13. Hayden Clark

    Plus - it won't work for many sites soon anyway

    Once the bad guys twig that this is going on, they will simply tweak the pages hosting the malware so as to return innocuous content when the TalkTalk probing engine looks at the site.

    The only way to detect malware-infested or phishing pages is to sniff the data returned to the punter's computer. Which is, of course illegal. And wouldn't work for SSL anyway.

  14. Graham Marsden

    "We are not interested in who has visited which site"...

    ... but you can bet that The Authorities would love to get their hands on this information (of course, as with Talk Talk's plans, it's for our own good!)

  15. Anonymous Coward

    Would it even work?

    TalkTalk took a helluva beating over Phorm. In fairness, they did terminate their agreement with Phorm following the user backlash.

    I suspect that, this time around, their motives are genuine. So long as they don't give in to the temptation to match the visited URL with subscriber names [ahem], there's no real harm here.

    But what's the point? Malware websites already serve up "legit" content when probed by security firms. I'm sure malware sites will be smart enough to appear legit to these automated probes.

    Not sure how much this will achieve.

    1. Alan_Peery

      "No harm" -- think about session ids in URLs

      If they are visiting the same URLs that I visit, and the website uses session ids in its URLs, here are some of the outcomes that I think are likely:

      1) my session gets confused about what page I am on, and takes me to another page

      2) the page is using some variation on the most common form technology (I'll be nice and assume the TT folks are screening out a lot of the POST URLs) and duplicate orders are placed on a website

      3) their access from another IP address trips a "session invalid" check and throws me out of my session

      There are probably a lot more....

  16. Lamont Cranston

    So, customers cannot opt out of being tracked,

    but shouldn't worry, as the anti-malware software being developed is "really exciting"?

    Come on, everyone, let's get excited!

  17. Anonymous Coward

    Ah, and what about Data Protection Laws?

    Hmm, it would be interesting to hear if any of the customers signed up to the collection of their web activities. As far as the excuse goes, I cannot see any reason to make such information personally identifiable, so I think a nice deep audit by the Office of the Information Commissioner may be in order. If they indeed don't track people individually I don't think it's a big deal - provided it stays that way. There are all these information-hungry sharks out there who would sell their grandmother for this data, so once you have the facilities in place a small "oopsie" a la the Google WiFi collection is quickly made.

    AFAIK (IANAL), permission for collection of personally identifiable information MUST be EXCLUSIVE (i.e. as a separate permission statement), it cannot be INCLUSIVE (as 4-point light grey text on a white background somewhere in a contract), and even if permission was granted you ought to be able to withdraw it.

    Smells like a nice case for the Information Commissioner's Office to demonstrate whose side it is on - get a few people to file a complaint. Just give me a moment while I grab some popcorn first, because that could become rather entertaining...

  18. Anonymous Coward

    Failing at Law

    If only Phorm had been prosecuted, actions like this would most likely not have happened.

  19. LinkOfHyrule

    Site owners

    I can see site owners banning the StalkStalk IPs from their servers and maybe even having other fun messing with this system. It will probably do something dumb like those web crawler thingies* that can hog your web-server resources by downloading a zillion* pages per second or something silly!

    *Can you tell I'm not an expert on these things!

  20. OffBeatMammal

    why not use existing services

    Rather than re-invent the wheel, why don't they partner with someone like OpenDNS ( or and make those services better for everyone rather than adding yet another partial solution (especially one that relies on stalking users without their consent)?

  21. dave 46

    what if...

    Some badly written website back end did something destructive when talk talk loaded your url again?

  22. Anonymous Coward


    I wonder if it's possible to circumvent this by using OpenDNS or a roll-your-own rather than the ISP's DNS?

  23. Anonymous Coward

    Does Charles Dunstone understand the law?

    The comments from Charles Dunstone of StalkStalk to this website admin,

    ( )

    suggest a very poor grasp of copyright law. I wonder if he is equally ropey on RIPA, PECR and DPA. Luckily for him, our UK regulators are very, very lax and soft on ISPs: the ICO has a six-month backlog and no signs of wanting to protect ISP consumers, our police forces don't seem to understand RIPA when it comes to commercial companies intercepting communications, and our CPS seems only able to sit on its hands (651 days so far thinking about the Phorm/BT case). So TalkTalk will get away with it. Just like BT did. But at least they are getting some bad PR, and more on the way hopefully.

    The story seems to be unfolding in an uncannily similar way to the Phorm scandal in Feb 2008. Next stop the stumbling stuttering TV interview on Channel 4 about how it is all legal and they have sought er obtained er legal advice er opinion, thingy, sort of. And if it is on the internet, anyone can copy it.

    1. Graham Cobb

      Tell us EXACTLY

      We need TT to tell us exactly what they are recording. For example, are they only recording URLs? What about other things from the HTTP message (like cookies, etc)? Do they store the whole URL or do they truncate at the first "?"? Do they record only GET URLs or others (POST, PUT, DELETE, etc)? Is the data definitely destroyed after 24 hours (no backups, logs, etc)?

      And what does their spider do? Does it honour robots.txt? Does it only issue GET methods? Does it include any cookies in the request? How does the website tell that this is coming from their spider?

      This just looks like more and more reason to put all browsing through a secure VPN. Maybe Opal can rent me one :-)
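      An added example (not the page's or TalkTalk's code) for the questions raised in this reply, and for the earlier points about data carried after the "?" and session ids in URLs: it splits a captured URL into addressing data versus request content, flags query values that look like session or auth tokens, shows what "truncate at the first ?" would leave for a scanning list, and what a passive on-path observer can read for HTTP versus HTTPS. The parameter names, the token pattern and the sample URLs are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Assumed names under which web apps commonly put session or auth material in a query.
SESSION_PARAM_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid", "token", "auth", "key"}
# Assumed shape of an opaque token value: a long hex or base64url-style run.
TOKEN_VALUE = re.compile(r"^(?:[0-9a-fA-F]{16,}|[A-Za-z0-9_-]{24,})$")

# Constructed sample URLs of the kind a subscriber's browser would request.
SAMPLE_URLS = [
    "http://mail.example.com/inbox?sid=3f2a9c8d1e7b4a6f0c9d8e7f6a5b4c3d&folder=Inbox#msg42",
    "https://shop.example.net/checkout?order=1234&step=2",
    "http://user:pass@intranet.example.org:8080/docs/report.pdf",
]

def classify_url(url):
    """Split a URL into the addressing part (scheme, host, port) and the part that is
    really request content (path, query), and flag query values that look like session
    or auth tokens. The fragment is reported for completeness only: browsers never send
    it on the wire, so no on-path observer and no ISP log ever sees it."""
    p = urlsplit(url)
    query = parse_qsl(p.query, keep_blank_values=True)
    sensitive = [
        name for name, value in query
        if name.lower() in SESSION_PARAM_NAMES or TOKEN_VALUE.match(value)
    ]
    return {
        "addressing": {"scheme": p.scheme, "host": p.hostname, "port": p.port},
        "content": {"path": p.path, "query": query},
        "fragment_not_sent": p.fragment,
        "has_userinfo": p.username is not None,
        "sensitive_params": sensitive,
    }

def scan_list_entry(url):
    """The most a scanner needs to fetch and check a page: scheme, host, port and path.
    Query string, fragment and any user:pass are dropped, so session ids and embedded
    credentials never reach the list (one concrete reading of 'truncate at the first ?')."""
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", "", ""))

def on_path_view(url):
    """What a passive observer inside the ISP can read for this request: on plain HTTP
    the whole request line, path and query included; under HTTPS only the host side
    (learned from the DNS lookup or the TLS handshake), never the path or query."""
    p = urlsplit(url)
    if p.scheme == "https":
        return {"host": p.hostname, "port": p.port or 443}
    return {"host": p.hostname, "port": p.port or 80, "path": p.path, "query": p.query}

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u)
        print("  sensitive:", classify_url(u)["sensitive_params"])
        print("  scan list:", scan_list_entry(u))
        print("  on path:  ", on_path_view(u))
```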

  24. Big PC


    Even the TTMF Manager posted this


    Not sure who this person's source is, but they are so far from the truth they wouldn't know it if it hit them on the head.

    I can assure you we don't monitor people's online activity!!!!! Hope this puts some of your minds at rest


    Stephen Fell

    TalkTalk`s Online Community

    Meet the forum staff and ensure you know Who`s Who

    Then this. What argument? Just simple, truthful answers, not as above.

    Hi all,

    Not going to comment any further as some people just want an argument, official statement to follow!!



    Stephen Fell

    TalkTalk`s Online Community

    Meet the forum staff and ensure you know Who`s Who

    Link to thread on TTMF.

    I checked this morning to see if I was followed, with a test set up on Phoenix Broadband. It took them 4 seconds to follow. Thread on Phoenix here,1828.0.html

    The owner was aware in May and has done a lot of tests for TT customers.

    It is a very informative thread.

  25. Conrad Longmore

    What about PPC ads?

    What about PPC ads? Where an advertiser pays per click.. does this mean that some PPC ads are being "clicked" more than because of this crawler? It's clear that it could cause all sorts of mischief on other similar systems too.

    It's not actually a hugely bad idea though.. if you could opt in to it, that is.

  26. ZenCoder

    I'm highly skeptical.

    A) An ISP should have neither the right nor responsibility to censor my internet access whatever their motive.

    B) I think they are lying about their motives and objectives. Businesses exist to make money; they have a plan to monetize this and, given their secrecy, they are going to do it in a way that if known would alienate their customers.

    C) I can already opt in to similar protection via Web Of Trust (highly recommended), Web Security Guard and probably dozens of other browser add-ons that will check malicious websites against various blacklists. I think a similar feature is built into IE 8. The difference here being I choose what protection I want and who I want to obtain it from.

  27. Anonymous Coward

    But what can an ISP do?

    Personally I think they should limit themselves to "side tracking" known infected PCs, perhaps with some intranet thingummy with clean-up tools. Keep an eye on spam and abuse reports, (dns)blacklists, promptly act on noticing something on their network has gone bad. And if they must, well, malware checking already exists, though it neither is infallible nor very controllable. At least it does let you opt-out, which these bozos can't seem to get licked.

    What ISPs certainly shouldn't be doing is pre-emptively breaking the law to forestall regulation. That just gets them sued, and rightly so. Worse, it gives entirely the wrong signal to the already befuddled politicos. How stupid can you get? Don't answer that. "IWF". 'nuff said.

  28. Anonymous Coward

    If it makes you feel any better...

    ... we the hapless monkeys on the front lines of TalkTalk's endlessly inept fault management processes didn't have a clue this existed, either.

  29. Anonymous Coward

    haven't seen it

    I'm with Talk Talk and I haven't seen anyone following me round. I wonder if they are targeting Windows PCs / areas of the country.

  30. Mr Young

    WooHoo - a new friend!

    My ISP is interested in my completely boring life? They really must be scraping that barrel thingy. Sad bastards. I can't even remember how old the phone tap law etc. is - applies the same as far as I can see!

  31. David Eddleman


    As someone who's worked in the web hosting industry before, I have to wonder how much scraping TalkTalk is doing on sites it "checks". Does it just grab the page and scan, or does it download the entire shebang and run it through some heuristics engine? If it's the latter, I have to wonder just how much they're costing webmasters in bandwidth fees.

    Bandwidth is NOT cheap, folks!

  32. Jesthar

    PPC Ads

    There have already been reports of some accounts being suspended, possibly as a result of TalkTalk stalking:,1828.msg36026.html#msg36026

  33. Julian 1


    I am very disappointed to read this. Notwithstanding the privacy issues, I have noticed an apparent fall-off in performance recently. I had attributed this to the World Cup, but the reduced performance has continued. Bandwidth and all that.

    The secrecy of the trial mitigates heavily against TalkTalk integrity and intentions. It'll be hard for them to dig themselves out of the hole which they have dug for themselves.

  34. M Gale

    if (ip_is_from_stalkstalk($ip)){





  35. Peter Fairbrother 1

    Interception? An analysis.

    TalkTalk have modified their network so as to make URLs available (to themselves, so they can do things with them). The exception for traffic data in RIPA ss.2(5) does not apply, as parts of URLs are considered to be content, not traffic data (generally speaking the parts after the third slash, but see RIPA ss.2(9)).

    TalkTalk's action therefore falls under ss.2(2) of RIPA, and is thus interception. I don't think there is much doubt or wiggle room there, if any.

    Next, is it lawful interception, or not? TalkTalk are perhaps in a better position than Phorm were, as they can argue that their action is lawful under RIPA ss.3(3), like virus or spam filtering of emails.

    However unlike virus and spam filtering of emails, TalkTalk's action was not necessary, nor was it done, to protect the service - the web would still work fine [*] without it, while email would, or so it's argued, fail entirely if spam and virus filtering wasn't done.

    TalkTalk's action would be made lawful by ss.3(3) if it was done "for purposes connected with the provision or operation of th[e telecommunications] service".

    I think instead it was done in order to provide an extra service on top of the basic telecomms service, and thus s.3(3) does not apply - it only applies to the basic message-passing service (passing bits), see the definition of "telecommunications service" in ss.2(1).

    So, in my opinion, yes, it's interception and yes, it's a criminal offense under RIPA ss.1(1).

    [*] for some TalkTalk value of "fine" ... :(

    1. Camilla Smythe


      "TalkTalk have modified their network so as to make URLs available (to themselves, so they can do things with them)."

      Not quite. The indication is that they have allowed Huawei to install equipment in the Radius, probably supplied by Huawei as well, which gifts the URLs to Huawei so that Huawei can visit those URLs and profile the content.

      Pop Up for full application

  36. david 12

    We know it works...

    Clearly, using tried-and-true technology from the Great Firewall of China. It automatically scans any websites for any suspicious content (like "Falun Gong") and black lists the site. All "Chinese vendor Huawei" have to do is build up the new database of sites to block, which they are doing now.

  37. MrHorizontal

    My god...

    Sniffing URLs is one thing, and a bad one at that; furthermore, blocking IP addresses that StalkStalk deem inappropriate is a huge issue - virtually everyone knows that blacklists being created and used to block IPs is a very harmful method.

    I'll chime in also with calling for Talk Talk to disclose how they farm the URLs in the first place. That's the illegal part IMO.

    What I don't understand is why, if Talk Talk actually wanted to protect customers, they didn't implement a network-wide IPS using something like Snort. It's open source, it's far more sensible than this sniffing, and it will only block reactively when an attack is happening. It's also far more cost effective to harden these network-wide servers than all consumers' routers too...


  38. pengipete

    It makes no sense.

    What's really hilarious is the idea that TalkTalk's customers have some sort of collective consciousness. As TT say...

    "In preparation for the launch of these services, as our users surf the internet, details of websites visited are put into a list. Scanning engines then compare this list to a blacklist (sites that have been found to contain recent threats) and whitelist (sites that have been recently scanned with no threats found); if the site is not on either of these, it will visit the site and scan it for malicious code. Sites that are already on either list are not scanned again until the following day."

    In other words, TT are simply creating an updated blacklist based on sites that other TT customers have visited. If you are the first visitor to a site you're on your own - the site isn't checked until AFTER you've been exposed to any risks. It also appears that any site visited by a TT will be continually monitored even if no-one ever visits that site again.

    The whole concept is ridiculous - it only works if all TT customers only ever visit the same sites as each other, or if TT scan the entire contents of the www at least once a day. If such a system was even possible, the costs involved would be so high that it would make far more sense for every ISP to be involved as a joint venture, with the blacklist being shared amongst them and the whole process and system being overseen by an external watchdog to ensure that standards are met, the system is not abused and website owners have a means of appealing against incorrect (or malicious) flagging of their sites as "dangerous".

    I can't believe that senior staff at TT aren't aware of the shortcomings in their explanation which makes me think that - like so much spyware - the security angle is just a front for spyware.
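    An added example (not the page's or TalkTalk's code) that models the list / blacklist / whitelist scheme exactly as the TT statement quoted above describes it, to make the "first visitor is on their own" gap concrete: it assumes the scanner runs on a fixed interval, that the eventual service blocks hosts on the blacklist, and it uses a constructed visit log and a constructed verdict on which hosts are malicious.

```python
from dataclasses import dataclass, field

DAY = 86400

# Constructed assumption: the hosts the scanner would judge to carry malicious code.
MALICIOUS_HOSTS = {"evil.example"}

def is_malicious(host):
    return host in MALICIOUS_HOSTS

@dataclass
class ScanState:
    blacklist: dict = field(default_factory=dict)  # host -> time of its last scan
    whitelist: dict = field(default_factory=dict)  # host -> time of its last scan
    pending: list = field(default_factory=list)    # the "list" of visited sites awaiting a scan
    scans: list = field(default_factory=list)      # (time, host) for every probe fetch made

def record_visit(state, host, now):
    """Per the quoted policy: a visited host goes on the list unless it is already on
    either list from a scan within the last day."""
    for lst in (state.blacklist, state.whitelist):
        if host in lst and now - lst[host] < DAY:
            return "skipped"
    if host not in state.pending:
        state.pending.append(host)
    return "queued"

def run_scanner(state, now, verdict=is_malicious):
    """Drain the list: probe each host once and file it on the black- or whitelist."""
    for host in state.pending:
        state.scans.append((now, host))
        (state.blacklist if verdict(host) else state.whitelist)[host] = now
    state.pending.clear()

def simulate(visits, scan_interval=600, verdict=is_malicious):
    """visits: (time, user, host) tuples. Returns the final state and the visits that
    reached a malicious host before any scan had flagged it, i.e. the users the
    scheme could not have protected however good the scanner is."""
    state, exposed, next_scan = ScanState(), [], scan_interval
    for t, user, host in sorted(visits):
        while t >= next_scan:            # catch up on scan runs due before this visit
            run_scanner(state, next_scan, verdict)
            next_scan += scan_interval
        if verdict(host) and host not in state.blacklist:
            exposed.append((t, user, host))  # the first-visitor gap
        record_visit(state, host, t)
    return state, exposed

# Constructed visit log: alice and bob reach the bad host before the first scan run.
SAMPLE_VISITS = [
    (50, "dave", "good.example"),
    (100, "alice", "evil.example"),
    (200, "bob", "evil.example"),
    (700, "carol", "evil.example"),
]

if __name__ == "__main__":
    state, exposed = simulate(SAMPLE_VISITS)
    print("exposed before the blacklist caught up:", exposed)
    print("probe fetches made:", state.scans)
```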

  39. Big PC


    The Manager of TTMF has sent this to me. Also removed the link in my signature.

    Today, 12:59 PM



    Due to the fact that we have been blocked from viewing the above site we are no longer able to validate the URL for the site posted on this site which is a requirement as per the forums terms of use.

    As such please note we will remove any such links on the grounds that we are not able to validate its content, I would appreciate your adherence to the forums rules.




    Stephen Fell

    TalkTalk`s Online Community

    Meet the forum staff and ensure you know Who`s Who



  40. Hatari

    Stalkstalk seems to have changed IP

    It appears that there has been a change in the IPs being used by the TT stalker. It now appears to be using Huawei IPs.

    The one captured at the moment is about 70 accesses here yesterday.

    And the complete range is -

    I would suggest people block the complete range.

  41. Anonymous Coward

    Talk the Talk

    They cannot talk the talk or walk the walk but they certainly can stalk the stalk!

  42. Hatari

    They download the entire shebang

    They download the entire shebang, as my logs have shown. My websites have something of the order of 100 plus accesses a day from them even though they are blocked and Charles Dunstone has been told by email, replied to, not to access my site. Yesterday it was 130 accesses/attempted accesses.

    Talktalk have been told that all accesses/attempted accesses after 09:00 on 26/7/10 will be charged at £10 per access/attempted access.

    If all webmasters charged them they would soon stop


    Phoenix Broadband Advice


Biting the hand that feeds IT © 1998–2021