Outsourcing censorship to the experts

Earlier this week I raised concerns that a lack of transparency and accountability makes commercial censorship systems a privacy risk to consumers. This morning the BBC reported:

The pornography filtering system praised by David Cameron is controlled by the controversial Chinese company Huawei…

[TalkTalk’s net filtering service] Homesafe is a voluntary scheme which allows subscribers to select categories – including social media, gambling and pornography – that they want blocked.

Customers who do not want filtering still have their traffic routed through the system, but matches to Huawei’s database are dismissed rather than acted upon. (Emphasis mine).

TalkTalk’s privacy policy says nothing explicit about sending all traffic, for all subscribers, to a third party. Neither the privacy policy nor the BBC report states whether Huawei log what individual subscribers are accessing or analyse that information in any way. I emailed TalkTalk to ask about this. They pointed me to their HomeSafe FAQ and assured me the content-filtering part of the system works in the same way as their virus alerts system:

“None of this information is personalised or stored. The network processes billions of requests a day, so these lists are recorded in temporary memory.”

TalkTalk didn’t clarify how their customers are made aware that their requests are being processed by Huawei. Nor did they say what arrangements are in place, if any, to ensure Huawei and its systems preserve subscribers’ privacy. TalkTalk do say they’ve shared the details of their system with the Information Commissioner’s Office; however, the ICO is notoriously under-resourced, so it isn’t able to provide much of a safeguard, and the FAQ doesn’t say whether they passed any comment.

TalkTalk aren’t the only company who outsource their net filtering. Your employer, your library and your coffee-shop, for example, probably employ device- or network-level filters whose behaviour is controlled by third parties. It’s natural for businesses to contract out such non-core activities. The trouble is that there’s no incentive for providers to bake in any privacy protection for consumers, and while the Government is using legislation as a blackmail threat rather than a tool to regulate ISPs’ implementation of default-on filtering, that situation seems likely to persist.

With opt-in systems, and where a choice of services exists, people can be as careful as they like in checking for privacy safeguards and can avoid systems they find problematic. With default-on services, and where there is no choice provided, I think providers should be obliged to be transparent about how systems work, to be proactive about keeping their customers informed, and to build in explicit privacy protections.

Most people don’t change the default settings of anything, so since the Government is demanding ISPs censor all our connections by default, why don’t they also demand privacy safeguards be put in place to protect consumers from the surveillance required to implement such systems?

If you’re a TalkTalk customer reading this I’d be interested to hear whether you knew that all your web traffic was being sent to a third party. Please drop me a comment either way and let me know!