UK mobile operator Three illegally intercepting and sharing traffic
I was recently lucky enough to be given a new phone, and also got a 3 PAYG SIM to use with the device. Shortly after starting to use the service however I noticed that my connection was being filtered and my attempts to establish VPN connections seemed to fail. It would appear from the brief explanation that I got from Three that this was being done to filter out adult content as they could not be certain of the age of customers on PAYG connections without further verification. To make matters worse however the page that showed the block advertised – yes, you guessed it – porn.
This is something that all mobile phone operators in the UK seem to do. For them the excuse ‘for the children’ seems to excuse any illegal behaviour that takes place as a result of this filtering. It’s a view that completely ignores the fact that sooner or later children will gain access to that sort of material. Furthermore a lot of the material actually originates from the children themselves (google the term ‘sexting’ to see what I mean). This user generated material will never be caught by the filter.
Hey Three, here’s an idea: if protecting children from smut on mobiles is so important then don’t sell them the handsets to start with!
Doing anything else is little better than paying lip service to the issue and done at the expense of the privacy of others.
One other mobile operator in particular already uses services provided by a US company called Bluecoat to filter traffic, so I was curious to see if the same was happening with Three. I tried visiting a custom page produced by somebody with an interest in privacy that had been designed to expose entries in the web server’s access log. Sure enough there was a couple of entries that were of particular interest:
The first IP address is owned by Three. The second IP address is owned by Bluecoat. More information on the IP address can be found here:
The IDs in the log entries above have been removed by me, but they have identical values in all 6 cases. What would appear to be happening is that Three are sharing the requests I’m making to websites with Bluecoat. Bluecoat then visit the same site using the same credentials as me.
In addition I have also been visited by another Bluecoat IP address: 18.104.22.168.
This method of duplicating visits is sometimes referred to as a replay attack. This not just illegal, it can cause serious problems with the operation of websites too. Imagine for example the situation where visiting a given URL confirms payment for an item. If you were to visit the site through a Three connection then the payment could end up going through twice thanks to this unwanted extra visit.
This is the surprising part though: I tried complaining publically through Twitter and Three’s own blog as they seemed to be taking their time responding to emails. One of the moderators actually replied with the following:
That particular response can be found here:
They seem to be quite happy to admit that they use Bluecoat. There is one glaring problem with their excuse of filtering for content listed by the IWF: if you go to the IWF website then you’ll see that Three are listed as one of the recipients of the IWF list. Why then send details of our online activities half way around the world to check against a list that they already have access to?
I tried to get more details from Three as to how they could possibly believe that what they were doing was legal. The best I could get from them was this:
Thank you for your emails.
Three’s policy with regards to filtering is intended to ensure that children are protected from inappropriate content when using the internet on their phones. This is why we require our Pay As You Go customers to prove they are 18 before they can access sites that Three considers to be inappropriate for under 18s and/or which are classified as inappropriate by the IWF. This is not about intercepting customer communications but is about the safety of children who use our network.
We do not accept your allegations that Three’s policy in this regard breaches any of the laws that you have mentioned in your correspondence. However, if you maintain your position that Three is in breach of RIPA, the DPA, the PECRs and/or the Computer Misuse Act, then you are at liberty to take this matter up with the police and/or the ICO, and we will fully cooperate with any investigations that they may wish to instigate. Similarly, we note your comments regarding the SABAM/Scarlet case, but do not believe that we’re required to change our policy in light of this case.
With regards to your concerns about Bluecoat, I recommend that you take the matter up directly with Bluecoat.
I hope this clarifies our final position regarding this matter.
Social Media Advisor – Executive Office
Observant readers will also notice how three have repeatedly tried to use the old excuse for breaking the law: ‘it’s for the children’. They appear to be trying to scare people into not complaining by raising the spectre of paedophilia.
This just isn’t good enough.
Three have decided to sell their phones to minors both through resellers and their own shops. It’s up to Three to find an acceptable solution without trampling over the rights of the entire general public to private communications. This is after all a problem that Three themselves have created by selling devices to children that are unsuitable for those children to use. It’s probably also worth pointing out at this stage that children are generating a lot of this unsuitable material themselves through so-called sexting, often as a result of bullying. No filter can ever stop this.
Stopping the sale of such devices to minors can, however, seriously limit this type of bullying and indecent exposure.
There is no age limit within RIPA, the DPA or the CMA. Everybody has the same rights to private communications. Even children. If Three were really committed to protecting children then they would stop any sale of their devices to minors, only allow them to be sold to adults and make the adult buying the phone make the decision as to whether filtering is required. The fact that they care so much about maximising profits at the expense of the privacy of their customers shows where their priorities really lie.
Back to Three and their use of Bluecoat’s systems: I asked Three why they were wasting money on Bluecoat’s services when any webmaster worth his salt knows how to tailor the response from the server based on the IP address of the PC making the request. They could produce a page full of innocent images for Bluecoat when they come calling, but save all the unsavoury material for the ‘real’ visitor. There is also the certainty that the service would not be of any use when SSL is used. I can’t emphasise this enough: if the site is protected by the use of SSL then Bluecoat’s services are rendered useless. The same page used to get the log entries included in this article doesn’t show any shadow visits from Bluecoat when the page is protected in this way.
The system as a whole is ineffective as a security measure.
It would also appear to be completely unnecessary given that other operators – notably Orange – don’t appear to need to share traffic in this way in order to filter it. This is the first time I’ve seen this excuse: ‘Bluecoat made us do it’. It really does beggar belief and does nothing to encourage people to believe that any filter is capable of doing it’s job satisfactorily. Anybody wanting an example of how badly filters can fail should look into TalkTalk’s HomeSafe product and how it failed to block access to one of the biggest porn sites on the internet.
I wonder if Three realise that anything sent to the US can always be accessed by the US government thanks to the PATRIOT act, with Three not even being notified that a request has been made, much less complied with? Don’t they see that allowing this sort of eavesdropping increases the chance of industrial espionage? US companies could quite easily end up having access to confidential information obtained through illegal means. The potential for losing confidential information or giving away intellectual property is huge.
Three are intercepting my requests without prior authorisation from both the sender and recipient parties to the communication. That’s illegal under the Regulation of Investigatory Powers Act. They’re sharing my information without consent with a 3rd party overseas and that is completely outside the reach of the regulators here. That goes against the Data Protection Act. They are interfering with the operation of a computer. That’s illegal under the Computer Misuse Act.
I suppose now I had better get that complaint to the police sorted out as I have no intention of putting up with this illegal interception and sharing of my personal communications.
I’d like to welcome users from the British government accessing this website and others from the EU commission whose visits have been popping up in the server’s access log over the last few months.
It is interesting however that despite the wealth of evidence showing the abuse of personal data by companies in the private sector that pretty much nothing appears to be done about it. BT, TalkTalk, Vodafone, Three, the media – the list goes on and on.
I hope somebody from the ICO is reading this because I’m sure I’m not the only one who would like an explanation as to why no substantial action has been taken over past transgressions when they involve the private sector.