The adult content blocking system championed by David Cameron is controlled by the controversial Chinese company Huawei, the BBC has learned.
UK-based employees at the firm are able to decide which sites TalkTalk's service blocks.
Politicians in both the UK and US have raised concerns about alleged close ties between Huawei and the Chinese government.
Even customers who do not want filtering still have their traffic routed through the system, but matches to Huawei's database are dismissed rather than acted upon.
One expert insisted that private companies should not hold power over blacklists, and that the responsibility should lie with an independent group. Dr Martyn Thomas, chair of the IT policy panel at the Institution of Engineering and Technology,
told the BBC:
It needs to be run by an organisation accountable to a minister so it can be challenged in Parliament,
There's certainly a concern about the process of how a web address gets added to a blacklist - who knows about it, and who has an opportunity to appeal against it.
You could easily imagine a commercial organisation finding itself on that blacklist wrongly, and where they actually lost a lot of web traffic completely silently and suffered commercial damage. The issue is who gets to choose who's on that blocking
list, and what accountability do they have? 'Policing themselves'
Huawei's position was recently the subject of an Intelligence and Security Committee (ISC) report. It criticised the lack of ministerial oversight over the firm's rapid expansion in the UK. The committee said:
The alleged links between Huawei and the Chinese State are concerning, as they generate suspicion as to whether Huawei's intentions are strictly commercial or are more political.
In the US, intelligence committees have gone further, branding Huawei a threat to national security.
Initially, TalkTalk told the BBC that it was US security firm Symantec that was responsible for maintaining its blacklist, and that Huawei only provided the hardware, as previously reported. However, Symantec said that while it had been in a joint
venture with Huawei to run Homesafe in its early stages, it had not been involved for over a year.
TalkTalk later confirmed it is Huawei that monitors activity, checking requests against its blacklist of over 65 million web addresses, and denying access if there is a match.
The contents of this list are largely determined by an automated process, but both Huawei and TalkTalk employees are able to add or remove sites independently.