Subscribe:
28 Jun 2012
By Anthony Goonan
Jun
28
2012

Further Update – Telstra ‘Smart Controls’ Cyber-Safety Tool

telstra-logo-blog-header

Yesterday, we stopped sale of a cyber-safety tool (named ‘Smart Controls’) in response to your concerns about the process that we had been employing in collecting data to support the launch of the product.  To reassure our customers about what this process had involved, we published a post outlining the background to the development of this product. In response to this post, a number of our customers have contacted us with further, specific questions about this process.

These questions were legitimate and well informed and we thought that all our customers would benefit from hearing the answers. A lot of these questions related to how and what information was passed on to our supplier for this product.

We understand that there are a lot of misperceptions about this at present, so I’ve set out the process under which information was provided to our supplier in detail below.

The first thing to know is that at no time was a customer’s browsing history or ‘clickstream’ provided to the suppliers of this product. As we’ve set out in more detail below, the only information that was provided to the supplier of this product was target website addresses without any information to link these target website addresses to a customer, or even any other websites visited by the customer, or any information provided by the customer.

When you type or click on an internet address (URL), a number of things are sent as part of your request to retrieve the website. This includes the URL (eg http://exchange.telstra.com.au) and your separate IP address – effectively your computer or mobile’s personal address on the internet.

In some instances where you are required to type in additional information as part of the website request, this information (called ‘variables’) can be included in the URL itself. For example, if I search for my name on this website the URL would be http://cluster01-query.funnelback.com/search/search.cgi?query=anthony+goonan&collection=telstra-exchange&form=simple.

It is important to understand that before any URLs were provided to our supplier, all variable information contained in a URL was ‘stripped out’ and only the base or ‘root’ URL (the URL address) was provided to our supplier. In fact, at no time was information linking the URL address to any customer provided to our supplier. Only the URL address without any variables or other information from the internet site was stored in the Telstra or Netsweeper databases.

As the internet is constantly evolving, with new websites being added every minute, a cyber safety product such as Smart Control will only be effective if it is continually updating its database of website classifications. As such, to develop this product, a process was needed that quickly identified new websites, then assessed them and classified them to enable customers’ preferences to work as accurately as possible.  This is why Netsweeper was used. Netsweeper already maintains an extensive database of the classification of website addresses and is used by companies around the world for this purpose.

As part of developing this cyber safety product, Telstra began comparing websites requested by its mobile customers against a list of known websites in a Telstra database housed in Australia to see if it was already classified and within the specified lifetime of the classification (anywhere from 12 hours to 30 days depending on the site). If a site was already classified, as were the majority of sites on the internet, no further action was taken.

If the Telstra database did not recognise the website, usually because the website had only recently been created, the URL was sent to the Netsweeper database (either in the US or Canada) to see if it had a classification for the website. If the website had been classified in the Netsweeper database this information was sent back to the Telstra database and no further action was taken. If the Netsweeper database didn’t recognise the URL address, the site was accessed and then assessed for classification and sent back to the Netsweeper and Telstra databases.  The databases are used solely for the purposes of enabling websites to be classified to give customers the opportunity to opt into a service that would allow them to manage what sites can be accessed on their device

The process in its most basic form is outlined in the diagram below.

Information flow diagram

In response to your concerns, we’ve talked about this process with the Privacy Commissioner, the Australian Communication and Media Authority, the Telecommunications Industry Ombudsman, the Australian Communications Consumer Action Network as well as talking to our community through this forum and one on one with individual customers. We are committed to being transparent about how we use the personal information customers entrust to us, and we apologise for any confusion or concern this has caused – we’ll keep working with you to clarify any further points of concern you might raise.

By

Posts: 3

71 Comments

  1. Steve says:

    I have corrected your statement about Netsweeper:

    “Netsweeper already maintains an extensive database of the classification of website addresses and is used by companies [and oppressive regimes] around the world for this purpose [and to stifle freedom of expression and human rights].”

    • Jason says:

      Steve, So netsweeper is used by other companies/countries, What does that have to do with how telstra uses it? you may have concerns with the way these other companies/countries use it but that does not mean that you should out this onto telstra..

    • I am grateful that a telecommunications provider is being so obvious about spying on its customer base.

      It is a pity they are trying to cover this up with absurd lies.

  2. Steve says:

    “we apologise for any confusion or concern this has caused”

    The only confusion has been caused by Telstra’s ongoing attempts to hide what was going on.

    • Ed says:

      Anyone who thinks that telstra or any other web content aggregator does not or should not data mine for financial gain is living in cloud cuckoo land.

      Facebook’s entire business plan is based on harvesting and selling off data of its users. Why should they be the only one? The Internet is in fact the most insecure information service ever devised. The only secure computer is one that has never been connected to the net.

  3. Tom says:

    Claiming no personal data is passed in a URL stripped of HTML params is still a false claim.

    What about
    http://example.com/private/activation/a3#5fdjjdg&34/

    Stop trying to defend this. You have made a very big mistake and leaked Australia’s browsing history off shore including private personal data.

    Commit to never doing this again.

    • Will Hughes says:

      The hash symbol (“#”) has a special meaning and treatment in URLs. Specifically, modern browsers do not send anything to the right of the hash in their requests.

      So, if you type: “http://example.com/private/activation/a3#5fdjjdg&34/” into your browser, only “http://example.com/private/activation/a3″ would be transmitted.

      That said, your point is otherwise valid – By Telstra transmitting URLs that may be unique to you, Telstra are transmitting data that could be used to identify you.

      For example, some web based email systems use URLs including the email address or username. eg: “http://webmail.example.com/mail/johnsmith/”

      The same would apply if the identifying portion was in the domain. eg: “http://0dc45dc3.activate.example.com/”

      Ideally data which has your information on it would only be transmitted over HTTPS (HTTP + SSL, or the technique used to encrypt web traffic during transmission) – but many sites do not do this by default.

      This is really a wake-up call for everyone: If you’re not already using HTTPS for everything user-specific, you should do so ASAP.

      This would not only defeat any ‘cyber safety’ functionality based on URL filtering, it would also prevent third parties like Telstra from monitoring your internet access.

  4. Cory says:

    Aren’t people’s concerns that Telstra was doing this without customers knowledge???

    If a few customers were paying for this service, good luck to them. They obviously know what it’s about.

    So those ‘not in the know’ would presumably be billed for it without their knowledge, or get it for free.

    I’m more confussed now!

  5. Dan says:

    So according to your diagram the Telstra database contains full URLs for websites, and their classification, and the IP address of customers who have accessed that URL… So not anonymous data at all in Telstra database.

    Why the IP correlation in your diagram and what is the retention period of IP data?

  6. Dan says:

    So the full URL and the customer Is which accessed it are stored in the Telstra database (according to the diagram).

    Why store the customer IP if it’s just a filter database

  7. Cameron says:

    While I appreciate the response you have provided. It appears you were not only sending the stripped URL as you have stated.

    As stated here
    http://forums.whirlpool.net.au/forum-replies.cfm?t=1935438&p=21#r401

    If a user visited a URL it was immediately also visited by the USA website you were sending this data too. If the same user visited this website the USA website would not visit.

    However if another user visited the same website the website in question was checked again by the USA website.

    So you must be storing some form of identification (anonymous or not) alongside each stripped URL otherwise the situation would not have occurred where you knew not to check the URL again.

    So sadly you are still hiding details from us as to what data was being passed.

    Even if this identification linked to each URL was anonymous there are many proven cases where peoples identities can be deduced from such data sets.

    Regardless this URL stripped or URI information is still pretty identifiable
    http://www.facebook.com/your.name.here

    It appears you were storing what customers had looked at

  8. Heath Gibson says:

    Anthony (or another mod)

    Where you say you stored the IP address – do you mean the IP address of the website requested, or the IP of the customer who accessed the site. If it was the customers IP address – why was it necessary to store this information?

  9. Ash says:

    So you couldn’t bring yourselves to say sorry for sending the internet activities of millions of Australians to an overseas company without getting our permission or even telling us.

    And yet you claim our trust is the most important thing to you.

    I’m so sick of PR spin and corporate dishonesty.

  10. seven_tech says:

    While I DO NOT condone the behaviour of doing this WITHOUT specific consent from the customers involved, I don’t have a problem with the use of Netsweeper as a service.

    It’s lovely to be conspiratorial around these things, but I don’t see how accessing and assessing websites of customers (with no private data attached) visits constitutes an “oppressive regime” or “evil selling of private data.”

    Telstra appear to be doing this as a part of offering an evolution of service on filtering. It SHOULD have been made public, but the idea behind it is not a big deal people….

  11. John says:

    5th paragraph reads

    ‘When you type or click on an internet address (URL), a number of things are sent as part of your request to retrieve the website. This includes the URL (eg http://exchange.telstra.com.au) and your separate IP address – effectively your computer or mobile’s personal address on the internet.’

    Surely that is giving a link between the person (your separate IP) and the url, so it IS spying, it does not matter how you sugar coat it as that is what it is.

    J

  12. Mark Gregory says:

    I have posted a comment on this situation at The Conversation.

    https://theconversation.edu.au/why-is-telstra-next-g-serving-your-data-to-netsweeper-in-america-7939

    Waiting for more information from Telstra about what is really happening.

    regards, Mark

  13. Mark Newton says:

    With all due respect, Anthony, you didn’t “stop sale” of Smart Controls, unless “stop sale” is the new euphemism for “removing from the market a product that didn’t exist.”

    Nobody even knew about it until you published an amended, un-proofread version of your T&Cs document on Tuesday.

    Furthermore, providing the product doesn’t require the kind of disclosures you made to netsweeper, providing data from all subscribers behind their backs. You could have limited it to Smart Controls subscribers, for example. Maybe it would have been less effective, but that’s an implementation decision, right? Something you trade-off against the value you place in the privacy and trust of your customers.

    Also:

    As others have pointed out since Tuesday, it’s overly simplistic to assert that stripping the bit after the ? in a URL is sufficient to anonymize it. How many customers were identified to Netsweeper by virtue of a username appearing in a URL before the ? character? Do you even know?

    Having had that question asked multiple times over the last couple of days, you could have issued a statement to say that you’re aware of that issue, and are investigating to determine how many customers were affected. Or you could have stated that you’re aware of the risk, and that’s one of the reasons why you stopped sending data to Netsweeper. Or that you know it could happen but don’t care. Something. Anything other than ignoring it altogether.

    By ignoring it you’re minimizing what is, to me, a very legitimate concern, insisting that the data was anonymized without any satisfactory explanation of how that could possibly be true.

    Rather than engaging the actual conversation that’s unfolding on these pages, my impression is that you’re picking and choosing the bits you’re prepared to respond to. Don’t mention the war.

    Yesterday this blog carried a statement By Danielle Clark which said, “Firstly, it’s crucial for me to point out that our customers’ trust is the most important thing to us.” Having been caught with your hand in the cookie jar, that trust has been eroded. You don’t earn it back by means of “proof by repeated assertion.”

    The community has lots of people who can understand technical details. I think what you need to do is to get one of your geeks, one of the people who was actually working on this system, to explain in obsessive detail exactly how the data was transferred from your network to Netsweeper’s. Go to the level of packet dumps if you have to. Whatever it takes to validate the statements you’re making about anonymity. Because it’s easy to SAY that the data is anonymized, but is it really? What other metadata goes with it? And what other metadata is encoded in the bits of the URLs you haven’t stripped off?

    Openness and transparency. That’s how you build trust. That’s how you put meat on the bones Danielle assembled for us yesterday.

    On Monday you guys told scmagazine.com.au that this was “a normal network operation,” and that statement turned out to be false. Everyone knew it was false. Even the people inside your company who were implementing it must have known it was false, but that’s what Craig Middleton (who also must’ve known it was false) said anyway.

    Maybe what you’ve said here is 100% true. Maybe it isn’t. How can anyone know?

    After your company’s recent performance we’d be pretty silly if we simply took your word for it. Without proof and real, live, open engagement, how is anyone supposed to know that what you’ve said here isn’t false too?

    “Our customers’ trust is the most important thing to us.” Great. Brilliant. Just what everyone wants to hear.

    Now prove it, please.

    – mark

  14. Matthew Moyle-Croft says:

    The issues that are key are still being ignored:

    (a) That Telstra did this and won’t admit they were wrong.
    (b) That they were intercepting a telecommunications service
    (c) Using data from that service for a reason other than network management or billing or for which a warrant didn’t exist.
    (d) They still don’t seem to be willing to admit they were wrong.

    Whether the URLs were sanitized or not is almost irrelevant. It’s clear that the URLs weren’t particularly sanitized from the examples I created.

    • Ben_F says:

      Matthew, aren’t you a Node Employee? Seems like there is some concieted effort (as I know that Mark Newton was or is a NodeFan/Node Employee).

      Who isn’t disclosing what to who now?

    • Matthew Moyle-Croft says:

      Ben_F -> I’m (a) not an Internode Employee – haven’t been for almost a year (b) I’m a Telstra customer for mobile and have been on and off since 1996.

      Why should I not be able to disagree with them for a product I purchase?

      THis isn’t about MY disclosure. I’m not providing a product that is being illegally intercepted.

  15. Justin says:

    I’m sorry, but you need to do a little better than that. This is not good enough. I did not sign up for smart controls, nor did I sign up the other 6 mobiles on my business account.

    Additionally, I’d like to know how you can even get the web address out of the HTTP traffic without breaching the Telecommunications Interception Act. Is this a by-product of the way Telstra and other providers have circumvented the parliament by getting the AFP to issue a 313 request in order to implement its “voluntary” filter?

  16. Justin says:

    Also, there was a suggestion that “Smart Controls” keeps your browsing history for 60 days. Was this happening on accounts that don’t have “Smart Controls” enabled? i.e. all the people experiencing this issue.

  17. Iain says:

    What about urls of the form:

    http://www.someonespersonalblog.org/wp-admin

    how many people do you suppose might have hit bigiain/com/wp-admin ?

  18. Furious says:

    “If the Netsweeper database didn’t recognise the URL address, the site was accessed and then assessed for classification and sent back to the Netsweeper and Telstra databases. ”

    And if that site was a private one and the data you were accessing was confidential, that data is now in the possession of a company in the USA outside the reach of Australian laws.

    Screw you, Telstra.

  19. Ben says:

    Also, don’t forget that this data of ours is being held in the US, where the US government can seize the information under the patriot act.

  20. Ross says:

    Thanks Anthony for attempting to shed some light on this.

    There’s a few things that don’t really make sense from your explanation however.

    The first is, why realtime? I would have thought it was both simpler and cheaper to pull your squid logs once per [insert period here], de-dup & remove known sites, then fire that list off to netsweeper or whoever in a transparently anonymised way. It seems that implementing a realtime solution adds both cost and complexity, and makes suspicious minds nervous.

    Secondly, what you’ve described doesn’t match my experience. Knowing the sysadmin of a couple of sites that have been around for quite some time, I was able to fire off a few requests and see this realtime piggyback request hit the logs. Not sure how that tallies with your expectation that only brand new sites would be getting indexed in this way.

    Lastly the choice to run this process off the back of mobile internet browsing seems illogical if the goal is to maintain as comprehensive index of websites & content ratings as possible. Surely you would get better coverage of the net by sourcing site information from your broadband networks? Again this seems to cast a shadow over the explanation given thus far.

    From a customer’s perspective, this whole incident is unsettling, not just because of the realtime data feed itself, but also because a few different explanations have been given by Telstra, and none of them really seem to add up.

    A number of customers asked in response to Danielle’s post for the contact details or process by which customers can request a copy of their usage records as they were supplied to any 3rd party. I think providing these details, and this information, would go a long way towards defusing the anxiety, and would allay the concerns of those who have noted that this seemingly simple request hasn’t been addressed, and wonder what that itself might signify.

  21. Rol says:

    The only reason tel$tra didn’t ask people to participate in this ‘data mining’ activity is because they knew most would opt out. So instead they went down the stealth route. Now caught with their pants down and in a very compromising position, they use all the spin in the world to try placating people by feeding misinformation. Read all the comments that people have posted. Only Anon in the previous post (a tel$tra employee no doubt) was supporting tel$tra – the rest of us are rightly outraged. I will be placing an official complaint with relevant authorities and I hope others do too.

  22. LateralNW says:

    Consider this scenario
    All cars have as standard gps systems built in to the ECU
    All gps systems report back to the car dealership or manufacturer
    Unknowingly your car is being monitored everywhere it goes without your permission.
    Would you feel your trust in the car manufacturer has been violated?
    I think you would.
    Now consider this.
    An ISP manages your traffic for you via their “roads”
    Because they can see all the traffic on those roads do they have the rights to track that information?
    Just because the information is there does not mean they have the right to use it.
    As a network administrator does it give me the right to go in to users accounts and check their personal information or read their emails… No it does not. (If you have signed a discloser then thats different.)

    Telstra has no right to play with users personal habits regardless of what access they have.
    Neither does any other ISP

    • TonyInTsv says:

      All gps systems report back to the car dealership or manufacturer
      Unknowingly your car is being monitored everywhere it goes without your permission.
      Would you feel your trust in the car manufacturer has been violated?”

      I would feel safer! Imagine this scenario

      I’m driving along the road. I have an accident. The cars ECU detecting the airbag deployment or tripped by the rolover sensors instructs the GPS to report an accident to the dealership. The dealership contacts 000 and gives them my coordinates. Ambulance arrives, rescues me, I survive where normally I may have died.

      “An ISP manages your traffic for you via their “roads”
      Because they can see all the traffic on those roads do they have the rights to track that information?”

      ISP’s have always tracked traffic on their “roads”. How else would they know when a DSLAM or a mobile phone tower is congested? How else would they know to install new backhaul?

      I personally like the idea of having a product that I can purchase, network side to prevent my children from accessing material that is inappropriate. Sure, things can be installed on the PC to prevent this but these are by no means foolproof and are easily circumvented. I haven’t seen anything that fulfils this role for smart phones yet, and even if there was, again, how hard would it be for your average 15 year old to get around it?

      If I can put a filter on a service from the network side, then I have piece of mind.

  23. Alan D. says:

    I think that you’re missing the point, Anthony.

    You have lost our trust. Your credibility is destroyed … even if what you say is true (as far as you believe it to be so) we can’t believe you!

    Telstra sends our passwords and personal information and other info to some United States company which got breached last year, then it happens again a few weeks later with some company out of Hong Kong, then your games system is hacked and NOW we find out you’ve been snooping on our mobile traffic without asking, without our consent, and without any legitimate reason whatsoever.

    What you write by way of an explanation is nonsense. You didn’t “stop sale” on anything! You thought you could get away with something, you got caught, Telstra lied about the reasons, and now we’re given more half-truths from people who clearly do not understand what they’re talking about.

    The manual for Netsweeper makes it clear that it CAN intercept a lot more than you claim Telstra is doing. How can we believe you that you’re not doing this?

    Some more questions:

    1. How long have you been intercepting our data without our consent on this non-existent product? When did it start?
    2. You say you’ve stopped, but what precisely has stopped? Are you still gathering the data at the Telstra side and not passing it off to Netsweeper in the US? It should be turned off, lights off, no more snooping.
    3. Will an independent third party ensure that all of the gathered data is destroyed from Telstra’s systems, including any backups? Will you require Netsweeper to destroy ANYTHING that it received from Telstra, any classifications, any contents of sites, any URLs? Will this be verified?

    Many others have pointed out that it’s not just WHAT you did, but WHO you did it with. Getting into bed with companies who support censorship and oppressive regimes in the Middle East is a horrific image for Telstra to want to adopt. And that you did this without asking us and denied it when you got nailed by true experts shows just how little you regard your customers, our privacy, and our business.

    Back in February I read an article that said you were going to start measuring customer satisfaction by how much we “promote” you as a company. Do you really think that after all of these failures, and this latest (and probably the worst) we would even consider recommending Telstra? My mates ask me who to go to as a telco and I’ll be sure to say “someone you can trust, and that sure as hell isn’t Telstra.”

    I wanted to believe you could change and keep up with modern times, but you only seem to be interested in sending our private information to other companies, in other countries (like sending all our email to Microsoft in the United States!) and charging us for the privilege.

    Enough is enough Telstra.

  24. Al says:

    I really dont see what the issue is here other than nobody was told… Apple does it… Google does it… Microsoft does it… do you have an issue with them as well?

    It is normal practice for companies in the field to monitor and collate what people are doing online and with thier products.. its helps make the products and services better.

    As said in the article – “only the base url is provided” that means it stops at the .com.au (or the .com) so they don’t know what you where actually looking at in the site..

    So if Telstra doesn’t do this and you buy the product and then can’t get to a website? Its going to be called a bad product…

    Do you want something that works or something that doesn’t?

    • Cameron says:

      I think you misunderstood the article.

      They claim that for this URL
      http://somesite.com/thispage.html?thisvariable=that

      They will send the base URL stripping the URI
      http://somesite.com/thispage.html

      But again they fail to explain how if they are not linking these addresses why a second visit to the same site doesn’t cause this. However a different person visiting the same site does.

      They are definitely linking this data to individual users. Whether they are sending the linked data to a third party or not we dont know as they keep feeding us half the story.

  25. Phil says:

    These actions by Telstra are shots in the battle for eventual control of the internet. That battle is not being waged by one single party or organisation but by “large interest groups” who see the internet as a tool to manipulate and use for their own ends.

    Now that the Fairfax’s of the world have been forced out of their BAU model and moved to acknowledge the net is where they have to go, it is plain to see there will be immense competition between the large monied interests for your mouse clicks like never before.

    The NBN (a great thing) is going to intensify the battle by bringing direct video competition to organisations like Fox.

    The on-going fight to control and regulate print, TV and radio media is being extended into the internet.

    None of the combatants (including Telstra) are interested in you or me except for extracting our money and directing our behaviour because that is the purpose of corporations.

    We are witnessing the early stages of a huge tug of war between a range of parties including government control via regulation and with filtering, big business for marketing and big media for eyeballs.

    Privacy is one essential part of that fight, though our privacy has already been subsumed to an extent by Google/search engines and ISPs as demonstrated by these events, we will need to fight every inch of the way to limit the use of the information they capture to preserve what we’ve got left.

  26. peter bassett says:

    Was the computers Ip address also stripped out? The article doesn’t make it clear if this is considered as part of the “variables” removed.

  27. Greg says:

    Never have I seen such a collective of paranoid hysterical people (well except maybe on Whirpool). If you’re so worried about somebody perhaps seeing what you’re looking at on the web, maybe you should go borrow a book instead, go for a walk in the park or throw a ball for a dog. Sure Telstra might have made a mistake, but it has been blown out of all proportion by a few geeks with too much time on their hands.

    • Tom says:

      Greg, you may not have noticed, but the internet is a war zone. From the US destroying nuclear facilities in Iran with viruses, to Chinese hackers stealing trade secrets the world over. Nearly every government, corporation and NGO (like wikileaks) are fighting for every piece of information they can get their hands on, and they’re all after different types of data, from the secrets of people, to the secrets of governments and corporations.

      All the protects individual people is their own awareness and the morals and ethics of the companies they pay money to for access to the internet, for most people they’re relying on the latter at their own peril, which is why this betrayal hurts.

      Once information is leaked on the internet, it’s never coming back, you’ve lost control, forever. I don’t think people here are that paranoid, I think they’re expressing anger at losing control over their private communications, from logging their web history to sending it offshore. And not even being told it was happening.

  28. Mark Gregory says:

    Guys,

    I recommend you put your comments on TheConversation or The Age and ask for Telstra to comment there. You realise this webpage is likely to be deleted as soon as everyone has expressed concern – it is called a comment corral.

    https://theconversation.edu.au/why-is-telstra-next-g-serving-your-data-to-netsweeper-in-america-7939

    regards, Mark Gregory

    • Hi Mark. Thanks for the feedback here and your post on The Conversation. I can assure you we’ve never done a comment corral and we never will. We built this blog as a means to share our stories, connect with our customers and understand their needs and opinions. Telstra Exchange is full of diverse experiences and opinions, positve and negative. We don’t delete comments, we simply do not post comments if they breach our community guidelines.

  29. Nick says:

    Seeing as you didn’t follow up to my original question – like you said you would (another failure in communication) – I’ll post these questions again:

    Why did you initially lie and say it was “normal network operation” when it is now acknowledged that it was for a product that didn’t exist and thus, far from “normal network operation”? What other lies has Telstra told?

    Does Telstra acknowledge that the list of URLs that I may visit is my personal information and may be personally identifiable information?

    Aside from this incident, what other information have you kept for any reason, including “product development”? Are you recording my calls?

  30. Mr M C says:

    Send my browsing history wherever you want. I’ve got nothing to hide. I hear what ppl are saying about privacy but some ppl are transparent and honest, like me.

    • Cory says:

      As a transparent and honest person, you might just be outraged if your personal details, preferences and thoughts were mis-used by someone. Do you really think a company in this country has the right to send “your life” half way around the world without your knowledge.

      Regardless of whether you’re ‘good’ or ‘bad’… wrong is wrong. And what Telstra have done here is wrong, and they continue to be in the wrong by treating us like idiots by not coming clean on the distasteful affair.

  31. John says:

    Everybody seems to have neglected to read the requirements of Telecommunications Act and the Telecommunications (Interception and Access) Act! This is not just a privacy issue. It is possibly far more serious.

    Under the above mentioned Acts, a telecommunications carrier cannot by law intercept and use the contents or substance of any communications (data or voice or signals) it carries for any purpose other than the operation and maintenance of its facilities. Clearly the development of a consumer product does not meet those criteria. If it was allowed, then all phone calls could also be recorded and listened to, maybe by a company in India, to find out how may people call their grandmothers so a carrier could develop a special priority service product for those calling their grandmothers.

    Telstra claims it is only sending the “to” details to the overseas company. The “to” (and “from”) is part of a communication. The “to” and “from” are essential for the carriers operation of its service but that is where the use of the data must stop.

    If as alleged, that more data is also being sent that identifies what may have been accessed on the “to” (IP address), then it further shows that Telstra is intercepting the substance ( data contents) of the communication. A carrier definitely does not need to access this information for the operation and maintenace of it facilities.

    This should be a matter for the Federal Police rather than the Privacy Commissioner. There are penalties prescribed under the above mentioned Acts for the interception of communications

  32. seven_tech says:

    Look, I don’t think everyone here is wearing a tinfoil hat by any means.

    Telstra have breached trust and privacy laws by NOT telling customers what it was doing. It would ALSO be disturbing if user IP addresses were passed on to Netsweeper. There’s NO legitimate reason for this. If Telstra need to keep a record of what IP addresses are attached to what URL query, they can randomly generate a number that can be attached to the URL which means NOTHING to Netsweeper without access to Telstra’s database.

    However, this is NO different from what Google, Apple, Microsoft, Amazon et al. do. Yes, they hid it. They should be scolded, fined and possibly sanctioned for it. But what they are doing by collecting data from users is IN the T’s & C’s when you sign up. Just like in Google. Or Apple.

    And for those of you that say “I don’t want my private web browsing followed”….I’ve got news for you….ALL web browsing is followed, even some details in Incognito or safe browser modes.

    Don’t want your “private web browsing” followed….sorry, but the only option is to NOT web browse at all to be 100% sure. The internet is public. If you don’t like or agree with that, don’t use it.

    • John says:

      @seven_tech, I am not entirely disagreeing with what you have said but the core difference here is that ‘Telstra’ is our ISP. It is not a third party like Google, it is not Apple and so on of whom we ‘elect’ to be a part of and have our data used as part of their T&C’s. In fact Google, Microsoft and Apple are very open about what they do and also provide options to opt out of some of the data mining they do – to what extent that is I am not sure about, but the opt out is there.

      Telstra on the other hand is required under Australian Acts that have been stated in these comments to ensure our data is NOT misused, NOT used for anything other than what it was intended for and NOT shared with ANY third party.

      By all means if Telstra was to bring out a new contract for their services that stated they WILL share our info to a third party, we then have a choice to leave or stay with Telstra. However even that will get such bad publicity that I am sure Telstra will not give that ultimatum to their customers. So their next and really only option is to have an opt in for Smart Controls, and then they need to clearly state what is being used, where it is being used, for what purpose it is being used and how that data will be used.

      I do not believe this is a tin foil hat issue as some others have commented on in these comments. This was blatant misuse of our data and a massive breach of several Australian Acts of which Telstra should be reported to and fined via the Australain Federal Police.

  33. Jay says:

    This is deep packet inspection. This is a gross and reckless breach of privacy no matter what they claim they keep and don’t keep!

    And as such it must surely breach existing law. How can an ISP intercept, and examine the contents of packets, without a user’s authorization?

    So much for the “we value your privacy” and similar such inane assurances.

    Let’s hope our brave politicians, when they find some time between sessions plotting ways to record all of our internet activities, find the courage to find Telstra guilty of breaching those laws that they have spend some much time carefully constructing and fine-tuning, and fine them at least $1b. That would, after all, be only a fraction of the taxpayers’ money that the government has decide to pass to Telstra for nothing much more than several holes in the ground.

  34. Mark Newton says:

    Mr M C:

    The issue isn’t about whether or not you have anything to hide.

    The issue is about whether you’re able to choose to hide it.

    Choice. Informed consent. Transparency. Trust.

    – mark

  35. Chris says:

    I personally think changing the T&C on the fly when you lot got caught out is nearly as much of a problem as the one you created. How can you be allowed to make up the rules as you go, when you make a huge mistake like this you change the playing field so when you do it again, you have covered yourself……..WRONG.

    You should not be allowed to use the phrase “We are Australian”, because you simply are a bunch of thieves nothing more.

  36. Chris says:

    I would like to add, for the people asking Telstra to prove anything, seriously how would you know if that’s not a lie, compulsive liars cannot be trusted…period.

    The only thing now is how long before the next lie, weeks, months.

  37. Anthony Goonan says:

    For those who have asked for more information. As previously advised, before any URLs were provided to our supplier, all variable information contained in the URL was ‘stripped out’ and only the base or ‘root’ URL (the URL address) was provided to the supplier. Our systems identify this variable data in URLs by identifying question mark separators and then stripping out all subsequent information. Where the URL string is separated in other ways, this information would not be stripped out from the URL provided to our suppliers.

    We believe the way in which the process was implemented complies with Telstra’s privacy obligations. Regardless, Telstra has informed the Office of the Australian Information Commissioner about this process and the information that has been provided to our supplier.

    Further, given our customers’ concerns with this process we voluntarily ended this process last week.

    Anthony

    • Matthew Moyle-Croft says:

      This doesn’t excuse doing it in the first place. (ie. intercepting a telecommunications service, harvesting data from it and sending it to a 3rd party overseas). Stripping some of the data away doesn’t remove some possible traces of who was using it – depending on how people choose to encode URLs. So, you are guaranteed to have leaked some data.

      I notice no apology, just more self justification.

    • Cameron says:

      Most importantly you have still failed to explain why the same user only gets ‘scanned’ by the remote system once when the user visits the same URL twice.

      Then when a different user visits the same URL they are scanned.

      It indicates that you are linking URL data to each user somewhere in your system. Anonymised or not this data had been proven to be identifiable.

      That is one of the most concerning issues that is being brushed under the carpet.

    • Ross says:

      Hi Anthony,

      Would you please post details of the person we should contact to receive a copy of our data that was stored and/or forwarded to a 3rd party.

      I’m struggling to understand why this simple request is taking so long to address.

    • Thank you Ross for your comment.
      Telstra removes the IP address which is associated with the customer before any information is sent to our supplier and as such it is not technically possible for our supplier to associate any information with a specific customer. So no information that we or our supplier can link with you was stored and therefore we cannot provide copies.

    • Cameron says:

      Thankyou for the further information Anthony.

      You state
      “Telstra removes the IP address which is associated with the customer before any information is sent to our supplier and as such it is not technically possible for our supplier to associate any information with a specific customer. So no information that we or our supplier can link with you was stored and therefore we cannot provide copies.”

      While I accept you remove the IP address. Is there another anonymous ID associated to the URLs so that the data sent to the supplier is grouped to each individual user.

      Its an easy yes or no question which no Telstra rep has addressed. It has also been asked many times by myself and others here.

      Can you provide us with an example line of data you would send through to the supplier please?

    • Dan says:

      Hi Anthony,

      We appreciate your responses to our queries and for many of us it is simple to set our minds at ease.

      Specifically when you say: “So no information that we or our supplier can link with you was stored and therefore we cannot provide copies.”

      So you are confirming that the Telstra database does NOT contain individual customer IP addresses and their associated URLs, but rather contains only stripped URLs and their relative “ratings” with no customer IP or other identifying data?

    • Peter Reeves says:

      Anthony, you state

      “Telstra removes the IP address which is associated with the customer before any information is sent to our supplier and as such it is not technically possible for our supplier to associate any information with a specific customer”

      I might be a bit confused, but who is your supplier and why are you sending information to them in the first place. What services are they supplying?

      regards

      peter

  38. Hubert says:

    So according to the diagram, full unredacted URLs and customer IPs were (are?) stored in a Telstra database before being redacted and sent to Netsweeper?

    What’s the retention policy on this Telstra database and what is the justification for storing customer IPs and full URLs at all, at any point?

    This seems to indicate that Telstra is logging data obtained from deep-packet inspection in a way that allows an individual customer’s browsing history to be reconstructed.

    I find this highly objectionable, particularly as I would never subscribe to any ‘cyber-safety’ or filtering tool and have no interest in contributing to its development in any way.

  39. I am very concerned at the number of telstra sockpuppets that seem to be in damage control mode, offering platitudes and irrelevant information about the function and use of data.

    Nobody is going to jump to a telco’s defence over spying and storing the data offshore. You’re dumb, apologise.

  40. Barry says:

    There can be no excuse for this, I pay $129 for a premium service. This only makes me question what the funds are going towards. Soon as my contract expires I will be signing up with another provider.

  41. Geoff Hiuston says:

    It is important to understand that Section 7 of the Telecommunications (Interception and Access) Act states that:

    “A person shall not:
    (a) intercept;
    (b) authorize, suffer or permit another person to intercept; or
    (c) do any act or thing that will enable him or her or another person to intercept;
    a communication passing over a telecommunications system.”

    It is important to understand that Telstra employees authorising interception of a customer’s data stream and picking out URLs is in breach of this Act. What ever they did with the URL string thereafter is not really the issue, nor are their motives. Yes there are privacy issues here, but equally there is a clear issue relating to the Telecommunications Act itself and Telstra’s role as a public carrier under the terms of the Telecommunications Act. The Telecommunications Act is clear – Telstra has no grounds for interception customer’s traffic, and is breaking the laws of the Commonwealth of Australia when it did so. THAT is what “is important to understand” here.

    And no, my mind is not “at ease” after reading Telstra’s corporate response to this. I am very concerned when an Australian corporate entity thinks it operates in a rarefied atmosphere that is above the laws of this country and treats these laws with such evident disdain. By admitting that Telstra harvested URLs and saying that this had absolutely nothing to do with the normal operation of the network then clearly they are saying that they breached the provisions of the Telecommunications Act, yet they appear to believe that this is simply not a problem, and would rather this was simply a matter of privacy. As if “we are sorry and we will do better next time” is enough. Such erstwhile wringing of their corporate hands may be enough to satisfy the Privacy Commissioner (or not – who knows), but it does not strike me as anything even vaguely like an admissible defence to a clear breach of the provisions of the Telecommunications (Interception and Access) Act.

    • Totally Unacceptable says:

      Stated the case perfectly.

    • Justin says:

      Hi Geoff,

      They seem to be happily ignoring this little issue of breaching the Telecommunications Act. Has anybody reported the breach to the AFP yet?

      Justin.

  42. Ash says:

    Anthony,

    Your last sentence was “we’ll keep working with you to clarify any further points of concern you might raise.”

    Were you being honest when you wrote this? Many further points of concern have been raised in this blog (let alone in other forums), when will you be clarifying them like you said you would?

    Telstra representatives keep talking about trust, but if you do not do the things you say you will do, how on earth do you expect to gain trust?

    This is not rocket science, just be honest.

  43. louisa says:

    how dare you seek to censor my access to the web! who the hell do you think you are?! nevermind storing and fossicking through my private data which you know is illegal.

    how is an Australian citizen to trust Telstra if the company seeks to limit that citizens access to information secretly?? how is that citizen to know that they are not getting the product advertised “the Internet” but in fact a sanitized version. in which that citizen will never know what telstra deemed unfit for their eyes? because you never intended to disclose.

    you guys need to seriously get off your God-complex

  44. Totally Unacceptable says:

    There are a number of significant issues here that I am very concerned about. You:

    (a) observed by browsing habits
    (b) recorded them
    (c) didn’t tell me
    (d) gave it to an offshore third party
    (e) may or may not have removed personal information
    (f) lied about it and
    (g) changed the terms and conditions when you got caught

    If your girlfriend did this to you, what would you do?

    Not only do I feel like I have been lied to and spied on, I am now concerned about my online security and the trustworthiness of Telstra.

    Do I have to change all of my passwords? Is my personal account information safe. How can I trust the person that comments on this post – as skeptik wats doin johnston has noted – there seems to be a lot of Telstra friendlies on here.

    What does my Telstra contract say about breaches? Should we decide to terminate or keep the contract afoot and look for compensation?

  45. Ben says:

    Hi,

    I am a Telstra mobile & Bigpond subscriber.

    I am deeply concerned that Telstra has been building a database of my browsing history by means of transparent proxy or such without my consent.

    Even if you are ‘sanitising’ the data (only if it’s uses a ? for variables) before you send it offshore the fact that this offshore provider was only visiting URLs on the first instance that they were accessed by each individual subscriber indicates that you have built a database of my browsing history.

    So what I want to know is:

    1. Who can I write to in order to obtain the full details of the data you have harvested on my browsing?

    2. What is your data retention policy?

    3. How do you identify customers in this database? Is it by IP? Subscriber numbers? etc.

    4. How secure is your database?

    5. Have you constructed any similar database of Bigpond subscribers?

    Thanks,

    Ben.

  46. Barry says:

    Is there a way I can cancel my mobile contract over this without too much hassle?

    I am going to call up telstra to discuss and then refer it to the TIO if I have issues with it. I don’t care what they used the data for, the very fact that they monitored my traffic violates my privacy.

    Also to all those saying google facebook etc do this all the time you are missing the point. First of all, I don’t have to use facebook or google, there are alternatives. Also, I never entered a sales contract where I agreed to pay them money for services, they are providing a free (to me) service so I am more lenient that they try to raise funds somehow. Telstra in this case is being paid by me to provide a service for me. Why do they need to violate my privacy in order to assist for their own goals? Is the money not enough?

    One way or another – this is going to the TIO, I will stop payments and I am in a position where I can afford a lawyer over this and will happily spend what would be a great deal of money to the average consumer for the principle of what is right and wrong.

    • Hi Barry. May I suggest you that you use the button to the top right hand of our blog with two options – you can click to ‘Ask the Crowd’ in a forum or you can go through to our ’24/7 Facebook page’. There are two options to contact us here as these links get you straight through to people who can help – you’ve come through to our corporate blog site here and I’d highly recommend using one of these new avenues to get directly in touch with Telstra about a specific product issue. Unfortunately I can’t look into it from where I am sitting. These avenues are a good way to get someone to look into your account and the issues you’ve been having. Brendan

Leave a Comment