Yesterday, we stopped sale of a cyber-safety tool (named ‘Smart Controls’) in response to your concerns about the process that we had been employing in collecting data to support the launch of the product. To reassure our customers about what this process had involved, we published a post outlining the background to the development of this product. In response to this post, a number of our customers have contacted us with further, specific questions about this process.
These questions were legitimate and well informed, and we thought that all our customers would benefit from hearing the answers. A lot of these questions related to how and what information was passed on to our supplier for this product.
We understand that there are a lot of misperceptions about this at present, so I’ve set out the process under which information was provided to our supplier in detail below.
The first thing to know is that at no time was a customer’s browsing history or ‘clickstream’ provided to the suppliers of this product. As we’ve set out in more detail below, the only information that was provided to the supplier of this product was target website addresses without any information to link these target website addresses to a customer, or even any other websites visited by the customer, or any information provided by the customer.
When you type or click on an internet address (URL), a number of things are sent as part of your request to retrieve the website. These include the URL (e.g. http://exchange.telstra.com.au) and, separately, your IP address – effectively your computer’s or mobile’s personal address on the internet.
In some instances where you are required to type in additional information as part of the website request, this information (called ‘variables’) can be included in the URL itself. For example, if I search for my name on this website the URL would be http://cluster01-query.funnelback.com/search/search.cgi?query=anthony+goonan&collection=telstra-exchange&form=simple.
It is important to understand that before any URLs were provided to our supplier, all variable information contained in a URL was ‘stripped out’ and only the base or ‘root’ URL (the URL address) was provided to our supplier. In fact, at no time was information linking the URL address to any customer provided to our supplier. Only the URL address without any variables or other information from the internet site was stored in the Telstra or Netsweeper databases.
As the internet is constantly evolving, with new websites being added every minute, a cyber safety product such as Smart Controls will only be effective if it is continually updating its database of website classifications. As such, to develop this product, a process was needed that quickly identified new websites, then assessed them and classified them to enable customers’ preferences to work as accurately as possible. This is why Netsweeper was used. Netsweeper already maintains an extensive database of the classification of website addresses and is used by companies around the world for this purpose.
As part of developing this cyber safety product, Telstra began comparing websites requested by its mobile customers against a list of known websites in a Telstra database housed in Australia to see whether each was already classified and within the specified lifetime of the classification (anywhere from 12 hours to 30 days depending on the site). If a site was already classified, as were the majority of sites on the internet, no further action was taken.
If the Telstra database did not recognise the website, usually because the website had only recently been created, the URL was sent to the Netsweeper database (either in the US or Canada) to see if it had a classification for the website. If the website had been classified in the Netsweeper database, this information was sent back to the Telstra database and no further action was taken. If the Netsweeper database didn’t recognise the URL address, the site was accessed and then assessed for classification, and the classification was sent back to the Netsweeper and Telstra databases. The databases are used solely for the purposes of enabling websites to be classified to give customers the opportunity to opt into a service that would allow them to manage what sites can be accessed on their device.
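The stripping and lookup flow described above can be sketched as follows. This is an added example, not Telstra's or Netsweeper's code: the names `strip_variables`, `LocalDB` and `classify`, the category value and the `sent_log` list are all hypothetical. It assumes the "URL address" keeps scheme, host and path, and it records every value that would leave the local database so the result can be audited.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

def strip_variables(url):
    """Keep scheme, host and path; drop userinfo, query string and fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, "", ""))

class LocalDB:
    """Stand-in for the local classification database with entry lifetimes."""
    def __init__(self):
        self.rows = {}                   # stripped URL -> (category, expires_at)
    def lookup(self, key, now):
        row = self.rows.get(key)
        return row[0] if row and row[1] > now else None
    def store(self, key, category, now, lifetime):
        self.rows[key] = (category, now + lifetime)

def classify(url, local, upstream, assess, now, lifetime, sent_log):
    """Return (category, source); sent_log collects what was sent upstream."""
    key = strip_variables(url)
    category = local.lookup(key, now)
    if category is not None:
        return category, "local"         # known and unexpired: nothing is sent
    sent_log.append(key)                 # the only value that goes upstream
    if key in upstream:
        category, source = upstream[key], "upstream"
    else:
        category, source = assess(key), "assessed"
        upstream[key] = category         # new classification stored upstream
    local.store(key, category, now, lifetime)
    return category, source

if __name__ == "__main__":
    # Constructed run: the search URL quoted in the post, 12-hour lifetime.
    url = ("http://cluster01-query.funnelback.com/search/search.cgi"
           "?query=anthony+goonan&collection=telstra-exchange&form=simple")
    db, upstream, sent = LocalDB(), {}, []
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(classify(url, db, upstream, lambda k: "search", now,
                   timedelta(hours=12), sent))
    print(sent)
```

Identifiers carried in the path rather than in the query string survive this kind of stripping, so a stricter variant would send only the scheme and host.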
The process in its most basic form is outlined in the diagram below.
In response to your concerns, we’ve talked about this process with the Privacy Commissioner, the Australian Communication and Media Authority, the Telecommunications Industry Ombudsman, the Australian Communications Consumer Action Network as well as talking to our community through this forum and one on one with individual customers. We are committed to being transparent about how we use the personal information customers entrust to us, and we apologise for any confusion or concern this has caused – we’ll keep working with you to clarify any further points of concern you might raise.