The nation’s largest telco Telstra has flatly rejected allegations that it is routinely logging all of its customers’ web browsing data and email history on behalf of national security and intelligence agencies, stating that it does not “routinely” collect or store its customers’ telecommunications data unless required to do so.
Late last week, respected security and intelligence journalist Philip Dorling, who has broken a number of major Australian security, intelligence and defence stories, published a detailed article in The Age newspaper claiming that Telstra “has installed highly advanced surveillance systems to ‘vacuum’ the telephone calls, texts, social media messages and internet metadata of millions of Australians so that information can be filtered and given to intelligence and law enforcement agencies.”
Dorling claimed Telstra had implemented sophisticated traffic monitoring solutions from global firm Gigamon, as distributed locally by Newgen Systems. The journalist claimed among the data being collected by Telstra was not only telephone records, which every Australian telco maintains for billing purposes, but also web browsing history and metadata pertaining to emails sent and received. In response, Telstra this morning issued the following statement:
“Telstra does not routinely collect or store our customers’ telecommunications data to undertake mass surveillance on behalf of Australian national security agencies. Intrinsic to providing telecommunications services is generating data, for example the time, location and duration of telephone calls. We generate this data as part of providing a service to our customers and we store it for as long as it makes sense commercially and legally to do so. For instance, we are required to hold billing data for up to six years to meet our obligations under the Telecommunications Consumer Protection Code.”
“Telstra does not use any traffic monitoring system to conduct mass surveillance on behalf of Australian national security agencies. There are legally defined instances when we receive and are required to comply with lawful requests from national security agencies to provide specific data from our networks. We comply with the law and collect and disclose information to these agencies only when we are legally required or permitted to do so.”
“Telstra is not required by law to store all communications data for Australian Government agencies. All telecommunications companies in Australia have obligations to provide reasonable assistance to law enforcement and national security agencies, which can include disclosing certain data when we receive a lawful request from these agencies. These powers are outlined in the Telco Act and TIA Act.”
Dorling’s claims are not the first time that Telstra has been accused of widespread surveillance of its customers’ Internet and telecommunications habits.
In mid-July this year, for example, independent media outlet Crikey published what appeared to be the text of a secret agreement signed by Telstra a decade ago with US Government agencies such as the FBI and the Department of Justice that provided American law enforcement and national security organisations with an extremely broad level of access to all of the telco’s telecommunications passing in and out of the US through Telstra’s Reach submarine telecommunications cables.
The agreement is particularly concerning for Australians, given the volume of Internet traffic and routed telephone calls which pass through Reach’s infrastructure to the US, where much of the world’s largest Internet backbones and data sources are located. It is likely that Reach’s data retention facilities in the US have stored hundreds of millions to billions of records about Australian telecommunications and Internet access over the past 12 years; all of which would have been made available to US Government agencies.
Asked about the issue at the time, a Telstra spokesperson attempted to downplay the situation.
“This Agreement, at that time 12 years ago, reflected Reach’s operating obligations in the US that require carriers to comply with US domestic law,” they said. “It relates to a Telstra joint venture company’s operating obligations in the United States under their domestic law. We understand similar agreements would be in place for all network infrastructure in the US. When operating in any jurisdiction, here or overseas, carriers are legally required to provide various forms of assistance to Government agencies.”
Separately, in June 2012, it was revealed that Telstra had been archiving web addresses visited by users of its Next G mobile network, as part of its development process for a new cyber safety tool dubbed ‘Smart Controls’, using technology from US company Netsweeper to build an Internet database that would allow customers of its broadband services to set categories of content which their children could access online.
A spokeswoman for the telco at the time said the system had “absolutely nothing to do” with Telstra’s marketing or billing divisions, but was a new platform which Telstra would offer parents to help manage their children’s use of the Internet.
Dorling’s report comes six months after the Parliamentary Committee examining the Government’s controversial national security reforms recommended that the data retention segments of the reforms, which would have seen telcos such as Telstra storing data in a very similar fashion to that suggested by Dorling last week, go through the committee process once again. The data retention reforms have been almost universally criticised as privacy-invasive by a wide range of stakeholders in the Australian community. The then-Labor Federal Government subsequently put the reforms on the back burner.
The news comes amid widespread concern over the use of telecommunications networks and datacentres, especially those used for cloud computing facilities, particularly in connection with revelations by former NSA contractor and whistleblower Edward Snowden.
In June, UK newspaper the Guardian published classified documents created by the agency, which stated that the NSA was able to gain “direct access” to the servers of companies such as Google, Facebook, Apple, Microsoft, Yahoo and Skype. The access allowed US officials to collect information including search history, the content of emails, file transfers and live chats.
Subsequently, the New York Times reported that the US Government had used the system to collect information on non-US citizens overseas for nearly six years. The revelation of the move has caused outrage online, amongst the general public as well as those specifically interested in digital rights and privacy online. Fairfax reported at the time that the Australian Government had access to data sourced from the so-called PRISM program.
In Australia, the Greens are seeking a wide-ranging inquiry into the activities of the nation’s intelligence agencies, as well as separate Parliamentary Committees into these issues.
In a speech in the Senate last week, Ludlam pointed out that other major countries had already initiated inquiries following Snowden’s revelations. “The European parliament is extremely concerned about this,” he said. “It immediately established an inquiry on electronic mass surveillance, once the revelations had been made public by The Guardian and The Washington Post. The French, Canadian and German parliaments, and Westminster itself, all considered like-minded democracies, initiated inquiries immediately. This was followed by Brazil, Ecuador and many others. In the United States, the head of the NSA was called before congressional committees and told to explain himself.”
This is not a black and white situation. Do I think there is some truth to Dorling’s article? Certainly. I think Telstra has indeed engaged with the traffic monitoring systems described, and it obviously has the capacity to monitor and log its customers’ online activities. It’s even required to do so for certain customers that are of national security concern.
Is Telstra doing this on a mass scale with all of its customers? I don’t think so right now. But again, it’s not a black and white situation — there are degrees of technical granularity here. I don’t think, for example, that the telco has an easily accessible internal database of all its customers’ web history. But it’s possible that its systems store all customers’ data temporarily, or a limited subset of their data. Modern network traffic monitoring and control systems are extremely complex and powerful. There could be a thousand degrees for a thousand different customer segments in terms of what Telstra is or is not storing.
What we can be sure of is that this is an issue that is going to come up again and again with Australia’s major telcos. Constant vigilance on their operations — and mandatory disclosure laws enforcing transparency to customers — is the only way to ensure they won’t abuse their very obvious power. In this sense, although Dorling’s article might not represent the whole context of what’s happening here, it is still a very useful piece of journalism indeed.
If telcos like Telstra believed nobody was watching, I have no doubt they would go a lot further with respect to this area than they are today.