Telstra cancels covert filter testing


news

The nation’s largest telco Telstra today announced it had stopped archiving the web browsing activity of its users for the purpose of implementing a new voluntary Internet filter product, following widespread concern expressed this week after the test was revealed by a savvy group of network administrators.

Earlier this week it was revealed that Telstra was developing a new cyber safety tool dubbed ‘Smart Controls’, using technology from US company Netsweeper to build an Internet database that would allow customers of its broadband services to set categories of content which their children could access online. A spokeswoman for the telco said the system had “absolutely nothing to do” with Telstra’s marketing or billing divisions, but was a new platform which Telstra would offer parents to help manage their children’s use of the Internet.

However, a number of Telstra customers expressed concern earlier this week after it was found that Telstra had been developing the system’s database partly by archiving web addresses visited by users of its Next G mobile network, with the data heading offshore to be stored in the US. Greens Senator and Communications Spokesperson Scott Ludlam issued a terse request on Twitter to Telstra to explain the behaviour, and the Pirate Party issued an extensive statement stating that it was “outraged” at what it described as Telstra’s “underhanded scheme”.

“This raises a series of very serious issues. They are logging user behaviour without consent and the data is stored in the United States where our Privacy Act does not apply, but where the Patriot Act does apply. I find the claims that the non-consensual use of the data will be used to build an Internet filtering database for their ‘Smart Controls’ product to be troubling,” said Brendan Molloy, Party Secretary.

“If they were simply comparing the access URLs against a list, there would be no need for their software to actually download the requested pages. The worst part is that the logging software they are using poses as a legitimate hit from a Firefox 3 browser, so one cannot just block or detect their logging software. It’s dishonest at best, and malicious at worst. You won’t find a Google indexing spider pretending to be another browser.”

The Pirate Party called for the immediate cessation of the data logging by Telstra pending the consent of Telstra users, and a recommendation for an investigation by the Privacy Commissioner. “Pirate Party Australia will not tolerate any incursion into personal privacy, which includes data retention schemes with no judicial or public oversight,” the organisation wrote.

This morning Telstra announced that it would back down with regards to the system, following the complaints by customers and the political pressure applied by several parties.

“Our customers’ trust is the most important thing to us and we’ve been listening to the concerns of our customers regarding the development of a new cyber safety product,” a spokeswoman said in an emailed statement.

“We want to reassure all our customers that at no point in the development of this product was personal information collected or stored. We’ve heard the concerns online and we acknowledge more consultation was needed. We are stopping all collection of website addresses for the development of this new product. More explanation would have avoided concerns about what we were collecting.”

opinion/analysis
Firstly, I want to thank the many readers who sent me information about this issue over the past several days. I didn’t quite have enough time to cover the issue until today, but I appreciate you all getting in contact about it. Data retention — particularly covert data retention — by Australian telcos is an incredibly important issue, and I’m glad we’ve finally gotten to the bottom of what was going on here. I also want to pay tribute to journalists at ZDNet.com.au and SC Magazine for their excellent work on this issue.

My own personal view on this issue is that it was always a bit overblown. I was a bit time-constrained this week, but I also didn’t devote as much attention to this issue as some would have no doubt liked, because Telstra made it clear to me very early in my investigation of what was going on here that at no stage was the data being collected linked to individual account-holders, as it would be in the far more nefarious data retention initiatives currently being pursued by the Federal Attorney-General’s Department (commonly known as ‘OzLog’).

I don’t particularly see why Telstra had to use live data for its testing of this new opt-in filter product, and I certainly don’t think the telco should be collecting such data without notifying its users that it’s doing so.

However, in the grand scheme of things, Telstra isn’t an ‘evil’ company right now — in fact, by almost any measure it seems to be doing its best to become a good company which supports its customers with great customer service, disclosure and overall good products and services — and its activities here in logging this data weren’t designed to harm customers. It anonymised the data it collected, after all, and was collecting it in the first place to help build a system to protect children.

For Telstra to collect anonymised data on the web sites its customers are visiting is pretty analogous to a major bank collecting anonymised data on what its customers are using their credit card for. Sure, this activity should be disclosed; but what Telstra was doing was very likely not illegal, not nefarious and probably quite useful in the long run. Before we all get on our high horse talking about our civil liberties being trampled on, I think we should remember that. There are far worse breaches of privacy going on out there at the moment; many of them involving government itself; and I suspect that in a week’s time this minor activity by Telstra will have already been forgotten.

Image credit: Telstra

15 COMMENTS

  1. Hi Renai,

    I agree with hindsight that this was probably a little overblown, but at the outset, I believe my concerns were justified especially in the light of precedents set elsewhere for example with BT and Phorm.

    I completely support the idea of a simple to use filter for parents and am sure it will be very successful, provided it isn’t trivial to circumvent of course.

    Also let’s hope, unlike another filtering product on the horizon, it won’t be marketed in a way likely to give parents a false sense of security. IMHO Children are more likely at risk from sites categorised as ‘social networking’ than pornography but blocking the former is likely to be a much harder sell.

    E

  2. “There are far worse breaches of privacy going on out there at the moment; many of them involving government itself; and I suspect that in a week’s time this minor activity by Telstra will have already been forgotten”.

    soooo…

    It’s not to worry folks because the not so good stuff Telstra is doing without disclosure to its paying customers is…

    … not as bad as the really bad stuff others are doing.

    hmmmm…

  3. Agreed Renai.

    It should be disclosed and for NOT doing that, Telstra SHOULD get a rap on the knuckles. But what they’re doing amounts to only a small portion of what a company like Google does. The difference being Google asks.

    I would hate to see a legitimate attempt at providing a good tool destroyed by overzealous ‘privacy protection’ campaigners.

  4. But why are they needing to collect URLs to build a filter?

    The other thing is these URLs they are collecting are nothing like a bank collecting details on what you buy. These URLs if accessed could link you to things that are behind ‘security’ settings for them to not be public. Example facebook photos, if you get a direct link to one you bypass the ‘security’ facebook puts in place to stop people from seeing it on the facebook site.

  5. I would like the answer to some very simple questions.

    Why does Telstra need to harvest customers’ requests for a URL?

    They supposedly claim that they are running the URLs against the Netsweeper database. Netsweeper have been providing filtering for years and to some hard markets like Iran according to what I have read. I would have thought that their database was pretty accurate. Surely all Telstra needed to do was purchase the Netsweeper system and configure it.

    Why would they need to go to the expense of developing and maintaining their own filter?

    A bit of tin foil hat I know but the explanation doesn’t quite sit comfortably for me. I would like to see some deeper digging into this.

  6. It sounds like the storing and querying of unknown URLs is a built-in magic feature of the product they tested. Telstra might not have examined the product in detail before they flipped the switch. They perhaps should have.

    Oh well, at least they owned up to it quickly.

  7. I think the analogy of a bank collecting anonymised information from its customers is flawed. If I go to a bank’s website, essentially my request terminates at the bank’s servers — the bank is collecting information about the accesses I’m requesting *of the bank*. In this case, it would appear that Telstra is collecting information about how I use *non-Telstra services*. In other words, they are intercepting a communication to which they’re not a party other than by virtue of being a carrier. And then “using” that data for product development (as against service management) purposes.

    By recording the data that they have, it would seem Telstra have created a stored communication which can be accessed under the relevant part of the Telecommunications Act. Under s108 of the Act, accessing a stored communication without the knowledge of the sender or recipient is subject to penalty [same applies as well to non-stored communication, but that’s harder to demonstrate]. Telstra has admitted the activity. So who will hold them accountable to the Act?

  8. So it seems that Google were unfairly penalised when they did less – they only grabbed people’s Wifi traffic for brief periods while they drove past.

    • This is exactly what I was thinking, Google only collected information from open wifi spots briefly, Telstra has been intercepting all traffic on its mobile network for an unknown time period and for a not yet fully disclosed purpose.

      As stated by Mike C above this is a clear breach of the privacy act, no doubt Senator Ludlam will hold them to account though when more information (like what Mark Newton was asking) comes to light.

      I will say I’m a bit surprised at Renai’s article, it doesn’t really matter if Telstra is a “good” company or whatever, it’s grossly breached the privacy act and admitted to it, just like the recent cases against Optus and TPG for their ACCC breaches Telstra need to be held to account for this, if they’re not then it sets a bad precedent for other carriers and for people’s privacy rights online.

    • Google only collected information from open WiFi systems that were publicly broadcast in their misguided drive by operation.

      Telstra has collected and distributed private data on a closed network, breaching the trust of their customers at the very least.

      Both have breached privacy in my opinion but the conduct of one seems more reprehensible than the other. I am sure you can figure out which is which.

    • Google claim that their action in logging wifi packet data was accidental.

      Telstra are unable to claim such a thing – it requires deliberate configuration to install traffic sniffing devices on the network, and configure them to forward that traffic to a third party.

      Simply: Telstra’s actions were deliberately monitoring traffic, Google’s accidental.

    • This isn’t kindergarten Renai, I’m pretty sure that if (and by the sounds of it when) Telstra is found to have breached the privacy act by not informing customers of what they were doing, them simply saying sorry isn’t going to cut it.
