news
The nation’s largest telco Telstra has flatly rejected allegations that it is routinely logging all of its customers’ web browsing data and email history on behalf of national security and intelligence agencies, stating that it does not “routinely” collect or store its customers’ telecommunications data unless required to do so.
Late last week, respected security and intelligence journalist Philip Dorling, who has broken a number of major Australian security, intelligence and defence stories, published a detailed article in The Age newspaper claiming that Telstra “has installed highly advanced surveillance systems to ‘vacuum’ the telephone calls, texts, social media messages and internet metadata of millions of Australians so that information can be filtered and given to intelligence and law enforcement agencies.”
Dorling claimed Telstra had implemented sophisticated traffic monitoring solutions from global firm Gigamon, as distributed locally by Newgen Systems. The journalist claimed among the data being collected by Telstra was not only telephone records, which every Australian telco maintains for billing purposes, but also web browsing history and metadata pertaining to emails sent and received. In response, Telstra this morning issued the following statement:
“Telstra does not routinely collect or store our customers’ telecommunications data to undertake mass surveillance on behalf of Australian national security agencies. Intrinsic to providing telecommunications services is generating data, for example the time, location and duration of telephone calls. We generate this data as part of providing a service to our customers and we store it for as long as it makes sense commercially and legally to do so. For instance, we are required to hold billing data for up to six years to meet our obligations under the Telecommunications Consumer Protection Code.”
“Telstra does not use any traffic monitoring system to conduct mass surveillance on behalf of Australian national security agencies. There are legally defined instances when we receive and are required to comply with lawful requests from national security agencies to provide specific data from our networks. We comply with the law and collect and disclose information to these agencies only when we are legally required or permitted to do so.”
“Telstra is not required by law to store all communications data for Australian Government agencies. All telecommunications companies in Australia have obligations to provide reasonable assistance to law enforcement and national security agencies, which can include disclosing certain data when we receive a lawful request from these agencies. These powers are outlined in the Telco Act and TIA Act.”
Dorling’s claims are not the first time that Telstra has been accused of widespread surveillance of its customers’ Internet and telecommunications habits.
In mid-July this year, for example, independent media outlet Crikey published what appeared to be the text of a secret agreement signed by Telstra a decade ago with US Government agencies such as the FBI and the Department of Justice that provided American law enforcement and national security organisations with an extremely broad level of access to all of the telco’s telecommunications passing in and out of the US through Telstra’s Reach submarine telecommunications cables.
The agreement is particularly concerning for Australians, given the volume of Internet traffic and routed telephone calls which pass through Reach’s infrastructure to the US, where many of the world’s largest Internet backbones and data sources are located. It is likely that Reach’s data retention facilities in the US have stored hundreds of millions to billions of records about Australian telecommunications and Internet access over the past 12 years, all of which would have been made available to US Government agencies.
Asked about the issue at the time, a Telstra spokesperson attempted to downplay the situation.
“This Agreement, at that time 12 years ago, reflected Reach’s operating obligations in the US that require carriers to comply with US domestic law,” they said. “It relates to a Telstra joint venture company’s operating obligations in the United States under their domestic law. We understand similar agreements would be in place for all network infrastructure in the US. When operating in any jurisdiction, here or overseas, carriers are legally required to provide various forms of assistance to Government agencies.”
Separately, in June 2012, it was revealed that Telstra had been archiving web addresses visited by users of its Next G mobile network, as part of its development process for a new cyber safety tool dubbed ‘Smart Controls’, using technology from US company Netsweeper to build an Internet database that would allow customers of its broadband services to set categories of content which their children could access online.
A spokeswoman for the telco at the time said the system had “absolutely nothing to do” with Telstra’s marketing or billing divisions, but was a new platform which Telstra would offer parents to help manage their children’s use of the Internet.
Dorling’s report comes six months after the Parliamentary Committee examining the Government’s controversial national security reforms recommended that the data retention segments of the reforms, which would have seen telcos such as Telstra storing data in a very similar fashion to that suggested by Dorling last week, go through the committee process once again. The data retention reforms have been almost universally criticised as privacy-invasive by a wide range of stakeholders in the Australian community. The then-Labor Federal Government subsequently put the reforms on the back burner.
The news comes amid widespread concern over the use of telecommunications networks and datacentres, especially those used for cloud computing facilities, particularly in connection with revelations by former NSA contractor and whistleblower Edward Snowden.
In June, UK newspaper the Guardian published classified documents created by the agency, which stated that the NSA was able to gain “direct access” to the servers of companies such as Google, Facebook, Apple, Microsoft, Yahoo and Skype. The access allowed US officials to collect information including search history, the content of emails, file transfers and live chats.
Subsequently, the New York Times reported that the US Government had used the system to collect information on non-US citizens overseas for nearly six years. The revelation of the move has caused outrage online, amongst the general public as well as those specifically interested in digital rights and privacy online. Fairfax reported at the time that the Australian Government had access to data sourced from the so-called PRISM program.
In Australia, the Greens are seeking a wide-ranging inquiry into the activities of the nation’s intelligence agencies, as well as separate Parliamentary Committees into these issues.
In a speech in the Senate last week, Ludlam pointed out that other major countries had already initiated inquiries following Snowden’s revelations. “The European parliament is extremely concerned about this,” he said. “It immediately established an inquiry on electronic mass surveillance, once the revelations had been made public by The Guardian and The Washington Post. The French, Canadian and German parliaments, and Westminster itself, all considered like-minded democracies, initiated inquiries immediately. This was followed by Brazil, Ecuador and many others. In the United States, the head of the NSA was called before congressional committees and told to explain himself.”
opinion/analysis
This is not a black and white situation. Do I think there is some truth to Dorling’s article? Certainly. I think Telstra has indeed engaged with the traffic monitoring systems described, and it obviously has the capacity to monitor and log its customers’ online activities. It’s even required to do so for certain customers that are of national security concern.
Is Telstra doing this on a mass scale with all of its customers? I don’t think so right now. But again, it’s not a black and white situation — there are degrees of technical granularity here. I don’t think, for example, that the telco has an easily accessible internal database of all its customers’ web history. But it’s possible that its systems store all customers’ data temporarily, or a limited subset of their data. Modern network traffic monitoring and control systems are extremely complex and powerful. There could be a thousand degrees for a thousand different customer segments in terms of what Telstra is or is not storing.
What we can be sure of is that this is an issue that is going to come up again and again with Australia’s major telcos. Constant vigilance on their operations — and mandatory disclosure laws enforcing transparency to customers — is the only way to ensure they won’t abuse their very obvious power. In this sense, although Dorling’s article might not represent the whole context of what’s happening here, it is still a very useful piece of journalism indeed.
If telcos like Telstra believed nobody was watching, I have no doubt they would go a lot further with respect to this area than they are today.
What concerns me is that their response is similar to the response I received from Optus about this issue on Twitter last week.
https://twitter.com/Optus/status/408810787575042048
We’ve seen what can be construed to be legal obligations with all the S313 requests. If an agency comes to them and claims that it is reasonable for them to comply they don’t seem to question it.
I don’t trust any of them.
Oh and then there’s this http://www.theguardian.com/world/2013/dec/10/australian-police-to-adopt-technology-capable-of-collecting-emails
Would the logging/storage of user data not be done directly by Aus gov agencies as with direct fibre taps etc? This would make what Telstra is saying plausible though somewhat misleading.
Yep, could well be the case.
Ordinary law enforcement jobs may involve asking the ISP to collect data, which of course they will do with a warrant. This should go without saying.
If it’s a national security / intelligence mob doing the investigating, it’s unlikely they actually need any cooperation from the ISP as they have the tools to intercept regardless.
>”unless required to do so.”
Which therefore makes the denial meaningless. We already know that s313 places substantial and very vague obligations on carriers.
Telstra’s poor history in this regard creates a fundamental trust issue. The cloud (no pun intended) hanging over them, and over the LENSAs, can only be cleared by having a parliamentary enquiry with a full public disclosure over the scope of their activities.
One important issue that remains unresolved is: what is metadata?
How much of an email that either passes through Telstra’s network or is handed to Telstra for onward delivery is metadata and how much is content?
How much of a web request that either passes through Telstra’s network or is intercepted by Telstra (transparent proxy) is metadata and how much is content?
The definition of metadata was created in the telephone era. It is fine for telephone calls placed over the PSTN. The definition is inadequate in the internet era.
Telstra moved their email to US-based servers a year or so ago. They don’t have to log anything; the NSA will do it for them.
They might not collect this data for law enforcement unless they have to, but they do collect it for their own use.
I was at a presentation at the Oracle offices in Melbourne a few years ago where a Telstra guy was talking about “Big Data” and how awesome it was for marketing. One example he used was the potential to market a new mobile plan to a home phone customer who uses their home phone to call a competitor’s prepaid recharge line.
If they can use this kind of billing metadata for marketing, what’s to stop them marketing to you based on your web history, calling patterns, mobile locations etc.?
I would say to start with that the number you call is an inherent part of billing the service. Usage is not charged in this way, just by session, so they would be collecting and storing information for no purpose. Seems like something some exec would come along and say “waste of money, cut it”.
Simple question to Telstra: Did they install a system from Gigamon or not?
If so, why?