Jun 27, 2012

‘It’s how we connect’: Telstra and the spy sites mystery

Telstra has been tracking the websites visited by Next G mobile customers and sending the data overseas to a Canadian company that supplies censorship systems to Qatar, the United Arab Emirates and Yemen.

Stilgherrian — Technology writer and broadcaster



Right. So Telstra hasn't just been tracking the websites visited by Next G mobile phone customers. It has been sending the data overseas without informed consent to a Canadian company that supplies censorship systems to Qatar, the United Arab Emirates and Yemen.

And when Telstra was caught out, it tried, as SC Magazine reported, to wave it away as "normal network operation". Not a good look. Especially when it was discovered precisely because there was abnormal network behaviour.

Last Monday night a Telstra customer with the handle "threadmark" posted a report of unusual activity on broadband forum Whirlpool. Every time he accessed a web page on his own web server from a Next G mobile, moments later that exact same page was accessed by a computer in the US. This only happened on Telstra's Next G network, not any of their competitors.

The ensuing Whirlpool discussions about what might be going on and whether it was legal and ethical, as well as Telstra's dismissive response, caught the eye of information security consultant Eric Pinkerton. On Monday he posted details to the mailing list of AusNOG, the Australian Network Operators Group, which comprises network operators from ISPs, internet content providers and the like. Serious network geeks were now on the case.

Within hours it was established that whenever a new web page was accessed the second time, not the first, about 250 milliseconds later the request was duplicated by a computer at Rackspace, an internet hosting provider based in Chicago. It was clear that Telstra was sending Next G users' entire web browsing "clickstream" offshore, where a different privacy law regime would be in force. It was also clear that clickstreams were being logged, so they knew when an individual page was accessed for the second time.

The pressure on Telstra mounted, including a formal request from highly respected network engineer Mark Newton for the scope of and reasons behind the data collection and how it was being managed.
Telstra has been forced to reveal that, as detailed at ZDNet Australia and iTnews, it has contracted Canadian company Netsweeper to build it a new web content filtering system called "Smart Controls" as an optional $2.95 per month add-on for the Next G network.

Netsweeper is already a major player in web content filtering and so already maintains a massive database of the web's content, categorised according to the needs of its products. But with the web constantly changing, Netsweeper needs to discover new content quickly. Hence this system. When new web addresses are accessed the second time -- not the first, in case it was just a typo or other mistake -- Netsweeper's system at Rackspace accesses the page as well, and analyses and categorises the content it finds.

"Once a new site has been recognised, there is no subsequent need for Telstra to access the site, so checking content contained in URLs will decrease over time, as the network 'educates' itself," Telstra said in a statement. "No customer data is sought, stored or shared in this process. Customers who subscribe to the cybersafety tool will temporarily have browsing history stored for assurance purposes. This history is automatically deleted within 60 days."

Nevertheless, Telstra should quite rightly be embarrassed by all this. Even though customers will eventually opt-in to this service should they want it, they were all included in this trial, without notification, like it or not. Telstra's after-the-fact update of its terms and conditions document, dated June 26, was done in such haste that it even misspelled the word "Telstra".

Clickstream data is highly individual. It doesn't need a customer name attached to be able to cross-correlate it to other data. This massive data mining is the real privacy problem online and it's getting worse.

And then there's Netsweeper itself.
While stopping corporate employees from wasting time on gambling sites and preventing school libraries being used to download porn, as m'colleague Bernard Keane reported earlier this year, there's plenty of money to be made helping governments stop their own citizens seeing problematic material: "Netsweeper, which boasts on its website that one in three British schoolchildren are 'protected' by its product, has no qualms about providing censorship tools to the worst régimes in the Middle East."

Can we trust the sending of everyone's personal clickstreams to this sort of business? Do we really want to be doing business with them at all?

Just as this story was being filed, a Telstra spokesperson said that it had heard people’s concerns about this process, and has posted a more detailed issue update. It has also committed to responding individually to any customers with concerns.
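
The duplicated requests described above can be picked out of a web server's own access log. The following is an added example, not code from the Whirlpool or AusNOG discussions: the log format, the addresses (documentation ranges) and the two-second window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, requested path.
# 203.0.113.7 stands in for the mobile client, 198.51.100.23 for the
# remote host that repeats its requests; neither is a real address.
SAMPLE_LOG = """\
2012-06-18T21:14:03.120 203.0.113.7 /private/test-a.html
2012-06-18T21:15:10.400 203.0.113.7 /private/test-a.html
2012-06-18T21:15:10.650 198.51.100.23 /private/test-a.html
2012-06-18T21:16:00.000 203.0.113.7 /private/test-b.html
2012-06-18T21:20:45.000 192.0.2.99 /index.html
2012-06-18T21:21:30.100 203.0.113.7 /private/test-b.html
2012-06-18T21:21:30.360 198.51.100.23 /private/test-b.html
"""

def find_replays(log_text, window=timedelta(seconds=2)):
    """Flag requests that repeat a different IP's request for the same
    path within `window`, noting which visit by the client they followed."""
    visits = defaultdict(int)   # (ip, path) -> requests seen so far
    last_seen = {}              # path -> (timestamp, ip) of last client hit
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts_text, ip, path = line.split()
        ts = datetime.fromisoformat(ts_text)
        prev = last_seen.get(path)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            findings.append({
                "path": path,
                "client": prev[1],
                "replayer": ip,
                "delay_ms": (ts - prev[0]) // timedelta(milliseconds=1),
                "client_visit": visits[(prev[1], path)],
            })
            continue  # a replay is not counted as an original visit
        visits[(ip, path)] += 1
        last_seen[path] = (ts, ip)
    return findings

if __name__ == "__main__":
    for f in find_replays(SAMPLE_LOG):
        print(f"{f['path']}: {f['replayer']} repeated {f['client']}'s "
              f"visit #{f['client_visit']} after {f['delay_ms']} ms")
```

On a busy public site two unrelated visitors can request the same page within the window, so the check is most reliable on unlinked test URLs that only the tester knows, as in threadmark's case.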


6 thoughts on “‘It’s how we connect’: Telstra and the spy sites mystery”

  1. CarlitosM

    Hello Telecommunications Ombudsman, Privacy Commissioner, NSW Council of Civil Liberties, Electronic Frontiers Australia, etc. you better be looking into this and kicking some ar$e…

    Reading above and the links provided should be compulsory for anyone working in ICT or customer relations: learn how NOT to treat your customers.

  2. robinw

    Of course, not a thing will be done about this blatant intrusion. I’d be surprised if Telstra even got an admonition over this, let alone the hefty fine they should be copping.

  3. Mike Smith

    Will the ‘individual response’ include desisting from doing this on request?

  4. gikku

    Banks have IT outsourced OS too.
    Anybody have concerns their statement and/or transaction details are offshore, such as the complete history of where you used your Visa / MasterCard over the past 7+ years…

  5. Mike Smith

    Meantime, there’s trolls on the site that are happily playing the “won’t someone please think about the children” card, and suggesting it’s the users’ fault.

  6. Are you free?

    It’ll be interesting to see whether Telstra is treated as being above the law, as BT and Phorm were in Britain.
