Right. So Telstra hasn’t just been tracking the websites visited by Next G mobile phone customers. It has been sending the data overseas without informed consent to a Canadian company that supplies censorship systems to Qatar, the United Arab Emirates and Yemen.
And when Telstra was caught out, it tried, as SC Magazine reported, to wave it away as “normal network operation”. Not a good look. Especially when it was discovered precisely because there was abnormal network behaviour.
Last Monday night a Telstra customer with the handle “threadmark” posted a report of unusual activity on broadband forum Whirlpool. Every time he accessed a web page on his own web server from a Next G mobile, moments later that exact same page was accessed by a computer in the US. This only happened on Telstra’s Next G network, not any of their competitors.
The ensuing Whirlpool discussions about what might be going on and whether it was legal and ethical, as well as Telstra’s dismissive response, caught the eye of information security consultant Eric Pinkerton. On Monday he posted details to the mailing list of AusNOG, the Australian Network Operators Group, which comprises network operators from ISPs, internet content providers and the like.
Serious network geeks were now on the case. Within hours it was established that whenever a new web page was accessed the second time, not the first, about 250 milliseconds later the request was duplicated by a computer at Rackspace, an internet hosting provider based in Chicago.
It was clear that Telstra was sending Next G users’ entire web browsing “clickstream” offshore, where a different privacy law regime would be in force. It was also clear that clickstreams were being logged, so they knew when an individual page was accessed for the second time.
The pressure on Telstra mounted, including a formal request from highly respected network engineer Mark Newton for the scope of and reasons behind the data collection and how it was being managed.
Telstra has been forced to reveal that, as detailed at ZDNet Australia and iTnews, it has contracted Canadian company Netsweeper to build it a new web content filtering system called “Smart Controls” as an optional $2.95 per month add-on for the Next G network. Netsweeper is already a major player in web content filtering and so already maintains a massive database of the web’s content, categorised according to the needs of its products.
But with the web constantly changing, Netsweeper needs to discover new content quickly. Hence this system. When new web addresses are accessed the second time — not the first, in case it was just a typo or other mistake — Netsweeper’s system at Rackspace accesses the page as well, and analyses and categorises the content it finds.
Get Crikey FREE to your inbox every weekday morning with the Crikey Worm.
“Once a new site has been recognised, there is no subsequent need for Telstra to access the site, so checking content contained in URLs will decrease over time, as the network ‘educates’ itself,” Telstra said in a statement.
“No customer data is sought, stored or shared in this process. Customers who subscribe to the cybersafety tool will temporarily have browsing history stored for assurance purposes. This history is automatically deleted within 60 days.”
Nevertheless, Telstra should quite rightly be embarrassed by all this. Even though customers will eventually opt-in to this service should they want it, they were all included in this trial, without notification, like it or not.
Telstra’s after-the-fact update of its terms and conditions document, dated June 26, was done in such haste that it even misspelled the word “Telstra”.
Clickstream data is highly individual. It doesn’t need a customer name attached to be able to cross-correlate it to other data. This massive data mining is the real privacy problem online and it’s getting worse.
And then there’s Netsweeper itself. While stopping corporate employees from wasting time on gambling sites and preventing school libraries being used to download porn, as m’colleague Bernard Keane reported earlier this year, there’s plenty of money to be made helping governments stopping their own citizens seeing problematic material:
“Netsweeper, which boasts on its website that one in three British schoolchildren are ‘protected’ by its product, has no qualms about providing censorship tools to the worst régimes in the Middle East.”
Can we trust the sending of everyone’s personal clickstreams to this sort of business? Do we really want to be doing business with them at all?
Just as this story was being filed, a Telstra spokesperson said that it had heard people’s concerns about this process, and has posted a more detailed issue update. It has also committed to responding individually to any customers with concerns.