EFA is concerned about recent reports that Telstra has been sending the details of URLs visited by all subscribers to its NextG mobile network to a third party located outside Australia.
Telstra has confirmed that they have been forwarding this information to a Canadian company, Netsweeper, who they are working with to build a database to be used as part of a proposed web filtering product.
Though Telstra claims that “at no point…was personal information collected or stored”, a list of URLs visited by an individual (their ‘clickstream’) is in fact a highly personal set of data which can be readily correlated with other data, regardless of whether there is a customer or username associated with it. There is therefore a serious privacy issue involved in this practice, particularly as in this case where it was conducted without the customer’s knowledge and involved the sending of data offshore, outside the scope of Australian privacy legislation.
Telstra say they have moved quickly to suspend the harvesting of NextG users’ clickstreams, and yesterday hastily issued updated Terms and Conditions (pdf) for the service. Their initial reaction though, which was to dismiss the activity as ”a normal network operation” betrays a worrying lack of concern, or even worse, understanding, about the personal nature of the data they were collecting and sending offshore.
Clearly, Telstra should have informed their customers before they started harvesting this data, and should have applied the same opt-in approach to this activity as they propose to use for their ‘Smart Controls’ filtering product, which this activity was designed to support.
EFA is also concerned that Telstra would choose to partner with a Canadian company (Netsweeper) that also provides net censorship services to a variety of countries, including Qatar, the United Arab Emirates and Yemen.
EFA also has more general concerns about automated filtering services such as Telstra is currently developing. The lack of transparency and accountability inherent in these services in terms of the choice of which sites to block can lead to both false positives (blocking sites that should not be blocked) and false negatives (not blocking sites that arguably should be blocked). EFA therefore believes that it is unlikely that Telstra’s ‘Smart Control’ product will provide the level of service that is claimed.
EFA hopes that Telstra learns from this incident and employs much greater care for customer data during their future product development activities.