EFA is concerned about recent reports that Telstra has been sending the details of URLs visited by all subscribers to its NextG mobile network to a third party located outside Australia.

Telstra has confirmed that they have been forwarding this information to a Canadian company, Netsweeper, who they are working with to build a database to be used as part of a proposed web filtering product.

Though Telstra claims that “at no point…was personal information collected or stored”, a list of URLs visited by an individual (their ‘clickstream’) is in fact a highly personal set of data which can be readily correlated with other data, regardless of whether a customer number or username is attached to it. URLs routinely embed usernames, email addresses, account numbers and session or password-reset tokens in their paths and query strings, so the list identifies its owner on its own. There is therefore a serious privacy issue involved in this practice, particularly in a case such as this one, where it was conducted without customers’ knowledge and involved sending the data offshore, outside the scope of Australian privacy legislation.
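To make the point above concrete, here is a small added example (it is not part of the EFA post and has nothing to do with Telstra’s or Netsweeper’s actual systems) that takes a clickstream with no customer identifier attached and shows what an observer can still recover from the URLs alone. The sample URLs, the hostnames and the lists of “identifying” and “secret” query keys are all constructed for illustration.

```python
"""Added example, not part of the EFA post: why a bare URL clickstream
is personal data even with no subscriber identifier attached.

All URLs, hostnames and parameter names below are constructed for
illustration; they are not Telstra, Netsweeper or any real customer's
traffic."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample clickstream: one subscriber, no customer id attached.
SAMPLE_CLICKSTREAM = [
    "https://www.example-bank.test/login?user=jsmith",
    "https://mail.example.test/inbox?account=jane.smith%40example.test",
    "https://social.example.test/profile/jane_smith_1984",
    "https://shop.example.test/reset-password?token=a1b2c3d4e5f6",
    "https://clinic.example.test/appointments?patient=991234",
    "https://news.example.test/article/12345",
]

# Query-string keys that commonly carry an identity (assumption: illustrative list).
IDENTIFYING_KEYS = {"user", "username", "account", "email", "patient", "uid"}
# Query-string keys that commonly carry credential material (assumption: illustrative list).
SECRET_KEYS = {"token", "session", "sessionid", "key", "otp", "password", "auth"}
# Path prefixes that usually name a specific person (assumption: illustrative list).
PROFILE_PATHS = ("/profile/", "/users/", "/u/")


def extract_identifiers(url):
    """Return (identifiers, secrets) recovered from a single URL.

    Each entry is a (hostname, kind, value) tuple; parse_qsl percent-decodes
    the values, so an encoded '@' in an email address comes back as '@'."""
    parts = urlsplit(url)
    ids, secrets = [], []
    for key, value in parse_qsl(parts.query):
        k = key.lower()
        if k in IDENTIFYING_KEYS:
            ids.append((parts.hostname, k, value))
        elif k in SECRET_KEYS:
            secrets.append((parts.hostname, k, value))
    for prefix in PROFILE_PATHS:
        if parts.path.startswith(prefix):
            handle = parts.path[len(prefix):].split("/")[0]
            if handle:
                ids.append((parts.hostname, "path", handle))
    return ids, secrets


def profile_clickstream(urls):
    """Summarise what an observer learns from a list of URLs alone:
    the hosts visited (bank, mail, clinic...), direct identifiers and
    any credential material that the affected user should rotate."""
    identifiers, secrets, hosts = [], [], set()
    for url in urls:
        hosts.add(urlsplit(url).hostname)
        ids, sec = extract_identifiers(url)
        identifiers.extend(ids)
        secrets.extend(sec)
    return {
        "hosts": sorted(hosts),
        "identifiers": identifiers,
        "secrets": secrets,
        "is_anonymous": not identifiers and not secrets,
    }


if __name__ == "__main__":
    report = profile_clickstream(SAMPLE_CLICKSTREAM)
    print("Hosts visited:")
    for host in report["hosts"]:
        print("  ", host)
    print("Direct identifiers recovered from the URLs:")
    for host, kind, value in report["identifiers"]:
        print(f"   {host}: {kind}={value}")
    print("Credential material that should be rotated:")
    for host, kind, value in report["secrets"]:
        print(f"   {host}: {kind}={value}")
    print("Clickstream anonymous?", report["is_anonymous"])
```

Even the one URL in the sample that carries no identifier (the news article) contributes to a browsing profile, and the password-reset token is exactly the kind of data the commenter below has in mind when asking why affected users were not told to change passwords.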

Telstra say they have moved quickly to suspend the harvesting of NextG users’ clickstreams, and yesterday hastily issued updated Terms and Conditions (pdf) for the service. Their initial reaction though, which was to dismiss the activity as “a normal network operation”, betrays a worrying lack of concern about, or even worse, understanding of, the personal nature of the data they were collecting and sending offshore.

Clearly, Telstra should have informed their customers before they started harvesting this data, and should have applied the same opt-in approach to this activity as they propose to use for their ‘Smart Controls’ filtering product, which this activity was designed to support.

EFA is also concerned that Telstra would choose to partner with a Canadian company (Netsweeper) that also provides net censorship services to a variety of countries, including Qatar, the United Arab Emirates and Yemen.

EFA also has more general concerns about automated filtering services such as the one Telstra is currently developing. The lack of transparency and accountability inherent in how these services choose which sites to block leads to both false positives (blocking sites that should not be blocked) and false negatives (not blocking sites that arguably should be blocked). EFA therefore believes that it is unlikely that Telstra’s ‘Smart Controls’ product will provide the level of service that is claimed.

EFA hopes that Telstra learns from this incident and employs much greater care for customer data during their future product development activities.

1 comment

  1. Thanks for posting on this.

    However there is much more to this than the issues described above.

    1. What are the changes to the Ts&Cs that have been linked to? Do they now say words to the effect:

    "Telstra unconditionally reserves the right to share your personal, private and confidential data with any parties it sees fit to do so, for any reason, at any point and to any extent" now or do they make a written commitment NOT to do this any more?

    2. Who has verified what Telstra has said so far (that they are not continuing their tactics to date)? E.g.:

    a. Do not disclose what they have done, any details about internal policies, practices, controls and checks to either users or the regulators
    b. Talk down any suggestion of wrong doing, risk, impact or effect.

    3. How do we know Telstra won't do it again and act exactly the same way? What and who will now check up on any undertakings? What will they check? When? Who in Telstra will be responsible?

    How will other ISPs be brought to account before they do the same thing (inadvertently or otherwise)?

    4. Why is Telstra only talking to regulators and government, and not to NextG users who have sent any data over the last 9 months or so, and beginning the process of helping them to understand where they may have lost important/vital information, so these customers can do things like changing passwords, providers, amending private and confidential business information, etc.?

    I.e., help the users avoid any further impacts? Most still do not know!

    Comment by Yet Another Reamed NextG User on 14 July 2012 at 17:58