Telstra hands over browsing history in current warrantless metadata regime

Summary: A paper from the Parliamentary Library has suggested URLs might be required to be retained under any data retention regime because Telstra has handed over URL history to law enforcement agencies in the past.


Telstra's revelation that it has previously handed over details of websites visited by its customers to government agencies without a warrant suggests mandatory data retention may still include URLs, according to the Parliamentary Library.

Earlier this month, Prime Minister Tony Abbott and Attorney-General George Brandis announced that the government would begin developing a framework to require Australian telecommunications companies to retain customer "metadata" for access by law enforcement agencies.

After Abbott and Brandis fumbled the initial explanation of what actual metadata the government wanted to be retained, Communications Minister Malcolm Turnbull said the data that would be retained would be what telcos already hand over under the existing access regime, such as call logs and assigned IP addresses, and not web browsing history.

"The police, the security services, ASIO and so forth, are not asking the government to require telcos to record or retain information they are not currently already recording," Turnbull said.

"There has been some concern expressed that the government was proposing that telcos should retain for two years a record of the websites you visit when you're online, whether that's expressed in the form of their domain names or their IP addresses; in other words that there would be a requirement to keep a two-year record of your web browsing or web surfing history — that is not the case," he said.

But a new paper from the Parliamentary Library indicates that URL history has in fact been part of the existing regime.

"The current regime for access to metadata arguably allows law enforcement and intelligence agencies to access URLs under the umbrella of 'metadata' (provided the URL does not identify the content of the communication) despite stakeholders holding contradictory perspectives," report author Jaan Murphy states.

"This ambiguity indicates that the proposed mandatory metadata retention scheme, if modelled on existing laws, may exacerbate the confusion surrounding the definition of metadata."

Murphy pointed to a 2012 submission to the Joint Standing Committee on Intelligence and Security from Australia's largest telecommunications company, Telstra, in which the company said it had, in fact, handed over URL data to government agencies under the current access regime.

In the explanation, Telstra details exactly what data it has provided under the Telecommunications (Interception and Access) Act.

Any telecommunications data or meta data but not the content or substance of a communication.

It may include:

  • Subscriber information (including name, address, date of birth, method of payment and related account transaction details)
  • Telephone numbers of the parties involved in the communication
  • The date and time of a communication
  • The duration of a communication
  • Internet Protocol (IP) addresses and Uniform Resource Locators (URLs) to the extent that they do not identify the content of a communication, and
  • Location-based information

"Industry practice therefore illustrates that URLs are currently provided to law enforcement and national security agencies without a warrant," Murphy said.

Last week, Telstra CEO David Thodey indicated that although rivals such as Optus and iiNet have said that data retention could cost them hundreds of millions of dollars, Telstra's participation in a mandatory data retention regime would not have a big impact on the company.

"I should be clear about this: we hold a lot of data today. We've got to get some clarity around exactly what changes the government is asking but on the early discussions, we don't see it as a significant issue for Telstra going forward," he said.

The Australian Security Intelligence Organisation (ASIO) and the Australian Federal Police have indicated they do not want browsing history as part of mandatory data retention, but previous statements from Victoria Police and Northern Territory Police have called for browsing history to be retained.

A spokesperson for the attorney-general said URLs would not be included in the data retention regime, and despite Telstra's submission, said access to URLs required a warrant.

"Security agencies currently require a warrant to access URLs and this requirement will continue."

A spokesperson for Telstra said the company complies with the law as it exists today.

"Like all telecommunications companies that provide services in Australia, we are required by law to assist Australian government agencies for defined purposes, such as investigating and solving crimes. We also provide assistance to emergency services agencies in response to life threatening situations and Triple Zero emergency calls," the spokesperson said.

"Part of our obligation is to act on requests under law for our customer information and carriage service records, and warrants for communications travelling over or held in our network. We only disclose customer information in accordance with the law and we assess any request for information to ensure it complies with the law.

"We do not collect and store web browsing history against individual customer accounts."

Telstra later confirmed to ZDNet that it had in the past handed over URLs to law enforcement agencies, but it was not part of the company's normal business to collect browsing history.

"We do not collect URLs as a normal part of providing customer services and only in rare cases have we provided any URL data to agencies. For example the last time we did so was in relation to a life threatening situation involving a child more than 12 months ago."

Topics: Privacy, Government, Government AU, Telcos, Australia


Armed with a degree in Computer Science and a Masters in Journalism, Josh keeps a close eye on the telecommunications industry, the National Broadband Network, and all the goings on in government IT.

  • great pick up

    Great to see some actual legal analysis getting some airtime. Great article Josh, and well done to the Parliamentary Library on giving a great plain-English explanation of the current state of affairs.
  • Confused

    Sorry guys a bit slow here...

    If AGD says "Security agencies currently require a warrant to access URLs and this requirement will continue."

    But Telstra is giving that out now without a warrant.

    Who is breaking the law?

    Telstra for giving the info?
    Whatever security agencies for requesting and not having a warrant, and then for taking the info?
    Or both?

    Kinda makes #getawarrant useless...

  • No one should be surprised !

    Telstra regards themselves as a 'Law unto themselves' !
    Their attitude to a customer's privacy is reckless !
    Both Telstra & ASIO are breaking the law as it stands.
    But hey! no one seems to care what they do !
    They want carte blanche to do as they please & to hell with our democratic & constitutional rights..
    Our politicians don't understand the technology, no clue at all, & the reckless attitude of our spy organisations has no bounds.
  • What a debacle

    If nothing else it is time to stop, take stock and return to basics.

    Clearly, every time anyone in a senior position makes a statement, it plainly contradicts the last guy that spoke.

    Telstra may have a legacy of extended assistance between one government agency and another. That may once have been seen to be appropriate, but I'd question that it should continue.

    I've said it before - Telstra is not the industry, and the industry is not Telstra. My gratuitous advice is - stop assuming that a conversation with Telstra is representative of the industry's view. None of us want to look, feel or smell like Telstra.
    That shouldn't be news.

    Clearly, there appears to be a lack of documented policy, otherwise someone would have invoked it by now. There is no policy, no definition, no clear legal obligation, no funding, no consistency and no comfort.

    Nobody seems in charge, policy makers are ill-informed, law enforcement agencies are all over the shop, assumptions from a sample of one are being treated as representative of the whole industry, lots of contradictory statements, it's a mess really.

    I think St Kilda may be better organised and they are on the bottom of the AFL ladder.
  • Transparency

    Would people be more surprised if all telcos published a similar document to Telstra's "Transparency Report"?
    Noni Mouse
    • According to Telstra's Transparency Report

      Telstra are breaking their own rules by providing information without a warrant.
  • Data retention

    Optus and iiNet complained about the cost associated with the legislation. I simply read this as a bit of Telstra one-upmanship and would probably be happy to absorb the cost as they could do so more easily than the others and place them further ahead.
    If security is a concern just Google Optus in the Herald.
    David Boyd
  • Disclosure of URLs not authorised.

    I would like to point your attention to Sec 172 of the Telecommunications (Interception and Access) Act, which says the following:
    "Divisions 3, 4 and 4A do not permit the disclosure of:
    (a) information that is the contents or substance of a communication; or
    (b) a document to the extent that the document contains the contents or substance of a communication."

    A URL reveals the content at that web page because anyone putting the URL into a web browser can see the content. I would therefore contend that it provides the substance of a communication. Accordingly I would suggest that a warrant is always required for this information.
  • Why are Telstra recording this data ?

    Surely there is no real business reason to record subscribers' browsing history, such as relates to providing service to the user.
    Therefore they must be breaking some data capture and retention rules.
    Perhaps they are selling it ?