MUST READ: Microsoft unleashes bug bounty program — for betas, too

Topic: Security

Discover

Telstra logs customer history for new filter

Summary: Telstra has admitted to tracking the websites visited by Next G mobile customers, as part of the development of a voluntary internet filtering system.

Josh Taylor

By |

Telstra has admitted to tracking the websites visited by Next G mobile customers, as part of the development of a voluntary internet filtering system.

The tracking was first picked up by members of the Australian Network Operators group, who noticed that requests made to a web server from port 80 on a Telstra mobile device, would immediately be followed by a request from an IP address in the US, hosted by Rackspace.

After inquiries on the anomaly by ZDNet Australia, Telstra today came clean and admitted that it is working on a new cybersafety tool called Smart Controls, that will block certain sites from appearing on Telstra mobiles that are signed up for the service.

"We will shortly launch a cybersafety tool that allows parents to specify the website categories their kids can browse. To prepare for this, we are working with a company called Netsweeper to ensure web content is accurately characterised," Telstra said in a statement.

Telstra said that Netsweeper has an extensive database of URLs, but when customers try to reach new domains not previously included in the database, the URL is sent to Netsweeper by Telstra.

"Netsweeper analyses the content to determine whether it fits categories parents may want to prevent their kids accessing — for instance, pornography or gambling sites," the company said.

"Once a new site has been recognised, there is no subsequent need for Telstra to access the site, so checking content contained in URLs will decrease over time, as the network 'educates' itself."

All customer data is left out of the information being shared with the US company, according to Telstra.

"No customer data is sought, stored or shared in this process. Customers who subscribe to the cybersafety tool will temporarily have browsing history stored for assurance purposes. This history is automatically deleted within 60 days."

The service will, ultimately, be opt-in, Telstra said.

The company also quickly moved to update its terms and conditions online (PDF) today, to include information about Smart Control.

The issue has already caught the eye of Greens communications spokesperson Scott Ludlam, who said today that he had been in touch with Telstra's government affairs representative on the matter.

Network engineer Mark Newton has already contacted Telstra about the data collection in an open letter, and has indicated his intention to complain to the Privacy Commissioner about the company sending his data overseas without permission.

More to come.

Topics: Security, Privacy, Telcos, Telstra

About

Armed with a degree in Computer Science and a Masters in Journalism, Josh keeps a close eye on the telecommunications industry and all the goings on in government IT. Like most Gen Y, he spends a lot of his time with his eyes glued to his iPhone on various social media apps.

Google+ Contact

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

14 comments
Log in or register to join the discussion
  • Looks like I'll be changing carriers. I don't have anything to hide, but I object to Telstra snooping into my affairs. If they want to tag along on my web surfing then they can pay half the bill too.
    wolfrider56
    Reply Vote
  • It's funny to think that people complain about the government introducing such a filter when service providers like Telstra introduce it regardless. However since this is Telstra I doubt many customers will complain or dump them unfortunately. The apathy of these twits is mind-blowing.
    Hubert Cumberdale
    Reply Vote
    • I'd gladly jump ship on principle but even though my next g coverage has degraded a lot recently it is still far superior to my other options.
      anonymous
      Reply Vote
    • "Takes a Twit to know a Twit Hubert."

      yeah cant argue with a 6th graders logic but I'll try to explain it so even you can understand. I know a few Telstra customers and they are not too bright. I dont offer my 'tech support' to these sorts anymore as it is a complete waste of my time. Hope that helps.


      "Let's wait to be a little more informed."

      This is the advice I would give to people before signing up for dodgy Telstra plans. Sadly some of them are the aforementioned twits and you know the rest.
      Hubert Cumberdale
      Reply Vote
  • Did you read this properly? They are currently logging URL's independent of customer information to categorize content. The resulting filter will be opt-in.

    Why would providing your customers with an additional optional service to filter out unsavoury content, make them dump you for another provider? And how does that make them twits?
    Pachanga-4184c
    Reply Vote
    • They are not passing just the sitename but the full URL. The URL itself may contain identifying information - anything from a userid to an email address. And the URL may be not be public (eg some sites share have simply privacy controls for documents/photos/videos just by using a private url). So claiming that they completely anonymise the information is quite misleading and 3rd parties will be accessing information that customers would not expect them to have access to.
      anonymous
      Reply Vote
      • Fair enough.
        I guess we really need clarification on the statement:
        "All customer data is left out of the information being shared with the US company, according to Telstra."
        Does that mean they only send out the root page url - do they strip off the additional args? Or does it mean they just don't link it to an IP address?
        Also, I'm assuming they wouldn't be sending https url's...

        Josh?
        Pachanga-4184c
        Reply Vote
        • Pachanga this is known as a bald faced lie.

          The details of the customer making the URL request is removed from the information passed to the US company. But evey URL in its full appears to be sent, and if the url is not in the Netsweeper database, Netsweeper makes a duplicate request to cache the content you just requested.

          Many urls contain private data linked to a particular person, activation emails, forum post notifications, login session transfers between websites which aren't SSLed.

          And not only that, I'm guessing it would be leak some 50% of all Australian mobile web history offshore.

          It's wrong.
          Rundll-9d970
          Reply Vote
          • Exactly Rundll. Many URL's contain information such as username, email address etc. So this information is most likely being captured in the data being proxied off shore. It all depends on how the website was written.

            If there was confirmation from Telstra that anything after http:\\www.tld.X\* is stripped out, then it's not that big a deal as they're then only sending the TLD part of the URL's from the looks of things and also not the requestors IP.

            Are Telstra smart enough to realise that they should be stripping this information from the URL's being sent? Most of the time no, so no doubt in this situation it is completely safe to assume that personal details have been sent offshore.
            spagman
            Reply Vote
          • If the user's URL is http://some.domain.com/xyz/session/secret?more_secrets then http://some.domain.com/xyz/session/secret is sent to the company in the US. So the query string (part after the ?) is removed, if present, but other specific private information is leaked.

            Even sending only the domain name without the user's informed consent is a breach of privacy.

            Also, some applications store information in the domain name itself.
            anonymous
            Reply Vote
        • HiPachanga,

          As far as I am aware it is the whole URL, but I have asked a few for a few qualifications from Telstra, and I will let you know as soon as I do.

          Josh
          Josh Taylor
          Reply Vote
  • I think many of you have not read that Smart Controls is an OPT IN service. Telstra was not refering URL's to Netsweeper unless a customer actually opted into Smart Controls.

    Also NO CUSTOMER DETAILS are disclosed to Netsweeper, only the URL the Smart Controls customer is trying to access, where Netsweeper scans the sites content and classifies it, if it is allows by the users parents filtering, the website is displayed, if not it is not shown.

    This is a great service for parents, so they can restrict content they don't want their children to access.

    So those who say "I'll be jumping ship since Telstra is sharing my details with a US company" - This is not the case, the URL you are attempting to access is shared, but ONLY if you have OPTED IN to Smart Controls service.
    anonymous
    Reply Vote
  • >ONLY if you have OPTED IN to Smart Controls service.

    This simply isn't correct. That may become true at some time in the future. Right now it is false.

    Telstra was sending URLs for any customer because they were using this information to develop the Smart Controls service. There is no way to opt out of this at the moment.

    *My* URLs were being sent to the US company. *I* have not opted in or out of Smart Controls and nor have I ever been given the opportunity to do so.

    Telstra appears now to understand that they were doing the wrong thing, as they claim to have ceased doing this.
    anonymous
    Reply Vote
    • So please do "jump ship".
      anonymous
      Reply Vote
CNET Join | Log In | Privacy | Cookies Close