Telstra has moved to quell fears over its passing of customer browsing history to a third party overseas, stating that only the base URL of a website was disclosed.
Telstra yesterday halted the passing on of the URLs of websites visited by Next G customers to US-based Canadian internet filter company Netsweeper, following public concern about the potential privacy impact that this might have. Telstra was providing the URLs to Netsweeper as part of a new cybersafety project called Smart Control, which would allow parents to prevent their children accessing certain websites on Next G phones. Telstra needed to build up an extensive database of the types of websites Next G customers were visiting.
Telstra earlier this week said that no customer information was provided to Netsweeper as part of the project, but could not confirm whether the entire URL was sent to Netsweeper.
Yesterday, Telstra's executive of wireless planning, Anthony Goonan, explained on Telstra's Exchange blog that the company stripped the GET variables out of collected URLs.
"At no time was information linking the URL address to any customer provided to our supplier. Only the URL address, without any [GET] variables or other information from the internet site, was stored in the Telstra or Netsweeper databases," Goonan said.
But Telstra could not clear up whether URLs that were not indexed by Google, or whether URLs that contain personal information not included in the GET variables, was passed onto Netsweeper. This was brought up in response to Goonan by users on broadband forum Whirlpool.
Telstra was asked about this yesterday, but had not responded at the time of writing.
Narelle Smythe, partner at law firm Clayton Utz, said that Telstra could be found to have breached the Privacy Act if people could be identified from the URLs provided to Netsweeper.
Goonan explained that Telstra first compared the URL (stripped of GET variables) against Telstra's own database, and if it was not already in a classified list, the URL was sent to the Netsweeper database, located in the US or Canada. If the URL was not in Netsweeper's database, then it was assessed for classification by Netsweeper, and entered into the database of both Telstra and Netsweeper.
Goonan said that Telstra had been in contact with the Privacy Commissioner, the Australian Communications and Media Authority, the Telecommunications Industry Ombudsman and the Australian Communications Consumer Action Network (ACCAN) about the issue. ACCAN tweeted yesterday that it had written to the Privacy Commissioner, asking him to investigate.
The office of the Privacy Commissioner has indicated that it may launch an investigation into the matter.