Telstra hands over browsing history in current warrantless metadata regime

A paper from the Parliamentary Library has suggested URLs might be required to be retained under any data retention regime because Telstra has handed over URL history to law enforcement agencies in the past.
Written by Josh Taylor, Contributor

Telstra's revelation that it has previously handed over details of websites visited by its customers to government agencies without a warrant suggests mandatory data retention may still include URLs, according to the Parliamentary Library.

Earlier this month, Prime Minister Tony Abbott and Attorney-General George Brandis announced that the government would begin developing a framework to require Australian telecommunications companies to retain customer "metadata" for access by law enforcement agencies.

After Abbott and Brandis fumbled the initial explanation of what actual metadata the government wanted to be retained, Communications Minister Malcolm Turnbull said the data that would be retained would be what telcos already hand over under the existing access regime, such as call logs and assigned IP addresses, and not web browsing history.

"The police, the security services, ASIO and so forth, are not asking the government to require telcos to record or retain information they are not currently already recording," Turnbull said.

"There has been some concern expressed that the government was proposing that telcos should retain for two years a record of the websites you visit when you're online, whether that's expressed in the form of their domain names or their IP addresses; in other words that there would be a requirement to keep a two-year record of your web browsing or web surfing history — that is not the case," he said.

But a new paper from the Parliamentary Library indicates that URL history has in fact been part of the existing regime.

"The current regime for access to metadata arguably allows law enforcement and intelligence agencies to access URLs under the umbrella of 'metadata' (provided the URL does not identify the content of the communication) despite stakeholders holding contradictory perspectives," report author Jaan Murphy states.

"This ambiguity indicates that the proposed mandatory metadata retention scheme, if modelled on existing laws, may exacerbate the confusion surrounding the definition of metadata."

Murphy pointed to a 2012 submission to the Joint Standing Committee on Intelligence and Security from Australia's largest telecommunications company, Telstra, in which the company said it had, in fact, handed over URL data to government agencies under the current access regime.

In the explanation, Telstra details exactly what data it has provided under the Telecommunications (Interception and Access) Act.

Any telecommunications data or meta data but not the content or substance of a communication.

It may include:

  • Subscriber information (including name, address, date of birth, method of payment and related account transaction details)
  • Telephone numbers of the parties involved in the communication
  • The date and time of a communication
  • The duration of a communication
  • Internet Protocol (IP) addresses and Uniform Resource Locators (URLs) to the extent that they do not identify the content of a communication, and
  • Location-based information

"Industry practice therefore illustrates that URLs are currently provided to law enforcement and national security agencies without a warrant," Murphy said.

Last week, Telstra CEO David Thodey indicated that although its rivals such as Optus and iiNet have indicated that data retention could cost them hundreds of millions of dollars, Telstra's participation in a mandatory data retention regime would not have a big impact on the company.

"I should be clear about this: we hold a lot of data today. We've got to get some clarity around exactly what changes the government is asking but on the early discussions, we don't see it as a significant issue for Telstra going forward," he said.

The Australian Security Intelligence Organisation (ASIO) and the Australian Federal Police have indicated they do not want browsing history as part of mandatory data retention, but previous statements from Victoria Police and Northern Territory Police have called for browsing history to be retained.

A spokesperson for the attorney-general said URLs would not be included in the data retention regime and, despite Telstra's submission, said access to URLs required a warrant.

"Security agencies currently require a warrant to access URLs and this requirement will continue."

A spokesperson for Telstra said the company complies with the law as it exists today.

"Like all telecommunications companies that provide services in Australia, we are required by law to assist Australian government agencies for defined purposes, such as investigating and solving crimes. We also provide assistance to emergency services agencies in response to life-threatening situations and Triple Zero emergency calls," the spokesperson said.

"Part of our obligation is to act on requests under law for our customer information and carriage service records, and warrants for communications travelling over or held in our network. We only disclose customer information in accordance with the law and we assess any request for information to ensure it complies with the law.

"We do not collect and store web browsing history against individual customer accounts."

Telstra later confirmed to ZDNet that it had in the past handed over URLs to law enforcement agencies, but it was not part of the company's normal business to collect browsing history.

"We do not collect URLs as a normal part of providing customer services and only in rare cases have we provided any URL data to agencies. For example, the last time we did so was in relation to a life-threatening situation involving a child more than 12 months ago."
