Vodafone reveals plan to retain customers' browsing history

Vodafone Australia is working on rolling out a system that will record customers' web-browsing IP history for up to 90 days, as the government moves to compel telcos to hold on to users' metadata for up to two years.

Vodafone Hutchison Australia is planning to roll out a system that tracks customers' web-browsing history and holds the data for almost three months in order to help settle data usage queries.

The company's general manager for industry strategy and public policy Matthew Lobb said at a hearing for the Senate Committee for the Comprehensive Revision of the Telecommunications (Interception and Access) Act 1979 today that Vodafone was looking at storing the IP history of customers’ internet usage for 90 days.

"We're starting to move to a situation where there will be a clear IP identifier for each session, that when a customer accesses the internet or uses data," said Lobb. "But … it's in its infancy, that capability."

Lobb told the committee hearing that under the new system, when a customer begins a web session, that customer is assigned an internal IP identifier, and is subsequently assigned with a public IP identifier.

"And that’s dynamic," he said. "So, they will be allocated to different people each session, and there's a port number and a date stamp. The capability that is emerging is that that will be able to track that which is linked to a particular customer, and we will begin to start storing that for a period of time."

At present, according to Lobb, Vodafone is planning to hold that data for 90 days, in order to use as reference against billing or usage queries by customers within a specific billing period.

The move comes as the federal government works to introduce legislation that will compel local telecommunications companies and ISP providers hold onto customers' metadata for a mandatory two years — even though the government is yet to provide a specific definition for what constitutes metadata publicly.

Information provided to carriers indicates that the government is seeking customer IP addresses, times and technology used in communications, and billing information. It has specifically ruled out retaining web-browsing history after Attorney-General George Brandis now infamously fumbled the definition of metadata during a television interview to indicate that sites visited would be included.

Lobb said Vodafone was introducing the new technology in response to customers' requests for more insight into their data usage.

"Consumers sometimes want to know how much of data they're using on different sites, like Facebook or Twitter," he said. "If we designed [the IP identifier system] to say, "Did you access Facebook? it would tell you that you accessed Facebook."

However, he added that, under the system, the company would not be able to tell what a customer has done while on an identified website, such as Facebook.

Lobb said that the company was only at "the cusp" of developing the new capability, adding that if the Vodafone were required to store the data for the two-year timeframe the federal government is hoping to compel telcos and other companies to do, it would be challenging in terms of storage space, infrastructure and associated expenses.

Lobb revealed that the cost for Vodafone to develop the system to provide the 90-day web history information to customers is in the "tens of millions" of dollars.

"At the moment, it’s around ten or so million. But it's still in the development phase," he said.

From Lobb's perspective, the requirement for an IP identifier will become increasingly necessary as the industry moves away from traditional telecommunications methods.

"We're moving to an IP world, so the IP identifier is going to be an established part of how you access data, so that I would expect that to evolve to be the standard way it is to be undertaken," he said.

Lobb said that he believed that such capabilities have been evolving across the industry, with fixed-line carriers potentially possessing more advanced mechanisms to track a customer’s web-browsing history.

However, Telstra's director of government relations corporate affairs James Shaw said at the hearing that Australia's largest telco did not have such mechanisms in place, and currently had no intention to introduce such technology.

"We don't collect web browser history linked to customer's accounts," he said. "We have to have some browser history within the network. We don't collect data on which sites our customers have visited and record it against their account, but separate to customer service, our network does generate data related to internet usage. But, it's not stored in a way that is complete and it’s constantly being overwritten as more data comes onto it."

According to Telstra's chief risk officer Kate Hughes, the company's current strategy is to only keep what it needs for billing purposes or for network assurance purposes.

"I would suggest that most average data that sits in our network is never linked to a person's account," she said. "This is an objective we have in terms of our own personal standards, not least of all because it's an overhead we don't like to carry, but if it's there it presents a risk for us."

The latest hearing into the Comprehensive Revision of the Telecommunications (Interception and Acces) Act 1979 comes as the Senate passes new legislation that will give the Australian Security Intelligence Organisation (ASIO) the power to monitor every device on the internet, and copy, delete, or modify the data held on those computers with just a single warrant.