Telstra has a database of your NextG web activity

So, in what must be my biggest blog day ever, Telstra posted this:

What is clear from their previous post and the pickup in the media (including ABC, Crikey and is that people care about this, a lot.

What is also clear is that they’ve had to go and talk to the Privacy Commissioner, the Australian Communication and Media Authority, the Telecommunications Industry Ombudsman and the Australian Communications Consumer Action Network.

I’d like to thank Senator Ludlam for raising this with Telstra government affairs which without a doubt helped raise the profile of this issue.

There are a couple of issues with Telstra’s updated statement:

  1. They admit to constructing a database with your full query string and IP address
  2. They don’t address the moral issue of being involved with a company so involved in curtailing human rights (Netsweeper).
  3. Just stripping out the query string doesn’t erase all personal information

I don’t think we can ignore any of these problems, and I hope we get good responses and resolutions to them.

The significance of point 1 should not be understated. This means that some people, somewhere, have access to a decent amount of your browsing history. There is no details on who has access to this (hint: law enforcement could probably request it). There is also no explanation about why this was applied to everyone.

Update: after rereading their blog post, at best I can say it’s ambiguous on if they stored this or not. One sentence implies that they do, another implies that they don’t. Clarification would be most welcome, and given the history so far, we should not assume the best.

Personally, I’m really disappointed in Telstra for at any point thinking it’s okay to finance human rights abuses. I’m also really disappointed in world governments for permitting the sale of such software to those who use it to oppress their people. We should be in the business of exporting freedom and democracy, not exporting tyranny and oppression.

If you have a NextG handset, I strongly suggest the following:

Telstra stops tracking, still supporting Netsweeper

The big news:

“We are stopping all collection of website addresses for the development of this new product,” Telstra said in a statement.

This does not change their association (and presumed financial support) of Netsweeper, helping make its technology affordable to its government customers who use it to suppress free speech and access to information.

See also:

An update on Telstra’s surveillance of what you do online,telstra-tracks-users-to-build-web-filter.aspx

I’d suggest going and reading: to learn a bit about anonymization failures.

What we know:

  1. Telstra has the ability to monitor every URL you visit on a NextG connection
  2. Telstra is, in fact, monitoring every URL you visit through your NextG connection and piping that to some computer system that then takes action on it.
  3. None of this was disclosed to customers.
  4. Telstra is building a system for censorship.

What we don’t know:

  1. If this is a violation of any Australian privacy law (I’m not a lawyer)
  2. Who else has access to this “anonymised” data (hellooo US legal system)
  3. What universal surveillance infrastructure they have running

Update: this is a followup from yesterday’s post:

On Telstra tracking NextG HTTP requests and,telstra-says-its-not-spying-on-users.aspx were recently published saying that Telstra NextG users were seeing some interesting things. (Yes, there’s a Whirlpool post too, but since they block requests from Tor I’m not going to link to them)

Basically, on their servers they were seeing HTTP requests to the same URL as they had just visited with their phone, but from an IP address that certainly wasn’t their phone.

I started to investigate.

I put up a simple HTML page on a standard HTTP server and then got a NextG device to query it. I saw a log that came from a TELSTRA owned block of IPs. I didn’t see any suspicious second request though. Sadness.

Turns out you have to request the URL twice to get this other request. It is after this second request that you get a query from a Rackspace/Slicehost IP (cloud provider, so it is unlikely Rackspace itself is involved any more than as a Cloud provider) with the same URL (although via HTTP/1.0 instead of 1.1). On a subsequent request, I didn’t see a corresponding one from this IP. Also, when accessing this URL from a different NextG device, I did not see a request from the Rackspace/Slicehost IP block.

If I change the content of the file and try to fetch again, it doesn’t download it anew. This suggests that there is not inspection of the content of what’s coming back from the HTTP server.

The User Agent pretends to be Firefox running on Windows. I have not yet found out anything specific about it.

What can we learn from this?

  1. If you think that putting a URL up and only telling 1 person about it is private you are very, very, very much mistaken
  2. Telstra is quite possibly spying on you, from servers in the USA, which is under a different set of laws than if it was done in Australia.
  3. Telstra is sending what websites you visit on your NextG connection to the USA. If you are at all involved in anything that may make the US government unhappy (e.g. disagreeing with it) this may have interesting implications. Further research is needed as to what exactly
  4. Telstra keeps a record of all URLs as otherwise it could not implement “on the second request”
  5. The iPhone needs Tor more than ever and it needs it on a system level.

Update: I have been pointed to which is an Open Source Web Browser that uses Tor on iOS.