The Age (Fairfax) picks up on Telstra NextG ‘stalking’

http://www.theage.com.au/technology/technology-news/telstra-accused-of-next-g-web-stalking-20120705-21ivs.html

It took a while, but it’s there. There is a mention of Netsweeper and that they provide products and services to Yemen, Qatar and the United Arab Emirates but it misses what these products are really for.

Not a good week for Telstra and privacy

The Office of the Australian Information Commissioner just posted this: http://www.oaic.gov.au/news/media_releases/media_release_120629_telstra_breaches_privacy_act.html

This isn’t to do with what I’ve posted about here the past few days, but to do with an incident back in December 2011. The details of  734,000 customers were available publicly on the Internet.

Details exposed include:

  • Name
  • phone numbers
  • Services held
  • free text field (where information such as username, password, email or other information could be recorded)

The ACMA report says that up to 41,000 customers had their user names and passwords exposed.

So… who had access? I quote from the ACMA report:

Between 3 June 2011 and 8 December 2011, the Visibility Tool received 108 access requests per day from unrecognised IP addresses (IP addresses that cannot be conclusively identified as Telstra IP addresses). On the day of the media publication, this number increased to 20,498 access requests.

The information was available from 29th March 2011 through 9th December 2011 with from a date in October it being easier to access (via a google search).

Unfortunately this is yet another case of internal procedures failing and being inadequate and only when the issue was raised publicly (in Whirlpool and the media) was it swiftly fixed.

It can be hard for a person inside a company to speak up, continue to speak up and be an asshole on these issues. It’s just human nature and after all, annoying your boss isn’t what everybody wants to do all day at work. I hope that the improvements that Telstra has committed to as a result of this investigation make it easier for people to raise such problems and ensure they are resolved.

Achieving things inside large companies can be incredibly hard. I have sometimes felt I’ve had more success trying to convince a dead seal to go for a walk than to get a large company to fix something that’s obviously broken (and everybody knows it). Undoubtedly there were people inside Telstra who knew about the problem yet felt powerless to force a fix to happen. This kind of culture is poisonous and tricky to avoid in a large organisation.

Both ACMA (Australian Communications) and OAIC have full reports:

If we are extrapolate out for the latest incident (NextG and Netsweeper) we could expect:

  • Telstra Incident report in ~2 months
  • If ACMA or OAIC take action, a report in ~6months

 

Telstra has a database of your NextG web activity

So, in what must be my biggest blog day ever, Telstra posted this: http://exchange.telstra.com.au/2012/06/28/further-update-telstra-smart-controls-cyber-safety-tool/

What is clear from their previous post and the pickup in the media (including ABC, Crikey and news.com.au) is that people care about this, a lot.

What is also clear is that they’ve had to go and talk to the Privacy Commissioner, the Australian Communication and Media Authority, the Telecommunications Industry Ombudsman and the Australian Communications Consumer Action Network.

I’d like to thank Senator Ludlam for raising this with Telstra government affairs which without a doubt helped raise the profile of this issue.

There are a couple of issues with Telstra’s updated statement:

  1. They admit to constructing a database with your full query string and IP address
  2. They don’t address the moral issue of being involved with a company so involved in curtailing human rights (Netsweeper).
  3. Just stripping out the query string doesn’t erase all personal information

I don’t think we can ignore any of these problems, and I hope we get good responses and resolutions to them.

The significance of point 1 should not be understated. This means that some people, somewhere, have access to a decent amount of your browsing history. There is no details on who has access to this (hint: law enforcement could probably request it). There is also no explanation about why this was applied to everyone.

Update: after rereading their blog post, at best I can say it’s ambiguous on if they stored this or not. One sentence implies that they do, another implies that they don’t. Clarification would be most welcome, and given the history so far, we should not assume the best.

Personally, I’m really disappointed in Telstra for at any point thinking it’s okay to finance human rights abuses. I’m also really disappointed in world governments for permitting the sale of such software to those who use it to oppress their people. We should be in the business of exporting freedom and democracy, not exporting tyranny and oppression.

If you have a NextG handset, I strongly suggest the following:

Telstra stops tracking, still supporting Netsweeper

http://www.zdnet.com.au/telstra-halts-customer-tracking-339340404.htm

The big news:

“We are stopping all collection of website addresses for the development of this new product,” Telstra said in a statement.

This does not change their association (and presumed financial support) of Netsweeper, helping make its technology affordable to its government customers who use it to suppress free speech and access to information.

See also:

Telstra funding censorship in Middle East

This post inspired by https://twitter.com/BernardKeane/status/217535549731389440

So, we know that Netsweeper is used by Telstra – http://www.zdnet.com.au/telstra-logs-customer-history-for-new-filter-339340337.htm

We know that Netsweeper is used in Qatar, the UAE and Yemen ( http://en.wikipedia.org/wiki/Internet_censorship – see also http://www.guelphmercury.com/news/local/article/577673–aiding-repression-or-just-doing-business ) and these states use it to suppress free speech and access to information.

The majority of countries that implement suppression of free speech on the internet could not afford the high cost of developing such software. The only thing that makes it possible is the subsidies from companies in the free world. With Telstra using Netsweeper, they directly contribute to the development costs of this software.

In years gone past free speech was suppressed by members of secret police and guns. Now you can do a lot of that with software. Software that is made affordable because the development costs are shared with companies such as Telstra.

See also my last two posts on the topic:

An update on Telstra’s surveillance of what you do online

http://www.scmagazine.com.au/News/306441,telstra-tracks-users-to-build-web-filter.aspx

I’d suggest going and reading: http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/ to learn a bit about anonymization failures.

What we know:

  1. Telstra has the ability to monitor every URL you visit on a NextG connection
  2. Telstra is, in fact, monitoring every URL you visit through your NextG connection and piping that to some computer system that then takes action on it.
  3. None of this was disclosed to customers.
  4. Telstra is building a system for censorship.

What we don’t know:

  1. If this is a violation of any Australian privacy law (I’m not a lawyer)
  2. Who else has access to this “anonymised” data (hellooo US legal system)
  3. What universal surveillance infrastructure they have running

Update: this is a followup from yesterday’s post: http://www.flamingspork.com/blog/2012/06/25/on-telstra-tracking-nextg-http-requests/

On Telstra tracking NextG HTTP requests

http://lists.ausnog.net/pipermail/ausnog/2012-June/013833.html and http://www.scmagazine.com.au/News/305928,telstra-says-its-not-spying-on-users.aspx were recently published saying that Telstra NextG users were seeing some interesting things. (Yes, there’s a Whirlpool post too, but since they block requests from Tor I’m not going to link to them)

Basically, on their servers they were seeing HTTP requests to the same URL as they had just visited with their phone, but from an IP address that certainly wasn’t their phone.

I started to investigate.

I put up a simple HTML page on a standard HTTP server and then got a NextG device to query it. I saw a log that came from a TELSTRA owned block of IPs. I didn’t see any suspicious second request though. Sadness.

Turns out you have to request the URL twice to get this other request. It is after this second request that you get a query from a Rackspace/Slicehost IP (cloud provider, so it is unlikely Rackspace itself is involved any more than as a Cloud provider) with the same URL (although via HTTP/1.0 instead of 1.1). On a subsequent request, I didn’t see a corresponding one from this IP. Also, when accessing this URL from a different NextG device, I did not see a request from the Rackspace/Slicehost IP block.

If I change the content of the file and try to fetch again, it doesn’t download it anew. This suggests that there is not inspection of the content of what’s coming back from the HTTP server.

The User Agent pretends to be Firefox running on Windows. I have not yet found out anything specific about it.

What can we learn from this?

  1. If you think that putting a URL up and only telling 1 person about it is private you are very, very, very much mistaken
  2. Telstra is quite possibly spying on you, from servers in the USA, which is under a different set of laws than if it was done in Australia.
  3. Telstra is sending what websites you visit on your NextG connection to the USA. If you are at all involved in anything that may make the US government unhappy (e.g. disagreeing with it) this may have interesting implications. Further research is needed as to what exactly
  4. Telstra keeps a record of all URLs as otherwise it could not implement “on the second request”
  5. The iPhone needs Tor more than ever and it needs it on a system level.

Update: I have been pointed to http://v3.mike.tig.as/onionbrowser/ which is an Open Source Web Browser that uses Tor on iOS.

Update: http://www.flamingspork.com/blog/2012/06/26/an-update-on-telstras-surveillance-of-what-you-do-online/