It’s a tinfoil tale of international intrigue.
Australia’s biggest telecommunications company was compiling a list of websites for a new online safety tool intended for children. When a Next G user went to a website, and if that website had not been encountered before, a secondary request from a server in the US was issued to the website’s root.
“The new cyber safety tool was designed to allow adults to choose the website categories kids in their care can access on their mobile phone. The website addresses were being collected to allow parents to specify the website categories kids can … In order for this product to work accurately, we needed to classify internet sites, based on the content they hold,” wrote Danielle Horan, Telstra’s head of online and social media.
The problem with this approach was that users were unaware that this was happening, and that the data was going to a Canadian company’s servers, based in the United States.
The issue first appeared on the Whirlpool forums at the start of last week. But the furore really kicked into gear when it reached the Australian Network Operators Group, where the secondary tracking request was pinned down to Rackspace.
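How a site operator could spot this kind of secondary request in their own access logs, as an added example that is not from the article or the operators' discussion. The simplified log format, hostnames, IP addresses, the five-second window and the two-host threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: host, client IP, timestamp, request (documentation IP ranges).
SAMPLE_LOG = """\
a.example 203.0.113.10 [25/Jun/2012:10:00:01 +1000] "GET /news/story.html"
a.example 198.51.100.7 [25/Jun/2012:10:00:03 +1000] "GET /"
b.example 203.0.113.44 [25/Jun/2012:10:05:10 +1000] "GET /shop/item"
b.example 198.51.100.7 [25/Jun/2012:10:05:12 +1000] "GET /"
a.example 203.0.113.10 [25/Jun/2012:10:09:00 +1000] "GET /"
c.example 203.0.113.44 [25/Jun/2012:11:30:00 +1000] "GET /page"
c.example 192.0.2.99 [25/Jun/2012:11:30:02 +1000] "GET /"
"""

LINE = re.compile(r'(\S+) (\S+) \[([^\]]+)\] "GET (\S+)"')

def parse(log):
    """Yield (timestamp, host, ip, path) for each line in the constructed format."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group(1), m.group(2), m.group(4)

def find_root_followers(log, window_s=5, min_hosts=2):
    """Map each IP that fetched "/" within window_s seconds of a *different*
    client's request to the same host, on at least min_hosts distinct hosts,
    to the sorted list of those hosts."""
    events = sorted(parse(log))
    hosts_followed = defaultdict(set)
    for i, (ts, host, ip, path) in enumerate(events):
        if path != "/":
            continue
        # Walk backwards through earlier requests that fall inside the window.
        for pts, phost, pip, _ in reversed(events[:i]):
            if ts - pts > timedelta(seconds=window_s):
                break
            if phost == host and pip != ip:
                hosts_followed[ip].add(host)
                break
    return {ip: sorted(h) for ip, h in hosts_followed.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for ip, hosts in find_root_followers(SAMPLE_LOG).items():
        print(f"{ip} fetched / shortly after another client on: {', '.join(hosts)}")
```

Requiring the pattern on more than one host filters out a single coincidental visitor, such as the lone follow-up on `c.example` in the sample.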
Although Telstra stressed that the data was made anonymous, the data was being handled in the US by Netsweeper, a company that allegedly provides censorship software to Middle Eastern governments.
It sparked a maelstrom of criticism, which was succinctly summed up in this open letter by network engineer Mark Newton.
Telstra hastily updated its terms and conditions yesterday; at the time of writing, they had reverted to a version dated 19 June 2012 that did not include the added Section 27. The quality of the writing was summed up by:
27.9: “Nominiate”. Geez, how rushed was this? Twitter receives better proofreading than Telstra’s Smart Controls T&Cs.
— Mark Newton (@NewtonMark) June 26, 2012
By today, Telstra had decided that it would end the collection.
“We’ve made this decision as part of our acknowledgement that more consultation was needed before launching this service,” said the company.
The Privacy Commissioner told ZDNet Australia that it is making inquiries with Telstra about the issue, but would not say whether an investigation will be launched.
And, so it seems, this saga is at an end.
The outpouring of scorn towards the telco over the past few days should serve as a warning on managing user trust and moving data across international jurisdictions.
As Greens senator Scott Ludlam told SC Magazine: “It is potentially problematic. Anything in the US is subject to the Patriot Act, even if the data is anonymised, or sent as batches.”
This means that tracking data that originated in Australia, from a request for an Australian site located in an Australian datacentre and carried on an Australian carrier, is now subject to uniquely American laws, such as the Patriot Act.
As a Telstra user, it is a concern knowing that any part of my web history, however anonymised it may be, is now subject to the provisions of the Patriot Act, or any other US law.
However noble Telstra’s intentions were in this matter, users should have been notified of the tracking and given the option to opt in if they wished to participate, and the tracking data should have been kept solely within the legal auspices of Australia.