Telstra representatives have this week admitted to collecting data for a new internet filtering product and sending this data to the USA office of Netsweeper Inc.
Netsweeper Inc, based near Toronto, Canada, provides web content filtering and web threat management solutions. Web threat management solutions are designed to reduce email and web based threats such as phishing, viruses, malware and include the capability to do content filtering.
Telstra spokeswoman Nicole Mckenzie told the ABC:
"We were trying to classify internet sites as part of a new tool to help parents and kids when they’re surfing the net.”
"[…] Cyberspace safety is a really important issue to address but we’re obviously conscious of individual rights in that as well and we are going to be talking with key industry bodies to determine how next best to proceed.”
Concerns identified by users of the Whirlpool broadband forum, where this Telstra product development was publicly identified – in a thread aptly named "Are Telstra hackers?” – included the lack of notification by Telstra that customers' internet usage would be monitored and that the monitoring would occur from the USA.
It’s worth pointing out in this context that the USA does not have the same level of privacy protection as either Europe or Australia – a point not lost on many of those so far commenting on this development at Telstra.
Basic mistakes made by Telstra include its failure to notify its Next G customers of the work taking place for its "new internet filtering product” and its failure to invite customers to take part in a development trial.
The Telstra boo-boo will raise a few hackles and ultimately could lead to a Telstra apology to the customers concerned. But will the company’s offshore development effort end? Probably not – and this will mean more data from Australian customers being sent to the US.
Nicole McKenzie of Telstra stated: "We were trying to classify internet sites as part of a new tool to help parents and kids when they’re surfing the net.” Currently Telstra utilises the Nominum Domain Name Server solution for ensuring family safety online.
So why is the company working with Netsweeper – a company known for content filtering – to develop a new family safety product?
Current family internet safety systems rely upon static lists of banned webpages. The webpage blacklists are published by organisations such as Interpol.
What is different is the way the new application appears to work.
When a targeted Next G customer browses a webpage the IP is sent to a server in the USA which then immediately browses the same webpage. The purpose of the activity is apparently to identify the webpage and ultimately to identify those pages that should be blocked.
What we can identify about this new system is that it is not just blocking access to blacklisted webpages but includes individual customer tracking and appears to be near real-time testing of the webpages accessed.
Why? One possibility is that a simple test is being carried out to see if the webpage exists. This would be a useful step that would be carried out to ensure the webpage in question still exists before blocking further access to the it. But that’s unlikely to be the only reason.
It seems more likely what we’re seeing is the first step in a new system that will ultimately:
1) identify customers
2) track their browsing
3) send the IP addresses of the webpages browsed to a separate application server for further processing
It has been confirmed by Mark Newton, formerly a senior engineer with Australian internet company Internode, that the application server, upon receiving the details of a webpage, proceeds to browse the same webpage.
Given the purpose of this automated visit to the webpage has not, as yet, been explained by Telstra, I will speculate. In doing so, I am not suggesting this is what Telstra is doing – simply what could be possible in a similar scenario.
The next step
The next step of this type of product development could be an automated process that utilises deep packet inspection techniques.
Deep packet inspection is an automated process that captures copies of IP packets and identifies what’s inside them as they move across the internet. Assuming the content is not encrypted, the deep packet inspection system will identify what is in the packet in some detail.
The individual that accessed any given webpage would be known and the authorities could be notified whenever deemed appropriate.
Technology is now rapidly reaching a point where real-time internet tracking and traffic data mining will be carried out by carriers, Internet Service Providers and multi-national website providers.
This information gained is the Holy Grail for companies offering services over the internet and will become a major source of revenue for carriers and ISPs.
Behavioural-targeted advertising is the technologies, techniques and processes involved in providing advertising that has been tailored to individual customers.
The focus for behavioural-targeted advertising products has been multinational website providers. Information is collected every time a person accesses a website or carries out a search and this information is used to develop a behavioural targeted advertising strategy for the customer.
The customer is identified by his or her IP address, which for most residential and business customers does not change often – but mobile device users have a different IP address every time the device is used. The only way a website provider can link such a device to its user is with the help of cookies or the carrier/ISP because it is they who can identify the IP, the device and subsequently the owner.
Circumventing the Privacy Act
In Australia the Privacy Act places limits on the way information can be gathered and sold.
The RSPs will differentiate themselves by bundling products and seeking ways to tap into the large revenue stream that can be generated by providing data that can be used for behavioural-targeted advertising.
Targeted marketing by online advertisers in the USA will rise to more than US$2.6 billion in 2014. The value to Australian RSPs could be in the range of A$10 million to more than A$100 million annually.
RSPs may start looking for ways to appear to comply with, yet subtly circumvent the Privacy Act. Mel Gibson played Jerry Fletcher in Conspiracy Theory and I can hear him now saying: "Rumours are that this process may have already started.”
Is this what Telstra is really doing? Surely not.
But let’s be clear: a real-time customer computer or mobile device tracking and webpage monitoring system incorporating deep packet inspection that was developed as an improved new family safety product could quite readily be adapted for use as a real-time data mining system that would provide information that could be used by behavioural targeted advertising systems.
It is important that Telstra be asked to explain in some detail.
It is also time that all carriers and ISPs be required to disclose to customers all filtering, proxy servers or data mining products being used and commercial arrangements with all third-party companies that may be involved in the provision of these services or may be paying for information retrieved from these products.
How do we slow down the advance of behavioural-targeted advertising and the associated tracking of what we do on the internet? A few suggestions:
1. Ban carriers, ISPs and NBN Co from having systems that carry out tracking, monitoring, filtering real time data mining etcetera. But, while such a ban is possible, carriers, ISPs and NBN Co are required to provide this capability to police and therefore the capability would always be within the organisation. Naturally, it would be difficult to monitor and ensure the capability was not used for non-police related purposes.
2. Stipulate that all websites and mail systems are to use Secure Socket Layer (SSL) encryption, which would effectively defeat existing deep packet inspection systems. A side benefit is that by utilising SSL between mail servers and when connecting to a mail server it is possible to reduce SPAM.
3. Utilise Virtual Private Network (VPN) connections to defeat existing deep packet inspection systems. VPN provides a point-to-point encrypted traffic tunnel.
'Big Brother' is watching
One aspect of this is governments wanting to reduce cybercrime and terrorism. Recently the UK government announced that, under new legislation to be introduced soon, it will be able to monitor calls, email, SMS and website visits.
As anticipated, civil liberties groups have come out hard against the British government’s announcement.
"This is an unprecedented step that will see Britain adopt the same kind of surveillance seen in China and Iran. This is an absolute attack on privacy online and it is far from clear this will actually improve public safety, while adding significant costs to internet businesses.”
There is an urgent need for the government to update the Privacy Act and to fully consider the impact of the rapid technology change that is driving the internet.
In the interim, Telstra has some explaining to do.
The Australian Communications and Media Authority should carry out an inquiry into this matter and publish a report on exactly what the state of tracking, monitoring and data mining is within Australian carriers and ISPs.