Telstra’s revised cyber-safety service could (and should) be better

Telstra listened to customer complaints about data privacy, but they could have done more. gailjadehamilton

Telstra’s first attempt to introduce a cyber-safety service for mobile customers in June was a flop of significant proportions.

Customers and concerned members of the public reacted strongly to the collection and offshoring of user data that was part of the “Smart Controls” cyber-safety service and the service was eventually scrapped.

But earlier this week, Telstra representatives apologised for the first version of Smart Controls and announced the service would be re-introduced in late November 2012 following a suite of revisions.

Privacy concerns

The Smart Controls service was originally introduced to help parents ensure their children were only visiting appropriate websites when surfing the net via a mobile phone.

The service allowed parents to block certain web pages, allow access to other pages, manage the amount of time spent online and a number of other options.

Despite these noble aims, there were many concerns about how the service would be implemented, including:

  • data collection for Smart Controls would be compulsory for all Telstra mobile customers
  • Telstra offered no explanation about what data was collected
  • the collected data was sent to a Canadian-based web-content-filtering company, Netsweeper Inc.

It was the last of these that caused the greatest concern, with a thread on the Whirlpool broadband forum addressing these issues given the title “Are Telstra hackers?”

Smart Controls 2.0

The process of checking webpages accessed by Smart Controls users has changed little from the original version to the revised version.

That is, when a customer using the service accesses a webpage via their mobile, Telstra checks the requested website against its database of known websites to see if the site is appropriate for minors or not.

And while this process is the same in the revised version of Smart Controls, there are some subtle changes.

One change is the fact that Telstra is only sending data to Netsweeper Inc. if a website accessed by the customer is not listed in the Telstra database.

That is, if the requested page isn’t in Telstra’s database, it then sends the page request to Netsweeper’s more-extensive database to retrieve the page’s classification.

If the page isn’t in Netsweeper’s database then the target site is assessed using an automated process and, if necessary, by Netsweeper staff. Information about the page’s suitability for minors is then sent to Netsweeper’s and Telstra’s databases.

This is in contrast with the original version in which all mobile phone customer data was sent offshore to Netsweeper, albeit with variables and other extra information stripped from URLs first.

Telstra Smart Controls Process. Source: Telstra

Furthermore, and importantly, the revised Smart Controls service is opt-in. As Peter Symons from Telstra Innovation told me via email:

Telstra has re-engineered the product so that only customers subscribed to Smart Controls have URLs they visit compared with a database of classified sites held by Telstra on Telstra local servers.

If the Telstra database does not recognise the website visited by the Smart Controls subscriber, the URL will be stripped of any parameter information in Australia [e.g. from telstra.com.au/index.html?mydata to telstra.com.au/] and sent to a database managed by Telstra’s technology vendor Netsweeper.

Subscribers to the Smart Controls service will need to consent to these arrangements via the product terms.
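
The lookup order and URL stripping described above can be sketched as follows. This is an added illustration, not Telstra's or Netsweeper's code; the database contents, the function names and the choice to key both databases on the stripped "host/" form are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample classifications; the page does not describe the real data.
LOCAL_DB = {"telstra.com.au/": "allowed"}
VENDOR_DB = {"example-games.test/": "blocked"}

def minimise(url):
    """Reduce a URL to 'host/', matching the before/after example in the email."""
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "//" + url                  # scheme-less input: force host parsing
    host = urlsplit(url).hostname         # drops userinfo and port, lowercases
    if not host:
        raise ValueError("no host in URL")
    return host.rstrip(".") + "/"         # path, query and fragment are discarded

def classify(url, subscribed, offshore_log):
    """Return a classification and record in offshore_log what left the country."""
    if not subscribed:                    # opt-in: non-subscribers are not checked
        return "not-checked"
    key = minimise(url)
    if key in LOCAL_DB:                   # local hit: nothing is sent to the vendor
        return LOCAL_DB[key]
    offshore_log.append(key)              # only the stripped form goes offshore
    verdict = VENDOR_DB.get(key)
    if verdict is None:                   # stand-in for automated or staff review
        return "pending-review"
    LOCAL_DB[key] = verdict               # the result is stored locally as well
    return verdict
```

Inspecting `offshore_log` after a run shows what the vendor would see under this model: bare hostnames of sites missing from the local database, and only for subscribers.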

That’s good, but …

These changes are a step in the right direction but concerns still remain.

Despite requiring customer opt-in, data is still being sent offshore to Netsweeper. Offshoring is a concern because different countries have different privacy laws and US laws are lax compared to Australian privacy laws.

The second concern is the question of what Netsweeper is doing with customers’ information. Is Netsweeper on-selling Telstra customers’ data or information derived from that data?

There is also no explanation offered by Telstra of how Netsweeper is classifying websites.

How is Netsweeper relating websites, content and the legislation concerning what is and what isn’t legal or child-friendly in each country?

Cyber-safety is important

Netsweeper should set up an office in Australia and the three main Australian mobile phone companies (Optus, Telstra and Vodafone) should work together to offer a cyber-safety service that is developed here based on Australian censorship laws.

Companies that have had a website added to the Smart Controls banned list should have the right of appeal – an issue Telstra doesn’t appear to have addressed.

Telstra’s apology for the misstep with the first version of Smart Controls should be accepted and Australians should appreciate that Telstra has worked towards a revised version.

But there are still questions that need to be answered about this service.

Cyber-safety is important and it would be great if Telstra, Optus and Vodafone could work together to build a comprehensive suite of Australian-based cyber-safety services that protect all users.

These services should comply with Australian legislation, society standards and ensure privacy and security are at the forefront of this effort.