Telstra shares browsing history with ASIO under current scheme

While industry, privacy advocates and policymakers are divided on whether mandatory data retention should include URLs in its scope, it has been revealed that Telstra has already been disclosing browsing history to law enforcement and security agencies under current legislation.

The debate over URLs has hinged on whether these web addresses constitute metadata -- that is data that provides details on digital communications (as is the case with dates, times or location of access) -- or whether they in fact go further and reveal the content of a communication.

Prime Minister Tony Abbott and Attorney-General George Brandis have both previously indicated that this information would be swept up as part of mandatory data retention policies, with policy architect George Brandis saying "what will be caught is the web address [Australians] communicate to".

However, Communications Minister Malcolm Turnbull sought to clarify the debate and contradicted these comments saying that "security agencies are not seeking that the Government require telcos to keep a record of your browsing history".

Despite this, a document from the Parliamentary Library, reported by CNET sister publication ZDNet, outlines that telcos have already been providing warrant-less access to this information for the government under current access schemes.

Report author Jaan Murphy provides background on the metadata debate, before adding that disclosure of metadata is already industry practice and that "URLs are currently provided to law enforcement and national security agencies without a warrant".

Murphy outlines that, during the 2012 Parliamentary Joint Committee on Intelligence and Security inquiry into national security legislation "Telstra indicated the type of data it had actually disclosed to law enforcement and national security agencies included '(URLs) to the extent they do not identify the content of the communication'".

As part of the inquiry, Telstra advised this information was being provided to ASIO and law enforcement agencies under the requirements of the Telecommunications (Interception and Access) Act 1979. These sections of the act allow access to ASIO and "to an enforcement agency...for the enforcement of criminal law; or law imposing a pecuniary penalty or for the protection of public revenue".

Speaking at the inquiry [PDF], Darren Kane, Telstra director of corporate security and investigations said Telstra "had a long commitment to work with agencies that, as per the act, are lawfully allowed to access the data".

"There are a large number of agencies or owner codes that we provide information to. It would be more helpful if that were simplified," he said.

Speaking to CNET, a Telstra spokesperson said the provider was complying with its obligations under existing legislation in providing URL metadata.

Like all telecommunications companies that provide services in Australia, we are required by law to assist Australian Government agencies for defined purposes, such as investigating and solving crimes.

Part of our obligation is to act on requests under law for our customer information and carriage service records, and warrants for communications travelling over or held in our network. We only disclose customer information in accordance with the law and we assess any request for information to ensure it complies with the law.

We do not collect and store web browsing history against individual customer accounts.

As the Comms [Communications] Alliance has said, industry welcomes the clarity provided by the Government that web browsing history is not part of the proposal currently being developed.

Update, 4:30 p.m. AEST: Included comments from Telstra.