To: privacy@online.telstra.com
From: Mark Newton
Subject: Clickstream privacy

Hi. I'm a Telstra customer, a subscriber to your NextG Prepaid Plan for iPad.

I have noticed that if I use the NextG service to visit web URLs which have not been published to any third party whatsoever, my web server accumulates hits from a cloud provider hosted by Rackspace, Inc in Chicago, Illinois.

I have created unique test URLs for the specific purpose of testing this behaviour to confirm it.

For example: a visit to "http://my-server/13uf2n232.html" yields this hit from my iPad:

    149.135.145.71 - - [25/Jun/2012:17:24:59 +0930] "GET /13uf2n232.html HTTP/1.1" 200 736 "-" "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"

and, approximately 250 milliseconds later, this hit from 50.57.104.33 in Chicago:

    50.57.104.33 - - [25/Jun/2012:17:25:00 +0930] "GET /13uf2n232.html HTTP/1.0" 200 736 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"

It is abundantly clear that data regarding URLs I have visited using my NextG service are being sent to an offshore third-party. Chicago is not within Australian jurisdiction, so the Commonwealth Privacy Act clearly does not control how that third party treats my private data. It is being provided to them without any legal protections at all.

According to the Privacy Act, Telstra is required to inform me about the following items:

* the purpose for which (you) are collecting (my) personal information
* how (you) are going to use it
* who (you) are going to give it to
* how (I) can access and correct the information (you) hold about (me)

(adapted from http://privacy.gov.au/individuals/business)

So, with that in mind:

* I would like you to tell me why you are sending my private clickstream data to a third party in the United States
* I would like you to tell me how that third party is using my data, including detailed information about any protections that are in place to prevent that third party from using my data in ways I do not approve, or in ways which would contravene the Privacy Act if the third party was located inside Australian jurisdiction
* I would like you to identify the third party.
* I would like you to tell me how I can establish, in detail, exactly what information you have provided to them, so that I can ascertain whether it is accurate.

Your immediate cooperation will mitigate against the likelihood of a formal complaint to the Commonwealth Privacy Commissioner.

Thanks and regards,

  - Mark Newton
    PO Box 8138
    Station Arcade SA 5000
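
The log correlation described in the email above, as an added example that is not part of the original message: it scans combined-format access logs for a never-published URL that a second client IP fetches within a few seconds of the first visitor. The names find_shadow_fetches and SAMPLE_LOG and the 5-second window are assumptions made for illustration; the first two sample lines are the ones quoted in the email and the last two are constructed controls.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format, as used by the lines in the email.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# First two lines are quoted from the email; the last two are constructed controls.
SAMPLE_LOG = [
    '149.135.145.71 - - [25/Jun/2012:17:24:59 +0930] "GET /13uf2n232.html HTTP/1.1" 200 736 "-" "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"',
    '50.57.104.33 - - [25/Jun/2012:17:25:00 +0930] "GET /13uf2n232.html HTTP/1.0" 200 736 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"',
    '149.135.145.71 - - [25/Jun/2012:17:30:12 +0930] "GET /control-page.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X)"',
    '203.0.113.9 - - [25/Jun/2012:19:00:00 +0930] "GET /13uf2n232.html HTTP/1.1" 200 736 "-" "ExampleBot/1.0"',
]

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_shadow_fetches(lines, window_seconds=5):
    """Return (first, follower) pairs: same path, different IP, follower inside the window."""
    recs = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    first_seen = {}   # path -> earliest request for that path
    pairs = []
    for r in recs:
        first = first_seen.setdefault(r["path"], r)
        if first is r:
            continue  # this request is the first visit to the path
        if r["ip"] != first["ip"] and r["ts"] - first["ts"] <= timedelta(seconds=window_seconds):
            pairs.append((first, r))
    return pairs

if __name__ == "__main__":
    for first, follower in find_shadow_fetches(SAMPLE_LOG):
        delta = (follower["ts"] - first["ts"]).total_seconds()
        print(f'{first["path"]}: {first["ip"]} then {follower["ip"]} after {delta:.0f}s ({follower["ua"]})')
```

Access-log timestamps have one-second resolution, so the two hits in the email appear one second apart here; sub-second gaps need a log format with finer timestamps.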