Telstra says it has divulged customers' web browsing histories without a warrant.
The federal government has been left red-faced following revelations that law-enforcement agencies have been accessing Australians' web browsing histories without a warrant.
Access to phone and internet data held by telecommunications companies has been the subject of much debate recently, as the government seeks to extend the power of intelligence and law-enforcement agencies to fight terrorism and crime. It has proposed telcos retain customers' metadata for up to two years for investigation.
However, spy agency ASIO and federal police have given assurances that data on what websites Australians visit - known as web history - could only be obtained with warrants.
Now a paper published by the parliamentary library on Monday has revealed an industry practice of providing website addresses (URLs) to law enforcement without warrants.
Telstra confirmed on Tuesday evening it had provided URLs to agencies without a warrant "in rare cases". It did not name the agencies or how many times it provided information.
"The last time we did so was in relation to a life-threatening situation involving a child more than 12 months ago," a Telstra spokeswoman said.
Jaan Murphy, author of the report, said the current regime already appeared to allow for access.
"The current regime for access to metadata arguably allows law enforcement and intelligence agencies to access [Uniform Resource Locators] under the umbrella of 'metadata' (provided the URL does not identify the content of the communication) despite stakeholders holding contradictory perspectives," Murphy wrote.
In the paper, Murphy quotes a little-known submission by Telstra to a previous inquiry which examined, among many things, whether telcos should be required by law to store certain customer data for a period of up to two years.
Telstra's submission indicated that the type of data it had already disclosed to law-enforcement and national security agencies without a warrant included "...(URLs) to the extent they do not identify the content of the communication".
"Industry practice therefore illustrates that URLs are currently provided to law-enforcement and national security agencies without a warrant," Murphy concluded.
A Telstra spokeswoman said despite it divulging URLs in rare instances, the company did "not collect URLs as a normal part of providing customer services".
In further comments published on Telstra's Twitter account, company representatives said it did "not collect and store web browsing history against customer accounts".
In a Senate inquiry discussing comprehensive revisions of the Telecommunications Interception and Access Act last month, outgoing ASIO chief David Irvine said that to gain access to web browsing histories, agencies such as ASIO needed a warrant.
"Web surfing … is not picked up by us and is not regarded by us as metadata; it is regarded as content, and we need to have a warrant for that," Mr Irvine told Senator Scott Ludlam.
The Act requires Telstra to comply with warrantless authorisation requests from law-enforcement agencies for non-content data. Agencies that can access the data include federal, state and territory police, Medicare, Bankstown Council in NSW, WorkSafe Victoria, the RSPCA, the Tax Office, Australia Post, ASIO, ASIC and many others when conducting criminal and financial investigations.
In 2012-13 the Attorney-General's Department reported that such data was accessed 330,640 times, an 11 per cent increase over the previous year and a jump of 31 per cent over two years.
A spokesman for Attorney-General George Brandis declined to comment to Fairfax Media, but told ZDNet that access to URLs should require a warrant.
"Security agencies currently require a warrant to access URLs and this requirement will continue," the spokesman reportedly said.
Earlier this month, the Attorney-General and Prime Minister Tony Abbott said a mandatory data retention regime had been given "in principle" cabinet approval for legislating later this year. They said it was needed to ensure telcos continued to retain data for law-enforcement purposes.
Telstra's contradictory statements and assurance that it doesn't normally collect URLs, but was able to provide them in rare cases, are unlikely to satisfy privacy advocates and civil libertarians.
The Attorney-General's department, which administers the Act, has, over the past month, repeatedly refused to answer Fairfax questions about what constitutes metadata and whether it includes web browsing histories.
Victoria Police and NSW Police have also refused to provide a definition of metadata.
In high-level briefings with intelligence officials in Canberra, journalists were told that web browsing histories did not constitute metadata. Internet surfing history was considered "content". Websites visited were also not metadata, they were told.
Northern Territory Police and Victorian Police have previously lobbied parliament for browsing histories to be stored as part of any data retention regime.
Australian Federal Police Assistant Commissioner and National Manager of high tech crime operations, Neil Gaughan, has also said previously that any data retention regime should include browsing histories, despite deputy commissioner Andrew Colvin recently saying the opposite.
Several Coalition MPs have spoken out about the data retention plan, warning there is a potential for the changes to breach the rights of individuals to privacy.
Prime Minister Abbott's recently appointed Human Rights Commissioner Tim Wilson is also against data retention, as are a number of other civil liberties groups.
Optus said it did not comment on specific data retention practices or law enforcement requests.
"Optus co-operates fully with law enforcement and national security agencies as required by legislation and in accordance with the rules established for access to customer information," an Optus spokeswoman said.
A Vodafone spokeswoman also wouldn't comment, saying instead that the company was "committed to the privacy" of its customers.
"We don’t release any customer data unless required by law," the spokeswoman said.