Telstra is facing scrutiny over the way it proposes to stop information it receives under the definitive agreements with NBN Co being leaked to its retail arm.

The incumbent telco lodged its draft information security plan (pdf) and a supporting submission (pdf) with the Australian Competition and Consumer Commission (ACCC) on October 16.

The security plan is one of six "required measures" that Telstra must gain approval for to finalise the migration of customers from its copper and HFC networks to the NBN.

These measures are effectively disconnection processes for which detail was not available at the time the original NBN migration plan was developed and approved.

Telstra is to receive "a range of information that is of potential commercial value" under definitive agreements it holds with NBN Co, "for the purposes of commencement of supply of fibre services or the disconnection of Telstra's copper or HFC services", the ACCC noted.

Rather than leave it to confidentiality clauses in the definitive agreements, Telstra must provide additional certainty to regulators that it won't use this confidential data to get the jump on rivals in marketing retail NBN services to those migrated customers.

The watchdog has raised concerns (pdf) that exclusions proposed by Telstra — relating to information types and possible reasons for disclosure — go far beyond those permitted by the plan.

Backhaul, transit, rack data out

Telstra argues that "information ... which does not specifically relate to connection/disconnection of premises and does not identify the location of such premises or the timing of connection or disconnection" should be exempt.

"Such information includes, for example, backhaul arrangements or reservations of exchange space, information concerning dark fibre links or information contained in the FIRL, Initial Rollout Plan, Overall Rollout Plan and Exchange Access Information, or long term forecasts of NBN Co's infrastructure requirements, specifically in respect of rack space and dark fibre links," the carrier noted.

The FIRL — forecast infrastructure requirements list — includes exchange buildings, rack spaces and other infrastructure provided under the infrastructure services agreement between Telstra and NBN Co.

"Information concerning exchanges and the Transit Network is too far removed from the connection of premises and commencement of supply of fibre services, or disconnection of premises, such that it does not fall within the definition of NBN Co Migration Information as set out in the Migration Plan," Telstra argued in its supporting submission.

However, the ACCC cast doubt on the assertions, arguing that such data would or should be caught by the information security plan.

"The ACCC considers that such information would likely be disclosed by NBN Co to Telstra for the purposes of commencement of supply of fibre services using the NBN Co fibre network, to the extent that the relevant infrastructure enables the supply of NBN fibre services," it said in its discussion paper.

"Further, this information would appear to be of commercial value. For example, information relating to rack space reservations could potentially be used to make a more granular assessment of where and when NBN Co may be intending to commence supply of fibre services.

"This may potentially enable Telstra to engage in more targeted marketing of services than would otherwise be possible if Telstra were solely reliant on the rollout information to be published by NBN Co."

The ACCC sought the views of Telstra's rivals on the "competitive harm" that might be invited by granting each individual information exemption.

Another exemption sought by Telstra is to allow retail personnel access to information concerning the "lead-in conduit access service" data on a case-by-case basis, for "service assurance" purposes.

The ACCC questioned if this was consistent with the stated aim of the security plan, which is to prevent such information finding its way into Telstra Retail's hands.

Stamping out subjectivity

The watchdog also warned Telstra over the loose language of the section of the security plan that relates to who among the incumbent's staff might be permitted access to confidential NBN information.

Access to the data would be granted to personnel where it was considered "reasonably necessary ... to perform their duties effectively".

The telco noted a series of examples, using the word "including", which did not overly impress the ACCC.

"These duties do not appear to be exhaustive due to the use of the word 'including'. Further, the phrase 'reasonably necessary in order ... to perform their duties effectively' introduces some uncertainty into the scope of the permitted use and disclosure," the ACCC noted.

"These subjective qualifiers reduce the strength of the commitment and may permit non-compliance.

"As a general rule, the ACCC prefers objective compliance measures to ensure compliance can be readily monitored and assured."

Other concerns

Of the technical architecture that would manage access to NBN Co-supplied data and prevent inappropriate disclosure, Telstra provided few details other than to say the approach it took would be "systems-based" and involve multiple authentication layers.

The ACCC sought comment on whether the level of detail was enough to satisfy Telstra's compliance obligations.

In the interim, while the IT systems are stood up, Telstra proposes setting up an internal 'NBN Interface Group', which would effectively act as the "primary 'gatekeeper' for an NBN Co migration information supplied to Telstra".