Telstra confirmed on Tuesday evening it had provided URLs to agencies without a warrant "in rare cases". It did not name the agencies or how many times it provided information. "The last time we did so was in relation to a life-threatening situation involving a child more than 12 months ago," a Telstra spokeswoman said. Jaan Murphy, author of the report, said the current regime already appeared to allow for access. "The current regime for access to metadata arguably allows law enforcement and intelligence agencies to access [Uniform Resource Locators] under the umbrella of 'metadata' (provided the URL does not identify the content of the communication) despite stakeholders holding contradictory perspectives," Murphy wrote. In the paper, Murphy quotes a little-known submission by Telstra to a previous inquiry which examined, among many things, whether telcos should be required by law to store certain customer data for a period of up to two years.

Telstra's submission indicated that the type of data it had already disclosed to law-enforcement and national security agencies without a warrant included "...(URLs) to the extent they do not identify the content of the communication". "Industry practice therefore illustrates that URLs are currently provided to law-enforcement and national security agencies without a warrant," Murphy concluded. A Telstra spokewsoman said despite it divulging URLs in rare instances, the company did "not collect URLs as a normal part of providing customer services". In further comments published on Telstra's Twitter account, company representatives said it did "not collect and store web browsing history against customer accounts". "We welcome the clarity from government that browsing history is not part of the current proposal," Telstra added in two subsequent tweets, referring to the controversial data retention proposal.

In a Senate inquiry discussing comprehensive revisions of the Telecommunications Interception and Access Act last month, outgoing ASIO chief David Irvine said to gain access to web browsing histories agencies such as ASIO needed a warrant. "Web surfing … is not picked up by us and is not regarded by us as metadata; it is regarded as content, and we need to have a warrant for that," Mr Irvine told Senator Scott Ludlam. The Act requires Telstra comply with warrantless authorisation requests from law-enforcement agencies for non-content data. Agencies that can access the data include federal, state and territory police, Medicare, Bankstown Council in NSW, WorkSafe Victoria, the RSPCA, the Tax Office, Australia Post, ASIO, ASIC and many others when conducting criminal and financial investigations. In 2012-13 the Attorney-General's Department reported that such data was accessed 330,640 times, an 11 per cent increass over the previous year and a jump of 31 per cent over two years. told ZDNet

"Security agencies currently require a warrant to access URLs and this requirement will continue," the spokesman reportedly said. Earlier this month, the Attorney-General and Prime Minister Tony Abbott said a mandatory data retention regime had been given "in principle" cabinet approval for legislating later this year. They said it was needed to ensure telcos continued to retain data for law-enforcement purposes. But both have struggled to explain exactly what data would be retained under the regime, although Communications Minister Malcolm Turnbull has explicitly ruled out web browsing histories. Telstra's contradictory statements and assurance that it doesn't normally collect URLs, but was able to provide them in rare cases, is unlikely to satisfy privacy advocates and civil libertarians. The Attorney-General's department, which administers the Act, has, over the past month, repeatedly refused to answer Fairfax questions about what constitutes metadata and whether it includes web browsing histories.

Prime Minister Abbott's recently appointed Human Rights Commissioner Tim Wilson is also against data retention, as are a number of other civil liberties groups. Optus said it did not comment on specific data retention practices or law enforcement requests. "Optus co-operates fully with law enforcement and national security agencies as required by legislation and in accordance with the rules established for access to customer information," an Optus spokeswoman said. A Vodafone spokeswoman also wouldn't comment, saying instead that the company was "committed to the privacy" of its customers. "We don’t release any customer data unless required by law," the spokeswoman said.

Vodafone's privacy policy was recently updated to include the fact it collected "the websites you visit and the online searches you perform".