According to his post, "When I accessed a web page on my server which was un-sourced (meaning the link was not embedded in a web page), an ip address which resolved in the USA accessed the same address seconds after my mobile had. It was very strange so I accessed it again by pushing the refresh button on my phone and the IP from the USA didn't access it a second time."
Over the next few days, threadmark's post was greeted with a mixture of tin-foil-hat type responses, by out-and-out disbelief and by confirmation from a bunch of sufficiently technical salts.
The upshot of the research was this:
Whenever a Telstra 3G or 4G device connected to a web page on the second occasion (presumably to ignore typos on the first visit), a second connection to the same page occurred approximately 250ms later from a US-based server. This server was determined to be in a RackSpace hosting facility in Texas and still later was found to be under the control of a Canadian company called NetSweeper (more about them later). This second request grabbed around 800 bytes of data from the web server before closing the connection.
This behaviour was never seen on Optus or Vodafone-hosted devices, neither was it seen on non-mobile Telstra connections. Additionally, it appears this behaviour was universal for personal Telstra hosted phones, and random on business accounts.
When news that this activity was being observed by users started to percolate through Telstra, a gentle denial was fed to a widely read computer security publication. According to Telstra's most senior PR person Craig Middleton, "there is nothing untoward in what the Whirlpool member has observed - it is a normal network operation".
One wonders why Middleton himself felt the need to address this issue; wouldn't it have been better to have a minion do it?