Categories
Privacy

AT&T aided NSA in spying on a massive scale: reports

Thanks to Edward Snowden and reporters at the Times and ProPublica, we now know that AT&T likely handed over to the National Security Agency billions of cellphone calling records over roughly two years beginning in August 2011.

According to documents reported Saturday by the Times, AT&T gave the NSA as many as 1.8 billion sets of data each day about who people called, when and for how long. Though Verizon, also provided the NSA access to similar metadata, AT&T appears to have been a partner without peer. According to ProPublica:

“While it has long been known that American telecommunications companies work closely with the spy agency, the documents we’ve published show that the relationship with AT&T has been considered unique and especially productive. One document described it as “highly collaborative” and another lauded the company’s “extreme willingness to help.”

It appears the calling records allowed intelligence agencies to run queries, relying on orders issued by a court pursuant to the Foreign Intelligence Surveillance Act, on calls that originated overseas but passed across AT&T’s network. In addition, the company reportedly gave the NSA billions of emails that flowed across its network in the dozen years that followed the 9/11 attacks.

AT&T also provided the NSA with access to high-capacity broadband lines that serve the United Nations in New York, according to the documents.

“We do not voluntarily provide information to any investigating authorities other than if a person’s life is in danger and time is of the essence,” Brad Burns, an AT&T spokesman, told ProPublica without elaborating.

Categories
Law Privacy

Phone companies should not be required to store call data, privacy advocates say

A federal rule that orders phone companies to retain records of calls for a year-and-a-half disregards the privacy of millions of Americans, according to a coalition of civil liberties groups that is asking the Federal Communications Commission to rescind the requirement.

As currently configured, the mandate that carriers hold for 18 months the name, address and telephone number of callers, along with numbers called and the dates, times and length of each call exposes consumers to data breaches, thwarts innovation and does little to aid law enforcement, according to a petition filed Tuesday with the FCC by the Electronic Privacy Information Center (EPIC) on behalf of itself and 28 organizations.

The retention requirement makes little sense in an age when phone companies bill customers for unlimited or non-measured calling, compared with a time when companies itemized calls, according to EPIC, which contends that requiring companies to keep such records in bulk results in retention of information about nearly all American adults regardless of whether the government suspects them of wrongdoing.

“These telephone records not only show who consumers call and when, but can also reveal intimate details about consumers’ daily lives,” wrote Marc Rotenberg, EPIC’s president. “These records reveal close contacts and associates, and confidential relationships between individuals and their attorneys, doctors, or elected representatives.”

According to EPIC, the FCC proposed 30 years ago to eliminate the record keeping entirely before the Department of Justice asked the FCC to extend the retention period to 18 from six months, contending that retaining phone records aided investigation and prosecution of criminal conspiracies. But the value of the records has eroded as billing has changed, charges EPIC, which notes that DOJ conceded as much in comments filed with the FCC in 2006. Further, law enforcement agencies still could request that records be retained in connection with investigations, said EPIC.

Retaining calling records also amplifies the risk of data breaches, such as the one recently at the Office of Personnel Management, according to EPIC. “The best strategy to reduce the risk of an attack and to minimize the harm when such attacks do occur is to collect less sensitive information at the outset,” the petition notes.

Discontinuing the requirement that carriers retain call records for 18 months would lower the cost of record keeping and allow phone companies to compete for customers on basis of privacy, “which many believe is the market-based solution to the enormous privacy challenge confronting the nation today,” Rotenberg added.

The FCC declined to comment on the petition.

Revisions last spring to post-9/11 surveillance laws ended bulk collection of phone call metadata by the government. Under the terms of the USA Freedom Act, the National Security Agency can obtain such information from phone companies if authorized by the Foreign Intelligence Surveillance Court. But the act does not require phone companies to collect or store metadata.

Categories
Law

NSA phone records case shows the power of standing

Like many things, legal arguments can have an elegance about them.

Look no further than the arguments advanced by the plaintiffs in the lawsuit that led a federal appeals court to rule last week that the government’s collection of information about the telephone calls of Americans violates the USA Patriot Act.

The decision, which was reported widely, marks the first time an appeals court has declared the surveillance program that the National Security Agency has used to harvest telephone numbers and other details of calls made or received in the US for at least the past nine years to be illegal.

Besides invalidating the bulk collection of so-called metadata, the decision reveals some terrific lawyering by the American Civil Liberties Union, which filed the lawsuit on June 11, 2013, six days after The Guardian, reporting on leaks by former government contractor Edward Snowden, published an order from the FBI to Verizon directing the company to hand over metadata for all calls on its network that either began or ended in the US.

Under the Constitution, federal courts only have the power to resolve actual disputes between real parties. Thus, to sue, a plaintiff must show a concrete personal stake in the outcome of the case, a requirement known as standing. It’s not enough to dislike a law. You have to show injury.

For its lawsuit, the ACLU needed a Verizon customer whose phone records had been collected by the government. A customer who might claim that the government’s collecting his or her phone records harmed the plaintiff in some way. For that, the ACLU looked no further than its own offices.

As the ACLU charged in court papers, the organization was itself a customer of Verizon, which provided the ACLU with landline, Internet and wireless services throughout the period covered by the order. The NSA’s harvesting of the ACLU’s metadata exceeded the government’s authority and constituted a seizure in violation of the Fourth Amendment, the group charged.

In court papers, the ACLU described its standing as follows:

The information collected includes plaintiffs’ numbers, the numbers of their contacts, the time and duration of every single call they placed or received, and the location of plaintiffs and their contacts when talking on mobile phones. This information could readily be used to identify those who contact plaintiff for legal assistance or to report human-rights or civil liberties violations, as well as those whom plaintiffs contact in connection with their work. The fact that the government is collecting this information is likely to have a chilling effect on people who would otherwise contact plaintiff.

In other words, the ACLU communicates with people about matters that are sensitive or privileged and who depend, as the group noted, “on their ability to keep even the facts of their discussions” with the ACLU confidential.

The trial court determined that the ACLU had standing to file the lawsuit.

On appeal, the government took issue with the ruling, charging that the ACLU had failed to demonstrate that the NSA had reviewed any of the metadata collected from the group. Thus, the government charged, the ACLU had failed to allege an injury sufficiently concrete to support standing.

The US Court of Appeals for the 2nd Circuit disagreed, noting that the ACLU had alleged injury from the very collection of metadata, regardless whether the government reviewed the information.

“Whether or not such claims prevail on the merits, appellants surely have standing to allege injury from the collection, and maintenance in a government database, of records relating to them,” wrote US Circuit Judge Gerard Lynch for the majority. “Appellants’ records (among those of numerous others) have been targeted for seizure by the government; the government has used the challenged statute to effect that seizure; the orders have been approved by the [Foreign Intelligence Surveillance Court]; and the records have been collected.”

The appeals court observed that the government admitted that when it searches its database its computers search all of the information stored in it. That means the government searches the ACLU’s records, which are among the millions of records stored in the database, electronically.

Finally, the court noted that the ACLU also had standing to challenge a violation of its right to freedom of association guaranteed by the First Amendment. As the court observed, the government’s forcing a group that’s engaged in advocating for the civil liberties of its membership to disclose its members can itself violate the right to associate freely.

“When the government collects appellants’ metadata, appellants’ members interests in keeping their associations and contacts private are implicated, and any potential ‘chilling effect’ is created at that point,” Lynch added.