By now, we're pretty familiar with the court procedures that let law enforcement agencies request telephone metadata from large companies like Verizon and AT&T. You go to a secret panel of judges, ask for permission, and so long as the intelligence judges agree, you can seize phone records in bulk from the telcos.
But it now appears that the CIA — which, to be clear, is not a domestic law enforcement agency — may have been giving AT&T as much as $10 million a year in exchange for its customer records, according to the New York Times.
Is this legal?
To sort that out, it helps to understand how this differs from the process involving the Foreign Intelligence Surveillance Court. For one thing, we're talking about the CIA, which is not allowed to spy on U.S. citizens living in the United States. At least that much seems above board in this case — AT&T doesn't appear to be handing over American phone numbers in full but rather partially obscuring them from the CIA so that only several digits remain visible.
Under normal circumstances, when a company complies with a data request from the FISA court, the government must by law reimburse the business for the costs of retrieving and submitting the data. Tech companies such as Microsoft have said they comply with the requests because they have to, not because they get paid for it. But that's not what appears to be happening here. The CIA and AT&T are engaged in what's essentially a business deal, not a court proceeding.
While the CIA doesn't seem to be breaking any rules about surveillance, there is another set of rules that could potentially apply to these transactions.
Based solely on this article, it would appear AT&T violated the CPNI rules by giving data to the CIA. http://t.co/rFwT9XFexN
— haroldfeld (@haroldfeld) November 7, 2013
Every telecom operator is governed by regulations on CPNI, or customer proprietary network information. Under the law, phone companies must protect their records from third parties. A telco can release this information only in the course of providing regular telephone service, when a customer asks for the data to be given out, or when the recipient of the information is another communications provider.
There are some exceptions, but none of them cite national security. The closest we ever get is when the law permits phone companies to give out CPNI to "database management services," but only in the context of emergency first response.
The law's definition for customer information "does fairly address the information [AT&T] handed over," said Matt Wood, policy director at the public interest group Free Press. "It doesn't seem like AT&T would have an exemption from their obligation, because this isn't according to a subpoena or other court proceeding, if the Times report is true."
This suggests that AT&T may have stepped out of bounds when it entered into its deal with the CIA and began providing details of U.S.-based phone numbers. Then again, since only part of the numbers in question were visible, it's unclear whether that qualifies as an actual CPNI violation.
What's more, the trouble with CPNI rules is that they were designed to fight excessive marketing. Since the CIA is neither a marketer nor a public first responder, that puts its partnership with AT&T into something of a legal gray zone.
Wood added that he wouldn't be surprised if existing lawsuits against the government over its domestic surveillance activity were amended to include this issue.
"It's a big leap between getting paid for something as compensation for your costs and using it as a revenue center," he said.
Update: Mark Siegel, an AT&T spokesperson, e-mailed in a statement:
"In all cases, whenever any governmental entity anywhere seeks information from us, we ensure that the request and our response are completely lawful and proper. We ensure that we maintain customer information in compliance with the laws of the United States and other countries where information may be maintained. Like all telecom providers, we routinely charge governments for producing the information provided. We do not comment on questions concerning national security."