Here’s how AT&T could get in hot water for sharing customer data with the CIA

December 23, 2013

(philcampbell / Flickr)

AT&T may have committed itself to publishing periodic transparency reports, but here's one thing those disclosures won't cover: secret deals between the company and the Central Intelligence Agency, which  the New York Times has reported amounted to $10 million in annual federal payments. The arrangement had AT&T handing over phone numbers and call records to spies, according to the Times.

Since the CIA isn't considered law enforcement, its relationship with telcos would mostly evade the sunlight that these transparency reports are meant to provide. In light of that, consumer advocates have come up with another tactic: going through telecom regulators.

The Federal Communications Commission has taken up a petition from a bevy of advocates headed by the interest group Public Knowledge. The petition, filed with the FCC on Dec. 11, urges the regulator to classify the anonymized metadata that AT&T reportedly gave the CIA as a type of privileged information subject to consumer protection law.

There are strict rules about when a phone company can give out this information in a non-anonymized format. This generally only applies when it comes to telemarketers who want to share or sell the data to somebody else; they're not allowed to do that unless the customer consents or asks for the data to be shared.

But anonymized metadata is treated differently. The privacy policies of the four major carriers claim the right to share consumer metadata when it's gone through a de-identification process. In the case of the CIA, AT&T reportedly blocks out several digits of each phone number so that it's harder to link the number to a person. According to the consumer advocates' petition, however, the same rules that apply to non-anonymized metadata should still apply to de-identified metadata, given that the government evidently finds it useful for identifying terrorism suspects.

"The carriers’ methods of  'anonymization,' as reported in the media, may be vulnerable to 're-identification,'" the petition reads, "that is, a process that reveals the true identities of individuals in an allegedly 'anonymous' dataset."

If the FCC ultimately agrees that anonymized and non-anonymized data should be treated the same by law, it would become illegal for phone companies to sell or share anonymized metadata without consumers' consent. By opening up the issue to public comments, the FCC has implied it's taking the advocates seriously. So far, none of the carriers have filed responses. I've reached out to them for comment and will update if and when they reply.

Brian Fung covers technology for The Washington Post, focusing on telecom, broadband and digital politics. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.
Comments
Show Comments
Most Read Business
Next Story
Andrea Peterson · December 23, 2013