Protection from prying NSA eyes

A (Classified) proposal

Another provision of the Stored Communications Act may also apply here, with thanks to Professor Orrin Kerr of GW University for pointing this out.

Title 18 U.S.C. 2702(a)(3) generally makes it a crime for phone companies or ISPs to disclose either the contents of communications or non-content subscriber information, stating:

  • (a) (3) a provider of remote computing service or electronic communication service to the public [say, a phone company like Verizon or AT&T] shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications...) to any governmental entity.
  • (c) Exceptions for disclosure of customer records. A provider...may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications...)
    (1) as otherwise authorised in section 2703 [18 USCS § 2703];
    (2) with the lawful consent of the customer or subscriber;
    (3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
    (4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency;
    (5) to the National Centre for Missing and Exploited Children, in connection with a report submitted thereto under section 227 of the Victims of Child Abuse Act of 1990 (42 U.S.C. 13032);
    (6) to any person other than a governmental entity.

The statute is pretty clear – it prohibits disclosure to a government entity. When I last checked, the NSA was a government agency. The statute provides for civil penalties and a private right of action against the phone companies for violations. Note here that it is the telephone companies which would be violating the law by acceding to the government's request for data, not the government by requesting the data. Of course, it is possible that the government set up some kind of secret non-governmental corporation (a non-government agency) to receive the data, which then turned it over to the NSA (an ingenious ploy to avoid the statute, since the entity providing the data to the government would not be a provider of electronic communication services.) So far, that's just supposition.

The government could also argue that, by requesting the entire database and no individual records (and by sort-of anonymising the database) the phone companies were not turning over records “pertaining to a subscriber to or customer of such service...” but rather were turning over records pertaining to all subscribers in general, and no subscriber in particular. Because the goal of the statute was to protect the privacy of individuals, the government might assert, the turning over of the massive calling pattern database of all persons doesn’t implicate any individual. Of course, we all know how easily a reverse directory or other database link can be used to turn a database of numbers called into a database of subscribers.

Alternatively, the government could rely on consent, but I don't remember giving such consent, and the language of the phone companies' privacy policies, discussed later, doesn't seem to support that finding. The statute also allows disclosure to protect the rights or property of the ISP or phone company (usually to prevent fraud or misuse of the network), but allowing disclosure under that exception would seem to eat the rule up entirely. In provisions modified by the USA-PATRIOT Act, the statute also allows disclosure if the phone company has a good faith belief that there is an emergency "involving danger of death or serious physical injury to any person" which requires disclosure without delay of information relating to the emergency.

While in general, preventing terrorist attacks will of course save lives, and while the disclosure of the calling pattern information might prevent future attacks, unless the government could have shown an immediate and pending attack and the disclosure of information about that pending attack, the disclosure would have seemingly violated that statute.

As Professor Kerr points out, the USA Patriot Act expanded the scope of this emergency provision, to allow the phone companies to turn over these records where there is a "good faith" belief that an emergency exists, not just a "reasonable" belief. Perhaps the NSA had this in mind when it suggested the amendment? However, the emergency provisions may not help the government. In 2004, for example, a court found that the government's argument that it was entitled to rely on the emergency provisions as an excuse for a defective search warrant was refuted by evidence that the provider (AOL in that case) did not even turn over the records requested until six days after the request – six days wasn't enough of an emergency to warrant the statute. The emergency provisions were really intended in cases like a kidnapping where death or bodily injury would occur if the information was not disclosed immediately. Essentially, where there was no time to get an appropriate court order, not where, as here, no order was ever going to be sought.

To date, at least two class action lawsuits have been filed against the telcos for giving data to the NSA, one in Fresno, California and one in federal court in Manhattan. The Electronic Frontier Foundation had already filed a suit with other civil liberties groups against the phone companies for their voluntary participation in what the administration now calls the "Terrorist Surveillance Network," and the Department of Justice has recently requested permission to intervene in that lawsuit to assert national security as grounds to dismiss the case.

Even if the government can't stop the lawsuit under the "state secrets" doctrine, and none of the exceptions that would permit the telcos to have given the documents over to the government apply, it's not completely clear that they would have liability. The statute provides one other out for the phone companies. 18 U.S.C. 2707(e) provides that the phone company won't have civil or criminal liability if they relied in good faith on "(1) a court warrant or order, a grand jury subpoena, a legislative authorisation, or a statutory authorisation (including a request of a governmental entity under section 2703 (f) of this title); (2) a request of an investigative or law enforcement officer under section 2518 (7) of this title; or (3) a good faith determination that section 2511 (3) of this title permitted the conduct complained of."

Now the provision of 2518(7) cited allows the disclosure of communications when an appropriate law enforcement official "reasonably determines that...an emergency situation exists that involves...conspiratorial activities threatening the national security interest...and (b) there are grounds upon which an order could be entered under this chapter to authorise such interception". Essentially, this is supposed to mean that if you could have gotten a court order for the information, but you didn't because it was an emergency, and you told the phone company this, and they relied on it in good faith, then they can't be successfully sued. That's a lot of steps for the phone company to go through.

Protection or Non-Protection of "Customer Proprietary Network Information"

There are two other laws that might govern the privacy of the numbers dialed. First, the Federal Communications Commission mandates that phone companies protect the privacy of customer data or what is called, "Customer Proprietary Network Information" or CPNI. This CPNI is defined under the statute as "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier." So the numbers I call, and how long I am on the phone, who I talk to, and when, would all be protected CPNI.
