Protection from prying NSA eyes
A (Classified) proposal
The statute says that, "Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories."
In essence, this means that the phone company can't give out the records of who I have called, or who has called me unless otherwise required by law – not just permitted by law.
This apparently was the interpretation taken by the CEO of Qwest Communications, when he refused to turn over the records to the government. There was reportedly no subpoena, no court order under Title III, no trap and trace or pen register order, no Executive Order under the Authorisation for the Use of Military Force, nor any other legal compulsion to produce these records delivered to Qwest. Nothing more than a request for Qwest and the other telcos to do their patriotic duties and pony records over to the government. Thus, Qwest figured, the government was seeking CPNI in excess of legal mandate, and therefore Qwest was prohibited by law from turning it over. Or were they?
The same statute specifically excludes from coverage "aggregate" subscriber information, which it defines as "collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed." For this data, the phone company, "may use, disclose, or permit access to aggregate customer information" for any purposes, apparently. So if the identifying information is stripped out – that is, all that is disclosed to the NSA is records that one telephone number called another at a particular date and time, the information may be entitled to no legal protection.
It's not content information, so not protected under ECPA or SCA. It's not protected under the Fourth Amendment under Smith v. Maryland. It's not CPNI, so not protected under that law. This is true despite the fact that it is trivial to turn this "aggregate" information from which customer identity has been stripped into identifiable information by cross-referencing any directory or other database. Legal limbo. What is worse, courts have held that even if the phone company is improperly releasing CPNI, you can't go to court to get an injunction to prevent it, and you have to show that you were personally damaged (and have to specify your actual damages) resulting from the release. Since the NSA is unlikely to tell you whether your records have been reviewed and what was done with them, it will be impossible to demonstrate damages.
Finally, there are the privacy policies of the carriers themselves. I have previously written about companies not following their privacy policies because the government has made requests of them.
Verizon promises its customers that, "access to databases containing customer information is limited to employees who need it to perform their jobs - and they follow strict rules when handling that information" while also reminding them that, "[s]ubject to legal and safety exceptions, Verizon will share individual customer information only with persons or entities outside the company when the customer has consented, or when we have advised the customer of the opportunity to 'opt-out' (to choose not to have the information disclosed)". Apparently, sharing with the NSA fits within these "legal and safety" exceptions.
AT&T similarly claims to protect privacy, with the caveat that: "We must disclose information, when requested, to comply with court orders or subpoenas. We will also share information when necessary to prevent unlawful use of communications services, when necessary to repair network outages, and when a customer dials 911 and information regarding their location is transmitted to a public safety agency." Nothing there about disclosing information on request by the NSA.
Some have suggested that these telco privacy policies created consent to the production of these records. The Washington Post quoted "[o]ne government lawyer who has participated in negotiations with telecommunications providers", who reportedly said: "The Bush administration has argued that a company can turn over its entire database of customer records - and even the stored content of calls and e-mails - because customers 'have consented to that' when they establish accounts. The fine print of many telephone and internet service contracts includes catchall provisions, the lawyer said, authorising the company to disclose such records to protect public safety or national security, or in compliance with a lawful government request."
Now that would be a dangerous and unreasonable interpretation of these privacy policies. Indeed, saying that you may turn a record over in response to a "lawful" demand essentially puts the cart before the horse - interpreting a demand which is not unlawful as therefore being a lawful demand or request. Moreover, these "consent" loopholes could be used not only to disclose calling pattern data, but the contents of emails, telephone calls, instant messages, chat room conversations – indeed, anything, since federal law generally permits disclosure with consent of one party.
All of this puts not only the telephone companies, but others who receive "classified" demands or requests from the government for information that would otherwise violate a company's legal privacy requirements or privacy guarantees in a quandary. For example, the Department of Justice filed a report with Congress in early May that indicated that they issued more than 9,700 "National Security Letters" – classified demands for information, akin to a subpoena but without any judicial oversight.
A modest (but Classified) proposal
One idea would be to allow the recipient of a National Security Letter, or a sealed or classified subpoena or demand for documents, or of a friendly "request" by a secret government agency for information to have access to a super-secret court, similar to the construction of the FISA court. As currently constructed, the FISA court's sole reason for existence is to review and ultimately approve (occasionally to modify, and extremely rarely to reject) applications by the government for wiretap, interception, or search or seizure orders. These applications are handled in secret, and the applications themselves are always ex parte – that is, with only one party (the government) present. Indeed, there is no party like an ex parte!
Why not open the process up a bit? Allow those aggrieved by classified demands or requests for information to go to the court in camera and under seal, with privacy, secrecy and national security protected, and ask the court whether they are permitted to and/or required to do what the government requests or demands? The court could then review the government's stated rationale for the information, and its legal authority for the demand or request, and if reasonable and supported by the law, grant it. If not, the court could enjoin enforcement of the request. The court might be empowered to go even further – granting the recipient of the demand or request immunity from liability for complying, or requiring the government to post a bond or indemnify the recipient from liability for complying. In other words, determining whether the actions are legal before they are done.
Wait a second, a court actually adjudicating things? What has this country come to?
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus
SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as senior vice president and chief security counsel at Solutionary Inc.