Original URL: https://www.theregister.com/2006/07/03/atandt_privacy_policy/

AT&T privacy policy overreaches, lawyers say

What's yours is mine

By Robert Lemos, SecurityFocus

Posted in Legal, 3rd July 2006 08:39 GMT

A recent change to AT&T's privacy policy for broadband and video users is overbroad and likely will leave the courts or Congress to decide whether the company's practices are standard or sinister, legal experts said.

The policy change, which comes as the telecommunications giant is defending itself in court against multiple lawsuits stemming from its alleged cooperation with a surveillance program conducted by the National Security Agency, states that "while your account information may be personal to you, these records constitute business records that are owned by AT&T".

The language, if accepted by consumers and supported by the courts, could redraw the current lines in the battle between privacy advocates and companies that retain significant data on their customers, said Charles Kennedy, an attorney specialising in privacy law and Of Counsel at Morrison & Foerster.

"The playing field has just tilted about 45 degrees with AT&T saying they can do this," Kennedy said. "This means that they could get the whole enchilada if they win. It's a pretty powerful change."

The claim to own, without reservation, its customers' private data comes as AT&T and other telecommunications firms have come under fire for turning over customer data to the government outside of the confines of established legal practices.

While evidence regarding the domestic surveillance activities of the NSA has mounted, the Bush Administration has stepped in and cited "state secret privilege" to quash the increasing number of court actions.

Some legal experts have labeled AT&T's privacy policy change as an attempt to strengthen its legal defense in court, but the company denied the allegations.

"We did this for two reasons," said Walter Sharp, a spokesman for the company. "One is that we merged two companies (SBC and AT&T) and we needed to merge two privacy policies. The second is that we are about to launch a video service, so we needed a policy to cover that."

The changes to the privacy policy, first brought to light by the San Francisco Chronicle, had been in the works since before the original New York Times article broke the story of the NSA's activities in December, Sharp maintained.

The revised language, appearing under the heading "Legal Obligations/Fraud" and only accessible to AT&T customers, states:

While your account information may be personal to you, these records constitute business records that are owned by AT&T. As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process. Specifically, AT&T provides account information to collection agencies and/or credit bureaus. We may disclose your information in response to subpoenas, court orders, or other legal process, or to establish or exercise our legal rights or defend against legal claims. We may also use your information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Service Terms or the Acceptable Use Policy, or as otherwise required or permitted by law.

While the first half of the revised section discusses only "account information" - defined in the privacy policy as contact, billing and equipment information but not usage data - the latter part of the new language uses, with no hint of irony, the more general term "your information."

Legally, the change may not amount to much, except as a hint that AT&T will feel unfettered to do what it wants with data that has historically been protected by privacy laws, said Eric Goldman, an assistant professor at Santa Clara University and the director of the school's High-Technology Law Institute. Companies frequently talk about the ownership of data in end-user agreements and contracts between companies, but the phrase is overbroad, he said.

"It really doesn't make sense to talk about owning data," Goldman said. "You can own it under copyright law, and you can own it under patent law, but oftimes the data talked about in these agreements does not match any of those models."

Privacy-concerned customers and pundits have hammered AT&T for the change over the past week. Ira Winkler, an independent security consultant and author of the book Spies Among Us, said any AT&T customers should leave the company over the telecommunications giant's conduct and claimed that he decided to stop transferring his cell phone service to AT&T Wireless on account of the privacy policy change.

"If there isn't a big backlash other companies are going to follow suit," Winkler said. "This change to the policy allows companies to make money in any way shape or form with your data."

Under federal law and many state statutes, the privacy policy might not be legal. Federal law already dictates what broadband internet providers can do with data. The collection and use of information by telecommunications and cable companies are subject to the Electronic Communications Privacy Act of 1986 and the Stored Communications Act of 1986. Meanwhile, the handling of customer data and viewing habits by cable companies is governed by the Cable Communications Policy Act of 1984, which is important because the latest policy states that AT&T plans to track customer viewing habits when they use the company's video services.

"AT&T is trying to get their customers to waive their rights as a prerequisite of using their service," said attorney Kennedy. "But I don't think this privacy policy is sufficiently clear. The language is very tricky, and the average lay person cannot be expected to know what that this means, so I don't think there is any waiver here at all."

Moreover, companies can't make use of their service contingent on their customers waiving certain rights, said Chris Calabrese, counsel for the Technology and Liberty program at the American Civil Liberties Union (ACLU). Not that laws seem to stop much of the surveillance going on today, he said.

"It is part of a dismaying pattern of keeping things secret and saying laws don't apply to you - -we see that right now in a lot of government contexts," Calabrese said.

AT&T supporters argued that the company is being unfairly punished for being forthright about its use of data.

While many may not like the change, calling AT&T secretive about its privacy policy is disingenuous, said John Tomaszewski, vice president of legal policy and compliance for TRUSTe, the industry-supported group that certifies corporate privacy policies. AT&T uses, and has paid, the group to certify the telecommunications giant's privacy policies.

"In terms of pro-privacy protections, one of the facets of privacy is disclosure," Tomaszewski said. "Even though they are claiming ownership, they are only saying that they intend to do a limited number of things with your data."

Yet, for the ACLU's Calabrese, disclosure of unacceptable license terms after the secretive acts allegedly attributed to AT&T is too little, too late.

"I would like to say democracy is working as it should here, but it is not," he said. "The state secrets provision is being used repeatedly to circumvent oversight, and perhaps worse, Congress is abdicating its responsibility for oversight."

The ACLU filed a lawsuit in January against the NSA for spying on US citizens in direct contravention of the Foreign Intelligence Surveillance Act (FISA).

Calabrese hopes that the attention being paid to AT&T's actions will convince more people to take action.

"The secrecy will stop only when people demand that it stop," he said.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus