It’s like getting Al Capone for tax evasion.
The CIA and AT&T figured out how to get around legal restrictions on giving the CIA access to domestic phone call information, but in doing so they violated a Federal Communications Commission (FCC) rule that protects you against telemarketing.
According to this story in the New York Times, the CIA paid AT&T to provide them with information on calls passing through its international telephone system. Because federal law prevents the CIA from spying inside the United States, the CIA could not legally get info on calls terminating in the U.S. because they are not eligible for any of the mammoth sized loopholes Congress has already punched in the fabric of our civil liberties. But, of course, calls from suspected foreign terrorists (aka “anyone outside the United States”) that terminate in the United States are the most interesting to the CIA.
So what’s a poor spy agency and a patriotic mega-Corp who understand that sometimes you have to break few privacy eggs to make a freedom omelet gonna do? According to the article, when a call originated or terminated in the United States, AT&T would “mask” the identity by revealing only some of the digits of the phone number and not the identity. The CIA could then refer this information to the FBI, which can use all those mammoth sized loopholes Congress punched in our civil liberties to get a court order and require AT&T to provide the rest of the phone number and all other relevant identifying information. Then the FBI can kick that back that information to the CIA.
Unfortunately for AT&T, this pretty clearly violates the Customer Proprietary Network Information rule (CPNI). Fortunately for AT&T, it can solve this problem fairly easily by notifying customers of the possibility the CIA might ask for their phone number if they get a call from outside the country and asking customers who don’t want this exciting new service to opt out. Please start with Senator Feinstien and ask her if she wants to opt out of having her international calls monitored by the CIA. Given her legislative track record on this, I’m sure she won’t mind.
Some analysis of why this violates the CPNI rules below . . .
Unfortunately for the CIA and AT&T, Section 222 of the Communications Act, also known as the rule on “customer proprietary network information” (CPNI), prohibits AT&T from selling anyone information on who you call or who calls you without your consent. Nor does this contract with the CIA fit into any of the statutory exemptions. This is a private contract, just the same as if AT&T had contracted with Blue Cross to let them know if anyone Blue Cross insured sent out too many times for pizza and other unhealthy food.
The fact that AT&T did not fully disclose the phone number or the identity of the subscriber associated with the call does not make it any less of a violation. Under the law, AT&T violates the CPNI rules just by looking at any records associated with the phone number for any purpose other than actually providing service, billing, 9-1-1, or other exemptions found in the statute. The phone company doesn’t have to disclose the information to anyone else to violate the law.
This point was settled some years ago in a case called Verizon of California v. FCC. Back in ’07, Verizon had what it called a “customer retention” program. When a cable operator persuades a subscriber to switch from Verizon’s phone service to the cable voice service, the cable company submits a request to Verizon to move the phone number from Verizon’s system over to the cable operator’s system. Under its “customer retention program,” Verizon would then call that customer and try to woo the customer back. Verizon did not delay the transfer of the phone number or otherwise try to interfere with the transfer. All it did was call the customer before the transfer took place and make one last sales pitch.
The cable folks complained to the FCC that this violated the CPNI rules. The FCC agreed, and the D.C. Circuit in Verizon of California v. FCC affirmed. It did not matter that Verizon was keeping the phone number “private” in the conventional sense. It did not matter that Verizon was not interfering with the actual request to transfer the phone number. What mattered was that Verizon was using information covered by the Section 222 CPNI rules for a purpose other than providing phone service.
The same logic applies here. AT&T is accessing the U.S. subscriber’s call information for pure commercial gain utterly unrelated to providing phone service, and without the customer’s consent. Remember, this is not a law enforcement or security investigation which falls into one of the CPNI exceptions. This is a voluntary commercial contract with the CIA.
It’s also important to note that AT&T could have honored its contract with the CIA on the foreign phone information without violating the CPNI Rules. If it had limited itself to reporting to the CIA “this call terminates in the United States, we cannot access information with regard to any U.S. call record,” that would have been fine under the rules. But then the CIA would not have enough information to give the FBI so the FBI could legally request a court order. Alternatively, if the CIA had actual probable cause to believe the call was related to terrorist activity, it could have turned that information over to the FBI and then the FBI could have gotten an order for the U.S. call record.
But the CIA contract didn’t involve actual probable cause for anything. It was exactly the kind of overreaching domestic spying that the law prevents. Which is why the CIA had to outsource Big Brother in this kludge-y way to try to work around the law.
The good news for the CIA and AT&T is that they can still continue this program despite Section 222. According to the FCC’s rules on the “use of customer proprietary network information,” all AT&T needs to do is send its customers a notice of the disclosure and ask customers if they want to opt out of their CIA spying program.
I advise AT&T customers look closely at next month’s bill. Just in case you want to opt out.