It’s like getting Al Capone for tax evasion. The CIA and AT&T figured out how to get around legal restrictions on giving the CIA access to domestic phone call information, but in doing so they violated a Federal Communications Commission (FCC) rule that protects you against telemarketing.
According to this story in the New York Times, the CIA paid AT&T to provide them with information on calls passing through its international telephone system. Because federal law prevents the CIA from spying inside the United States, the CIA could not legally get info on calls terminating in the U.S. But, of course, calls from suspected foreign terrorists (aka “anyone outside the United States”) that terminate in the United States are the most interesting to the CIA.
So what’cha gonna do if you’re a poor spy agency or a patriotic mega-corp who understand that sometimes you have to break few privacy eggs to make a freedom omelet? According to the article, when a call originated or terminated in the United States, AT&T would “mask” the person’s identity by revealing only some of the digits of their phone number. The CIA could then refer this information to the FBI, which can get a court order and require AT&T to provide the rest of the phone number and all other relevant identifying information. Then the FBI can kick that information back to the CIA.
Unfortunately for the CIA and AT&T, while this might work to get around the limits Congress imposed on the CIA, it looks like it violates the law requiring phone companies like AT&T to protect your privacy. Section 222 of the Communications Act, also known as the rule on “customer proprietary network information” (CPNI), prohibits AT&T from selling anyone information on who you call or who calls you without your consent. Nor does this contract with the CIA fit into any of the law’s exemptions for information sharing. This is a private contract, just the same as if AT&T had contracted with Blue Cross to let them know if anyone Blue Cross insured sent out too many times for pizza and other unhealthy food.
The fact that AT&T did not fully disclose the full phone number or the name of the subscriber associated with the call does not make it any less of a violation. Under the law, AT&T violates the CPNI rules just by looking at any records associated with the phone number for any purpose other than actually providing service, billing, 9-1-1, or other exemptions found in the statute. The phone company doesn’t even have to disclose the information to anyone else (which, of course, it did, and which, of course, is also illegal) to violate the law.
This point was settled some years ago in a case called Verizon of California v. FCC. Back in ’07, Verizon had what it called a “customer retention” program. When a cable operator persuades a subscriber to switch from Verizon’s phone service to the cable voice service, the cable company submits a request to Verizon to move the phone number from Verizon’s system over to the cable operator’s system. Under its “customer retention program,” Verizon would then call that customer and try to woo the customer back. Verizon did not delay the transfer of the phone number or otherwise try to interfere with the transfer. All it did was call the customer before the transfer took place and make one last sales pitch.
The cable folks complained to the FCC that this violated the CPNI rules. The FCC agreed, and the D.C. Circuit in Verizon of California v. FCC affirmed. It did not matter that Verizon was keeping the phone number “private” in the conventional sense. It did not matter that Verizon was not interfering with the actual request to transfer the phone number. What mattered was that Verizon was using information covered by the Section 222 CPNI rules for a purpose other than providing phone service.
The same logic applies here. AT&T is accessing the U.S. subscriber’s call information for pure commercial gain utterly unrelated to providing phone service, and without the customer’s consent. Remember, this is not a law enforcement or security investigation that falls into one of the exceptions to the law. This is a voluntary commercial contract with the CIA.
It’s also important to note that if the CIA had actual probable cause to believe that a call was related to terrorist activity, it could have turned that information over to the FBI and then the FBI could have gotten an order for the U.S. call record.
But the CIA contract didn’t involve actual probable cause for anything. It was exactly the kind of overreaching domestic spying that the law prevents. Which is why the CIA had to outsource Big Brother in this kludge-y way to try to work around the law.
The good news for the CIA and AT&T is that they could theoretically still continue this program despite Section 222. According to the FCC’s rules on the “use of customer proprietary network information,” all AT&T would arguably need to do is send its customers a notice of the disclosure and ask customers if they want to opt out of their CIA spying program.
I advise AT&T customers look closely at next month’s bill. Just in case you want to opt out.