Back in 2013, the NY Times broke a story that AT&T routinely sold “de-identified” phone data to the CIA. Because the CIA is not allowed to do domestic spying, AT&T would sell supposedly anonymous data to the CIA, which would then give the information to the FBI. The FBI would then use its domestic spy powers to get the information from AT&T. In addition to being a rather outrageous workaround of laws designed to protect Americans from domestic spying, I argued that AT&T’s program violated federal telemarketing and phone privacy rules, namely Section 222 of the Communications Act of 1934 (47 U.S.C. 222), also known as the “customer proprietary network information” (CPNI) rules. So my employer Public Knowledge, with a number of other public interest and privacy advocates, filed this Request for Declaratory Ruling with the Federal Communications Commission (FCC) asking the FCC to declare that AT&T selling “de-identified” phone information without customer consent violated the CPNI Rules.
Yesterday, the Daily Beast reported that AT&T continues to engage in precisely this practice nearly 3 years after we asked the FCC to declare it violated their privacy rules. In fact, the sale to the CIA turned out to be just part of a larger AT&T “product” called “Project Hemisphere.” According to the Daily Beast and others, law enforcement agencies pay millions of dollars annually to circumvent warrant requirements and gain access to all sorts of call information the law purportedly protects.
Which raises the interesting question — why didn’t the FCC do anything on our 3-year-old complaint? The FCC diligently put the Petition out for public comment in 2013. The phone carriers (not just AT&T) filed their arguments in the beginning of 2014. And we’ve been waiting for the FCC to issue a decision ever since. So 3 years after we filed our request to the FCC to resolve the question of whether this violates its own rules, and about 10 years after AT&T launched “Project Hemisphere” as a “product” for law enforcement in 2007, AT&T has a thriving side business violating your privacy.
Why did we wait for the FCC to take 3 years to act? AT&T includes provisions in its customer contracts requiring “forced arbitration” and prohibiting class actions. So if you are an AT&T customer, you can’t bring a private lawsuit against AT&T for spying on you and selling your information to law enforcement. You can’t even sue and get discovery. If you think AT&T is spying on you as part of Project Hemisphere, you can either (a) complain to the FCC; or (b) submit to arbitration under procedures AT&T set up in your contract.
For those recognizing that (b) is a waste of time, I have some good news and bad news. The good news is that the FCC appears ready to resolve the central question tomorrow: whether carriers like AT&T can sell “de-identified” information without asking permission from their customers! The bad news is that it looks like the FCC is going to give AT&T a green light to keep doing what it’s doing.
Broadband Privacy and “Anonymized Data.”
If you look at AT&T’s basic defense in response to our 2013 Petition (including other comments filed in response by carriers available here), AT&T argues that it does not violate the FCC’s rules if you “de-identify” or “anonymize” the data. In other words, if AT&T (or another carrier) removes the name, address or other information “linking” the data sold to a third party with the actual person who made the call (or is the object of the call), then the disclosure doesn’t violate the CPNI rules. While that sounds fine (who cares about the information if it doesn’t relate back to a person?), the experience with Project Hemisphere shows just how flimsy the concept of “de-identification” can be. If law enforcement agents have a suspicion about someone, but not enough to actually justify a court providing a warrant, the law enforcement agency can “re-identify” the information with trivial ease. Law enforcement and AT&T can continue to go back and forth until the law enforcement agency (or any third party) triangulates the information to identify the individual despite AT&T “de-identifying” it.
So the FCC in 2014 faced a question: do the phone privacy regulations apply where a phone company claims it has “anonymized” the information? And if so, do we just take the phone company’s word for it that it has properly “de-identified” the information to comply with the law?
Rather than answer the question in response to our Petition for Declaratory Ruling, the FCC punted to a broader rulemaking on broadband privacy it started in the spring of 2016. Technically, this proceeding had nothing to do with the telephone privacy rules that our Petition argued AT&T violated in 2013 (and continues to violate by operating Project Hemisphere). But the FCC asked front and center in the 2016 broadband privacy rulemaking the question raised by AT&T as a defense to our 2013 Petition: can a carrier share “de-identified” information with third parties without any notice to subscribers or need to provide even an opportunity to “opt out” of the sharing? The FCC also asked whether it should “harmonize” its broadband privacy rules with its existing CPNI rules.
In other words, asked the FCC, if we decide that carriers can share de-identified anonymized information with third parties for broadband, should we allow carriers to do the same thing for phone information?
The FCC Set To Adopt “De-Identification,” With Limits.
Three weeks ago, FCC Chairman Tom Wheeler circulated a draft Order to the full Commission for a vote scheduled for Thursday, October 27 (tomorrow). According to the fact sheet published by the Chairman’s office, the proposed rules will allow for “de-identification,” subject to certain protections. Of particular relevance here, carriers that certify data is anonymized must not re-identify the data, and must have contractual limits that prevent third parties from re-identifying the data.
It’s not clear until we see the rules what this does to Project Hemisphere, in part because it’s not clear exactly how much information law enforcement agencies using AT&T’s Project Hemisphere “product” have that allows them to re-identify a third party. After all, if the law enforcement agencies had enough information to link a suspect to a warrant, they could get a warrant and avoid this end run around the law. It may well be that the protections the FCC intends to incorporate to protect data from being “re-identified” will prove sufficient to end Project Hemisphere and other “products” that let law enforcement evade the laws they find inconvenient.
I remain skeptical, however, because there are simply too many ways to re-identify information if I have a person of interest but no actual evidence. It is much more likely that “de-identification” becomes a convenient way to achieve “pay-for-surveillance,” without any disclosure or opportunity to opt out. It would be nice to believe that we lived in a world where law enforcement agencies would not actively pay private companies to circumvent the laws designed to protect our Constitutional rights. Unfortunately, as the multimillion-dollar success of AT&T’s Project Hemisphere shows, we live in a world where our intelligence community and law enforcement agencies will cheerfully pay private companies to end-run the laws put in place to protect us from illegal surveillance. Similarly, while I applaud the FCC for taking a pro-consumer approach on privacy generally, it is profoundly disappointing that the FCC’s rules will transform AT&T’s Project Hemisphere from a violation of the Communications Act into a perfectly legal pay-for-surveillance product.