Telecommunications companies must join the debate on surveillance
Commentary, 17 June 2013
By Lucy Purdon, Policy Officer, Privacy International; Research Fellow, IHRB
In Part I of IHRB’s series analysing NSA data gathering revelations, Salil Tripathi discussed the human rights responsibilities of Internet companies in light of the disclosures regarding Prism. In Part II, Lucy Purdon looks at how Verizon and other telephone operators have responded to government requests and what they need to do now.
The day before The Washington Post and The Guardian revealed the extent of the US National Security Agency’s (NSA) domestic surveillance of Internet activity, another programme of widespread surveillance was revealed. It involved disclosure of a top secret Foreign Intelligence Surveillance Court (FISC) order requiring the US telecom carrier Verizon, to provide the NSA with an electronic copy of “tangible things” on an “ongoing daily basis”. The list of “tangible things” specifies “all call detail records” or “telephony metadata” which includes telephone numbers of both the caller and the recipient, the time and duration of call, unique identifying numbers (each subscriber is allocated one, as is each mobile device) and location data.
Phone companies routinely collect such data for billing purposes. The order does not require Verizon to hand over the content of any communication, or name, address or financial information of any customer. Aside from some rumblings in Washington, the US government and people seemed to give a collective shrug and carry on.
The next day’s revelations, focusing on the NSA’s surveillance programme, Prism, pushed Verizon off the headlines. Prism involves nine Internet companies whose services are used worldwide (unlike Verizon, which primarily operates in the United States). The Internet companies were said to have “joined” Prism, with newspapers alleging they provided the NSA with “direct access” to their servers (a claim which many analysts don’t find credible). One by one, the companies issued vehement denials: Google (which owns YouTube, another company implicated), ) Yahoo!, Facebook, AOL and Microsoft.
Apple, Paltalk (an online chat room) and Dropbox (listed as “coming soon” to joining Prism in the slides) also issued a denial via the media.
While their statements denied that the NSA has direct access to their servers, the companies do admit they respond to individual government requests for data in accordance with the law. David Drummond, Chief Legal Officer of Google, said in a televised BBC interview that any “National Security orders” Google receives covers a “tiny fraction of the hundreds of millions of users Google has”. Both Google and Facebook said they have never received the kind of “blanket” court order that Verizon has.
The differences between the information leaked so far about Internet and telecommunication companies raise serious human rights concerns. Firstly, the quality of the evidence: the information available about Internet companies involved in Prism is, so far, a few slides from a Powerpoint presentation. It is therefore difficult to reach concrete conclusions about what exactly is going on, how far-reaching it is, and, indeed, if any abuses have taken place. However, the response from the Internet companies indicates that even the top-secret orders they receive from FISC are targeted towards certain people suspected as being involved in criminal activities; they appear not to be as far reaching as the order received by Verizon.
The little we know about the demands made of Verizon is not comforting. The information comes from a leaked secret court order requiring that Verizon provide the NSA with all records on a daily basis. This indicates the NSA is not separating suspect from citizen, perhaps intending to sift through the phone records looking for a suspect. It appears to be genuine mass surveillance, and clearly vulnerable to abuse. When President Obama says, “Nobody is listening to your calls,” his words are not as reassuring as they may sound. Why? Because although the metadata Verizon is required to provide does not include the content of communications or the name, address or financial information of the subscriber, it can nevertheless provide a comprehensive picture of a person’s movements, relationships and day-to-day life. A person’s identity can be revealed when the metadata is cross-checked against other records.
Over the past decade, the US government has allegedly used telecommunication companies at different times to spy on citizens. In 2005, Mark Klein, a retired AT&T technician, passed documents to the New York Times and the Electronic Frontier Foundation (EFF), which disclosed the existence of what he called a secret room in AT&T’s headquarters in San Francisco where AT&T staff security cleared by the NSA allegedly collected all web traffic and phone calls in the country, apparently without a warrant or judicial oversight. These remained allegations because even though EFF brought several cases against AT&T, they were eventually dismissed as the government and AT&T executives were granted retroactive immunity under the FISA Amendments Act (FAA) of 2008.
In defending Prism, the US government has said (as it did in the 2005 AT&T case, that the programme was not targeted at Americans, but at people overseas, albeit those that have contact with people within US borders. Prism also targets Americans with overseas contacts, but the the Verizon court order goes further, requiring Verizon to deliver records of calls “wholly within the United States” as well as “between the United States and abroad”.
What the Verizon court order demonstrates is how difficult it is to define precisely what ‘lawful surveillance’ is. As Clay Shirky of New York University who writes and teaches on the social and economic effects of Internet technology, wrote “The distinction between gathering information on particular targets of investigation and members of the general public has collapsed, while the loophole for gathering ‘incidental’ information has expanded so broadly as to allow for wholesale acquisition and storage of electronic communications of any person anywhere, forever.”
A carefully worded note was sent to Verizon employees on June 6th which acknowledges The Guardian’s story about an “alleged” court order. The note says the company will not comment on the accuracy of the report “or the documents referenced” but does make clear that Verizon is required to comply with orders from a federal court. This guarded response is understandable given that companies are prohibited from disclosing even the existence of orders under FISA. The leaked court order covers telephony, but Verizon also supplies Internet access to millions of people through Verizon Wireless, a joint venture between Verizon and Vodafone, which has a 45% stake. How far do the orders go? Are companies being asked to hand over web browsing records, and content? We don’t know. The government won’t reveal and the companies can’t disclose.
Internet companies are now rightly asking the US government to allow greater transparency and disclosure of requests. So far there has not been a similar public call from the telecommunications sector. Telecommunication companies need to join this debate and demonstrate how they ensure respect for human rights – including to free expression and to privacy. Mass surveillance is against their interests. Google’s Drummond said in the same BBC interview that if Google had received the kind of “blanket” order that Verizon is supposed to have received, it would “fight back” and “push hard against it”.
If telecom companies join their collective voice with Internet companies to push for greater transparency and to provide the means to protect customers from intrusive surveillance, then their customers will be reassured these companies takes their responsibility to respect human rights seriously. That may help change US policies, aligning them more with international human rights law, and the spirit of the US Constitution.