AT&T Tech Paints Stark Picture of NSA Telecom Spying

AT&T employee-turned-whistleblower Mark Klein, a 62-year-old retired telecommunications technician, was in Washington Wednesday to meet with members of Congress to convince them that telecommunications companies shouldn’t get immunity for the part they played in helping the National Security Agency (NSA) collect and record massive amounts of Americans’ Internet communications.

When Klein worked for AT&T in 2002, he said he received e-mails from higher management advising technicians of a special visit from the NSA and that an NSA agent was going to interview another technician for a “special job.” In January 2003, he toured AT&T’s Folsom Street facility in San Francisco, where a new 24-by-48-foot secret room was being built adjacent to telecommunications switches.

At the time, Klein was a fiber optics technician, and he said he became aware that AT&T’s WorldNet Internet service’s optical circuits had been split so that electronic voice and data traffic from AT&T’s customers could be copied and diverted to the secret room, which was locked and controlled by the NSA.

“My job required me to enable the physical connections between AT&T customers’ Internet communications and the NSA’s illegal, wholesale copying machine for domestic e-mails, Internet phone conversations, Web surfing and all other Internet traffic. I have first-hand knowledge of the clandestine collaboration between one giant telecommunications company, AT&T, and the National Security Agency to facilitate the most comprehensive illegal domestic spying program in history,” Klein stated.

Evidence for a Class Action Lawsuit

The Electronic Frontier Foundation (EFF) filed a class action lawsuit against AT&T in January 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the NSA in its massive program to wiretap and data-mine Americans’ communications, actions which the EFF said are illegal. On July 20, 2006, a federal judge denied the government’s and AT&T’s motions to dismiss the case, chiefly on the ground of the States Secrets Privilege, allowing the lawsuit to go forward. On Aug. 15, the case was heard by the Ninth Circuit Court of Appeals.

The EFF lawsuit arose from news reports in December 2005, which first revealed that the NSA had been intercepting Americans’ phone calls and Internet communications without any court oversight, which the EFF said violates privacy safeguards established by Congress and the U.S. Constitution. This surveillance program, purportedly authorized by President Bush as early as 2001, intercepts and analyzes phone and Internet communications of millions of ordinary Americans. EFF has complied and published supporting documents, reports and court materials on its AT&T Class Action area on its Web site.

On behalf of a nationwide class of AT&T customers, EFF says it’s suing “to stop this illegal conduct and hold AT&T responsible for violating the law and the fundamental freedoms of the American public.”

The EFF scored a minor victory Tuesday when a federal judge ruled that AT&T must either halt any routine destruction of documents or arrange the preservation of accurate copies.

The Plot Thickens

Meanwhile, the Justice Department has reportedly sought to block the lawsuit — and as many as 40 other, similar suits with telecoms around the country — by using the state secrets privilege, which would block the release of any information that might endanger national security.

Last month, the Senate Intelligence Committee approved a bill that would reduce the government’s ability to eavesdrop on terrorism suspects and protect civil liberties, but which also includes a clause that would grant the telecommunications companies, including but not limited to AT&T, immunity from lawsuits stemming from privacy violations with the NSA.

Sen. Leahy and the White House

Sen. Patrick Leahy, a Vermont Democrat and chairman of the Senate Judiciary Committee, called out the immunity issue as a concern a week ago, both to the privacy of Americans as well as a shield for the Bush Administration.

“At the outset I should acknowledge the grave concern I have with one aspect of S.2248. It seeks to grant immunity — or, as Senator [Christopher] Dodd (D-Conn.) has called it, ‘amnesty’ — for telecommunications carriers for their warrantless surveillance activities from 2001 through this summer, which would seem to be contrary to FISA (Federal Intelligence Surveillance Act) and in violation of the privacy rights of Americans,” Leahy noted.

“I am considering carefully what we are learning from these materials,” he added. “Congress should be careful not to provide an incentive for future unlawful corporate activity by giving the impression that if corporations violate the law and disregard the rights of Americans, they will be given an after-the-fact free pass. If Americans’ privacy is to mean anything, and if the rule of law is to be respected, that would be the wrong result. A retroactive grant of immunity or preemption of state regulators does more than let the carriers off the hook. Immunity is designed to shield this administration from any accountability for conducting surveillance outside the law. It could make it impossible for Americans whose privacy has been violated illegally to seek meaningful redress.”

Rock and a Hard Place

Right or wrong, it is hard to imagine that the executives at any telecom were pleased to see the NSA show up at their doorsteps.

“My initial impression is that these companies are stuck. If they don’t give the government what it wants, the government comes after them. If they give the government what it wants, then private parties comes after them,” Jeff Kagan, a telecommunications industry analyst, told the E-Commerce Times. “Either way, they are exposed. I don’t think there’s a path for them to take that’s good for the shareholders or for the company.”

The people running the telecoms, it is easy to imagine, would likely have had some interest in helping protect Americans from terrorists, but at the same time they also have an interest in protecting those same Americans’ civil liberties — not to mention their own public images. “Those can be two competing thoughts — there’s not a solution that would satisfy everyone,” Kagan noted. “That’s the world we live in today whether we like it or not.”

The only major telecom widely reported to have stood up against the NSA request is Qwest.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

CRM Buyer Channels

Pandemic, Compliance Driving Increased Privacy Spending

The global pandemic and the need to comply with laws governing consumer data are fueling increases in privacy budgets, according to a report by an association for privacy professionals and a multinational professional services firm.

The Privacy Governance Report for 2021 produced by the International Association of Privacy Professionals, EY and EY Law discovered through a survey of privacy professionals around the world that privacy spending has increased significantly over 2020, with the average privacy spend amounting to $873,000 and the median budget $330,000.

It also noted that 60 percent of the privacy pros surveyed expect their budgets to increase in 2022, and almost none anticipate budget cuts.

As with many workers since the pandemic began, privacy pros are working from home in greater numbers.

More than eight in 10 privacy pros (81 percent) are working exclusively or mostly from home, surveyors found. That’s expected to continue for the rest of 2021, with 78 percent of the privacy pros expecting to remain remote or hybrid workers.

There appears to be no change in sight. For next year, 82 percent of the privacy pros are still expecting to be working mostly remotely or in some form of hybrid arrangement, dividing their working hours between home and office,

Compliance Is Top Priority

The report noted that compliance with the European General Data Protection Regulation, California Consumer Privacy Act, California Privacy Rights Act and other U.S. state privacy laws, as well as other global laws, has been a top priority for most privacy teams over the past year.

It revealed that 26 percent of the companies subject to the CCPA were in full compliance and 41 percent were “very compliant.” GDPR compliance was lower, with 20 percent in full compliance and 43 percent very complaint.

“Privacy laws have had a significant impact on how companies are approaching privacy, but it has been mainly internal to the companies’ operations,” observed Rob Shavell, CEO and co-founder of Boston-based Abine, maker of Blur, a combination password manager, email masker and ad tracker blocker.

“It’s not something that consumers have felt much of a difference,” he told TechNewsWorld.

“It’s a big change for companies because they have to hire a bunch of people and pay attention to where data is stored and who it’s shared with, more so than they did before these laws were passed,” he added.

Customizing Privacy

Liz Miller, vice president and a principal analyst with Constellation Research, a technology research and advisory firm in Cupertino, Calif. explained that lots of organizations have fundamentally changed how they operate because of privacy laws.

“The challenge is they haven’t redefined what privacy means to them,” she told TechNewsWorld.

“They’re complying with the laws without asking what does privacy mean to us and how is protecting our customers’ data and privacy fundamental to the way we operate?” she said.

“They’re checking off the boxes, but the more interesting organizations are redefining what privacy means to them and making it something the customer is driving and not something to be exploited,” Miller observed.

“They’re asking their customers what they want from the company that has value to them,” she added.

“That’s a residual benefit to consumers from this wave of regulation,” she continued. “More people are becoming aware that privacy is an opportunity to create a conversation about what everyone wants — a durable, lasting relationship with the customer.”

Help Wanted

The report also noted that nearly half the pros (45 percent) revealed their organizations are planning to hire at least one or two new privacy professionals over the next six months.

Those extra bodies will be needed when the California Privacy Rights Act takes effect on January 1.

“The CPRA is going to have a considerable effect on privacy,” observed Timothy Toohey, an attorney with the Greenberg Glusker law firm in Los Angeles.

He explained that the law will be giving consumers new rights, including the right to see information that a company has collected about them.

“That can be quite burdensome on companies,” he told TechNewsWorld.

In addition, the law imposes data and privacy requirements on vendors of companies.

“In this next year, there’s going to be a lot of scrambling by companies putting new agreements into effect with their vendors,” Toohey said.

“Some companies can have hundreds of vendors,” he added.

Legal Jungle

An increasing number of privacy laws — both at the state level in the U.S., as well as at the national level around the world — make privacy operations increasingly central to what an organization does, the report noted.

The proliferation of those laws, especially in the United States, can also complicate the compliance task for companies.

“It’s created a problem,” Toohey acknowledged.

“We have three states with comprehensive laws — California, Virginia and Colorado — and a lot states are considering them, particularly in light of the pandemic and work-from-home, because of the proliferation of information online,” he said.

“Whenever you have laws worded slightly differently, as all these laws are,” he explained, “it creates potential compliance headaches.”

“You have to reframe your agreements,” he continued. “You have to look at your privacy policies, and you have to comply with consumer requests from various jurisdictions, since there is no standard federal law — nor is there likely to be one in the immediate future,” Toohey added.

Pandemic Affects Privacy

However, Shavell maintained businesses may be complaining too much about the plethora of privacy laws in the United States.

“Companies say it’s difficult to comply with the growing number of privacy laws. That’s hyperbole,” he said.

“Companies say it because they want to act like everything is hard, so they don’t have to do it,” he continued. “In reality, these laws are very similar. Most of them are just subsets of one another. The CCPA, for example, is just a subset of the GDPR.”

While companies are beefing up their privacy teams, they’re also beefing up their surveillance tools, largely due to the pandemic. “One pattern we see in the shift to remote work is that companies are hunting for ways to monitor output and productivity without a manager physically observing employees,” observed Julian Sanchez, a senior fellow at the Cato Institute, a public policy think tank in Washington, D.C.

“For many, the answer is tools like InterGuard, ActivTrak, Hubstaff and TimeCamp, which are essentially spyware that can track what workers are doing on their computers in incredibly granular ways,” he told TechNewsWorld.

“The pandemic didn’t invent these tools, of course, and plenty of businesses had them installed on in-office computers before Covid, but the shift to more remote work led to a significant spike in adoption,” he said.

Vaccine mandates can also pose a risk to privacy.

“Vaccine mandates are creating all these little databases at places requiring proof of vaccination for service,” Shavell explained. “There’s no real control over those databases.”

“What we advocate is a low-tech approach,” he said. “Check for a vaccine card, but don’t create a database. There’s no need to enter that information where hackers, scammers or marketers can get it.”

The complete IAPP-EY Annual Privacy Governance Report 2021 is available here.

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by John P. Mello Jr.
More in Privacy

Apple Privacy Rule Cost Tech Titans Estimated $9.85 Billion in Revenue

Facebook, Twitter, YouTube and Snap lost an estimated $9.85 billion in revenue during the first half of 2021 due to a new privacy tool launched by Apple that requires applications to ask for a user’s permission before tracking their activity on the internet, the Financial Times reported Sunday.

The report, based on data from advertising research firm Lotame, noted the companies lost an average of 12 percent of revenues during the period.

Some analysts, though, consider that estimate high. “It’s too much of an impact,” observed Gene Munster, co-founder of Loup Ventures, a venture capital firm in Minneapolis.

That’s especially true in light of continuing improvements being made by advertisers. “Eventually the measurement tools will improve for the ad industry, with or without IDFA,” he told TechNewsWorld.

IDFA — Identifier for Advertisers — is Apple’s mobile ID which is used to make mobile in-app advertising and measurement easier. With the new tool, it can’t be used to track users without their permission.

Yoram Wurser, a principal analyst at eMarketer Insider Intelligence, an e-commerce and retail analysis firm in New York City, was doubtful but did not entirely dismiss the size of the losses. “The nine billion is on the high end, but it’s possible,” he told TechNewsWorld.

Lotame did not respond to our request for comment for this story.

Negotiating Headwinds

During Facebook’s most recent earnings call, Sheryl Sandberg, chief operating officer of Meta Platforms, which operates Facebook, acknowledged that Apple’s actions had created some “headwinds” for the social network which, by some estimates, depends on targeted advertising for 98 percent of its revenue.

“We’ve been open about the fact that there were headwinds coming — and we’ve experienced that in Q3,” she said.

“The biggest is the impact of Apple’s iOS 14 changes, which have created headwinds for others in the industry as well, major challenges for small businesses, and advantaged Apple’s own advertising business,” she observed.

“We started to see that impact in Q2, but adoption on the consumer side ramped up by late June, so it hit critical mass in Q3,” she continued.

“As a result, we’ve encountered two challenges,” Sandberg added. “One is that the accuracy of our ads targeting decreased, which increased the cost of driving outcomes for our advertisers. And the other is that measuring those outcomes became more difficult.”

iOS14 App Tracking Transparency screen

Apple’s App Tracking Transparency feature that requires apps to get the user’s permission before tracking their data across apps or websites owned by other companies has cost Big Tech firms billions in ad revenue this year. [Credit: Apple]

At its most recent earnings call, Twitter played down the impact of the App Tracking Transparency tool.

“It’s still too early for Twitter to assess the long-term impact of Apple’s privacy-related iOS changes, but the Q3 revenue impact was lower than expected, and we’ve incorporated an ongoing modest impact into our Q4 guidance,” said CFO Ned Segal.

“We’ve seen our revenue product development, both related to and distinct from ATT, improved the performance of our products, and we expect that to continue,” he added.

Living Off Targeted Ads

Ross Rubin, the principal analyst with Reticle Research, a consumer technology advisory firm in New York City, explained that YouTube and Facebook are two of the highest grossing revenue sites on the internet, largely because they can offer targeting data about their audiences.

“A big part of that comes from knowing where else their visitors are going when they’re not on those sites,” he told TechNewsWorld. “So Apple’s requirement for consumers to opt-in to that kind of tracking has diminished their ad pitch about the precision of their ad data.”

Targeted ads are particularly lucrative on smartphones because of the rich nature and amount of user data that can be collected on those platforms, noted Michela Menting, digital security research director at ABI Research, a global technology intelligence firm.

“Smartphones are much more widely used than laptops or PCs for consumers, and also very personal,” she told TechNewsWorld.

“The targeted ads market is one that very much happens behind the scenes, and hidden as much as possible from consumers,” she continued.

“This speaks volumes about the fact that in the targeted ad business, most stakeholders are aware that this is not a big selling point for users,” she said. “Barring transparent action by those in that value chain — social media platforms, smartphone OEMs, marketers — the business is one that is likely worth billions in revenue.”

Business Basics

Clearly, Menting continued, Apple’s privacy policy has had a very significant impact on the targeted ad business.

“By providing clear guidance and information to users, with a choice to opt-out of tracking, consumers have done what those in the social media business feared most: opted out,” she observed.

“This policy is great for users,” she maintained. “Ad tracking should be transparent and, quite honestly, remunerated.”

“If the consumer is the product and they know and understand how it works, and they are asked for permission, it is unsurprising that the majority will not consent to tracking if there is nothing in it for them,” she said. “It’s business basics.”

“So while I can’t comment on the revenue loss, I am not surprised at the amount stated, and it is likely that the loss will continue to escalate,” she noted.

Impact on Developers

Apple’s new privacy policies will also impact app developers, especially those who depend on the “freemium” model, Menting added.

“Privacy policies may curtail the ability for them to engage with advertisers going forward,” she explained. “Overall, what Apple has done is a big win for consumers and their privacy generally, and a huge obstacle for social media.”

“Those that have diversified their business models will probably do alright,” she said. “Those that have not, and don’t change quickly, will lose big.”

Rubin noted that companies are looking at a range of diversification options.

“One is upselling to premium services,” he said. “Another is different kinds of subscription services.”

However, both those strategies could benefit Apple. “Those approaches play into Apple’s wheelhouse because its customers are more affluent and more likely to have the income to buy those services,” he explained.

As for advertisers, Menting predicted they will simply find other ways to place their ads, such as with influencers rather than through ad tracking.

“The ad market is not going anywhere and will ultimately always adapt,” she said.

Munster maintained the developer market isn’t going anywhere, either. “While transparency makes it more difficult for the app developers to make money on iOS, it’s still the best platform for monetization,” he said. “Developers aren’t going anywhere anytime soon.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by John P. Mello Jr.
More in Privacy