White House, Judges Grapple Over State Secrets in AT&T Spy Suit

The Bush administration is urging the U.S. Court of Appeals for the 9th District in San Francisco to dismiss a lawsuit filed by consumers and privacy advocates against AT&T for its role in a program that enables eavesdropping on phone calls and e-mails, saying allowing the case to proceed would put intelligence efforts at risk.

Permitting the case — which the Electronic Frontier Foundation (EFF) brought as a class action on behalf of AT&T customers — to go to trial would “reveal the sources, methods and operational details” of covert intelligence agencies such as the National Security Agency (NSA), Deputy Solicitor General Gregory Garre said during a hearing Wednesday.

The appeals court held the hearing on motions by the government to dismiss two lawsuits — the AT&T case being one of them — filed in connection with the NSA spying program.

The EFF said the argument, which the government has used throughout the proceedings, falls short, and amounts to efforts to avoid responsibility for using a private company such as AT&T to help the government spy on its own citizens.

“The courts are well-equipped to protect state secrets” even while allowing the trial to take place to help determine if the program was illegal, said EFF Legal Director Cindy Cohn.

Out of Balance?

The appeals court took the matter under consideration, and is expected to rule in a matter of weeks. The three judges on the panel peppered both sides in the case with questions, aiming many of their inquiries at Garre. For instance, they asked about how a court should determine if something is a state secret and requires protection on security grounds.

“Who decides what’s a state secret?” Judge Harry Pregerson asked. “Are we just a rubber stamp? We’re just supposed to take the word of the executive?”

In response, Garre argued the court should give the “utmost deference” to the executive branch if such a claim is made.

The main case is known as “Hepting v. AT&T,” and is a class action brought on behalf of AT&T customers who say their right to privacy was violated when AT&T took part in a NSA-sponsored program to channel Internet traffic — including VoIP phone calls and e-mail messages — through government systems that enable eavesdropping.

Spying on Millions?

The EFF has said it has a sworn affidavit from a former AT&T employee who was aware of a room within AT&T’s regional operations facility that only NSA employees had access to. The group says such surveillance requires a search warrant under federal law.

The second suit involves a direct complaint alleging illegal wiretapping. The Al-Haramain Islamic Foundation claims federal agents violated the law when they tapped into phone calls between the charity and its outside attorneys.

The Bush administration is making the same argument in that case — that any trial would make public spying techniques that could weaken efforts to protect the U.S. against future terrorist attacks.

“The government is hoping to avoid accountability for spying on millions of AT&T customers,” EFF Staff Attorney Kevin Bankston told the E-Commerce Times.

A vigorous hearing in the courts would be part of the “system of checks and balances that is supposed to thwart abuses of power,” he added.

“The White House is trying to wiggle out of those checks by taking the courts out of the picture,” Bankston said.

Taking Sides

Lawmakers last month granted the president additional power under the Protect America Act of 2007 to conduct surveillance of international communications involving U.S. citizens without a warrant.

In passing that extension and expansion of the Foreign Intelligence Surveillance Act (FISA), Congress backed up the president’s sweeping surveillance efforts, said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC).

“It is the most dramatic change in the 30 year history of the FISA and will leave millions of Americans subject to electronic surveillance, without court review, regardless of whether they are suspected of any wrongdoing,” Rotenberg told the E-Commerce Times.

Still, Congress will likely debate the issue again as the extension expires in about six months and could add in some means of providing oversight to prevent abuses. Meanwhile, the courts are another key battleground in the privacy front.

There have been numerous court cases launched since the NSA program was first revealed last year. Last month, a federal judge said five states — Missouri, Maine, New Jersey, Connecticut and Vermont — could continue with investigations into AT&T’s involvement with the surveillance program. In fact, a U.S. District Court judge has already ruled that the Hepting case could continue despite government claims of the need for secrecy.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Keith Regan
More in Privacy

CRM Buyer Channels

Pandemic, Compliance Driving Increased Privacy Spending

The global pandemic and the need to comply with laws governing consumer data are fueling increases in privacy budgets, according to a report by an association for privacy professionals and a multinational professional services firm.

The Privacy Governance Report for 2021 produced by the International Association of Privacy Professionals, EY and EY Law discovered through a survey of privacy professionals around the world that privacy spending has increased significantly over 2020, with the average privacy spend amounting to $873,000 and the median budget $330,000.

It also noted that 60 percent of the privacy pros surveyed expect their budgets to increase in 2022, and almost none anticipate budget cuts.

As with many workers since the pandemic began, privacy pros are working from home in greater numbers.

More than eight in 10 privacy pros (81 percent) are working exclusively or mostly from home, surveyors found. That’s expected to continue for the rest of 2021, with 78 percent of the privacy pros expecting to remain remote or hybrid workers.

There appears to be no change in sight. For next year, 82 percent of the privacy pros are still expecting to be working mostly remotely or in some form of hybrid arrangement, dividing their working hours between home and office,

Compliance Is Top Priority

The report noted that compliance with the European General Data Protection Regulation, California Consumer Privacy Act, California Privacy Rights Act and other U.S. state privacy laws, as well as other global laws, has been a top priority for most privacy teams over the past year.

It revealed that 26 percent of the companies subject to the CCPA were in full compliance and 41 percent were “very compliant.” GDPR compliance was lower, with 20 percent in full compliance and 43 percent very complaint.

“Privacy laws have had a significant impact on how companies are approaching privacy, but it has been mainly internal to the companies’ operations,” observed Rob Shavell, CEO and co-founder of Boston-based Abine, maker of Blur, a combination password manager, email masker and ad tracker blocker.

“It’s not something that consumers have felt much of a difference,” he told TechNewsWorld.

“It’s a big change for companies because they have to hire a bunch of people and pay attention to where data is stored and who it’s shared with, more so than they did before these laws were passed,” he added.

Customizing Privacy

Liz Miller, vice president and a principal analyst with Constellation Research, a technology research and advisory firm in Cupertino, Calif. explained that lots of organizations have fundamentally changed how they operate because of privacy laws.

“The challenge is they haven’t redefined what privacy means to them,” she told TechNewsWorld.

“They’re complying with the laws without asking what does privacy mean to us and how is protecting our customers’ data and privacy fundamental to the way we operate?” she said.

“They’re checking off the boxes, but the more interesting organizations are redefining what privacy means to them and making it something the customer is driving and not something to be exploited,” Miller observed.

“They’re asking their customers what they want from the company that has value to them,” she added.

“That’s a residual benefit to consumers from this wave of regulation,” she continued. “More people are becoming aware that privacy is an opportunity to create a conversation about what everyone wants — a durable, lasting relationship with the customer.”

Help Wanted

The report also noted that nearly half the pros (45 percent) revealed their organizations are planning to hire at least one or two new privacy professionals over the next six months.

Those extra bodies will be needed when the California Privacy Rights Act takes effect on January 1.

“The CPRA is going to have a considerable effect on privacy,” observed Timothy Toohey, an attorney with the Greenberg Glusker law firm in Los Angeles.

He explained that the law will be giving consumers new rights, including the right to see information that a company has collected about them.

“That can be quite burdensome on companies,” he told TechNewsWorld.

In addition, the law imposes data and privacy requirements on vendors of companies.

“In this next year, there’s going to be a lot of scrambling by companies putting new agreements into effect with their vendors,” Toohey said.

“Some companies can have hundreds of vendors,” he added.

Legal Jungle

An increasing number of privacy laws — both at the state level in the U.S., as well as at the national level around the world — make privacy operations increasingly central to what an organization does, the report noted.

The proliferation of those laws, especially in the United States, can also complicate the compliance task for companies.

“It’s created a problem,” Toohey acknowledged.

“We have three states with comprehensive laws — California, Virginia and Colorado — and a lot states are considering them, particularly in light of the pandemic and work-from-home, because of the proliferation of information online,” he said.

“Whenever you have laws worded slightly differently, as all these laws are,” he explained, “it creates potential compliance headaches.”

“You have to reframe your agreements,” he continued. “You have to look at your privacy policies, and you have to comply with consumer requests from various jurisdictions, since there is no standard federal law — nor is there likely to be one in the immediate future,” Toohey added.

Pandemic Affects Privacy

However, Shavell maintained businesses may be complaining too much about the plethora of privacy laws in the United States.

“Companies say it’s difficult to comply with the growing number of privacy laws. That’s hyperbole,” he said.

“Companies say it because they want to act like everything is hard, so they don’t have to do it,” he continued. “In reality, these laws are very similar. Most of them are just subsets of one another. The CCPA, for example, is just a subset of the GDPR.”

While companies are beefing up their privacy teams, they’re also beefing up their surveillance tools, largely due to the pandemic. “One pattern we see in the shift to remote work is that companies are hunting for ways to monitor output and productivity without a manager physically observing employees,” observed Julian Sanchez, a senior fellow at the Cato Institute, a public policy think tank in Washington, D.C.

“For many, the answer is tools like InterGuard, ActivTrak, Hubstaff and TimeCamp, which are essentially spyware that can track what workers are doing on their computers in incredibly granular ways,” he told TechNewsWorld.

“The pandemic didn’t invent these tools, of course, and plenty of businesses had them installed on in-office computers before Covid, but the shift to more remote work led to a significant spike in adoption,” he said.

Vaccine mandates can also pose a risk to privacy.

“Vaccine mandates are creating all these little databases at places requiring proof of vaccination for service,” Shavell explained. “There’s no real control over those databases.”

“What we advocate is a low-tech approach,” he said. “Check for a vaccine card, but don’t create a database. There’s no need to enter that information where hackers, scammers or marketers can get it.”

The complete IAPP-EY Annual Privacy Governance Report 2021 is available here.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories

Apple Privacy Rule Cost Tech Titans Estimated $9.85 Billion in Revenue

Facebook, Twitter, YouTube and Snap lost an estimated $9.85 billion in revenue during the first half of 2021 due to a new privacy tool launched by Apple that requires applications to ask for a user’s permission before tracking their activity on the internet, the Financial Times reported Sunday.

The report, based on data from advertising research firm Lotame, noted the companies lost an average of 12 percent of revenues during the period.

Some analysts, though, consider that estimate high. “It’s too much of an impact,” observed Gene Munster, co-founder of Loup Ventures, a venture capital firm in Minneapolis.

That’s especially true in light of continuing improvements being made by advertisers. “Eventually the measurement tools will improve for the ad industry, with or without IDFA,” he told TechNewsWorld.

IDFA — Identifier for Advertisers — is Apple’s mobile ID which is used to make mobile in-app advertising and measurement easier. With the new tool, it can’t be used to track users without their permission.

Yoram Wurser, a principal analyst at eMarketer Insider Intelligence, an e-commerce and retail analysis firm in New York City, was doubtful but did not entirely dismiss the size of the losses. “The nine billion is on the high end, but it’s possible,” he told TechNewsWorld.

Lotame did not respond to our request for comment for this story.

Negotiating Headwinds

During Facebook’s most recent earnings call, Sheryl Sandberg, chief operating officer of Meta Platforms, which operates Facebook, acknowledged that Apple’s actions had created some “headwinds” for the social network which, by some estimates, depends on targeted advertising for 98 percent of its revenue.

“We’ve been open about the fact that there were headwinds coming — and we’ve experienced that in Q3,” she said.

“The biggest is the impact of Apple’s iOS 14 changes, which have created headwinds for others in the industry as well, major challenges for small businesses, and advantaged Apple’s own advertising business,” she observed.

“We started to see that impact in Q2, but adoption on the consumer side ramped up by late June, so it hit critical mass in Q3,” she continued.

“As a result, we’ve encountered two challenges,” Sandberg added. “One is that the accuracy of our ads targeting decreased, which increased the cost of driving outcomes for our advertisers. And the other is that measuring those outcomes became more difficult.”

iOS14 App Tracking Transparency screen

Apple’s App Tracking Transparency feature that requires apps to get the user’s permission before tracking their data across apps or websites owned by other companies has cost Big Tech firms billions in ad revenue this year. [Credit: Apple]


At its most recent earnings call, Twitter played down the impact of the App Tracking Transparency tool.

“It’s still too early for Twitter to assess the long-term impact of Apple’s privacy-related iOS changes, but the Q3 revenue impact was lower than expected, and we’ve incorporated an ongoing modest impact into our Q4 guidance,” said CFO Ned Segal.

“We’ve seen our revenue product development, both related to and distinct from ATT, improved the performance of our products, and we expect that to continue,” he added.

Living Off Targeted Ads

Ross Rubin, the principal analyst with Reticle Research, a consumer technology advisory firm in New York City, explained that YouTube and Facebook are two of the highest grossing revenue sites on the internet, largely because they can offer targeting data about their audiences.

“A big part of that comes from knowing where else their visitors are going when they’re not on those sites,” he told TechNewsWorld. “So Apple’s requirement for consumers to opt-in to that kind of tracking has diminished their ad pitch about the precision of their ad data.”

Targeted ads are particularly lucrative on smartphones because of the rich nature and amount of user data that can be collected on those platforms, noted Michela Menting, digital security research director at ABI Research, a global technology intelligence firm.

“Smartphones are much more widely used than laptops or PCs for consumers, and also very personal,” she told TechNewsWorld.

“The targeted ads market is one that very much happens behind the scenes, and hidden as much as possible from consumers,” she continued.

“This speaks volumes about the fact that in the targeted ad business, most stakeholders are aware that this is not a big selling point for users,” she said. “Barring transparent action by those in that value chain — social media platforms, smartphone OEMs, marketers — the business is one that is likely worth billions in revenue.”

Business Basics

Clearly, Menting continued, Apple’s privacy policy has had a very significant impact on the targeted ad business.

“By providing clear guidance and information to users, with a choice to opt-out of tracking, consumers have done what those in the social media business feared most: opted out,” she observed.

“This policy is great for users,” she maintained. “Ad tracking should be transparent and, quite honestly, remunerated.”

“If the consumer is the product and they know and understand how it works, and they are asked for permission, it is unsurprising that the majority will not consent to tracking if there is nothing in it for them,” she said. “It’s business basics.”

“So while I can’t comment on the revenue loss, I am not surprised at the amount stated, and it is likely that the loss will continue to escalate,” she noted.

Impact on Developers

Apple’s new privacy policies will also impact app developers, especially those who depend on the “freemium” model, Menting added.

“Privacy policies may curtail the ability for them to engage with advertisers going forward,” she explained. “Overall, what Apple has done is a big win for consumers and their privacy generally, and a huge obstacle for social media.”

“Those that have diversified their business models will probably do alright,” she said. “Those that have not, and don’t change quickly, will lose big.”

Rubin noted that companies are looking at a range of diversification options.

“One is upselling to premium services,” he said. “Another is different kinds of subscription services.”

However, both those strategies could benefit Apple. “Those approaches play into Apple’s wheelhouse because its customers are more affluent and more likely to have the income to buy those services,” he explained.

As for advertisers, Menting predicted they will simply find other ways to place their ads, such as with influencers rather than through ad tracking.

“The ad market is not going anywhere and will ultimately always adapt,” she said.

Munster maintained the developer market isn’t going anywhere, either. “While transparency makes it more difficult for the app developers to make money on iOS, it’s still the best platform for monetization,” he said. “Developers aren’t going anywhere anytime soon.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by John P. Mello Jr.
More in Privacy