More news has arrived on AT&T's willing accommodation of every government agency that asks for a peek at the numbers (or a never ending, rolling 3-month haul of all records). At least this time, it's getting something more in return than boilerplate court orders with that new ink pad smell. As the New York Times reports, the CIA wants in on the action, and it doesn't need court orders -- just a big stack of cash.
The C.I.A. is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company's vast database of phone records, which includes Americans' international calls, according to government officials.
This is all purely voluntary ($10mil of greased palms/wheels notwithstanding), hence the lack of court orders or subpoenas. Oddly enough, this voluntary system actually protects the privacy of Americans much better than the "legal" Section 215 collections.
The C.I.A. supplies phone numbers of overseas terrorism suspects, and AT&T searches its database and provides records of calls that may help identify foreign associates, the officials said…
Because the C.I.A. is prohibited from spying on the domestic activities of Americans, the agency imposes privacy safeguards on the program, said the officials, speaking on the condition of anonymity because it is classified. Most of the call logs provided by AT&T involve foreign-to-foreign calls, but when the company produces records of international calls with one end in the United States, it does not disclose the identity of the Americans and “masks” several digits of their phone numbers, the officials said.
Of course, these "masked" records can be very simply unmasked by "tipping" them to other agencies, like the FBI, which then acquires a subpoena/court order to "unmask" the records. This just goes to show that these agencies can
cooperate, as long as its in the interest of furthering domestic surveillance.
Ultimately though, this news isn't surprising. Phone companies have been collecting government paychecks
in exchange for data for a very long time. True, the telcos don't want to appear as though they're selling Americans' data for cash, but that's exactly what's happening. The CIA's primary focus is foreign surveillance and, thanks to AT&T, there's some minimization in place to keep the agency focused on its purview.
More interesting, however, is how this news affects General Alexander's "generous" offer
to store data at a "neutral site" in order to alleviate privacy concerns. As was noted back when he made this offer, American telcos are hardly "neutral sites" given their history of swiftly coughing up anything requested with a minimum of pushback.
So, AT&T (and Verizon, etc.) are not "neutral" in any true sense of the word, but at least storing the data there would put the NSA in the position of having to bring its selectors to a third party before accessing stored records, rather than just having them conveniently available (and exploitable) in its own storage for an indefinite period of time. This would trim down the "accidental" abuse
that has been displayed by the agency in the past.
More recently, ODNI lawyer Robert Litt (along with the FBI's general counsel) suggested storing data with the originators would lead to less privacy
. Given what we know about the CIA's paid data plans, he might be correct, even if his motives for making that claim were completely disingenuous.
It would introduce extra steps, but it appears as though there would be a way to "tip" domestic data to the NSA by simply using the process it uses with the FBI. Restrictions on both the NSA and CIA are meant to minimize the amount of unrelated domestic metadata they have access to. The CIA's restrictions are harsher than the NSA's, but the CIA can still grab and let the NSA wrangle the paperwork needed to unmask numbers. Or vice versa. The NSA can access its on-site metadata stores (with unmasked numbers) and tip domestic call data back to the CIA.
Both of these scenarios are unlikely, but storing the data at AT&T seems to offer very minimal privacy advantages over storing it in the NSA's data centers. At best, this creates some mild speed bumps for the agency to deal with in exchange for a small amount of "peace of mind" privacy-wise. Most telcos have seemed even less
interested protecting Americans' privacy than the inquiring agencies themselves. As you'll recall, AT&T went out of its way to perform phone record queries for the FBI for agents armed with nothing more legally binding than a Post-It note
The other thing to note is that this is another bit of evidence that undercuts the telcos' repeated assurance that they "value their customers' privacy." This sentence is usually followed directly by defensive wording about "complying" with "applicable laws" -- which actually means "complying with intelligence agencies." There's very little true concern on display and little to no evidence AT&T (and Verizon) have ever made any serious attempt to push back on government requests.