'Trusted Third Parties' Add One More Link In The Supply Chain Between Your Data And Government Requests

from the a-new-wave-of-data-brokers dept

Just how many entities have their hands on your data when the NSA makes requests? Well, it’s not just the service providers and any number of analysts at the NSA. There’s a whole industry subset of third parties that actually handle requests, implement wiretaps, direct searches for communications/data and deliver this information to the intelligence agency.

ZDNet’s Zack Whittaker has the details.

With permission from their ISP customers, these third-parties discreetly wiretap their networks at the behest of law enforcement agencies, like the Federal Bureau of Investigation (FBI), and even intelligence agencies like the National Security Agency (NSA).

By implementing these government data requests with precision and accuracy, trusted third-parties — like Neustar, Subsentio, and Yaana — can turn reasonable profits for their services.

Little is known about these types of companies, which act as outsourced data brokers between small and major U.S. ISPs and phone companies, and the federal government. Under the 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), any company considered a “communications provider” has to allow government agencies access when a valid court order is served. No matter how big or small, even companies whose legal and financial resources are limited do not escape federal wiretapping laws.

Subpoenas, search warrants, court orders — even those from the FISA court — run through these trusted third parties. From the information Whittaker has gathered, this market seems to have evolved out of limited legal resources retained by smaller ISPs and service providers. Incoming requests are forwarded to these companies, which vet them for legal issues and determine what exactly needs to be done to satisfy them. Some of this is just CYA — an extra insulating layer to serve as a buffer between the service provider and the possibly aggrieved customer(s). Some of it is due to practicality. Smaller ISPs and service providers do not retain lawyers with the security clearance needed to inspect/challenge certain orders.

One of those attorneys, who declined to be named for the story because the person holds top-secret security clearance, explained that although hundreds of lawyers have the same clearance — including those serving terror suspects in Guantanamo Bay — very few have been in front of the FISA Court to defend their clients. These clearance-holding lawyers have been in high demand over the past year representing major Silicon Valley companies implicated in the NSA’s surveillance programs.

For the majority of smaller companies (as well as larger ones, who have refused to comment on challenging such warrants), complying with data demands may be their only option. The vast majority, however, do not have the resources to handle such requests.

“If they don’t have an internal lawyer [reviewing FISA warrants], they could use a third-party service. That third-party can’t provide legal advice, but it can create a system for reviewing the data, pulling, and processing the data,” the security clearance-holding attorney said.

Because these companies have the sort of clearance the ISPs lack, smaller ISPs are often nothing more than dumb terminals for government agencies to manipulate. The trusted third parties are often the only entities that see certain court orders and requests, and ISP participation in the approval and response processes is often non-existent. In many cases, the ISP cannot even see the court order it’s being directed to comply with.

“Of what worth is our permission when we don’t even know what we’re being asked to give access to?” a senior staffer at [ISP] Cbeyond admitted.

In the unlikely event that a request is rejected, it’s usually done by the third parties, again without the participation of the ISP itself. The trusted third parties are better equipped — in terms of legal team security clearance — to do this than smaller ISPs are, but that additional expertise is of little use should ISPs decide to directly challenge a court order.

If the ISP or phone company decides to fight a warrant, the third-party can stand back and wash its hands of it.

Burr said Neustar “has and will” reject subpoenas that are inadequate for one reason or another. But should its clients choose to fight a FISA warrant or court order it believes to be overbroad, Neustar will not join the battle in court.

Other trusted third-parties take a similar approach.

“We’re out of the picture,” said Marcus Thomas, chief technology officer at Subsentio, another trusted third-party company, founded in 2004, and based out of Littleton, Colorado.

While the third parties may be collecting money from ISPs for handling data and intercept requests, their desire to stay in the government’s good graces appears to outweigh any loyalty to the businesses that retain their services.

“It’s the provider’s problem,” [Yaana Executive VP Tony] Rutkowski said. “The nice part about the trusted third-party business is that just from a liability standpoint, we don’t want to be left holding the bag here.” [Yaana CTO David] Grootwassink agreed. “We provide the gears. We don’t get involved in fights between the governments and our clients.”

And therein lies part of the problem. While it may be easier to turn over what is largely a compliance function to third parties, there’s very little oversight into these companies’ actions and processes. Even the ISPs that hire them seem to have limited insight into what’s actually being done. These go-betweens have carefully dodged liability by refusing to be involved in legal challenges, leaving underequipped ISPs to fight their own battles. While some trusted third parties have issued transparency reports detailing the requests they’ve facilitated, this basically leaves the public to perform the oversight, something of very limited use. About all the public can do is switch providers, which, if even an option, only puts them in the hands of another company using the same practices.


Comments on “'Trusted Third Parties' Add One More Link In The Supply Chain Between Your Data And Government Requests”

John Fenderson (profile) says:

I thought I couldn't be surprised

In many cases, the ISP cannot even see the court order it’s being directed to comply with.

That surprised me. I thought that secret laws were about as bad as it could get, but no — they found something even worse.

It’s the purest of bureaucratic insanity. Under no circumstances should any entity be required to comply with a court order it can’t even read. The illogic of it could threaten the space-time continuum.

GEMont (profile) says:

Come one, come all. Sorry, public not allowed.

I’m beginning to think that it might be far easier to list the people who DO NOT have access, in one way or another, to the public’s communication information.

Every month it seems there’s a new layer of corporate businesses with their fingers dug deeply into the public pie, assisting the primary spooks in their overwhelming task of gathering everyone’s private and personal information into a useable portfolio for blackmail, theft and abuse.

Trusted third parties indeed.

Whoever said there was no Trust between thieves?
