'Trusted Third Parties' Add One More Link In The Supply Chain Between Your Data And Government Requests

Privacy

from the a-new-wave-of-data-brokers dept

Just how many entities have their hands on your data when the NSA makes requests? Well, it’s not just the service providers and any number of analysts at the NSA. There’s a whole industry subset of third parties that actually handle requests, implement wiretaps, direct searches for communications/data and deliver this information to the intelligence agency.

ZDNet’s Zack Whittaker has the details.

With permission from their ISP customers, these third-parties discreetly wiretap their networks at the behest of law enforcement agencies, like the Federal Bureau of Investigation (FBI), and even intelligence agencies like the National Security Agency (NSA).

By implementing these government data requests with precision and accuracy, trusted third-parties — like Neustar, Subsentio, and Yaana — can turn reasonable profits for their services.

Little is known about these types of companies, which act as outsourced data brokers between small and major U.S. ISPs and phone companies, and the federal government. Under the 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), any company considered a “communications provider” has to allow government agencies access when a valid court order is served. No matter how big or small, even companies whose legal and financial resources are limited do not escape federal wiretapping laws.

Subpoenas, search warrants, court orders — even those from the FISA court — run through these trusted third parties. From the information Whittaker has gathered, this market seems to have evolved out of limited legal resources retained by smaller ISPs and service providers. Incoming requests are forwarded to these companies, which vet them for legal issues and determine what exactly needs to be done to satisfy them. Some of this is just CYA — an extra insulating layer to serve as a buffer between the service provider and the possibly aggrieved customer(s). Some of it is due to practicality. Smaller ISPs and service providers do not retain lawyers with the security clearance needed to inspect/challenge certain orders.

One of those attorneys, who declined to be named for the story because the person holds top-secret security clearance, explained that although hundreds of lawyers have the same clearance — including those serving terror suspects in Guantanamo Bay — very few have been in front of the FISA Court to defend their clients. These clearance-holding lawyers have been in high demand over the past year representing major Silicon Valley companies implicated in the NSA’s surveillance programs.

For the majority of smaller companies (as well as larger ones, who have refused to comment on challenging such warrants), complying with data demands may be their only option. The vast majority, however, do not have the resources to handle such requests.

“If they don’t have an internal lawyer [reviewing FISA warrants], they could use a third-party service. That third-party can’t provide legal advice, but it can create a system for reviewing the data, pulling, and processing the data,” the security clearance-holding attorney said.

Because these companies have the sort of clearance the ISPs lack, smaller ISPs are often nothing more than dumb terminals for government agencies to manipulate. The trusted third parties are often the only entities that see certain court orders and requests, and ISP participation in the approval and response processes is often non-existent. In many cases, the ISP cannot even see the court order it’s being directed to comply with.

“Of what worth is our permission when we don’t even know what we’re being asked to give access to?” a senior staffer at [ISP] Cbeyond admitted.

In the unlikely event that a request is rejected, it’s usually done by the third parties, again without the participation of the ISP itself. The trusted third parties are better equipped — in terms of legal team security clearance — to do this than smaller ISPs are, but that additional expertise is of little use should ISPs decide to directly challenge a court order.

If the ISP or phone company decides to fight a warrant, the third-party can stand back and wash its hands of it.

Burr said Neustar “has and will” reject subpoenas that are inadequate for one reason or another. But should its clients choose to fight a FISA warrant or court order it believes to be overbroad, Neustar will not join the battle in court.

Other trusted third-parties take a similar approach.

“We’re out of the picture,” said Marcus Thomas, chief technology officer at Subsentio, another trusted third-party company, founded in 2004, and based out of Littleton, Colorado.

While the third parties may be collecting money from ISPs for handling data and intercept requests, their desire to stay in the government’s good graces appears to outweigh any loyalty to the businesses that retain their services.

“It’s the provider’s problem,” [Yaana Executive VP Tony] Rutkowski said. “The nice part about the trusted third-party business is that just from a liability standpoint, we don’t want to be left holding the bag here.” [Yaana CTO David] Grootwassink agreed. “We provide the gears. We don’t get involved in fights between the governments and our clients.”

And therein lies part of the problem. While it may be easier to turn over what is largely a compliance function to third parties, there’s very little oversight into these companies’ actions and processes. Even the ISPs that hire them seem to have limited insight into what’s actually being done. These go-betweens have carefully dodged liability by refusing to be involved in legal challenges, leaving underequipped ISPs to fight their own battles. While some trusted third parties have issued transparency reports detailing the requests they’ve facilitated, this basically leaves the public to perform the oversight, something of very limited use. About all the public can do is switch providers, which, if even an option, only puts them in the hands of another company using the same practices.

Filed Under: 4th amendment, data, isps, phones, records, surveillance, third parties