Wednesday, October 26, 2016

AT&T provides mass-surveillance for hire

AT&T is the USA's largest provider of cellphone landlines, and its second-largest cellphone provider. This obviously makes it a prime target for anyone like the NSA looking at mass-surveillance. But instead of acting only in response to lawful court-orders and providing only what is requested, AT&T provides mass-surveillance for hire, selling searches of its huge metadata database as a subscriber service to law enforcement:

Telecommunications giant AT&T is selling access to customer data to local law enforcement in secret, new documents released on Monday reveal.

The program, called Hemisphere, was previously known only as a “partnership” between the company and the US Drug Enforcement Agency (DEA) for the purposes of counter-narcotics operations.

It accesses the trove of telephone metadata available to AT&T, who control a large proportion of America’s landline and cellphone infrastructure. Unlike other providers, who delete their stored metadata after a certain time, AT&T keeps information like call time, duration, and even location data on file for years, with records dating back to 2008.

But according to internal company documents revealed Monday by the Daily Beast, Hemisphere is being sold to local police departments and used to investigate everything from murder to Medicaid fraud, costing US taxpayers millions of dollars every year even while riding roughshod over privacy concerns.

And they do this in secret, under an agreement which requires those agencies to perjure themselves in court to protect the source of the information they are relying on. And that's not done for any valid law-enforcement reason, but to protect AT&T's stock price from public backlash.

This simply is not ethical behaviour from a telecommunications provider. It also points to the danger of allowing providers to retain large databases of metadata. While some information needs to be retained for billing and technical purposes, there's absolutely no need to retain everything permanently (AT&T's cellphone database goes back to 2008; its landline records to 1987. If you've ever made a call in or to the US to someone who uses AT&T, you're probably in there).

It also raises obvious questions about how long New Zealand telecommunications providers retain metadata for. The Privacy Act requires that they not keep personal information for longer than it is required for, and I'd be fascinated to find out how long each of them thinks that is. A query for the Privacy Commisisoner or TechLiberty, perhaps?