The New York Times has reported that US telecoms giant AT&T voluntarily (i.e. without court orders, subpoenas, national security letters, or any other form of coercion) allows the CIA access to its huge database of phone records (including US citizens' international calls) in exchange for $10 million a year.
According to an anonymous government official cited by the NYT, AT&T not only hands over the phone numbers of overseas terrorism suspects, but also gives the CIA free rein to rifle through its vast archive of phone data (which covers all data handled by its equipment, and therefore includes data on more than just its own customers).
Coming hot on the heels of Edward Snowden’s ongoing revelations on the scale of US tech giants’ co-operation with the NSA, this is yet further confirmation of the cosy relationship between business and US government interests. One major difference is that with the NSA scandals, companies have been keen to insist that they were not to blame as they were coerced into betraying their customers, while in this case it is clear that AT&T chose to let the CIA in.
It does seem that with the CIA there is greater legal oversight, more checks and balances, and a more targeted approach than is seen with the NSA blanket data trawl, but any legal protections provided apply only to US citizens.
“The C.I.A. is expressly forbidden from undertaking intelligence collection activities inside the United States ‘for the purpose of acquiring information concerning the domestic activities of U.S. persons,’ and the C.I.A. does not do so”, says CIA spokesman Dean Boyd.
However, thanks to a rather complicated legal dance, information can be passed from the CIA to the FBI, which can subpoena AT&T for full, uncensored records relating to domestic data.
AT&T has had a long history of cooperating with US government agencies, including assisting the Bush administration with its warrantless surveillance program, embedding employees in an FBI facility to help the FBI use AT&T databases to analyse calls, and embedding employees to assist the DEA in tracking drug dealers.
As we noted in our Ultimate Privacy Guide, conventional phone calls (either landline or mobile) should never be considered secure, and yet again a US tech giant has shown that it simply cannot be trusted to make any effort towards protecting the privacy of its customers (and in this case not just its customers, but anyone whose calls passed through its equipment).
The only way to communicate with any degree of privacy is to use strong encryption, connect to the internet using a VPN (or similar services such as Tor), and talk to each other directly using securely encrypted end-to-end software, such as Silent Circle or Pidgin + OTR.