Showing posts with label ATT. Show all posts

Monday, March 21, 2011

The negative impact of AT&T's purchase of T-Mobile on the market for privacy

Yesterday, AT&T announced that it will be purchasing T-Mobile, the fourth largest wireless carrier in the US. While there are many who have raised antitrust concerns about this deal due to the impact it will have on the price of wireless services and mobile device/application choice, I want to raise a slightly different concern: the impact this will have on privacy.

While it is little known to most consumers, T-Mobile is actually the most privacy preserving of the major wireless carriers. As I described in a blog post earlier this year, T-Mobile does not have or keep IP address logs for its mobile users. What this means is that if the FBI, police or a civil litigant wish to later learn which user was using a particular IP address at a given date and time, T-Mobile is unable to provide the information.

In comparison, Verizon, AT&T and Sprint all keep logs regarding the IP addresses they issue to their customers, and in some cases, even the individual URLs of the pages viewed from handsets.

While privacy advocates encourage companies to retain as little data about their customers as possible, the Department of Justice wants them to retain identifying IP data for long periods of time. So much so that T-Mobile was called out (albeit not by name) by a senior DOJ official at a data retention hearing at the House Judiciary Committee back in January:
"One mid-size cell phone company does not retain any records, and others are moving in that direction."
If and when the Federal government approves this deal, T-Mobile's customers and infrastructure will likely be folded into the AT&T mothership. As a result, T-Mobile's customers will lose their privacy preserving ISP, and instead have their online activities tracked by AT&T.

After this deal goes through, there will be three major wireless carriers, all of whom have solid track records of being hostile to privacy:
AT&T, a company that voluntarily participated in the Bush-era warrantless wiretapping program in which it illegally disclosed its customers' communications to the National Security Agency.

Verizon, a company that similarly voluntarily participated in the warrantless wiretapping program, and then, when sued by the Electronic Frontier Foundation, argued in court that it had a free speech right protected by the 1st Amendment to disclose that data to the NSA.

Sprint, a company that established a website so that law enforcement agencies would no longer have to go through the trouble of seeking the assistance of Sprint employees in order to locate individual Sprint customers. This website was then used to ping Sprint users more than 8 million times in a single year.

The market for privacy

Today, privacy is largely a risk mitigation issue for firms. Chief Privacy Officers are tasked with protecting against data breaches, and against class action lawsuits related to the 3rd party cookies that litter companies' homepages. The privacy organizations within companies do not bring in new customers or improve the bottom line, but protect the firm from regulators and class action lawyers.

Recently, there are signs that this may be changing. Microsoft and Mozilla are now visibly competing on privacy features such as "Do Not Track" built into their web browsers. Several venture capital firms have invested cash into firms like Reputation.com and Abine who are selling privacy enhancing products to consumers.

To be clear, the market for privacy is in its infancy. As such, the government should be doing everything possible to nurture and encourage such growth. It is for that reason that the FTC should not permit the one and only privacy protecting major wireless carrier to be swallowed up by AT&T, a company that has repeatedly violated the privacy of its customers.

The FTC should lead the government's investigation into this deal, and should reject it on privacy grounds

When the FTC approved Google's merger with DoubleClick in 2007, then Commissioner Pamela Jones Harbour raised the issue of privacy in her dissent (pages 9-12). As I think history now confirms, the FTC erred in ignoring Commissioner Harbour and not considering the issue of privacy in the Google deal. Many of her comments apply equally to the AT&T/T-Mobile deal.

While the FTC cannot turn back the clock on Google/DoubleClick, it can and should protect the privacy of the millions of T-Mobile subscribers. The FTC should block this merger. However, even if the deal is permitted to go through, the FTC should at least extract strict privacy guarantees from AT&T that include a policy of not retaining IP address allocation or other Internet browsing logs.

If the FTC, Commerce Department and Congress want the market to provide privacy to consumers, then they need to make sure that consumers have options in this area. Without options, informed consumers cannot vote with their wallets. Companies that choose to go the extra mile to protect privacy should be rewarded for doing so, and not, when the market for privacy is so young, be swallowed up by those that steamroll over their customers' desire to keep their data safe.

Monday, July 06, 2009

Praise for AT&T's gutsy defense of customer privacy

I'm about to do something I never thought I would do: Praise AT&T for taking a strong stand on privacy by refusing to disclose a customer's communications records to the government without a court order.

Fresh from Wikileaks

On April 30th, a fascinating email showed up on Wikileaks, purporting to be from a Special Agent in the Florida Computer Crime Center, writing to other law enforcement colleagues to complain about his experience in trying to obtain identifying information on AT&T and Yahoo customers.

There is no way to verify the authenticity of the email message; however, a quick Google search reveals that Mike Duffey does indeed work for the Florida Computer Crime Center.

While the email is worth reading in full, I'll summarize it here.

Warning: the details of this case are not very nice -- if you don't think terrorists, drug dealers and pedophiles deserve the benefit of due process and 4th amendment rights, you may want to stop reading now -- or you'll just get angry and/or upset.

On June 24, Special Agent Mike Duffey and his team were investigating a tip off regarding a gentleman who had reportedly bragged about molesting his six year old daughter on a Yahoo chat room and via Yahoo instant messenger.

Duffey's colleagues were able to find a MySpace page which listed the same Yahoo account in its contact information, and soon began to try and locate identifying information on several suspects.

First, Duffey's team contacted MySpace, claimed exigent circumstances, and were able to obtain the suspects' subscriber information and 30 days' worth of historical IP address information, revealing the Internet addresses the suspects had used to access their MySpace accounts. MySpace responded to Duffey's request within 20 minutes, and within 45 minutes had provided the agents with all the information they requested, all without requiring a subpoena or any other form of court order. The police simply claimed that this was a case of life or death, and MySpace handed over the information, no questions asked.

Second, Duffey's team contacted Yahoo in order to try and learn which IP addresses were used during the alleged chat room confession. Yahoo took three hours to respond to Duffey's request, at which point, the company rejected the "exigent circumstances" argument. In a follow-up conversation with Yahoo employees, Duffey was told that the company would be unable to provide any IP address information until 48 hours after they occurred. A further seven hours later, Yahoo provided 48 hour old IP address information, which, like the MySpace logs, pointed to an AT&T customer as the source.

Third, Duffey's team then contacted AT&T, who like Yahoo, refused his attempt to claim exigent circumstances. AT&T told him that they would not provide any information without a subpoena, which in Florida, must be issued by a court clerk.

Seven hours after initially contacting AT&T, Duffey obtained a subpoena, after which, AT&T immediately provided him with the name and address of the customer whose IP address had shown up in the most recent MySpace logs.

Two hours later, the suspect was arrested at his home, and quickly confessed.

Analyzing the law

The Electronic Communications Privacy Act strictly regulates service providers' sharing of customer information with the government.

As Susan Brenner has described in greater depth:
18 U.S. Code § 2703(c) says that a government entity can “require a provider of electronic communication service . . . to disclose a record or other information pertaining to a . . . customer . . . (not including the contents of communications) only when the government” does one of the following: gets a search warrant; uses a subpoena or court order; or “has the consent of the . . . customer to such disclosure”...

18 U.S. Code § 2702(b)(8) says an ISP service provider can give information “to a governmental entity, if the provider . . . believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency”.

The difference between § 2703 and § 2702 is that § 2703 deals with law enforcement’s ability to compel an ISP to provide subscriber information, while § 2702 sets out the conditions under which an ISP can voluntarily share such information.

So essentially, by claiming exigent circumstances, Special Agent Mike Duffey gave MySpace, Yahoo and AT&T the legal protection to voluntarily disclose their customers' information to the police.

MySpace jumped at the opportunity to share this data, Yahoo spun its wheels before eventually coughing up some data, while AT&T ultimately refused, as it was legally permitted to do. That is, while exigent circumstances enable an ISP to voluntarily share data on its customers, § 2703 still prohibits the government from compelling the production of customer records without a court order. Until the government produces a subpoena, the ISP can always lawfully say no.

Exigent Circumstances

Why should AT&T refuse to provide critical information to police in what is clearly a life and death situation involving a small child and a pedophile?

Well, it turns out that law enforcement doesn't have the best track record when it comes to its use of exigent circumstances. As the EFF's Kurt Opsahl described back in 2007:
We already knew that the FBI’s use of “exigent circumstances” letters was illegal. DOJ’s Inspector General Fine already condemned them in a well-publicized IG report that outlined how hundreds of requests were made where there was no immediate danger of death or serious physical injury and, in any event, “the letters did not recite the factual predication necessary to invoke [the emergency] authority.”
Now I'm sure that in this case the Florida police were telling the truth. However, in the past, both local police and federal law enforcement officers have been repeatedly caught fudging the truth in order to obtain these so-called exigent circumstances. Furthermore, there is a fairly large body of case law in which police put people's lives at risk in order to create exigent circumstances -- in such cases, the courts have rightfully thrown out the searches.

AT&T is likely going to take a lot of heat for refusing the exigent request if and when it hits the news. Who knows, perhaps that is the reason this email was leaked in the first place.

It is thus important that members of the privacy community rally around AT&T and support the company for its legally justified insistence upon a court order in this case, no matter how much we all continue to detest AT&T's completely illegal participation in the NSA warrantless wiretapping program.

Perhaps subpoenas take an excessive amount of time to get. Certainly, it took the officers in this case more than 7 hours in order to obtain theirs. I am sure there would be no objection to speeding up this process -- perhaps by allowing police officers to submit their requests to the clerk of the court via a special website, for example? There is no reason why inefficiencies and wasted time in the subpoena process cannot be eliminated -- rather than permitting police to simply ignore the process altogether and claim exigent circumstances.

In this case, the police waited more than three hours for Yahoo to respond to their initial request -- which, if the system worked, should be more than enough time to obtain a subpoena.

Shining the light on a shadowy practice

Those of you who might be shocked by MySpace's total willingness to disclose customer records without a court order should not be -- it is quite possibly the norm in the industry.

While it is not known to the general public, practically every Internet company gets requests, daily, from law enforcement agents wishing to dig up information on that company's customers. In order to deal with these requests, these firms all have "legal compliance" departments, some of which are open 24 hours a day, 7 days per week. A full list of these can be found here.

Of course, these firms don't like to discuss the fact that they routinely disclose their customers' private information to law enforcement. See, for example:

"We do not comment on specific requests from the government. Microsoft is committed to protecting the privacy of our customers and complies with all applicable privacy laws. In particular, the Electronic Communications Privacy Act ("ECPA") protects customer records and the communications of customers of online services."

“Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws.”

Q: How many subpoenas for server log data does Google receive each year?
A: As a matter of policy, we don’t provide specifics on law enforcement requests to Google.

Facebook is the only company to even discuss the topic and provide ballpark numbers, telling Newsweek just a few weeks ago that the company receives between 10-20 requests from police every day. That is, somewhere between 3600-7300 requests per year.

Wolves watching the sheep

Who is responsible for judging the requests for customer information from law enforcement, in order to determine if they are appropriate, lawful and do not request excessive information?

In many cases, it is former law enforcement agents and prosecutors.

The Chief Security Officer at MySpace, Hemanshu Nigam, is a former deputy district attorney from Los Angeles County, where he specialized in child exploitation and rape prosecutions.

Who is Google's new Senior Counsel in charge of Law Enforcement and Information Security? Richard Salgado, a former Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice.

What about Google's Privacy Counsel? That would be Jane Horvath, formerly the Chief Privacy Officer at the US Department of Justice under Alberto Gonzales.

What about Microsoft? The company's Senior Director for Global Criminal Compliance, Online Services Security & Compliance is Susan Koeppen, and like Google's Salgado, she was formerly a Senior Attorney at the Computer Crime and Intellectual Property Section of the United States Department of Justice.

This is not to say that these companies do not follow the law -- I am sure they follow it to the letter. Merely that when the police and FBI call up these companies to request customer information, the person on the other end of the phone is often very sympathetic to their point of view -- because often, they are former colleagues.

While there are certainly former staffers from the Electronic Frontier Foundation and other public interest groups working for Google and some of the other firms, you can bet your bottom dollar they are not let anywhere near sensitive issues like subpoenas, search warrants and national security letters, where the companies might not be as pro-privacy as they would like people to believe.

Facebook is perhaps the only company to break from this norm -- by hiring a "privacy hawk" and former ACLU lawyer to be the company's point man on privacy issues.

A need for transparency

While it is clear that all Internet companies receive requests, what is unclear is the way they respond to them -- that is, do Google and Microsoft voluntarily disclose data whenever law enforcement officers claim exigent circumstances, or do they, like AT&T, push back and demand a subpoena?

The policy approach taken to these situations likely depends upon the people receiving and responding to the requests...and as I described above, they are often former colleagues of those agents who are attempting to circumvent the requirement for a subpoena in the first place.

What we need, desperately, is transparency. All Internet companies should follow Facebook's lead, and provide at least some aggregate numbers on the number of requests that they receive every year from law enforcement agents.

Furthermore, they should disclose for how many of those requests the companies provided the relevant information without first requiring a subpoena or court order, instead voluntarily disclosing it after receiving an exigent circumstances letter.

We need transparency, and we need it now.

(H/T to Pogowasright for first spotting the letter on Wikileaks.)

Disclosure: I haven't discussed this case with anyone from AT&T nor have I ever received any funds from the company.

Saturday, February 03, 2007

Avoiding the NSA through gmail

I've been thinking a fair bit about the EFF's lawsuit against AT&T. According to court papers and press reports, AT&T is giving the NSA a direct network tap at multiple locations around the country, giving the US government access to all unencrypted email/IM conversations and web traffic that flow through AT&T's network. It's probably fair to assume that a few other backbone providers are also doing the same thing.

Consider the following situation:

Alice sends an email from her home computer (connected via a Verizon DSL connection) to her friend Bob, who checks his email from his desktop computer at work. Alice uses Hotmail, and Bob uses his company's email servers.

Alice's web connection to hotmail will most likely flow across AT&T's backbone, and if it doesn't, it'll cross one of the other Big Boys, like Level 3. Once Alice has created her email, it'll flow from Microsoft's email servers to Bob's employer's email server - unencrypted, again, probably over one of the major backbones, until it reaches Bob's desk.

There will be at least a couple chances for the NSA to sniff this.

What if Alice sends an email to her pal Charlie, who also uses hotmail?

Well, again, the spooks will have a chance to watch Alice construct the email, and then will be able to see Charlie log in to Hotmail and read it. Key to note here is that, since the email stays within Hotmail's network, it never has to flow across the Internet to go from Alice to Charlie.

Which brings me to the subject of gmail.

Google is nice enough to allow SSL encrypted sessions. Whereas Yahoo and Hotmail merely allow you to log in via SSL (just to stop a passive network sniffer learning your email password), Google allows the entire session to remain encrypted. Thus, any interaction between a user at their home computer and Google's gmail servers remains secret, provided the user changes the URL to https://

Let us now consider a situation where Alice and Charlie each have gmail accounts, and each logs in via SSL. Alice's connection to Google is encrypted; the email flows from one gmail user to another, so it never leaves Google's network as it is transmitted from Alice's outbox to Charlie's inbox; and then Charlie's connection to Google is SSL encrypted, so the contents of his email are not revealed to anyone watching his packets cross the backbone.

Right now, very few of gmail's users are using SSL. It is turned off by default (mainly for performance reasons, I'm guessing: 10 million users all requiring an SSL handshake is expensive in processing power).

As gmail's user base grows, and if its users can be convinced to embrace SSL, the NSA's wholesale data slurping from the backbone will become increasingly less useful.

"If we all use encrypted email (PGP/GPG), we won't have this problem" - this is very true. However, I cannot convince my less technically savvy friends/relatives to use PGP. It has far too many usability problems - still.

However, most of my friends already use gmail - due to the way accounts were given out in the early days, gmail has a very geeky user base. All I need to do now is convince them to use SSL... Which is where the Customize Google Firefox extension comes in useful.

Customize Google is mainly used to screen out google's advertising - both in gmail, and in the "ads by goooogle" that you see everywhere on the web. I typically install this on the computers of most of my less tech savvy friends. In addition to blocking out ads, Customize Google also turns on SSL for all gmail/google calendar sessions, without requiring that the user do any fiddling themselves. Problem solved!
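As an added illustration (this is not code from the original post, nor from the Customize Google extension), the following models the threat described above, a passive tap on the backbone that reads any unencrypted traffic crossing it, together with the kind of http-to-https URL rewrite such an extension performs for gmail. The provider hostnames, the assumption that server-to-server mail is unencrypted, and the three parties are constructed for the example.

```javascript
// Which webmail providers can keep the whole browsing session under SSL.
// Capabilities are assumptions made for this illustration (per the post: Hotmail and
// Yahoo encrypt only the login; Google can encrypt the entire session if asked via https://).
const PROVIDERS = {
  hotmail:  { fullSessionTls: false },
  yahoo:    { fullSessionTls: false },
  gmail:    { fullSessionTls: true },
  corpmail: { fullSessionTls: false }, // Bob's employer's server, read from the office LAN
};

// Rewrite of the kind Customize Google performs: upgrade an http:// gmail (or
// Google Calendar) URL to https://, leaving everything else untouched.
// Returns the rewritten URL, or null when no rewrite applies. Hostnames are assumed.
function forceHttps(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }   // malformed input: do nothing
  if (url.protocol !== "http:") return null;              // already https, or not a web URL
  const isGmail = url.hostname === "mail.google.com";
  const isCalendar = url.hostname === "www.google.com" && url.pathname.startsWith("/calendar");
  if (!isGmail && !isCalendar) return null;
  url.protocol = "https:";                                // path, query and fragment are kept
  return url.href;
}

// A party's session is hidden from the tap only when the provider encrypts the
// whole session AND the user actually reached it over https://.
function sessionEncrypted(party) {
  return PROVIDERS[party.provider].fullSessionTls && new URL(party.url).protocol === "https:";
}

// Points at which a backbone tap can read the message. A party is
// { provider, url, viaBackbone }; viaBackbone is false for a client on the same
// local network as its mail server (Bob at his desk in the post).
function exposedHops(sender, recipient) {
  const hops = [];
  if (sender.viaBackbone && !sessionEncrypted(sender)) hops.push("sender's session");
  if (sender.provider !== recipient.provider) hops.push("server-to-server SMTP"); // assumed unencrypted
  if (recipient.viaBackbone && !sessionEncrypted(recipient)) hops.push("recipient's session");
  return hops;
}

// The post's scenarios, as constructed sample input.
const gmailUrl = forceHttps("http://mail.google.com/mail/") ?? "http://mail.google.com/mail/";
const alice    = { provider: "hotmail",  url: "http://www.hotmail.com/",  viaBackbone: true };
const bob      = { provider: "corpmail", url: "http://mail.example.com/", viaBackbone: false };
const charlie  = { provider: "hotmail",  url: "http://www.hotmail.com/",  viaBackbone: true };
const aliceG   = { provider: "gmail",    url: gmailUrl,                   viaBackbone: true };
const charlieG = { provider: "gmail",    url: gmailUrl,                   viaBackbone: true };

console.log("Hotmail -> corporate:", exposedHops(alice, bob));     // two chances to sniff
console.log("Hotmail -> Hotmail:  ", exposedHops(alice, charlie)); // both sessions exposed
console.log("gmail/SSL -> gmail/SSL:", exposedHops(aliceG, charlieG)); // nothing on the backbone
```

Changing only one side to gmail over SSL still leaves the other side's session and the server-to-server hop readable, which is why the post argues for getting everyone onto SSL.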

Small Print:

This only stops the massive sniffing of data currently done by the US government of backbone traffic. This in no way protects you from the feds asking Google for the contents of your email - either by presenting a warrant, or more likely (since it doesn't involve asking a judge), a national security letter. I have good reason to believe that the FBI did this to me - but that's beside the point. This at least requires them to know who you are, and to be interested in you - whereas under the current NSA sniffing scheme, they can watch all email flow by, and analyze it without knowing who they're interested in spying on.