Well, they Did Get Capone for Tax Evasion

So I am amused that AT&T might be liable for violation of telemarketing rules over its data sharing with the CIA:

It’s like getting Al Capone for tax evasion. The CIA and AT&T figured out how to get around legal restrictions on giving the CIA access to domestic phone call information, but in doing so they violated a Federal Communications Commission (FCC) rule that protects you against telemarketing.

According to this story in the New York Times, the CIA paid AT&T to provide them with information on calls passing through its international telephone system. Because federal law prevents the CIA from spying inside the United States, the CIA could not legally get info on calls terminating in the U.S. But, of course, calls from suspected foreign terrorists (aka “anyone outside the United States”) that terminate in the United States are the most interesting to the CIA.

So what’cha gonna do if you’re a poor spy agency or a patriotic mega-corp who understand that sometimes you have to break few privacy eggs to make a freedom omelet? According to the article, when a call originated or terminated in the United States, AT&T would “mask” the person’s identity by revealing only some of the digits of their phone number. The CIA could then refer this information to the FBI, which can get a court order and require AT&T to provide the rest of the phone number and all other relevant identifying information. Then the FBI can kick that information back to the CIA.

Unfortunately for the CIA and AT&T, while this might work to get around the limits Congress imposed on the CIA, it looks like it violates the law requiring phone companies like AT&T to protect your privacy. Section 222 of the Communications Act, also known as the rule on “customer proprietary network information” (CPNI), prohibits AT&T from selling anyone information on who you call or who calls you without your consent. Nor does this contract with the CIA fit into any of the law’s exemptions for information sharing. This is a private contract, just the same as if AT&T had contracted with Blue Cross to let them know if anyone Blue Cross insured sent out too many times for pizza and other unhealthy food.

The fact that AT&T did not fully disclose the full phone number or the name of the subscriber associated with the call does not make it any less of a violation. Under the law, AT&T violates the CPNI rules just by looking at any records associated with the phone number for any purpose other than actually providing service, billing, 9-1-1, or other exemptions found in the statute. The phone company doesn’t even have to disclose the information to anyone else (which, of course, it did, and which, of course, is also illegal) to violate the law.

If you have AT&T, you might want to call them and opt out of this program, which is your right under federal regulations.

Better yet, get a lawyer, and get a class action on.