Verizon, NSA Case Puts Companies on Notice

A shadowy “three-letter” U.S. government agency calls your company and asks for copies of your private customer data—the kind you don’t share with outsiders and can get sued for losing. The agency says it needs the data to track terrorists, but won’t get too specific about how.

Your choices:

A. Send the information right over.

B. Ask to see a court-issued warrant.

C. Pretend you’ve got a bad connection and hang up.

This is more than an academic exercise. According to reports in USA Today, major U.S. telecom carriers turned over the telephone records of millions of residents to the U.S. National Security Agency (NSA) for use in tracking domestic terrorist communications.

Reports about the program have put the telecom carriers in a difficult position. AT&T, BellSouth and Verizon all face class-action lawsuits, filed in recent days, seeking US$200 billion in damages for violating customer privacy.

With the threat of another Sept. 11-style attack on one side and cherished Fourth Amendment protections on the other, telecom carriers are damned if they do and damned if they don’t, says Jeff Kagan, an independent telecom analyst.

Reports about the phone-call monitoring claim AT&T, BellSouth and Verizon turned over customer information. Qwest, another “Baby Bell,” did not. That company denied the NSA request when government agents could not produce a court-issued warrant, said Herbert J. Stern, lawyer for ex-CEO Joseph Nacchio.

Telecom carriers aren’t alone in receiving government requests for private data. Google this year fought a Department of Justice (DoJ) request for search records in a case involving the Child Online Protection Act. In March, a Freedom of Information Act request revealed that the DoJ also subpoenaed 34 ISPs, including Verizon and major Internet search and security firms in that case. According to the documents obtained by InformationWeek, some of those companies, including Verizon, objected to the requests, citing the sensitivity of the data being requested.

Bolstered by the PATRIOT Act, the FBI has increased the use of “National Security Letters,” an arcane tool with roots in the Cold War that allows the government to demand customer records and sensitive data without court approval. Under PATRIOT Act provisions, recipients are barred from even acknowledging that they received such a letter.

The companies in question in the NSA case maintain that the requests were not for wiretapping access and that they were complying with the law when they turned over the call records. With no end in sight to the war on terror and the U.S. government casting an ever wider net in its search for domestic terrorists, companies need to weigh their options carefully, said Jody Westby, CEO of Global Cyber Risk, an IT consultancy.

Companies have several options, including fighting the requests in court. When weighing the public relations and stock-price risks, companies may find that the public expectation of privacy trumps government demands, Westby said. “Whether or not the government follows its due process, companies have an obligation to follow theirs.”

– Grant Gross, IDG News Service

Keep checking in at our CSO Security Feed page for updated news coverage.