It recently was revealed that AT&T was selling call data to the CIA for $10 million a year. This is in addition to the millions of dollars the company was paid by the NSA for participating in the NSA’s FISA telephony metadata whereby the company, together with other U.S. telephone companies, routinely provided the NSA with all of the call data of U.S. calls (calls made, received, dates, times, duration, etc.) pursuant to an order from the Foreign Intelligence Surveillance Court.
Apart from the civil liberties and privacy aspects of these programs, they reveal a significant problem. Subpoena compliance and government cooperation has moved from an obligation of the company to a potential profit center.
As such, it has created perverse incentives for these companies to increase the number and detail of records provided to governments, to encourage rather than resist subpoenas and demands for documents, and to conceal rather than reveal the existence of such demands. In other words, users and subscribers are no longer the customers. The government is the customer. The user is the product.
Subpoena Compliance
The government has many different ways to compel a company to produce documents and records about its customers, depending upon the nature of the company, the nature of the documents sought, the identity of the organization making the request or demand, and the reason for the request. They run the gamut from a simple request for preservation or production, an emergency demand for preservation or production, a National Security Letter (NSL) issued under section 505 of the USA PATRIOT Act for preservation or production, an administrative, IG or Attorney General subpoena (in some States) for production, a grand jury subpoena for production, a Court order for production of records (GPS or location data, a trap and trace order, a pen register order under 18 U.S.C. §§ 3121-27), a search warrant for production of records, a FISA production order, an interception order either under Title III or the Foreign Intelligence Surveillance Act, 50 U.S.C. §§ 1801-1862.
In addition, the FCC or state regulators may demand production of records as part of their regulatory authority, and laws like Communication Assistance to Law Enforcement Act (CALEA) 47 USC 1001-1010, require telephone companies (and now VOIP providers) to configure their systems in a manner to be able to produce records upon demand by law enforcement.
47 USC 1003(e) and 47 USC 1007(C)(3)(A) and 47 USC 1008(B)(2) permits the Attorney General to allow the telcos to be reimbursed for the costs associated with reconfiguring their systems to be compliant, but makes no provision for paying for individual demands for information. Conversely, the FCC prohibits telephone companies from producing user data absent a lawful demand (47 USC § 222). Needless to say, the laws regarding protection of the privacy of telecom data and its production for law enforcement, regulatory and intelligence purposes is muddled.
Who Pays?
As a general rule, companies which retain records, whether it’s the local convenience store, a bank, an Internet Service Provider, a local hospital or a telecommunications provider has to provide the government with documents or records in response to a lawful demand or request. In fact, if you look at the privacy policies of each of these companies they should have language in which they explain that, irrespective of the promises they make, they will produce records in response to “a lawful demand” or “a lawful request” or “a lawful court order” or “a lawful subpoena.” Even if such language does not appear in the privacy policy, the recipient of a “lawful court order” is compelled to comply with the order, or face the risk of contempt of court.
But when the convenience store or phone company receives a grand jury or administrative subpoena from the prosecutor, the general assumption is that the company will pay for the costs of compliance with the subpoena. When a mafia don gets a subpoena for his records, he doesn’t present the government with a bill for photocopying. Unlike civil subpoenas, subpoenas in criminal investigations make no distinction between subpoenas to “parties” and subpoenas to non-parties (like the phone company). This is because the grand jury is empowered to search for the truth (in theory). There are no parties except the prosecution. Thus, the phone company has to foot the bill for complying with subpoenas.
Search warrants are slightly different. A search warrant is an order from a court ordering a law enforcement officer to search for and seize whatever documents or records are called for in the court order – and only those records. The obligation to search lies with the law enforcement officer who is technically “commanded” to execute the warrant.
As a practical matter however, police and prosecutors (and phone companies) ignore the language of these court orders. The phone company doesn’t really want a bunch of gendarme rummaging through their servers to find records. Instead, the cops fax over the search warrant, and the phone company faxes or emails the records back. A win-win, except that that’s not what the judge commanded. And the law makes no provision for the phone company to be paid for doing something that the court never ordered them to do. Can you imagine the police coming to your house with a search warrant, and asking you to open the door, and you saying, “sure, that will be a $50 door opening fee, and another $50 escort you inside fee…” See how well that works out for you.
Some statutes do permit phone companies to be reimbursed for costs – technically by requiring the phone company to cooperate. Thus, under the federal wiretap law 18 U.S.C. § 2518(4) a court order may compel providers of wire or electronic communication services, landlords, custodians, or other persons to furnish the police with the facilities, information, and technical assistance necessary to carry out the interception unobtrusively and with a minimum of interference to the services that are being provided to the person whose communications are to be intercepted.
Before rendering assistance, however, the phone company must receive either a court order directing the assistance or a written certification from an authorized official establishing that no warrant is required for the interception, that the statutory provisions have been satisfied, and that the assistance is needed. See id. § 2511(2)(a)(ii)(B). Then, and only then is the phone company entitled to be compensated by the police for “reasonable expenses incurred in providing such facilities or assistance.”
Chinese Menu
The telcos have negotiated a “Chinese menu” of rates for ponying up your most intimate secrets to cops, prosecutors or intelligence agencies – not just in the United States, but presumably, anywhere. Want to install a wiretap? $500 bucks a month per telephone number. $60 for a voicemail message. Only $30 for a text message. Want to track someone’s movements in real time? A bargain at $30 bucks a day on Sprint. T-Mobile costs $100 a day. For $150 an hour, T-Mobile will give you a “tower dump” – a record of every telephone that was in the vicinity of a specific tower. AT&T is a bargain at only $75 an hour for a tower dump, but there is a two drink – I mean two hour – minimum.
Comcast charges for a wiretap include a $1,000.00 initial start-up fee, a Court Ordered Pen Register/Trap and Trace, Wiretap, or interception and $750.00 per month. For telephone records (call detail records) Comcast charges $150.00 a week, or more if you want them more than once a week.
These charges apply whether or not there is an actual additional cost to the telco to produce the records, and there is no specific finding by any court that these costs are actual reimbursements, and whether or not they are “reasonable.”
What is interesting about these charges is that some carriers call them “CALEA” charges – named after the law that mandated that telcos build systems that could be wiretapped. CALEA allowed telcos to recover certain engineering costs associated with building “wiretap compliant” systems, but the FCC specifically rejected an argument that CALEA authorized “per-intercept” charges. In 1996, the FCC specifically observed that intercept charges “would be inconsistent with the cost recovery methodology set forth in CALEA” and that it was expected that carriers would “absorb the costs of CALEA compliance as a necessary cost of doing business, or … from their subscribers.”
In the meantime, the police are avoiding all of these pesky costs and warrants too by deploying technologies like Stingray that send out a fake cell phone signal that can be tracked and create a searchable database belonging to the police. Last year in United States v. Ringmaiden, the Government conceded that to track the suspect they used a “mobile tracking device [that] simulated a cell site.” In other words, rather than rely on the cell company’s tracking data, they created their own. No muss, no fuss, no pesky court orders of exorbitant fees.
Lawful Demands
There was a time when the main thing phone companies did was provide telecom services. Now, every telecom, every search engine, every cable provider, every ISP has teams of people dedicated to doing nothing more than providing information to police, prosecutors and intelligence agencies in response to “lawful” demands. I use the term “lawful” in quotes because these entities rarely if ever challenge the lawfulness of a subpoena or demand. Why should they? They make money on complying, and lose money challenging the demand.
Ordinarily, when an entity receives a subpoena from the government, it challenges the scope, duration, and extent of the subpoena. It can challenge compliance as being burdensome and oppressive, too difficult, or for calling for confidential or sensitive (or privileged) information. It can challenge the subpoena on the grounds that the police lied in the application, that the subpoena calls for production of records outside the geographic area of the court’s jurisdiction (like a California court demanding production by a Virginia ISP), or that the matters under investigation are outside the lawful authority of the grand jury (for example, a Virginia grand jury investigating a crime which could only have occurred in California.)
Other kinds of demands for phone or other records similarly require specific forms of approval or notice. NSL’s must be approved by the FBI Director or his (or her) designee – typically at the Assistant Special Agent in Charge (ASAC) level. They must meet specific statutory requirements for issuance, as must IG subpoenas and other demands.
In fact, I would assume that EVERY subpoena, EVERY demand, and EVERY request was unlawful unless and until it was challenged and upheld by a court.
Actually, while we treat a grand jury subpoena as a “court order” (and it has the seal of a court and states “you are required to produce by order of the court” a subpoena is NOT technically a court order. In order to enforce a subpoena you need an order to compel production.
But phone companies make no money challenging subpoenas, and simply annoy police, prosecutors, judges and regulators when they do. Which is better – make $150 bucks by giving up the records or pay $500 an hour to a lawyer to refuse to give it up? All the better because, if you DO give up the records, the customer never knows.
Secrecy
As a result of the Supreme Court’s holding in Smith v. Maryland the records you think are YOUR phone records are not. They are the phone company’s records. With the exception of the FCC regulations on consumer privacy, the phone company can do whatever it wants with them. As Lily Tomlin’s Ernestine would say, “we don’t care; we don’t have to. We’re the phone company.”
Thus, there is no reason for the phone company to tell you that some policeman somewhere wants to peek at your phone calls, track your movements, or read your text messages. Now there are plenty of times when the police would not want you to know that they are investigating you – or using your records to investigate someone else. In those cases, the police can get an order from a court sealing the request and ordering the telco not to inform the customer. If the cops can show specific and articulable facts indicating that disclosure of the court order will have a specific harm to the investigation, then by all means they should keep it secret. But that’s not the way it works.
Even though you are the customer – the one paying the phone company for service, they are not responsive to you – they are responsive to the police and prosecutors (and the NSA). The presumption is that they will NOT tell you if they pony up your records – even if you ask nicely. That’s just messed up.
In fact, federal law (Rule 41, F.R. Crim. P.) requires that a copy of the warrant be provided to the person whose place is searched. The warrant itself indicates that the police “must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken.”
But the warrant is “served” on the telco, not the subscriber. So the telco gets a copy of the warrant, not the subscriber. And the telco can challenge the scope of the warrant, not the subscriber. And the telco gets paid for helping “execute” the warrant. So why should they challenge it, or why should they bother to tell the subscriber (that is, their customer who is paying their bill) about the warrant? So the presumption in the law is for openness, but that is only openness between the police and the telcos. The subscriber is left in the dark.
Perverse Incentives
By making production of records to cops, prosecutors or intelligence agencies a profit center (or at least not a loss center), the phone company has an incentive to encourage such demands.
Looking a little shaky in Q3? How bout a nice document demand to bolster the bottom line? How bout charging to the highest bidder – if the NSA wants documents, you can say, “well… the CIA was willing to pay $10 million a year…how much would YOU pay?”
Foreign governments can get into the act too. Start a bidding war between the Russian Foreign Intelligence Service and the Syrian General Security Directorate. Maybe get the Mossad or Iranian VEVAK involved too. A bargain!
Companies like AT&T, Verizon and Sprint have little enough incentive to challenge court orders or demands. Less so if the NSA, CIA, FBI and others are multi-billion dollar customers. And even less so if the relationships and disclosures are secret.
So you are no longer a customer of AT&T. You are the product they are selling. As Humphrey Bogart would say in Casablanca, “For a price, Ugarte, for a price.”