AT&T Tech Paints Stark Picture of NSA Telecom Spying

AT&T employee-turned-whistleblower Mark Klein, a 62-year-old retired telecommunications technician, was in Washington Wednesday to meet with members of Congress to convince them that telecommunications companies shouldn’t get immunity for the part they played in helping the National Security Agency (NSA) collect and record massive amounts of Americans’ Internet communications.

When Klein worked for AT&T in 2002, he said he received e-mails from higher management advising technicians of a special visit from the NSA and that an NSA agent was going to interview another technician for a “special job.” In January 2003, he toured AT&T’s Folsom Street facility in San Francisco, where a new 24-by-48-foot secret room was being built adjacent to telecommunications switches.

At the time, Klein was a fiber optics technician, and he said he became aware that AT&T’s WorldNet Internet service’s optical circuits had been split so that electronic voice and data traffic from AT&T’s customers could be copied and diverted to the secret room, which was locked and controlled by the NSA.

“My job required me to enable the physical connections between AT&T customers’ Internet communications and the NSA’s illegal, wholesale copying machine for domestic e-mails, Internet phone conversations, Web surfing and all other Internet traffic. I have first-hand knowledge of the clandestine collaboration between one giant telecommunications company, AT&T, and the National Security Agency to facilitate the most comprehensive illegal domestic spying program in history,” Klein stated.

Evidence for a Class Action Lawsuit

The Electronic Frontier Foundation (EFF) filed a class action lawsuit against AT&T in January 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the NSA in its massive program to wiretap and data-mine Americans’ communications, actions which the EFF said are illegal. On July 20, 2006, a federal judge denied the government’s and AT&T’s motions to dismiss the case, chiefly on the ground of the State Secrets Privilege, allowing the lawsuit to go forward. On Aug. 15, the case was heard by the Ninth Circuit Court of Appeals.

The EFF lawsuit arose from news reports in December 2005, which first revealed that the NSA had been intercepting Americans’ phone calls and Internet communications without any court oversight, which the EFF said violates privacy safeguards established by Congress and the U.S. Constitution. This surveillance program, purportedly authorized by President Bush as early as 2001, intercepts and analyzes phone and Internet communications of millions of ordinary Americans. EFF has compiled and published supporting documents, reports and court materials on its AT&T Class Action area on its Web site.

On behalf of a nationwide class of AT&T customers, EFF says it’s suing “to stop this illegal conduct and hold AT&T responsible for violating the law and the fundamental freedoms of the American public.”

The EFF scored a minor victory Tuesday when a federal judge ruled that AT&T must either halt any routine destruction of documents or arrange the preservation of accurate copies.

The Plot Thickens

Meanwhile, the Justice Department has reportedly sought to block the lawsuit — and as many as 40 other, similar suits with telecoms around the country — by using the state secrets privilege, which would block the release of any information that might endanger national security.

Last month, the Senate Intelligence Committee approved a bill that would reduce the government’s ability to eavesdrop on terrorism suspects and protect civil liberties, but which also includes a clause that would grant the telecommunications companies, including but not limited to AT&T, immunity from lawsuits stemming from privacy violations with the NSA.

Sen. Leahy and the White House

Sen. Patrick Leahy, a Vermont Democrat and chairman of the Senate Judiciary Committee, raised the immunity issue a week ago as a concern, both for the privacy of Americans and as a shield for the Bush Administration.

“At the outset I should acknowledge the grave concern I have with one aspect of S.2248. It seeks to grant immunity — or, as Senator [Christopher] Dodd (D-Conn.) has called it, ‘amnesty’ — for telecommunications carriers for their warrantless surveillance activities from 2001 through this summer, which would seem to be contrary to FISA (Federal Intelligence Surveillance Act) and in violation of the privacy rights of Americans,” Leahy noted.

“I am considering carefully what we are learning from these materials,” he added. “Congress should be careful not to provide an incentive for future unlawful corporate activity by giving the impression that if corporations violate the law and disregard the rights of Americans, they will be given an after-the-fact free pass. If Americans’ privacy is to mean anything, and if the rule of law is to be respected, that would be the wrong result. A retroactive grant of immunity or preemption of state regulators does more than let the carriers off the hook. Immunity is designed to shield this administration from any accountability for conducting surveillance outside the law. It could make it impossible for Americans whose privacy has been violated illegally to seek meaningful redress.”

Rock and a Hard Place

Right or wrong, it is hard to imagine that the executives at any telecom were pleased to see the NSA show up at their doorsteps.

“My initial impression is that these companies are stuck. If they don’t give the government what it wants, the government comes after them. If they give the government what it wants, then private parties come after them,” Jeff Kagan, a telecommunications industry analyst, told the E-Commerce Times. “Either way, they are exposed. I don’t think there’s a path for them to take that’s good for the shareholders or for the company.”

The people running the telecoms, it is easy to imagine, would likely have had some interest in helping protect Americans from terrorists, but at the same time they also have an interest in protecting those same Americans’ civil liberties — not to mention their own public images. “Those can be two competing thoughts — there’s not a solution that would satisfy everyone,” Kagan noted. “That’s the world we live in today whether we like it or not.”

The only major telecom widely reported to have stood up against the NSA request is Qwest.


Many Consumers Fail To Protect Privacy After Receiving Data Breach Notice

Few consumers take strong action to protect their privacy and identities after receiving a data breach notice, according to a report by the Identity Theft Resource Center and research firm DIG.Works.

The report, based on a survey of 1,050 U.S. adult consumers, found that 16 percent of the participants in the research took no action after receiving notice of a data breach affecting their accounts. Information from breached accounts can be used for identity fraud or to make employers vulnerable to cyberattacks, including ransomware and business email compromise (BEC) scams.

What’s more, less than half the participants (48 percent) changed the passwords on the accounts affected by the breach, and only 22 percent changed all their passwords after they were notified of an attack.

“When we asked the 16 percent why they didn’t act when they received a data breach notice, 26 percent said their data is already out there, and they can’t do anything about it,” said Eva Velasquez, president and CEO of the ITRC, a San Diego-based non-profit organization founded to provide identity theft victim assistance and consumer education.

“But there are actions they can take, depending on what data was compromised, that will help them minimize their risk,” she told TechNewsWorld. “We’re not doing a good job of explaining that.”

Ignorance and Apathy

Velasquez added that 17 percent of the consumers who did not act when they received a breach notice didn’t know what to do when they received it and 14 percent thought the correspondence was a scam.

“When we look at those reasons, it lets us know that how we notify people, how we present that information, is completely ineffective, and we need to reevaluate how we’re informing people that their data has been compromised in a breach,” she said.

Another 29 percent of those not acting on a breach notice believed that it was up to the organization breached to address the issue. “That’s not true,” Velasquez observed, “so there has to be more communication about where that responsibility begins and ends.”

“Receiving notification that your personal data has been stolen is chilling, but apparently not chilling enough to do anything significant about it,” quipped Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.

“Part of this issue,” she told TechNewsWorld, “is that users default to thinking that nothing bad will happen to their accounts.”

Ray Pugh, security operations manager for Expel, a SOC-as-a-service provider in Herndon, Va., agreed that ignorance and apathy may play a role in ignoring data breach notices.

“Some users may not fully understand what a data breach notification truly means and what the implications are,” he told TechNewsWorld, “while others understand the scope but have become apathetic to the topic.”

Growing Cynicism

The number of consumers ignoring data breach notices shouldn’t be surprising because of the lack of training available to them on the subject, maintained James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“If they suffer a breach, most users will believe they are powerless and may not know who to contact,” he told TechNewsWorld.

“Without any proper training or awareness — which is not easy to find, unless they work for an organization that provides it — many people do not search out those skills,” he told TechNewsWorld.

John Gilmore, director of research at Abine, a privacy solutions company in Boston, noted that the ITRC/DIG findings are consistent with similar studies released this year.

“About 85 percent of consumers will say they’re extremely concerned about online privacy and there’s always 15 to 20 percent who just don’t care,” he told TechNewsWorld.

He added that the surveys also find that there’s a steady decline in privacy as consumers move from awareness to action. So 85 percent will say they’re concerned about privacy, but only 79 percent will say they’re willing to act to protect their privacy and around 50 percent will actually act on their privacy concerns.

When it comes to consumers who are proactive in protecting their privacy, he continued, the needle dips even further: around 30 percent.

“People are very skeptical about these things,” he said. “They’ll spend time modifying privacy settings, but at the same time they’ll say they don’t think it makes much of a difference.”

“It’s part of a growing cynicism in the public about the sincerity of institutions to do what they say they’re going to do,” he added.

Avoiding Credit Freezes

The ITRC/DIG survey also revealed that after being notified of a breach, only three percent of respondents said they put a credit freeze in place to block the creation of new accounts that require credit checks such as new loans, credit cards and other major purchases.

Velasquez acknowledged that accounts don’t have to be frozen for every data breach.

“If you’re part of a breach where usernames and passwords are the data that is breached, your first step shouldn’t be to freeze your credit,” she said. “That wouldn’t make any sense. Your first step would be to change your user names and passwords.”

“On the other hand,” she continued, “if social security numbers and all the data required to open a new financial account in your name have been breached, then freezing accounts should be higher up on your to-do list.”

Pugh noted that consumers may shy away from freezing credit because they see it as unnecessary and inconvenient.

“They may be thinking that there were thousands of people involved in the breach, and that they’d rather bet on the odds that the information won’t be leveraged to harm them personally,” he said.

“Freezing accounts can be more trouble than it’s worth because you have to go back and unfreeze the accounts at some point and there’s a whole rigmarole involved with that,” Gilmore added.

“Most people are willing to roll the dice,” he continued. “It’s not worth the time.”

Reusing Passwords

On the password front, the ITRC/DIG researchers found that only 15 percent of respondents claim to use unique passwords for each of their accounts.

The remaining 85 percent admitted to reusing passwords on multiple accounts, although some claimed a still risky practice of using variations of the same password on different accounts.

In addition, only eight percent of respondents said they closely guard their passwords as a way of preventing identity theft and fraud.

“It is convenient and easier to use the same password than having to remember different passwords,” noted McQuiggan.

“Users are told to create strong passwords and always check links, but this is a habit foreign to them,” he explained. “They also believe they probably will not get hacked because they do not have anything the cybercriminals would want to steal.”

“Complex passwords are hard to remember, and resetting a forgotten password is a pain that busy people are looking to avoid,” added Pugh.

The days of compromised passwords, though, may be numbered.

“In general, the password, as a concept, is on the way out,” Gilmore said. “It’s been around too long and right now, lots of people are looking around for ways to replace it.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.


Pandemic, Compliance Driving Increased Privacy Spending

The global pandemic and the need to comply with laws governing consumer data are fueling increases in privacy budgets, according to a report by an association for privacy professionals and a multinational professional services firm.

The Privacy Governance Report for 2021 produced by the International Association of Privacy Professionals, EY and EY Law discovered through a survey of privacy professionals around the world that privacy spending has increased significantly over 2020, with the average privacy spend amounting to $873,000 and the median budget $330,000.

It also noted that 60 percent of the privacy pros surveyed expect their budgets to increase in 2022, and almost none anticipate budget cuts.

As with many workers since the pandemic began, privacy pros are working from home in greater numbers.

More than eight in 10 privacy pros (81 percent) are working exclusively or mostly from home, surveyors found. That’s expected to continue for the rest of 2021, with 78 percent of the privacy pros expecting to remain remote or hybrid workers.

There appears to be no change in sight. For next year, 82 percent of the privacy pros are still expecting to be working mostly remotely or in some form of hybrid arrangement, dividing their working hours between home and office.

Compliance Is Top Priority

The report noted that compliance with the European General Data Protection Regulation, California Consumer Privacy Act, California Privacy Rights Act and other U.S. state privacy laws, as well as other global laws, has been a top priority for most privacy teams over the past year.

It revealed that 26 percent of the companies subject to the CCPA were in full compliance and 41 percent were “very compliant.” GDPR compliance was lower, with 20 percent in full compliance and 43 percent very compliant.

“Privacy laws have had a significant impact on how companies are approaching privacy, but it has been mainly internal to the companies’ operations,” observed Rob Shavell, CEO and co-founder of Boston-based Abine, maker of Blur, a combination password manager, email masker and ad tracker blocker.

“It’s not something that consumers have felt much of a difference,” he told TechNewsWorld.

“It’s a big change for companies because they have to hire a bunch of people and pay attention to where data is stored and who it’s shared with, more so than they did before these laws were passed,” he added.

Customizing Privacy

Liz Miller, vice president and a principal analyst with Constellation Research, a technology research and advisory firm in Cupertino, Calif., explained that lots of organizations have fundamentally changed how they operate because of privacy laws.

“The challenge is they haven’t redefined what privacy means to them,” she told TechNewsWorld.

“They’re complying with the laws without asking what does privacy mean to us and how is protecting our customers’ data and privacy fundamental to the way we operate?” she said.

“They’re checking off the boxes, but the more interesting organizations are redefining what privacy means to them and making it something the customer is driving and not something to be exploited,” Miller observed.

“They’re asking their customers what they want from the company that has value to them,” she added.

“That’s a residual benefit to consumers from this wave of regulation,” she continued. “More people are becoming aware that privacy is an opportunity to create a conversation about what everyone wants — a durable, lasting relationship with the customer.”

Help Wanted

The report also noted that nearly half the pros (45 percent) revealed their organizations are planning to hire at least one or two new privacy professionals over the next six months.

Those extra bodies will be needed when the California Privacy Rights Act takes effect on January 1.

“The CPRA is going to have a considerable effect on privacy,” observed Timothy Toohey, an attorney with the Greenberg Glusker law firm in Los Angeles.

He explained that the law will be giving consumers new rights, including the right to see information that a company has collected about them.

“That can be quite burdensome on companies,” he told TechNewsWorld.

In addition, the law imposes data and privacy requirements on vendors of companies.

“In this next year, there’s going to be a lot of scrambling by companies putting new agreements into effect with their vendors,” Toohey said.

“Some companies can have hundreds of vendors,” he added.

Legal Jungle

An increasing number of privacy laws — both at the state level in the U.S., as well as at the national level around the world — make privacy operations increasingly central to what an organization does, the report noted.

The proliferation of those laws, especially in the United States, can also complicate the compliance task for companies.

“It’s created a problem,” Toohey acknowledged.

“We have three states with comprehensive laws — California, Virginia and Colorado — and a lot of states are considering them, particularly in light of the pandemic and work-from-home, because of the proliferation of information online,” he said.

“Whenever you have laws worded slightly differently, as all these laws are,” he explained, “it creates potential compliance headaches.”

“You have to reframe your agreements,” he continued. “You have to look at your privacy policies, and you have to comply with consumer requests from various jurisdictions, since there is no standard federal law — nor is there likely to be one in the immediate future,” Toohey added.

Pandemic Affects Privacy

However, Shavell maintained businesses may be complaining too much about the plethora of privacy laws in the United States.

“Companies say it’s difficult to comply with the growing number of privacy laws. That’s hyperbole,” he said.

“Companies say it because they want to act like everything is hard, so they don’t have to do it,” he continued. “In reality, these laws are very similar. Most of them are just subsets of one another. The CCPA, for example, is just a subset of the GDPR.”

While companies are beefing up their privacy teams, they’re also beefing up their surveillance tools, largely due to the pandemic. “One pattern we see in the shift to remote work is that companies are hunting for ways to monitor output and productivity without a manager physically observing employees,” observed Julian Sanchez, a senior fellow at the Cato Institute, a public policy think tank in Washington, D.C.

“For many, the answer is tools like InterGuard, ActivTrak, Hubstaff and TimeCamp, which are essentially spyware that can track what workers are doing on their computers in incredibly granular ways,” he told TechNewsWorld.

“The pandemic didn’t invent these tools, of course, and plenty of businesses had them installed on in-office computers before Covid, but the shift to more remote work led to a significant spike in adoption,” he said.

Vaccine mandates can also pose a risk to privacy.

“Vaccine mandates are creating all these little databases at places requiring proof of vaccination for service,” Shavell explained. “There’s no real control over those databases.”

“What we advocate is a low-tech approach,” he said. “Check for a vaccine card, but don’t create a database. There’s no need to enter that information where hackers, scammers or marketers can get it.”

The complete IAPP-EY Annual Privacy Governance Report 2021 is available here.

John P. Mello Jr.
