AT&T takes first step toward transparency

Following close on Verizon’s heels, AT&T today announced it will begin to publish a semi-annual online transparency report in early 2014.

The US-based telecoms giant will disclose the number of law enforcement requests for customer information that it receives, in each country of operations. Notably, the company is far more circumspect on what details of intelligence and national security-related assistance to the government it will disclose.

This announcement is an abrupt about-face for the company, which only two weeks ago requested that the SEC allow it to ignore a shareholder proposal calling for exactly such transparency. Verizon had received a similar shareholder proposal, and never expressed opposition.

Telcos and transparency
Transparency reports were pioneered by Google in 2010 — see our blog on its latest one here — and now virtually all major internet platforms and a host of smaller providers issue them as well. To date, telcos have released this type of data only in response to congressional inquiries. In particular, US Senator Edward Markey’s queries have produced responses from US wireless carriers for two years running.

Regular, updated transparency reporting was not even discussed by telcos until yesterday’s announcement by Verizon. Members of the Telecommunications Industry Dialogue, a group of operators and vendors who jointly address freedom of expression and privacy rights in the sector, have resisted calls to release similar data.

AT&T will be the first among the 9 member companies of the Industry Dialogue to begin transparency reporting, and Access expects the remainder of the ID’s telecoms operators, including UK-based Vodafone, Spain’s Telefonica, and France’s Orange, to quickly follow its lead and issue regular reports on their assistance to governments worldwide.

Devil in the details: What AT&T’s report will and won’t include
For each country of its operations, AT&T promises to disclose:

  • The total number of law enforcement agency requests received from government authorities in criminal cases;
  • Information on the number of subpoenas, court orders and warrants;
  • The number of customers affected; and
  • Details about the legal demands AT&T receives, as well as information about requests for information in emergencies.

Unlike Verizon, AT&T has explicitly pledged to release data on the number of customers affected. As we noted yesterday, it is essential that reports list the number of accounts affected, since one request can target millions of users.

However, it appears AT&T will be leaving a fairly significant chunk of the government surveillance requests — and affected customers — out of its report. In its announcement, the company implied that it would not disclose data on National Security Letters it receives, or other intelligence and national security-related requests, including orders from the FISA court. AT&T reasons that “disclosures regarding classified information should come from the government,” whose job it is to determine whether they implicate “national security.”

It is that very type of classified “national security” order, including one from the Foreign Intelligence Surveillance Court (FISC) to Verizon last June, which enables the government’s bulk acquisition of data on millions of users in the US and elsewhere.

The company’s silence on the national security debate is not a sustainable position. Rather, it seems to send a message that AT&T accepts the shaky legal foundation for the government’s overbearing surveillance programs, a foundation that is under attack by US courts, the President’s own NSA review panel, and civil society worldwide. AT&T should not continue to quietly accede to secret US government requests, and instead should join the growing chorus of ICT companies pushing back via lobbying, disclosures, and lawsuits.

For its part, the US government must act quickly to declassify and disclose this information in its own transparency reports. The transparency report that the Office of the Director of National Intelligence promised earlier this year is not enough. Furthermore, Congress should follow the advice of the President’s Review Group on Intelligence and Communications Technologies and pass legislation allowing companies to release data on national security requests.

Voluntary agreements
AT&T carefully addresses the issue of government access to its networks, saying, “We do not allow any government agency to connect directly to our network to gather, review or retrieve our customers’ information.”

Yet, the company’s name has surfaced in relation to a number of programs where police and intelligence agencies were given quick and comprehensive access to user data. Most clearly, the company was shown to have created a secret room in its San Francisco backbone facility allowing the NSA to split off a copy of all traffic for surveillance purposes.

Other examples include:

  • “national security agreements,” or contracts between US defense and intelligence agencies and telcos that promise unimpeded, convenient access to networks and facilities;
  • Hemisphere, a program where US drug enforcement units pay for streamlined access to databases of retained data; and
  • perhaps most troublingly, reports that intelligence agencies pay telcos from a “black budget” for direct access to the “backbone” or upstream fiber-optic cables and infrastructure that transmit large amounts of data belonging to their customers as well as users of other providers worldwide.

Many of these programs target information on users outside the US, whose traffic flows through AT&T’s American networks without their knowledge. Given the limited protections for non-US persons under US surveillance law, this is particularly concerning.

Moving forward
It seems likely that there will be future battles over the details of company reporting. Yet the announcements over the past two days show that the telco sector, for all its reluctance to embrace its human rights responsibilities to respect privacy and freedom of expression, can be influenced by a determined group of stakeholders. Access will continue pushing the sector to achieve human rights goals, and these announcements give us hope that we’ll be able to count telcos as partners in that effort.