Why AT&T Is Still Spying On Your Phone Calls Three Years After We Complained to the FCC. And Why That May Or May Not Change Tomorrow.

[Commentary] Back in 2013, the NY Times broke a story that AT&T routinely sold “de-identified” phone data to the CIA. Because the CIA is not allowed to do domestic spying, AT&T would sell supposedly anonymous data to the CIA, which would then give the information to the FBI. The FBI would then use its domestic spy powers to get the information from AT&T. In addition to being a rather outrageous work around of laws designed to protect Americans from domestic spying, I argued that AT&T’s program violated federal telemarketing and phone privacy rules, aka Section 222 of the Communications Act of 1934 (47 U.S.C. 222) also known as the “customer proprietary network information” (CPNI) rules. So my employer Public Knowledge, with a number of other public interest and privacy advocates, filed a Request for Declaratory Ruling with the Federal Communications Commission asking the FCC to declare that AT&T selling “de-identified” phone information without customer consent violated the CPNI Rules.

Recently, the Daily Beast reported that AT&T continues to engage in precisely this practice nearly 3 years after we asked the FCC to declare it violated their privacy rules. In fact, the sale to the CIA turned out to be the just part of a larger AT&T “product” called “Project Hemisphere.” According to the Daily Beast and others, law enforcement agencies pay millions of dollars annually to circumvent warrant requirements and gain access to all sorts of call information the law purportedly protects. Which raises the interesting question — why didn’t the FCC do anything on our 3 year old complaint? Recently, FCC Chairman Tom Wheeler circulated a draft Order to the full Commission for a vote scheduled for Oct 27. According to the fact sheet published by the Chairman’s office, the proposed rules will allow for “de-identification,” subject to certain protections. Of particular relevance here, carriers that certify data is anonymized must not re-identify the data, and must have contractual limits that prevent third parties from re-identifying the data.

[Harold Feld is senior vice president for Public Knowledge]