One year after Snowden, phone giants' privacy policies are laughable at best

One year after Snowden, phone giants' privacy policies are laughable at best

Summary: The U.S. government relies on intelligence from an unknown number of U.S. telecoms for its mass surveillance programs. What's the state of phone privacy in the post-NSA world?

TOPICS: Security, Privacy
(Image via Washington Post; Guardian)

If you didn't laugh, you'd probably cry.

It's been one year to the day since we first learned about PRISM, the surveillance program authorized under Section 702 of the FISA Amendments Act, which allows targeted acquisitions of your Facebook, Google, Microsoft, and Yahoo data — among others.

Known internally as the "702 Program" by senators and congresspeople alike, the highly-controversial program relies on two methods of data acquisition: from the ISP or Internet company level, as well as "Upstream" data from high-level internet infrastructure. This works in conjunction with the U.K. government's "Tempora" program, which helps the U.S. National Security Agency collect data in Europe and further afield.

That relies on the telecom giants. Which phone giants? We don't know, because the U.S. government is holding those secret "relationships" — which are not entirely consensual on the corporate level — close to its chest. 

Co-operation with the U.S. and U.K. government is mandatory under telecom regulations and law on both sides of the Atlantic. But the language of these companies' privacy policies are not — repeat not — governed by law.

In fact the irony is that despite the disclosures, and many of these companies being thrown under the bus by the Snowden leaks, they are still, in some cases one year after the fact, still promoting peace, love, happiness, and above all else — privacy.

Which in itself is a loose term.

While we are still not yet sure in every case which companies are handing data over to the U.S. and U.K. governments — among others — the fact of the matter is that the telecom system is broken. The telcos as they stand are legally required to hand over some or all of your data as it flows over their pipes. The global telco system can't be trusted to promote or protect your privacy.

It's not a secret. And the Snowden disclosures only reaffirmed what we knew before. Laws are public for a reason. But their privacy policies are laughable at best. To wit:

BT — U.K.'s largest telecoms provider

As the largest British telecom provider in the U.K., you would think the company would dish out a privacy policy, akin to its American counterparts. No such luck. The company has yet to reveal any government figures, despite being named as a partner in the U.K. government's Tempora program, codenamed "Remedy."

But it does say on its privacy policy, buried way down the page, that: 

"We are serious about guarding the security of your personal information and the details of any transactions made. We take appropriate organisational and technical security measures to protect your data against unauthorised disclosure or processing."

Although it falls under European data protection law, each country in the European Union is responsible for its own national security. Often is the case, national security trumps data protection law, because it's secret and nobody will find out. At least the theory goes.

Verizon — U.S. largest telecoms provider, cable operator

Verizon isn't just a phone company. It also provides submarine fiber cables that connect countries to each other. And it probably wins the award for the most laughable privacy policy of all.

Verizon states that it is "committed to protecting your privacy" on its main privacy policy page, adding:

"At Verizon, we are committed to maintaining strong and meaningful privacy protections for customers. Our privacy policy is designed to inform you about the information we collect, how we use it, and your options about certain uses of information."

Not once on this page does it mention anything about handing over data legally to the U.S. government or others, but it does ask you to "read more" — burying it on a second page out of sight.

Let's not forget this is the company that was named and shamed in the leaked FISA Court ruling that forces it to hand over every shred of metadata that it has under Section 215 of the Patriot Act for the U.S. government's bulk metadata program.

Since the disclosures, Verizon served up its own transparency report. It's not easy to find on the website, but it's there. As far as we could tell, there's no word of the transparency report on its privacy policy, either.

AT&T — Major U.S. telecoms provider, cable operator

AT&T hasn't been directly to the wolves by the Snowden disclosures — yet — but the company remains on tetchy ground with the public after it rolled over to the U.S. government a few years ago by letting it (albeit without much say) tap into its network.

On its transparency report website, AT&T says:

"We take our responsibility to protect your information and privacy very seriously, and we pledge to continue to do so to the fullest extent possible and always in compliance with the law of the country where the relevant service is provided."

It was less than a decade since Room 641A, the secret San Francisco, California-based room that was being used by the National Security Agency to vacuum up copies of vast amounts of data flowing through it.

Discovered by an AT&T whistleblower, it led to the disclosures of vast domestic surveillance under the Bush administration, which in turn led to the FISA Amendments Act of 2008 — designed to curtail surveillance of Americans on U.S. soil.

Vodafone — European phone giant, cable operator

Vodafone, which now includes Cable & Wireless, are U.K.-based providers of cell service, landline service, and fiber cables around the world.

The company took a somewhat different approach in its transparency report by blowing wide open, "not without risk," the fact that it has secret government cable taps. Vodafone probably broke half-a-dozen U.K. laws in the process, but the British public will likely thank it for its actions in the end.

In most places Vodafone retains control over its systems used for lawful interception of communications, it became the first telco to disclose that in a number of undisclosed countries where it operates, the authorities have "direct access" to its networks, bypassing Vodafone completely.

Vodafone's report remains the most comprehensive transparency report to date.

That said, its initial privacy statement seems to be at odds with its own transparency report:

"Customers trust us with their privacy and maintaining this trust is at the heart of everything we do. Our aim is to create a culture of privacy at Vodafone, and our Privacy Commitments set out the principles that govern our approach."

Maintaining that trust is all good and well, and Vodafone does a better job of highlighting its need to disclose data to governments and their intelligence agencies. But its privacy-focused sustainability pages are buried from the main site, along with its transparency report, and it's not exactly easy to find if you're a privacy-conscious user. 

There's a simple lesson to learn from this. Although the Snowden disclosures have been eye-opening to the vast global surveillance system we live in today, U.S. and U.K. companies complying with secret requests under their own respective jurisdictions are still not allowed to talk about any involvement, co-operation, or collaboration with state agencies.

It's not a carte blanche anti-transparency movement. The surveillance and intelligence laws (even if their interpretations are secret) are available to read and a matter of record.

But the weaselling and dodging of the issues by some of the major companies only hurts the confidence in the public using their services.

Hey, if it's just the general public that suffers at the end of the day, and not the profits of these corporate giants — then who the hell cares... he says with a hearty dose of sarcasm.

Topics: Security, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • back in the 90s

    As far back as the nineties I remember hearing about how AT&T installed a lot of the older PABX systems used by telecom companies around the world as far back as the 50s/60s and that all of them were tied into echelon.

    And also related to echelon was the alleged scanning of all email traffic going in and out of the US which is why things like PGP were created so that the NSA didn't have a backdoor through the keys.

    Even stuff like the encryption used for products like Lotus Notes during the nineties ran at a lower level outside the US than inside it - the conjecture was that companies could only export products whose primary encryption keys had already been given to, or could be easily broken by the NSA.

    So its not like the snooping is anything new, just the public is finally making a noise about it.
  • Bitter fruit

    Back in the G.W. Bush years, Congress (under pressure from the Administration) enacted a law exempting corporations from liability for voluntarily cooperating with the feds; even if that cooperation was illegal. It should never have been enacted and ought to be repealed in full.

    Telecommunications companies (like all other businesses) are trustees for their customers. The communcations they facilitate should be presumed to be private and a warrant based on sworn statements and probable cause should be required for them to hand over any data that they would be unwilling to publish to the world.
    John L. Ries
  • 9/11 destroyed privacy

    After 9/11 everyone was thinking more about revenge then about privacy. Give up some privacy and let's get the bad guys. Now, today over a decade later we now whine about our lost privacy.
    When in fact even if 9/11 never happened. Privacy was slowly dying, to a point where technology and your information was destine to be accessed by governments, hackers, and thieves. When paper documents became replaced by data on a server. Your information became significantly more accessible.
  • So are you saying

    That there should be no mechanism where companies can be compelled to hand over information to the government?
    luke mayson
    • That wouldn't be me

      Warrants issued by a court on the basis of probable cause supported by sworn testimony is a time tested approach that works well. What isn't acceptable is an official making that decision on his own because he doesnt want to have to justify it to a court, or a corporate executive breaching confidentiality because an official asked him to.
      John L. Ries
      • Noting...

        ..that criminal defendants are accorded the privilege of compelling testimony and production of other evidence in their defence; but prosecutors shouldn't be allowed to do that until there is a case. Indviduals should have the privilege of voluntarily cooperating with the authorities (to the extent they're not the trustees of other people's data or property), but corporations are institutions managed by executives on behalf of their owners/stockholders (they're trustees, not principals), putting them in a fundamentally different position from that of individuals, even if the latter own businesses.
        John L. Ries
        • Correction

          Prosecutors should only be allowed to compel production of evidence in conjunction with a formal investigation which should only take place if justified by publicly available (or volunteered) evidence. I'm not even convinced that subpeonas should be issued unilaterally (I think a case could be made that they should require court approval, at least in criminal cases).
          John L. Ries
  • Short term gain, long term pain

    Companies that are happy to spy on their customers for governments figure that it is relatively pain-free, and that they can benefit from the results.

    Long term, however, they are encouraging customers to look for alternatives. The telecommunications giants of today will have trouble operating in other countries' back yards when nobody trusts them. Just ask Brazil. Ask China, for that matter, why the Chinese government is dumping Windows. Ask Germany whether it may work towards long-term actions to shut out these companies. The Internet companies recognise this instinctively, and so were knocking on legislators' doors immediately asking for some form of escape clause. Telecoms giants may be a little slower in thinking through the implications of the revelations, but they will eventually realise how much long term trouble they have bought through the betrayal of their customers.

    The disclosures of bad behaviour by English-speaking countries' spy agencies will reverberate long after their respective governments have forgiven them on behalf of the people who were spied upon. It will be interesting to see if Silicon Valley and similar "innovation centres" survive the next ten to twenty years when the world no longer trusts them. My bet is no.
  • benefit to the people?

    I have no problem with government snooping provided that they use the intelligence to uphold the law.

    short list:

    1. enforce canspam act
    2. shut down botnets
    3. enforce national no-call list
    4. enforce rule against using auto-dialiers on cell nets
    5. track down and prosecute those engage in illegal wirefraud: Carders Forms and such :

    we need more *positive* results from their snooping activity.
    • The question is... is it to be done? Or more specifically, should the police have a privileged back door it can use for law enforcement and/or "national security"? Or rather, should it rely on the same investigative techniques it has always been expected to use (at least until there is sufficient evidence to justify more invasive ones)? And is what amounts to domestic espionage *really* more effective than the sophisticated use of publicly available information and asking good questions of those willing to answer them?

      The problem with special privileges for the police is that they tend to be abused. To the extent that people can be trusted not to abuse authority, they should be revered; but such people are far too few in any organization. Thus my position remains that until there is probable cause, the police should only have access to the same data that any one else has. If the police catch someone breaking the law and they need to be arrested, then by all means, search them and their vehicles (assuming individual was driving). But aside from that, until the court issues the warrant, they should have no greater privileges than anyone else.
      John L. Ries