Meet the shadowy tech brokers that deliver your data to the NSA
These so-called "trusted third-parties" may be the most important tech companies you've never heard of. ZDNet reveals how these companies work as middlemen or "brokers" of customer data between ISPs and phone companies, and the U.S. government.
NEW YORK — Picture two federal agents knocking at your door, ready to serve you a top secret order from the U.S. government, demanding that you hand over every shred of data you own — from usernames and passwords, phone records, emails, and social networking and credit card data.
You can't tell anyone, and your only viable option is to comply.
For some U.S. Internet service providers (ISP) and phone companies, this scenario happens — and often. Just one ISP hit by a broad-ranging warrant has the potential to affect the privacy of millions of Americans.
But when one Atlanta, Georgia-based Internet provider was served a top-secret data request, there wasn't a suited-and-booted federal agent in sight.
Why? Because the order was served on a so-called "trusted third-party," which handles the request, served fresh from the secretive Washington D.C.-based Foreign Intelligence Surveillance (FISA) Court. With permission from their ISP customers, these third-parties discreetly wiretap their networks at the behest of law enforcement agencies, like the Federal Bureau of Investigation (FBI), and even intelligence agencies like the National Security Agency (NSA).
By implementing these government data requests with precision and accuracy, trusted third-parties — like Neustar, Subsentio, and Yaana — can turn reasonable profits for their services.
Little is known about these types of companies, which act as outsourced data brokers between small and major U.S. ISPs and phone companies, and the federal government. Under the 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), any company considered a "communications provider" has to allow government agencies access when a valid court order is served. No matter how big or small, even companies whose legal and financial resources are limited do not escape federal wiretapping laws.
On a typical day, these trusted third-parties can handle anything from subpoenas to search warrants and court orders, demanding the transfer of a person's data to law enforcement. They are also cleared to work with classified and highly secretive FISA warrants. A single FISA order can be wide enough to force a company to turn over its entire store of customer data.
For Cbeyond, a Nasdaq stock exchange-listed ISP based in Atlanta, Georgia, data requests can be put almost entirely out of mind. The company generates more than $450 million in revenue each year and serves more than 50,000 business customers — primarily small to medium-sized companies — in more than a dozen U.S. states.
The ISP's legal resources are razor thin, according to an executive at the company, who did not want to be named for the story. As a result, the company does not always directly handle government data requests.
The company outsources a good portion of its legal and compliance responsibilities to Neustar, which bought its way into the wiretapping business following its 2005 acquisition of compliance firm, Fiducianet.
Cbeyond can receive as many as five to ten subpoenas per week. These data requests are regularly forwarded to Neustar, which acts as the ISP's "custodian of records." They are validated, and — more often than not — data is handed over to the requesting law enforcement agency.
But on the rare occasion Cbeyond receives a top-secret FISA warrant — two per year on average, according to a senior staffer, who has direct knowledge of the matter, Neustar pulls the data from the ISPs networks and hands it to the requesting government agency.
These warrants can allow the FBI or the NSA to collect an unknown but potentially limitless amount of data on millions of Americans and foreigners.
"Hidden, but not visible"
Created by its namesake law, the Foreign Intelligence Surveillance Act in 1978, the FISA Court issues more than a thousand classified warrants a year for Americans' data. One former NSA analyst likened it to a "kangaroo court with a rubber stamp," as it keeps very few records, of which many are kept in the utmost secrecy and away from public scrutiny.
Only documents leaked by former U.S. intelligence contractor Edward Snowden have helped lift the lid on the shadowy world of these secret so-called FISA warrants. Signed off by the court, these warrants give the FBI and the NSA wide-ranging access to American data, in spite of Fourth Amendment protections designed to protect against overreaching domestic government surveillance.
The first classified document leaked by the former U.S. government contractor showed how the Obama administration forced Verizon to turn over its entire store of metadata on a rolling basis to the NSA.
When these secretive FISA orders are issued, there is little indication to Cbeyond, or any other local or major ISP or phone company, what the requested data may be used for. It could be for a terrorism case, or it could be a small part of an undisclosed NSA program. That also poses a problem for the companies wanting to fight back — and some companies have found the process notoriously difficult — not least because it requires an attorney with top-secret security clearance.
One of those attorneys, who declined to be named for the story because the person holds top-secret security clearance, explained that although hundreds of lawyers have the same clearance — including those serving terror suspects in Guantanamo Bay — very few have been in front of the FISA Court to defend their clients. These clearance-holding lawyers have been in high demand over the past year representing major Silicon Valley companies implicated in the NSA's surveillance programs.
For the majority of smaller companies (as well as larger ones, who have refused to comment on challenging such warrants), complying with data demands may be their only option. The vast majority, however, do not have the resources to handle such requests.
"If they don't have an internal lawyer [reviewing FISA warrants], they could use a third-party service. That third-party can't provide legal advice, but it can create a system for reviewing the data, pulling, and processing the data," the security clearance-holding attorney said.
Enter the trusted third-party, which facilitates the data request between the two.
Neustar's business is wide-ranging. Many industry insiders know it as a phone number portability company and the owner of top-level domain names. But its dedicated — and widely-unknown — legal and compliance division, dubbed "fiduciary" services, handles subpoenas and warrants on behalf of their customers, provides technical assistance in the lawful interception of data, and the services to carry out the surveillance demanded by the court or law enforcement agency.
"It's not hidden, but not visible," according to a former Neustar executive who worked in the division and who declined to be named, because the customers whose activities the division supports are ones that customers "don't publicize very much." These services are stigmatized particularly in the wake of the Snowden disclosures. The person said that ordinary people do not want to know that their data is up for grabs.
BuzzFeed in 2012 profiled Neustar in some depth, disclosing the scope of its legal intercept unit. The piece led the company to disclose for the first time transparency figures (more on that later).
Neustar works primarily for small to medium-sized businesses. The company said two years ago that it serves about 400 of the "thousands" of U.S. phone companies — including smaller firms like Cbeyond and Grande Communications, but also larger firms like Bright House Networks, and also Cricket, which disclosed its relationship with Neustar to Congress in May 2012 — to handle and respond to the court orders they receive. Neustar does not always act as the first go-to point for its customers.
The fiduciary division can also be held on reserve as an "overflow" in cases where its larger corporate giants may be inundated with more demands for data than usual, the former Neustar executive said.
To the degree that the company performs overflow functions for companies such as Verizon, Neustar chief privacy officer and deputy general counsel Becky Burr explained, it is "only non-criminal information," such as civil subpoenas, often generated in bitter divorce and custody disputes.
2014: 1,412 legal intercepts** (* approximate figures) (** to date, as of August 15) (Source: Neustar)
The company disclosed, for the second time, to ZDNet its latest transparency figures. Burr said the company has seen a spike in lawful intercept requests since the five-year period ending 2011, thanks to the new business of a larger customer in 2011, which is not named as it was divulged off the record.
These lawful requests are authorized by a court, and can mandate a company to hand over the contents of emails and phone calls — including the time, date, and duration of calls, and the phone numbers themselves, though not the contents of the calls made.
Out of the 2,278 data requests Neustar processed in 2012, about 77 percent came from that one unnamed customer, and accounted for about 76 percent of all Neustar's processed requests in 2013.
While the division also processes civil requests, and in rare cases handles emergency responses from law enforcement agencies — such as the immediate threat to property or life — it nonetheless handles a significant portion of its customers' criminal requests.
Neustar transparency report (August 28, 2014)
PSAP** Emergency — 911
Total court order
Criminal — full contents
Criminal — pen/trap
NSL orders, FISA demands/targets
* through August 15, 2014 ** stands for "public-safety answering point" — such as 911 emergency call centers *** per Justice Dept. requirements, only the range of FISA warrants can be issued **** the last six months are not available as per the Justice Dept. delayed publication rule Source: Neustar
Neustar's figures show a spike in warrants since its first transparency report. The figures show that civil requests make up the bulk of Neustar's fiduciary business, but criminal requests — including court orders and search warrants — make up about one-third of the overall requests.
As per reporting rules set out by the U.S. Department of Justice on disclosing FISA requests and National Security Letters (NSLs), which can be used to compel an ISP or phone company while gagging them from disclosing the fact, the last six-months worth of data is not available. Any requests prior to the six-month reporting rule are disclosed only a numerical range.
Although the range spans from zero, we know from Cbeyond's case that at least one FISA warrant has been served.
The scope of other existing FISA orders are also shrouded in secrecy, along with the process by which these secret court orders are served on companies. Although U.S. residents are afforded legal protections to limit domestic government surveillance, the Obama administration has come under intense scrutiny for using secret interpretations of surveillance law to acquire Americans' data.
The process by which FISA warrants are served on companies or individuals isn't widely unknown, due to the restrictions on whom recipients can talk to.
In reality, it may not involve federal agents showing up at your door at all. It may be as routine as a phone call from an ISP's third-party provider. That's when the wiretapping can begin.
"Of what worth is our permission?"
Neustar will typically inform the ISP by phone that a warrant has been received. According to the former Neustar executive, the smaller the carrier, the greater chance Neustar's staff will see such orders first — though, not in every case.
Despite their secrecy, what is known is that FISA warrants are generally targeted and individualized, but they can also be broad and wide-ranging. While the contents of the FISA warrant are classified, it will state the legal authority under which a wiretap can be placed.
When it's the latter case, the law says multiple warrants can be served each year on a rolling basis to maintain fresh oversight by judges, or to form a new legal basis to acquire more data.
Companies like Neustar, Subsentio, and Yaana have staff with security clearance, allowing them to see, review, and execute the warrant.
If an order is not valid, or it has deficiencies such as inappropriate language, the third-party's legal experts may outright reject the order — regardless of the type of order issued by the law enforcement agency.
"Every action Neustar took as an outsourced partner was really governed by the carriers' policies and procedures," the former Neustar executive explained. If an ISP or phone company was particularly conscious of its customers' civil liberties, Neustar can adopt strict guidelines to meet those criteria. That said, if a customer is less than willing to uphold the rights — or was unable to pay to have the order challenged in court — Neustar may near-automatically accept each government data request.
"Of what worth is our permission when we don't even know what we're being asked to give access to?" — Cbeyond senior staffer
The ISP remains informed along the way, and will be the final arbiter on whether or not a data request will be accepted or rejected — regardless of its policies in directing Neustar how to act.
Neustar, like other trusted third-parties, are granted full technical access to the network of its ISP customer, either by way of the company's own wiretap equipment or technology provided by the trusted third-party. Then, Neustar will formally request permission from the ISP's general counsel to execute the warrant. As often is the case, no information about the FISA request is given to the company.
"Of what worth is our permission when we don't even know what we're being asked to give access to?" a senior staffer at Cbeyond admitted.
Neustar can in many cases execute the warrant from anywhere within the U.S., keeping within the bounds of the country's surveillance law. But when a wiretap device is needed, they are not hard to come by. Most networking equipment makers sell devices that can be used to collect data, or used to inspect data — so-called deep-packet inspection devices, which can also be used to prevent piracy, the spread of malware, and website access, all at the Internet provider level.
Once a FISA warrant is issued, so-called "tasking" orders, which contain selectors — like a phone number or an email address — are often sent electronically to the ISP. These tell the ISP or phone company, or third-parties like Neustar, exactly where to wiretap and what data to collect to hand back to the requesting authority.
By acting as middlemen, companies like Neustar, Subsentio, and Yaana often liaise with the targeted ISP or phone company, and the law enforcement agency to act as a channel in which intercepted data can flow.
For Cbeyond, the process is relatively straightforward — it's out of sight and (almost) out of mind. But, that's not the case for every ISP or phone company. Each company's infrastructure has unique requirements.
FISA requests also come at a cost on two fronts for the ISP. Neustar's services are held on retainer, with additional costs for each warrant.
Although financial arrangements were not disclosed between Cbeyond and Neustar, the ISP's limited annual revenue and legal resources are a driving factor behind why it has not so far challenged a FISA warrant. But, Neustar will also work with U.S. law enforcement agencies to recover costs, which they are entitled to do under the law, for data requests.
Other companies work on a case-by-case basis, or charge a little more each year instead of taking on a retainer fee.
"Maybe we should be thinking about civil liberties more"
Data requests can be refused — it's not often that it happens, but it does. For the third-party companies, their obligations are with their client and not the law enforcement agency.
But there are limits. If the ISP or phone company decides to fight a warrant, the third-party can stand back and wash its hands of it.
Neustar: At a glance
Acquired Fiducianet in 2005, buying its way into the wiretapping business
Performs and audits legal wiretaps and intercepts
Authorized to handle FISA warrants
Reviews warrants to ensure they are valid, legal, and appropriate
Recovers costs for companies whose data is being requested under provisions in U.S. surveillance law
Burr said Neustar "has and will" reject subpoenas that are inadequate for one reason or another. But should its clients choose to fight a FISA warrant or court order it believes to be overbroad, Neustar will not join the battle in court.
Other trusted third-parties take a similar approach.
"We're out of the picture," said Marcus Thomas, chief technology officer at Subsentio, another trusted third-party company, founded in 2004, and based out of Littleton, Colorado.
The company has "well over 100 customers," and mostly focused on wireless carriers and cloud providers, Thomas said on the phone. Thomas is no stranger to this field. As a former FBI assistant director, he was responsible for the bureau's lawful interception operations. He retired in 2011.
Thomas said that Subsentio, unlike Neustar, is not a formal "custodian of records," but it interacts with both parties to ensure the correct records and the right amount of data is transferred from the company to the law enforcement agency. The company typically handles pen registers for real-time recording of phone numbers made from a particular line, full-content wiretap orders, and FISA warrants.
Subsentio provides more than simply the legal vetting procedures for determining whether a lawful intercept can go ahead. It's not unusual for Subsentio to provide the actual wiretap device itself, should its customer need one.
"If they choose not to implement it, they don't authorize use to implement it," Thomas said.
Yaana operates under a similar regime. Founded in 2007 and based in the heart of Silicon Valley, it has "dozens" of companies out of the thousands of U.S.-based ISP and phone companies. The firm also serves companies operating with a foreign presence, and supports warrants from a number of European states. Yaana's focus is compliance in the cloud, which — according to executive vice president for regulatory affairs and standards Tony Rutkowski — the vast majority of technology companies were "slowly but surely" moving towards.
Like Neustar, Yaana acts as legal agent to its corporate customers, Rutkowski said. Thanks to its in-house "rules-based reasoning engine," law enforcement requests can be triaged and cleared, which are then accepted or rejected by on-call staff. For subpoenas, the system is straightforward and near-autonomous. For court orders under seal — of which many are — these require the direct approval from the ISP or phone provider.
"If they haven't seen it, we won't approve it," Yaana's chief technology officer David Grootwassink explained on the phone.
However, when handling FISA warrants, there "isn't a lot of wiggle room" except to ensure that they are valid, Grootwassink said. The FISA warrant requires the approval of the ISP or phone provider to decide whether it will comply or not. Should a company wish to fight the order, the company will not step in to fight on behalf of or alongside its ISP or phone provider client.
"It's the provider's problem," Rutkowski said. "The nice part about the trusted third-party business is that just from a liability standpoint, we don't want to be left holding the bag here." Grootwassink agreed. "We provide the gears. We don't get involved in fights between the governments and our clients."
Except, according to the numerous people spoken to for this article, many of the customers to these trusted third-party firms may not have the legal expertise or resources in the first place to develop policies that are fitting for the Internet and phone customers they serve.
Because Neustar, Subsentio, and Yaana act on behalf of their clients' best wishes, their clients themselves may be the weakest link in the privacy chain. Many of the companies outsourcing their services to a trusted third-party may not have strong policies designed to first and foremost protect the civil liberties of their customers.
These policies dictate how the trusted third-party will respond to requests ahead of time, without having to face getting dragged into the minutia of each case.
Although some ISPs have wanted to fight tooth and nail, they have not had the money to hire a top-secret cleared attorney to argue their case. Instead, they have invoked their interpretation of the First Amendment — the right to free speech — to disclose that they have received a FISA warrant, despite the secrecy and gagging clauses that come with them.
"The nice part about the trusted third-party business is that just from a liability standpoint, we don't want to be left holding the bag here." — Tony Rutkowski, Yaana
Others, like Cbeyond, "haven't examined simply saying 'no' and challenging them," said the person with direct knowledge of the warrants served on the ISP.
"What we're doing is what the rest of the American public is doing," the person said. "We're trusting in some way that these [warrants] are being handled in a responsible fashion."
Because of its business clientele, higher management was "not thinking about civil liberties issues," noting that the company near-automatically approved all requests.
"We don't have a department designed to resist unwarranted government intrusions or to even figure out if they're unwarranted or not," the person said.
The onus of responsibility is with business customers it serves, Cbeyond believes — which the people argued that they likely themselves still do not have the resources to deal with such warrants. The ISP is instead focused on fighting "incessant and unrelenting regulatory attacks" from its larger corporate rivals, one of the people said.
For the end customers or ISPs and phone companies, they are not made aware that their data is being collected. In many cases, a company's chief executive is kept out of the loop.
U.S. surveillance law restricts who can be told about classified data requests. Although the law does not preclude a company's chief executive from knowing, Cbeyond's chief executive Jim Geiger said on the phone he would not be informed of the receipt of any FISA warrants, nor would he know about all of the subpoenas the company gets.
"It's a wide burden for a chief executive's involvement of things that would suck time and energy that aren't necessary," he said.
"We are not a regulated industry"
Cbeyond's approach means Neustar will accept almost every government data request it receives on behalf of the ISP — so long as they pass Neustar's own internal legal review.
In the relationship between ISPs and phone companies and these trusted third-parties, there are few — if any — sticking points. The ISPs devolve a portion of their responsibilities to the third-party, which generates a tidy sum for their services, and the law enforcement agencies receive the data they request.
But despite this data handover process, there remains little regulation or oversight of the trusted third-party industry.
Staff members at these companies hold U.S. security clearance and are therefore legally allowed to handle and remotely execute FISA warrants and directives. They fall within the realm of rules, protocols and laws that the U.S. intelligence community abides by.
But the vast majority of their work goes unsupervised by the government.
"Even though its sounds like [trusted third-parties] are regulated or licensed… the [legal] functions weren't fully outsourced," the former Neustar executive said. "You didn't as a carrier turn over your responsibilities to someone who's licensed to do those responsibilities. You hired competent staff on an outsourced basis to do your work, and it's all governed by the policies of the carrier."
"Everything was just an extension of the [carrier's] work center," they said. "Neustar wasn't doing anything other than work for [its] carriers."
Neustar says it reviews, validates, and keeps audit trails for its customers. Subsentio and Yaana also audit their activities for their customers' benefit in order to make sure the companies are not conducting activities beyond their purview.
Thomas said trusted third-parties are "not a regulated industry" and that there is no external party reviewing such work. He said that the company does not undergo any audits that would examine how they do their jobs.
"We sort-of determine our own communication and security requirements," Thomas said. The only exception is classified work, which he said is "reviewed" periodically by the company.
The only oversight, per se, is from the public. In the wake of the Snowden leaks, many companies have bowed to public pressure and released government data request figures. Cbeyond does not currently have a transparency report, and Geiger said the company has no plans to publish one any time soon. But a company's size is no excuse for some. Like one Utah-based ISP XMission, which has a staff just shy of 50 employees and one attorney, the company regularly updates its transparency pages — even on one occasion disclosing it had received and fulfilled an FISA warrant for one individual's data.
Cbeyond's business clientele were a driving reason behind Birch Communications' bid to acquire the ISP for $323 million, which closed on July 21. Birch is now said to comply with subpoenas and warrants in-house, ending the long-standing relationship with Neustar.
In June, one month before the deal closed, not knowing what changes the new regime would bring, the senior staffer at the ISP ended the conversation to go back to work.
"We're not thinking about civil liberties issues. Maybe we should have been thinking about it more."