AT&T’s First Transparency Report Reveals Warrantless Demands for Customer Data
In the wake of our shareholder advocacy, AT&T has now joined Verizon and released its first transparency report. AT&T’s report shows how federal, state, and local governments have requested large volumes of customer information, typically without a warrant. While we welcome AT&T’s move, the American public remains in the dark about a lot of what’s happening behind the scenes. Greater transparency is still needed from AT&T and the federal government.
Here’s a breakdown of the many demands AT&T received in 2013. As we have long suspected, the vast majority of these demands lacked a warrant:
- AT&T received 301,816 demands related to criminal and civil litigation. Only 16,685 of these demands included a warrant based on probable cause.
- AT&T received 223,659 subpoenas for customer information. This is significantly more than the 164,184 subpoenas Verizon received during the same period.
- AT&T received 37,839 demands for location information. At least 21,000 of these demands lacked a warrant. AT&T’s full report says a warrant is “almost always required to obtain real-time location information.”
- AT&T also received 1,034 demands for “cell tower searches” last year, some of them compelling the company to identify the numbers of all phones that connected to a specific cell tower during a given period of time. Cell tower information is ripe for misuse—we know of at least one instance where a cell tower request was made for all phones within the vicinity of a planned labor protest.
AT&T also included information on national security requests (though, not the complete story):
AT&T reported receiving between 2,000 and 3,000 National Security Letters (NSLs) from the federal government for customer information including name, address, length of service, and toll billing records. NSLs do not require prior approval from courts and the government has been criticized for misusing them. 4,000 to 4,999 AT&T customers were affected by NSLs last year. Note: Verizon has not yet revealed how many customers were affected by the NSLs it received.
AT&T also released information about federal government demands for customer content under the Foreign Intelligence Surveillance Act (FISA), demands that may result in government access to the telephone and Internet communications of US citizens and persons abroad. For the first six months of 2013, AT&T received 0-999 requests for content that ultimately affected 35,000-35,999 customers. In fact, more AT&T customers were affected by FISA content requests in the first half of 2013 than the combined number of Facebook, Google, and Microsoft customers affected by the same sort of requests during that period.
Unfortunately, the report omits important information on the metadata that the government reportedly obtains from AT&T under the call records program (currently being challenged by the ACLU in federal court). Phone metadata includes the phone numbers of parties to a conversation, a call’s duration, and device identifiers—information that can paint a very detailed picture of private lives. We know that the government justifies its access to phone metadata with a section of the FISA law, yet AT&T’s report states that only 0-999 customers were affected by such “non-content” requests. On its own, this lack of detail misleads the millions of AT&T customers whose phone metadata may be subject to these demands.
In addition to a clearer explanation of national security requests, we hope that AT&T’s future reports will also address the following shortcomings:
The current report does not include the number of customers or individuals affected by all of the government demands. The company claims that it is “difficult” to tally this information.
The report does not describe statistics on how often AT&T complies with demands.
This report includes very limited information about demands from foreign governments.
AT&T’s transparency report, limited in what it reveals, also highlights just how essential it is for privacy laws to be updated in both the national security and law enforcement contexts. Technology has advanced exponentially and our privacy laws are still in the digital dark ages, enabling the government to engage in a largely unsupervised shopping spree of the personal data held by AT&T and other companies. This is why you should tell your member of Congress to support the USA Freedom Act and an update to the federal Electronic Communications Privacy Act. We also urge AT&T to play a larger role by pushing for greater transparency, including far more detail in its future reports, and advocating for stronger privacy protections.
Matthew Cagle is a Volunteer Attorney for Technology and Civil Liberties with the ACLU of Northern California.