Last week, the New York Times unearthed a troubling twist to the endless stream of bad surveillance news. Not only is AT&T handing over bulk call records to the CIA, but they’re getting paid for it, to the tune of $10 million each year. In a statement in response, AT&T said only, "we ensure that we maintain customer information in compliance with the laws of the United States," emphasizing the law and giving little reassurance to customers that the company was looking out for them.
Why couldn't a small carrier push back?
Ten million dollars is chicken feed to AT&T, of course; its profits are currently running a little over a billion dollars a month, with revenue triple that. It's more the principle of the thing. If the company handling all the traffic in and out of your phone is literally on the government payroll, it's hard to expect them to be on your side. And in fact, they haven't been: while Google, Facebook and the rest of the PRISM crew have sworn up and down that they respect user privacy, phone carriers have remained mostly silent.
But why does it have to be that way? From afar, it seems like there's an enormous niche for a smaller carrier to compete on privacy. Why couldn't a small carrier like US Cellular or C Spire announce tomorrow that they're pushing back, honoring only explicitly legal requests, and anyone who cares about privacy should switch over? What's keeping the carriers so firmly in the NSA's corner?
"They have little incentive to resist requests."
In part, the problem is the weird structure of American phone companies, which have always operated more like the postal service than an independent business. A century ago, AT&T was a regulated monopoly, allowed to provide all the phone service in the country as long as the FCC approved of the way it handled things. Maintaining telephone lines was too expensive for any meaningful competition, so customers had to rely on the FCC to keep prices low and policies reasonable. The regulated monopoly setup was broken up by courts 30 years ago, but the basic dynamic persists. There's more than one phone company now (experts would say we've got two and a half: Verizon, AT&T and everybody else), but they still act like a monopoly, whether it's restrictive phone contracts or nonsensical pricing schemes. It's still one of the most regulated industries in the US, and the real threats to their business come from the government, not from consumers.
Making enemies in Washington is scarier than a few angry customers
This line of argument is usually trotted out to explain why customer service is so bad or text messaging is so expensive — but for surveillance, the effects are even worse. If the FBI or CIA wanted to put pressure on a telecom, they’d have plenty of options. When we asked Harvard professor Susan Crawford, a prominent telecom critic, she said it wasn’t surprising. "They are frequently major providers of commercial services to the government," Crawford told us. "They have little incentive to resist requests for detailed information about their subscribers, particularly given that they frequently need approval to merge their operations." The approval for those mergers comes from both the FCC and the Department of Justice, the same branch of government as the FBI. Any explicit coordination would be unethical, but it’s easy to imagine why telecoms might not want to step on any toes. By the nature of the industry, the companies are constantly asking for favors from government agencies. The result is that making enemies in Washington is much more troubling than a few angry customers.
We don't need to wonder what a telecom whistleblower might look like
That's hypothetical, of course, but we don't need to wonder what a telecom whistleblower might look like. In February 2001, Qwest CEO Joseph Nacchio says he was approached by NSA agents about establishing direct access to Qwest's call records without a FISA warrant. Nacchio declined, thinking the program was illegal. Subsequent leaks showed Qwest as the only phone company that declined to participate in the program. The retaliation was immediate: Nacchio says Qwest lost government contracts in the following months (although some contest this), and the business started to collapse. Just a few years later, Nacchio was brought up on insider trading charges, a prosecution he maintains was political payback. There are plenty who doubt Nacchio’s story — as one put it to me recently, "it’s a great way to come out of an insider trading case looking like a hero" — but it’s still an unsettling thought for any telecom who’s considering pushing back against law enforcement.
For anyone worried about surveillance, the moral of the story is even worse. There are plenty of encryption schemes, plenty of services that will promise to safeguard your data, and the recent transparency push could make them even safer. The past few months have focused more on soft networks, whether it's Lavabit's SSL keys or the encryption that safeguards Gmail. But access to the lines carrying that data has never been in doubt. And anyone making a push for transparency knows better than to look to AT&T for help.