Google and Yahoo were quick to condemn the NSA for spying on their customers, but telecom firms remained conspicuously silent – and for good reason. Privacy International has filed a complaint against them with the OECD.
Google and Yahoo weren’t slow to express their fury last week when it emerged that the National Security Agency had been tapping their customers’ data from inside their own cloud networks.
But the companies perhaps more directly affected have been conspicuously silent. Telecommunications firms like US-based Level 3 or Britain’s BT, which provide Internet giants with their fiber-optic cable networks and customers with their phone and Internet access, are yet to offer any condemnation of the surveillance that has been carried out via their hardware.
Some analysts suspect that those companies in the US may have been compelled to comply with the NSA by secret court orders, which would also have prevented them from speaking publicly. But a report late last month in the Guardian newspaper may offer a key to their silence. According to GCHQ documents leaked by former NSA contractor Edward Snowden, telecom companies are working with the intelligence agencies more zealously than they care to admit.
GCHQ, Britain’s equivalent of the NSA, runs a surveillance program called Tempora – also disclosed by the Guardian via Snowden in June – which taps into fiber-optic cables to gather mass quantities of email and telephone communications between the US and Europe. To do this, the internal documents make clear, GCHQ needs both the knowledge and cooperation of these “Communications Service Providers” (CSPs) that own the cables.
Beyond requirements
The extent of this collusion emerges from a classified review prepared by GCHQ for the British government, as quoted in the Guardian: “Under RIPA [the Regulation of Investigatory Powers Act 2000], CSPs in the UK may be required to provide, at public expense, an adequate interception capability on their networks. In practice all significant providers do provide such a capability. But in many cases their assistance – while in conformity with the law – goes well beyond what it requires.”
As a result of the story, human rights group Privacy International has filed a complaint against six telecom firms – BT, Verizon Enterprise, Vodafone Cable, Viatel, Level 3 and Interoute – with the Organization for Economic Cooperation and Development (OECD), on the grounds that their cooperation with GCHQ amounts to a violation of their lawful obligations to protect the privacy of their customers.
“The telecommunications companies can actually do an astonishing amount to push back against this sort of surveillance,” Eric King, head of research at Privacy International, told DW. “It’s plain that the Tempora program is almost certainly unlawful… Companies don’t have an obligation to comply with unlawful requests, and should they wish to challenge them, they would be well within their rights to do so, and would likely be successful.”
Ready and willing
Privacy International called on these companies to explain what, if anything, they have done to resist government requests to help spy on their customers, but they have been unresponsive. Of the six companies, only two responded to DW’s requests for comment, though without addressing Privacy’s complaint directly: “It is our policy and our practice to comply with laws in every country where we operate, and to provide government agencies access to customer data only when the law in the country where the request has been made compels us to do so,” an emailed statement from Level 3 said.
UK-based BT would also not be drawn on the Privacy complaint itself, but emailed this statement: “We shall study details of any complaint we receive, but we are clear that matters of national security are for governments, not telecommunications providers. As a company, we comply with the law.”
There may be good reason for this obfuscation, for as the leaked GCHQ documents also showed, the CSPs were in fact worried about the publicity should the information be revealed. They were worried enough, in fact, to threaten to withdraw their help if it ever got out. The companies “feared damage to their brands internationally, if the extent of their co-operation with HMG [Her Majesty’s government] became apparent,” the GCHQ document said. Furthermore, if tapped private communications were ever made admissible as evidence in UK courts, GCHQ admitted that “many CSPs asserted that they would withdraw their voluntary support.”
Technical assistance
King also pointed out that the nature of the technology involved – cables that provide 90 percent of the world’s communications – would require technical help that only the companies that own them could provide. “It isn’t simply plugging in an Ethernet cable and away you go,” he said. “It’s going to cause major disruption, it’s copying every single communication going through a network, and doing that without causing delays in the network itself and doing it in a way that it doesn’t tip people off to the fact that it’s going on. I’d be absolutely astonished if it could be done without the company’s own engineers.”
Moreover, according to Privacy, telco firms are not under any legal obligation to help. “In the UK, we have no judicial authority that approves or denies any surveillance orders of any form – it’s our ministers who sign off on these things,” said King. “This is one intelligence agency asking their bosses – the ministers who are responsible for them – whether they can spy on some people. There’s no independent authority anywhere touching this process.”
A commercial partnership
Peter Micek, of US digital rights group Access Now, explained that in the US there is a similarly strong partnership between the CSPs and the NSA, though often the NSA does need to get secret court orders. “It depends on what traffic they’re looking to get,” he told DW. There are legal obstacles in place if it is a US-based telecom firm, and if the data collection is happening on US soil. “It looks like [the courts] do have some oversight,” Micek said.
Micek also suggested there was a historical reason why the telecom firms have remained silent, while the Internet companies have been outraged: “We are talking about two different animals,” he said. “The Internet companies are very new to this game, whereas the US has been working with the major US telecoms since the 70s to gain access to international communications data. They have decades-long relationships with the intelligence community.”
Not only is this a historical partnership, it is also in many cases a commercial one. As a report published in the New York Times on Thursday (07.11.2013) showed, the CIA pays AT&T over $10 million (7.4 million euros) a year to spy on its customers’ data. “The recent ‘black budget’ has shown that the NSA spends hundreds of millions of dollars annually in order to support upstream collection programs,” said Micek. “We have seen that they are compensated for other types of data-sharing with the US government – in the law enforcement areas.”
In other words, not only are customers paying their phone bills to a company actively helping the government to collect their data, they are also, via their taxes, funding the company to do it.