AT&T's Selling Customer Data Is Unlawful, Say Consumer Advocates

Consumer advocates are asking the FCC to make carriers get users' consent before sharing their data—or better, anonymize it.

AT&T charges the Central Intelligence Agency more than $10 million a year to provide data about subscribers, The New York Times reported last month, calling the arrangement part of the CIA's overseas counterterrorism efforts. Now, consumer advocacy groups, led by Public Knowledge, have filed a petition with Federal Communications Commission (FCC), asking it to enforce protections of wireless subscriber information provided by the Communications Act, of which it believes AT&T to be in violation.

In 1996, lawmakers modified the Communications Act to include Section 222. It states that, with few exceptions, carriers must receive customers' consent before sharing customer proprietary network information (CPNI).

After The Times report, Public Knowledge started poking around and found that "all four major mobile carriers (AT&T, Sprint, T-Mobile and Verizon) have privacy policies that indicate they believe it is okay to sell or share similar records to anyone," staff attorney Laura Moy wrote in a Dec. 11 blog post.

"We don't know whether or not they actually are selling CPNI, but the fact that they think they can is alarming."

In a press statement on the filing with the FCC, Moy summarized the position that consumers have been put in.

"Consumers have no choice but to share vast quantities of personal and private information about themselves with phone carriers in order to obtain service, which is an absolute necessity in the modern age," she wrote. "Americans should be able to rest assured that carriers can't just turn around and secretly share or sell that information with marketers or the government without consent."

In the petition, the consumer groups state that AT&T is likely to claim that it "anonymized" or "de-identified" call records before sharing them—but that it doesn't believe that to be the case. For at least two reasons, it argues, removing personal identifiers from call records, or blocking a few numbers from a phone number, aren't enough to really separate a person from his or her data.

"When a carrier purges individual identities from a set of call records but leaves individual characteristics (such as incoming calls and outgoing calls, call times and call durations) intact, the records are not anonymous at all; they are pseudonymous. ... Not only are pseudonymous records at risk of being linked back to a specific individual, pseudonymous records often contain sufficient information to discover the true identity of the person whose records they are," the petition explains.

It went on to offer several examples.

In 2000, researcher Latanya Sweeney, now the chief technologist at the FCC, found that "87 percent of the U.S. population can be uniquely specified by knowledge of his or her five-digit ZIP code of residence, gender and date of birth."

More recently, researchers at the University of Texas at Austin found that they could identify Netflix subscribers in a dataset by using publically available information. "'Removing identifying information is not sufficient for anonymity,'" the researchers reported, according to the petition.

Another group of researchers found that "95 percent of individual users could be uniquely identified using just four location data points."

For these reasons and others, Public Knowledge and its cohorts have asked the FCC to declare a ruling that non-aggregate call records that leave customers' individual characteristics intact are protected as identifiable CPNI and that AT&T, Verizon, Sprint and T-Mobile can't sell such records without customers' consent.

"The next step," Moy wrote in her blog post, "is for the Commission to docket the petition and put it out on public notice for people to comment on it. Let's hope the Commission does it soon."

An AT&T spokesperson told eWEEK, "In all cases, whenever any governmental entity in any country seeks customer information from us, we ensure that the request and our response are completely lawful and proper in that country. We have rejected government requests for customer information many times. Wherever we serve our customers, we maintain those customers' data and information in compliance with the laws that apply in the country where that service is provided."