[109334] in Cypherpunks
WSJ: no-notice for cell-phone record subpoena
daemon@ATHENA.MIT.EDU (Bill Stewart)
Thu Mar 18 22:43:02 1999
Date: Thu, 18 Mar 1999 10:10:13 -0800
To: cypherpunks@cyberpass.net
From: Bill Stewart <bill.stewart@pobox.com>
Reply-To: Bill Stewart <bill.stewart@pobox.com>
So we've been discussing the Israeli phone companies giving away information;
here's a similar US issue, though it doesn't include geographic data (yet :-)
Also, there was some European phone company doing the same thing (Swiss?)
discussed on cypherpunks a while back.
>Date: Tue, 16 Mar 1999 18:29:33 -0600
>Reply-To: Law & Policy of Computer Communications <CYBERIA-L@LISTSERV.AOL.COM>
>Sender: Law & Policy of Computer Communications <CYBERIA-L@LISTSERV.AOL.COM>
>From: Sean Donelan <SEAN@SDG.DRA.COM>
>Subject: WSJ: no-notice for cell-phone record subpoena
>To: CYBERIA-L@LISTSERV.AOL.COM
>
>The Wall Street Journal had a story in the March 16, 1999 B section
>about the lack of privacy in cell-phone billing records. Much like
>my previous note about the lack of privacy of most subscriber information
>held by companies such as Yahoo, most cell phone companies give no notice
>to the subscriber about a subpoena for their records. AT&T reports 15,000
>subpoena for cell phone records. AT&T says its subscribers are made
>aware of the no-notice policy in the subscriber agreement. You know
>the one, which says they can change the terms at any time and you agree.
>
>Further the cell-phone companies claim because court rules generally
>require the party seeking the records notify the customer themselves, so
>the additional notification by the phone company would be redundant. But
>since there seems to be little penalty, or enforcement, notification
>by the party seeking the records is a bit lax; especially in civil cases.
>Lack of notice also seems to undermine the ability for the subscriber
>to challenge a subpoena for his or her records, since he or she does not
>know it exists. Not to mention, in several cases the party seeking
>the records is seeking them precisely because they do not know who
>the person is; and want the records to discover the person's identity.
>Its kind of difficult to recover your privacy after the party receives
>your records.
>
>The article goes on to say some consumers may make privacy a bargaining
>chip in their negotiations with the carriers. However, I don't see how
>that can really work for an ordinary consumer since a carrier can nullify
>any private terms in the contract by filing a tariff to do something
>different. And most cell phone agreements say the company employee
>selling the cell phone service has no authority to negotiate any of
>the terms anyway.
>
>In the past most wireline telephone companies had more or less the
>same policy for handling subscriber information inherited from the
>days of Ma Bell. But new CLECs and even new subsidiaries of old phone
>companies have policies all over the board.
>
>Ok, to Cyberia-L land. Last week I attended a seminar at the Internet
>Service Providers/Forum on the Electronic Communications Privacy Act.
>The US Asst Attorney General gave a good spiel. What I found interesting
>was how differently ISPs were handling subpoena and court orders. For
>example, exactly what "telephone numbers" are given out when. I've
>always taken a conservative approach and only released the basic
>information given by the subscriber himself, on the application form,
>such as the contact phone number in response to a subpoena. I generally
>wanted a search warrant or similar court order before releasing what I
>consider "transactional information" (a step below "content" but a
>step above "basic account information").
>
>But other ISPs were reading the ECPA's definition of "basic subscriber
>information" to include any record with a telephone number and doing
>iterative searches through ANI (Automatic Number Identification) logs
>along with cross-references to IP addresses and other session identification
>information to find all other accounts using the same phone number, in
>addition to all other phone numbers those accounts dialed in from, and
>repeating the process again. You can scoop up a lot of information
>doing that. And the person who said that's how they handled subpenas
>worked for a pretty big ISP.
>
>>From a plain reading of the ECPA, I can see the argument on both sides.
>But I'm afraid the argument isn't being made because most of the operation
>happens out-of-sight. Because people aren't being notified about the
>subpenas, they never think to ask what information has been released
>about their account. Ma Bell's old policy may have been the equivalent
>of law when there was only AT&T, but those days are over. In the case of
>many small and medium ISPs, they just assume anything with a "Law Offices
>Of ..." or "District Attorney of ..." letterhead must be correct and legal.
>During the ISP/F seminar, one ISP owner became rather irate, and felt law
>enforcement officials had taken advantage of her ignorance to obtain
>information.
>
>Are we heading for another social blowup, such as the one which led to
>the 1968 wiretap laws? Or should we just accept Scott McNealy, the CEO of
>SUN Microsystems, announcement that we have already lost our privacy and
>we should just move on.
>--
>Sean Donelan, Data Research Associates, Inc, St. Louis, MO
> Affiliation given for identification not representation
>
>
Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
