As Tech Advances, Privacy Laws Lag

Never has it been so easy to know so much about so many.

Thursday’s disclosure that three of the nation’s biggest telephone companies gave customer calling records to the National Security Agency again demonstrates that technology is rewriting the rules of privacy faster than the law can adapt.

And with their powerful database programs tracking a massive amount of personal details of Americans’ daily lives, a growing number of companies find themselves sandwiched between the privacy expectations of their customers and the national security demands of the federal government.

“It’s so easy to say yes,” said technology security expert Bruce Schneier. “The government sings a patriotic song, and you want to do what’s right. We all want to band together.”

With the rise of lightning-fast ways to collect, collate and distribute digital data, county sheriffs, credit card companies and even nosy neighbors can dig up private information. But in many cases it is the federal government that has been looking over the public’s virtual shoulder.

The NSA program is the most recent example of how personal data collected for commercial purposes can be used in unexpected ways.

“You have to think about how that information could be misused or used too zealously,” said constitutional law professor Martin S. Flaherty of Fordham Law School in New York. “At the end of the day, you’re still talking about information on private parties.”

The data collected by the NSA over the last four years did not routinely include individual names. The NSA is barred from deliberately tracking U.S. residents. Instead, the data were used to map calling patterns in search of clues to help identify terrorist activity.

Even so, civil liberties advocates said the effort raised questions about the government’s willingness to use technology to skirt privacy laws.

“This is the most comprehensive surveillance of the American public ever undertaken by the American government,” said Marc Rotenberg, executive director of the Electronic Information Policy Center.

Said attorney Kevin Bankston of the Electronic Frontier Foundation: “There is simply no legal process for this kind of wholesale invasion of privacy. What they claim to be doing with the data is irrelevant because the fact is they could do whatever they choose without any oversight.”

The foundation already is suing AT&T; Corp. -- the largest of the companies that provided data to the NSA -- over previously disclosed cooperation with the spy agency. That case cites a December report in the Los Angeles Times that the company gave the NSA access to a database cataloging all of its calling records.

The foundation also accuses AT&T; of maintaining a room in its main San Francisco switching office with equipment that received copies of all e-mail and digitized voice traffic transmitted through the site. The room was accessible only to people cleared by the NSA, former employees said.

AT&T; declined to comment.

Federal intelligence authorities are finding cooperative partners in corporate America, particularly in the wake of the 9/11 attacks on New York and the Pentagon.

Companies maintain detailed records on their customers, generally for marketing purposes. Credit card companies can track every purchase and use that information to make customized offers to consumers. Online retailers such as Amazon.com Inc. have software with the uncanny ability to recommend purchases. Search engines that catalog queries can reveal the changing zeitgeist.

Companies that have made blunders on privacy issues sometimes have suffered a backlash -- while others that safeguarded customer information against outside perusal have won plaudits.

Data broker ChoicePoint Inc. saw its stock fall sharply last year, after its databases were infiltrated by identity thieves. Some Internet users switched to Verizon Communications Inc. after it fought recording industry requests to identify customers suspected of piracy. And Google Inc. was hailed by privacy advocates for fighting subpoenas for millions of search queries while other Internet companies complied.

The release of phone records resonates because calls have been presumed to be private for decades. Unlike other companies, phone carriers are barred from revealing anything without a court order.

Of the four phone companies the NSA asked for information about customer calls, only Qwest Communications International Inc. refused. Qwest declined to comment Thursday on what it said were “matters related to national security.”

The other carriers -- Verizon, BellSouth Corp. and AT&T; Inc. -- said they followed the law.

“For many years, we have cooperated with law enforcement and did that under applicable laws,” Verizon spokesman Eric W. Rabe said. “Nothing’s changed. Certainly, we also think we take our customers’ privacy extremely importantly.”

Telecommunications industry insiders, speaking without attribution because of the sensitivity of the NSA’s activities, described the massive data collection to determine calling patterns as benign.

“This was about traffic patterns, aggregate calling from one place to another, [not] tracing a particular call,” one said.

Other communications companies, such as Internet service provider EarthLink Inc., said they would object to such a broad request.

Les Seagraves, EarthLink’s chief privacy officer, said his company responded to law-enforcement and intelligence requests, but regarding only one customer at a time.

No broader monitoring is allowed, and “no agency has carte blanche,” Seagraves said.

Former NSA Director Bob Inman said the use of telephone and other databases might not have violated privacy rights. That’s because the initial explorations were automated and personal information wouldn’t have spread any further in most cases -- a position supported by a former Bush administration official familiar with the monitoring program.

“Computers may have sorted through hundreds of millions of messages without a person ever seeing it. So no one’s e-mail or phone call has been compromised,” Inman said. “The problem only starts when the information goes to an analyst to read.”

Legal experts were less sanguine.

“Substantively, I don’t really care if they know my address and phone number and my calling habits,” said Frank Pasquale, an associate professor at Seton Hall Law School in New Jersey. “But if all the systems of checks and balances are torn down, then that’s a matter for concern. How far can they go?”

A key law regulating the NSA’s domestic activities is 1978’s Foreign Intelligence Surveillance Act, or FISA, which was prompted by a congressional investigation begun three years earlier over a Central Intelligence Agency spy campaign. Without warrants, the CIA had intercepted international mail and telegrams headed to the Soviet Union and other Communist nations for 20 years.

“The total number of mail and messages intercepted was in the millions, and testimony in Congress showed that the intelligence yield was pretty thin,” said Bruce Fein, a former Federal Communications Commission general counsel. “Now we have the ability to track massive amounts of information. We don’t even know the full scope of the NSA’s activities.”

Fein disputed the Bush administration’s contention that regulations needed to adapt to the realities of fighting terrorism. When FISA was passed, he noted, the U.S. had intercontinental missiles aimed at it, and the Cold War was in full force.

“To think all the world changed with 9/11 is wrong,” he said. “There have always been threats we faced.”

Flaherty, the Fordham law professor, said modern technology had raised possibilities no one could envision in 1934, when many of the original laws that still govern telecommunications companies were passed.

“Government is sitting on a huge database,” he said, “and you have to think about how that information could be misused or used too zealously.”