[Infowarrior] - AT&T rewrites rules: Your data isn't yours

[Richard Forno]

AT&T rewrites rules: Your data isn't yours
- David Lazarus
Wednesday, June 21, 2006
http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/21/BUG9VJHB9C1.DTL

AT&T has issued an updated privacy policy that takes effect Friday. The
changes are significant because they appear to give the telecom giant more
latitude when it comes to sharing customers' personal data with government
officials.

The new policy says that AT&T -- not customers -- owns customers'
confidential info and can use it "to protect its legitimate business
interests, safeguard others, or respond to legal process."

The policy also indicates that AT&T will track the viewing habits of
customers of its new video service -- something that cable and satellite
providers are prohibited from doing.

Moreover, AT&T (formerly known as SBC) is requiring customers to agree to
its updated privacy policy as a condition for service -- a new move that
legal experts say will reduce customers' recourse for any future data
sharing with government authorities or others.

The company's policy overhaul follows recent reports that AT&T was one of
several leading telecom providers that allowed the National Security Agency
warrantless access to its voice and data networks as part of the Bush
administration's war on terror.

"They're obviously trying to avoid a hornet's nest of consumer-protection
lawsuits," said Chris Hoofnagle, a San Francisco privacy consultant and
former senior counsel at the Electronic Privacy Information Center.

"They've written this new policy so broadly that they've given themselves
maximum flexibility when it comes to disclosing customers' records," he
said.

AT&T is being sued by San Francisco's Electronic Frontier Foundation for
allegedly allowing the NSA to tap into the company's data network, providing
warrantless access to customers' e-mails and Web browsing.

AT&T is also believed to have participated in President Bush's acknowledged
domestic spying program, in which the NSA was given warrantless access to
U.S. citizens' phone calls.

AT&T said in a statement last month that it "has a long history of
vigorously protecting customer privacy" and that "our customers expect,
deserve and receive nothing less than our fullest commitment to their
privacy."

But the company also asserted that it has "an obligation to assist law
enforcement and other government agencies responsible for protecting the
public welfare, whether it be an individual or the security interests of the
entire nation."

Under its former privacy policy, introduced in September 2004, AT&T said it
might use customer's data "to respond to subpoenas, court orders or other
legal process, to the extent required and/or permitted by law."

The new version, which is specifically for Internet and video customers, is
much more explicit about the company's right to cooperate with government
agencies in any security-related matters -- and AT&T's belief that
customers' data belongs to the company, not customers.

"While your account information may be personal to you, these records
constitute business records that are owned by AT&T," the new policy
declares. "As such, AT&T may disclose such records to protect its legitimate
business interests, safeguard others, or respond to legal process."

It says the company "may disclose your information in response to subpoenas,
court orders, or other legal process," omitting the earlier language about
such processes being "required and/or permitted by law."

The new policy states that AT&T "may also use your information in order to
investigate, prevent or take action regarding illegal activities, suspected
fraud (or) situations involving potential threats to the physical safety of
any person" -- conditions that would appear to embrace any terror-related
circumstance.

Ray Everett-Church, a Silicon Valley privacy consultant, said it seems clear
that AT&T has substantially modified its privacy policy in light of
revelations about the government's domestic spying program.

"It's obvious that they are trying to stretch their blanket pretty tightly
to cover as many exposed bits as possible," he said.

Gail Hillebrand, a staff attorney at Consumers Union in San Francisco, said
the declaration that AT&T owns customers' data represents the most
significant departure from the company's previous policy.

"It creates the impression that they can do whatever they want," she said.
"This is the real heart of AT&T's new policy and is a pretty fundamental
difference from how most customers probably see things."

John Britton, an AT&T spokesman, denied that the updated privacy policy
marks a shift in the company's approach to customers' info.

"We don't see this as anything new," he said. "Our goal was to make the
policy easier to read and easier for customers to understand."

He acknowledged that there was no explicit requirement in the past that
customers accept the privacy policy as a condition for service. And he
acknowledged that the 2004 policy said nothing about customers' data being
owned by AT&T.

But Britton insisted that these elements essentially could be found between
the lines of the former policy.

"There were many things that were implied in the last policy." He said.
"We're just clarifying the last policy."

AT&T's new privacy policy is the first to include the company's video
service. AT&T says it's spending $4.6 billion to roll out TV programming to
19 million homes nationwide.

The policy refers to two AT&T video services -- Homezone and U-verse.
Homezone is AT&T's satellite TV service, offered in conjunction with Dish
Network, and U-verse is the new cablelike video service delivered over phone
lines.

In a section on "usage information," the privacy policy says AT&T will
collect "information about viewing, game, recording and other navigation
choices that you and those in your household make when using Homezone or
AT&T U-verse TV Services."

The Cable Communications Policy Act of 1984 stipulates that cable and
satellite companies can't collect or disclose information about customers'
viewing habits.

The law is silent on video services offered by phone companies via the
Internet, basically because legislators never anticipated such technology
would be available.

AT&T's Britton said the 1984 law doesn't apply to his company's video
service because AT&T isn't a cable provider. "We are not building a cable TV
network," he said. "We're building an Internet protocol television network."

But Andrew Johnson, a spokesman for cable heavyweight Comcast, disputed this
perspective.

"Video is video is video," he said. "If you're delivering programming over a
telecommunications network to a TV set, all rules need to be the same."

AT&T's new and former privacy policies both state that "conducting business
ethically and ensuring privacy is critical to maintaining the public's trust
and achieving success in a dynamic and competitive business climate."

Both also state that "privacy responsibility" extends "to the privacy of
conversations and to the flow of information in data form." As such, both
say that "the trust of our customers necessitates vigilant, responsible
privacy protections."

The 2004 policy, though, went one step further. It said AT&T realizes "that
privacy is an important issue for our customers and members."

The new policy makes no such acknowledgment.

David Lazarus' column appears Wednesdays, Fridays and Sundays. Send tips or
feedback to dlazarus at sfchronicle.com.

Page C - 1
URL: 
http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/06/21/BUG9VJHB9C1.DTL