I want to make two more points about AT&T’s “Transparency” Report which, as I mentioned earlier, shows how deceitful “transparency” reports can be.
First, compare the number of subpoenas AT&T shows, total, compared to the rough numbers provided for requests to AT&T under Hemisphere for the prior year.
In 2012, 3 cities — Atlanta, Houston, and Los Angeles — submitted a total of 2,770 requests to Hemisphere. In 2012 to 2013 (see the following slide), 7 HIDTAs plus two parts of the Southwest Border HIDTA submitted 838 requests to Hemisphere. While I suspect other HIDTAs also have access to Hemisphere, those numbers are still just a tiny fraction of the total subpoenas AT&T got the following year — using the larger number, just slightly more than 1% of the 223,659 criminal subpoenas AT&T received in 2013.
Even assuming the number is 3 times that across all DEA requests, that seems like a miniscule number, probably even a miniscule number of the requests submitted in drug investigations.
We are to believe, then, that AT&T keeps up this database just to feed as what might be less than 4% of its total requests?
Which is one reason I suspect Hemisphere is also serving other purposes.
And that, of course actually assumes (I’m in a generous mood) that AT&T receives a subpoena for all its Hemisphere requests, in spite of references in the Hemisphere presentation to emails and despite the past history of AT&T (or another telecom) providing phone records in response to requests on Post-It notes.
Which makes me really wonder, given another little detail in AT&T’s “Transparency” Report, whether AT&T responds to as data requests, rather than formal demands.
Here are the categories for the data requests it gets:
- National Security Demands
- Total U.S. Criminal & Civil Litigation Demands
- Location Demands
- Emergency Requests
- International Demands [my emphasis]
Remarkably, AT&T has just 22 International Demands, counting both law enforcement and URL blocking. Verizon, by contrast, got 2,396 law enforcement demands and 1,663 block requests, though some of that may reflect Vodapone exposure and it also implies there were other requests that it funneled through MLAT processing.
I raise this because, in his paper on the dragnet, David Kris repeatedly suggested the NSA gets some bulk metadata via voluntary production of foreign data.
Alternative methods of collection would include non-bulk FISA orders, or what prior NSA Directors in the past have referred to as “vacuum cleaner” surveillance outside the ambit of FISA, under Executive Order 12333 and its subordinate procedures, such as DOD 5240-1.R, and perhaps voluntary production if not otherwise prohibited by law. See NSA End-to-End Review at 15; August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); cf. 18 U.S.C. § 2511(2)(f) otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”).(“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”).
If AT&T is voluntarily providing data in response to requests, without insisting on getting a demand, it might explain some of the numbers (not to mention its far greater skew towards subpoenas rather than warrants, as compared to Verizon — though this “demand” “request” language necessarily appears at Verizon, too).
Don’t get me wrong: if AT&T wants to just give out customer information in response to data requests without asking for a demand, I’ll just assume it’s being polite to those in authority. But if it is, those requests should be in its transparency report too.