Gold9472
06-21-2006, 10:52 AM
AT&T rewrites rules: Your data isn't yours
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/06/21/BUG9VJHB9C1.DTL&type=printable
David Lazarus
Wednesday, June 21, 2006
AT&T has issued an updated privacy policy that takes effect Friday. The changes are significant because they appear to give the telecom giant more latitude when it comes to sharing customers' personal data with government officials.
The new policy says that AT&T -- not customers -- owns customers' confidential info and can use it "to protect its legitimate business interests, safeguard others, or respond to legal process."
The policy also indicates that AT&T will track the viewing habits of customers of its new video service -- something that cable and satellite providers are prohibited from doing.
Moreover, AT&T (formerly known as SBC) is requiring customers to agree to its updated privacy policy as a condition for service -- a new move that legal experts say will reduce customers' recourse for any future data sharing with government authorities or others.
The company's policy overhaul follows recent reports that AT&T was one of several leading telecom providers that allowed the National Security Agency warrantless access to its voice and data networks as part of the Bush administration's war on terror.
"They're obviously trying to avoid a hornet's nest of consumer-protection lawsuits," said Chris Hoofnagle, a San Francisco privacy consultant and former senior counsel at the Electronic Privacy Information Center.
"They've written this new policy so broadly that they've given themselves maximum flexibility when it comes to disclosing customers' records," he said.
AT&T is being sued by San Francisco's Electronic Frontier Foundation for allegedly allowing the NSA to tap into the company's data network, providing warrantless access to customers' e-mails and Web browsing.
AT&T is also believed to have participated in President Bush's acknowledged domestic spying program, in which the NSA was given warrantless access to U.S. citizens' phone calls.
AT&T said in a statement last month that it "has a long history of vigorously protecting customer privacy" and that "our customers expect, deserve and receive nothing less than our fullest commitment to their privacy."
But the company also asserted that it has "an obligation to assist law enforcement and other government agencies responsible for protecting the public welfare, whether it be an individual or the security interests of the entire nation."
Under its former privacy policy, introduced in September 2004, AT&T said it might use customer's data "to respond to subpoenas, court orders or other legal process, to the extent required and/or permitted by law."
The new version, which is specifically for Internet and video customers, is much more explicit about the company's right to cooperate with government agencies in any security-related matters -- and AT&T's belief that customers' data belongs to the company, not customers.
"While your account information may be personal to you, these records constitute business records that are owned by AT&T," the new policy declares. "As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process."
It says the company "may disclose your information in response to subpoenas, court orders, or other legal process," omitting the earlier language about such processes being "required and/or permitted by law."
The new policy states that AT&T "may also use your information in order to investigate, prevent or take action regarding illegal activities, suspected fraud (or) situations involving potential threats to the physical safety of any person" -- conditions that would appear to embrace any terror-related circumstance.
Ray Everett-Church, a Silicon Valley privacy consultant, said it seems clear that AT&T has substantially modified its privacy policy in light of revelations about the government's domestic spying program.
"It's obvious that they are trying to stretch their blanket pretty tightly to cover as many exposed bits as possible," he said.
Gail Hillebrand, a staff attorney at Consumers Union in San Francisco, said the declaration that AT&T owns customers' data represents the most significant departure from the company's previous policy.
"It creates the impression that they can do whatever they want," she said. "This is the real heart of AT&T's new policy and is a pretty fundamental difference from how most customers probably see things."
John Britton, an AT&T spokesman, denied that the updated privacy policy marks a shift in the company's approach to customers' info.
"We don't see this as anything new," he said. "Our goal was to make the policy easier to read and easier for customers to understand."
He acknowledged that there was no explicit requirement in the past that customers accept the privacy policy as a condition for service. And he acknowledged that the 2004 policy said nothing about customers' data being owned by AT&T.
But Britton insisted that these elements essentially could be found between the lines of the former policy.
"There were many things that were implied in the last policy." He said. "We're just clarifying the last policy."
AT&T's new privacy policy is the first to include the company's video service. AT&T says it's spending $4.6 billion to roll out TV programming to 19 million homes nationwide.
The policy refers to two AT&T video services -- Homezone and U-verse. Homezone is AT&T's satellite TV service, offered in conjunction with Dish Network, and U-verse is the new cablelike video service delivered over phone lines.
In a section on "usage information," the privacy policy says AT&T will collect "information about viewing, game, recording and other navigation choices that you and those in your household make when using Homezone or AT&T U-verse TV Services."
The Cable Communications Policy Act of 1984 stipulates that cable and satellite companies can't collect or disclose information about customers' viewing habits.
The law is silent on video services offered by phone companies via the Internet, basically because legislators never anticipated such technology would be available.
AT&T's Britton said the 1984 law doesn't apply to his company's video service because AT&T isn't a cable provider. "We are not building a cable TV network," he said. "We're building an Internet protocol television network."
But Andrew Johnson, a spokesman for cable heavyweight Comcast, disputed this perspective.
"Video is video is video," he said. "If you're delivering programming over a telecommunications network to a TV set, all rules need to be the same."
AT&T's new and former privacy policies both state that "conducting business ethically and ensuring privacy is critical to maintaining the public's trust and achieving success in a dynamic and competitive business climate."
Both also state that "privacy responsibility" extends "to the privacy of conversations and to the flow of information in data form." As such, both say that "the trust of our customers necessitates vigilant, responsible privacy protections."
The 2004 policy, though, went one step further. It said AT&T realizes "that privacy is an important issue for our customers and members."
The new policy makes no such acknowledgment.
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/06/21/BUG9VJHB9C1.DTL&type=printable
David Lazarus
Wednesday, June 21, 2006
AT&T has issued an updated privacy policy that takes effect Friday. The changes are significant because they appear to give the telecom giant more latitude when it comes to sharing customers' personal data with government officials.
The new policy says that AT&T -- not customers -- owns customers' confidential info and can use it "to protect its legitimate business interests, safeguard others, or respond to legal process."
The policy also indicates that AT&T will track the viewing habits of customers of its new video service -- something that cable and satellite providers are prohibited from doing.
Moreover, AT&T (formerly known as SBC) is requiring customers to agree to its updated privacy policy as a condition for service -- a new move that legal experts say will reduce customers' recourse for any future data sharing with government authorities or others.
The company's policy overhaul follows recent reports that AT&T was one of several leading telecom providers that allowed the National Security Agency warrantless access to its voice and data networks as part of the Bush administration's war on terror.
"They're obviously trying to avoid a hornet's nest of consumer-protection lawsuits," said Chris Hoofnagle, a San Francisco privacy consultant and former senior counsel at the Electronic Privacy Information Center.
"They've written this new policy so broadly that they've given themselves maximum flexibility when it comes to disclosing customers' records," he said.
AT&T is being sued by San Francisco's Electronic Frontier Foundation for allegedly allowing the NSA to tap into the company's data network, providing warrantless access to customers' e-mails and Web browsing.
AT&T is also believed to have participated in President Bush's acknowledged domestic spying program, in which the NSA was given warrantless access to U.S. citizens' phone calls.
AT&T said in a statement last month that it "has a long history of vigorously protecting customer privacy" and that "our customers expect, deserve and receive nothing less than our fullest commitment to their privacy."
But the company also asserted that it has "an obligation to assist law enforcement and other government agencies responsible for protecting the public welfare, whether it be an individual or the security interests of the entire nation."
Under its former privacy policy, introduced in September 2004, AT&T said it might use customer's data "to respond to subpoenas, court orders or other legal process, to the extent required and/or permitted by law."
The new version, which is specifically for Internet and video customers, is much more explicit about the company's right to cooperate with government agencies in any security-related matters -- and AT&T's belief that customers' data belongs to the company, not customers.
"While your account information may be personal to you, these records constitute business records that are owned by AT&T," the new policy declares. "As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process."
It says the company "may disclose your information in response to subpoenas, court orders, or other legal process," omitting the earlier language about such processes being "required and/or permitted by law."
The new policy states that AT&T "may also use your information in order to investigate, prevent or take action regarding illegal activities, suspected fraud (or) situations involving potential threats to the physical safety of any person" -- conditions that would appear to embrace any terror-related circumstance.
Ray Everett-Church, a Silicon Valley privacy consultant, said it seems clear that AT&T has substantially modified its privacy policy in light of revelations about the government's domestic spying program.
"It's obvious that they are trying to stretch their blanket pretty tightly to cover as many exposed bits as possible," he said.
Gail Hillebrand, a staff attorney at Consumers Union in San Francisco, said the declaration that AT&T owns customers' data represents the most significant departure from the company's previous policy.
"It creates the impression that they can do whatever they want," she said. "This is the real heart of AT&T's new policy and is a pretty fundamental difference from how most customers probably see things."
John Britton, an AT&T spokesman, denied that the updated privacy policy marks a shift in the company's approach to customers' info.
"We don't see this as anything new," he said. "Our goal was to make the policy easier to read and easier for customers to understand."
He acknowledged that there was no explicit requirement in the past that customers accept the privacy policy as a condition for service. And he acknowledged that the 2004 policy said nothing about customers' data being owned by AT&T.
But Britton insisted that these elements essentially could be found between the lines of the former policy.
"There were many things that were implied in the last policy." He said. "We're just clarifying the last policy."
AT&T's new privacy policy is the first to include the company's video service. AT&T says it's spending $4.6 billion to roll out TV programming to 19 million homes nationwide.
The policy refers to two AT&T video services -- Homezone and U-verse. Homezone is AT&T's satellite TV service, offered in conjunction with Dish Network, and U-verse is the new cablelike video service delivered over phone lines.
In a section on "usage information," the privacy policy says AT&T will collect "information about viewing, game, recording and other navigation choices that you and those in your household make when using Homezone or AT&T U-verse TV Services."
The Cable Communications Policy Act of 1984 stipulates that cable and satellite companies can't collect or disclose information about customers' viewing habits.
The law is silent on video services offered by phone companies via the Internet, basically because legislators never anticipated such technology would be available.
AT&T's Britton said the 1984 law doesn't apply to his company's video service because AT&T isn't a cable provider. "We are not building a cable TV network," he said. "We're building an Internet protocol television network."
But Andrew Johnson, a spokesman for cable heavyweight Comcast, disputed this perspective.
"Video is video is video," he said. "If you're delivering programming over a telecommunications network to a TV set, all rules need to be the same."
AT&T's new and former privacy policies both state that "conducting business ethically and ensuring privacy is critical to maintaining the public's trust and achieving success in a dynamic and competitive business climate."
Both also state that "privacy responsibility" extends "to the privacy of conversations and to the flow of information in data form." As such, both say that "the trust of our customers necessitates vigilant, responsible privacy protections."
The 2004 policy, though, went one step further. It said AT&T realizes "that privacy is an important issue for our customers and members."
The new policy makes no such acknowledgment.