Despite New Privacy Policy, AT&T Can't Rewrite Right and Wrong, ACLU Says

June 22, 2006
FOR IMMEDIATE RELEASE
CONTACT: media@aclu.org

Statement of Barry Steinhardt Director, ACLU Technology and Liberty Project


NEW YORK -- Changes that AT&T has instituted in its privacy policy are a completely inadequate response to the company's apparent betrayal of its customers' privacy by illegally providing calling information to the NSA. 

The changes, as first reported by the San Francisco Chronicle, claim ownership over its customers' records and sweeping new language describing the company's uses of the records, including any purpose "involving potential threats to the physical safety of any person."  Given that even the vaguest hunch by the lowest-ranking security guard could qualify as a "potential threat," AT&T appears to be trying to give itself license to do whatever it sees fit with customers' data.

It has always been a part of the story that AT&T apparently violated its former privacy policy, but that has never been the central problem with the reported program.  If the allegations are true, AT&T could somewhat reduce its liability for any participation in "The Program" once the new policy goes into effect on Friday.  But such cooperation would still be illegal.  Privacy policies do not trump the laws of the U.S. or individual states.  For example, Congress has explicitly banned telecoms from providing customers' calling information to the government outside of the specific legal channels created by Congress.  Many states have similar laws.

And even more fundamentally, by secretly providing customer data to the government outside of any legal channel, AT&T has violated the privacy expectations of Americans - not just the terms of some legalistic privacy policy, but their basic expectations for how private communications will be treated in America. 

No tweaks to any fine-print click-through contract unilaterally imposed on its customers (and changed at will) can alter that fact.  We at the ACLU have always maintained that the twisted legalese in corporate "privacy statements" is a poor substitute for overarching privacy laws that all other industrialized nations have adopted.  But in the NSA spying scandal, we have the all-too-rare instance where existing laws actually do cover the behavior at issue, making changes to AT&T's privacy policy nothing more than an exercise in spin control.

Statistics image