Businesses that receive a court order for data similar to the one reportedly handed to Verizon by an intelligence agency have no choice but to comply and to take comfort in their immunity from lawsuits, an expert says.
In April, the Foreign Intelligence Surveillance Court (FISC) granted the Federal Bureau of Investigation (FBI) unlimited authority to collect over a three-month period millions of phone records that included the numbers of both parties on a call, location data and the time and duration of all calls, The Guardian reported late on Wednesday. The conversations between the parties were not included in the data, which was turned over to the National Security Agency.
When cross-checked against other public records, the data could reveal someone's name, address, driver's license, credit history, Social Security number and more, the report said. The information would also tell the government whether the relationship between two people was ongoing, occasional or one-off.
The Obama administration defended the data gathering as "a critical tool in protecting the nation from terrorist threats to the United States." It also said the intelligence gathering was done legally under the Patriot Act, and with the review and authorization of Congress, as well as the courts and the executive branch.
While the FISC order only applied to Verizon, experts believe that other carriers have likely complied with similar orders. Putting aside whether such a massive data-gathering operation is good public policy, .
Paul Rosenzweig, founder of business advisory firm Red Branch Law & Consulting, said Thursday he would tell his clients: "Though the FBI/NSA order was probably not smart policy, it was lawful and that they should comply with the order."
In addition, businesses would be bound by the required confidentiality, so would not be able to tell their partners or customers, said Rosenzweig, who is a former deputy assistant secretary for policy in the Department of Homeland Security (DHS). He would also tell clients to be prepared to make clear that they were following a lawful order, if the data gathering activity became public.
In following such demands from the government, businesses would be immune from liability in lawsuits brought by parties whose personal data was included in the sweep, Rosenzweig said. "Especially after the FISA Amendment Act of 2007, they would be in good shape."
The amendment to the Foreign Intelligence Surveillance Act, passed by Congress at the request of President Bush, gave providers of information full immunity from civil suits.
While the extent of data gathering in the Verizon case felt "very wrong," it did not seem to pose any risk to Verizon, said Anton Chuvakin, research director for security and risk management at Gartner.