Businesses told to give up data when NSA calls

Any company receiving a similar order to Verizon's would have no choice but to comply to avoid serious legal consequences, experts say

Businesses that receive a court order for data similar to the one reportedly handed to Verizon by an intelligence agency have no choice but to comply and to take comfort in their immunity from lawsuits, an expert says.

In April, the Foreign Intelligence Surveillance Court (FISC) granted the Federal Bureau of Investigation (FBI) unlimited authority to collect over a three-month period millions of phone records that included the numbers of both parties on a call, location data and the time and duration of all calls, The Guardian reported late on Wednesday. The conversations between the parties were not included in the data, which was turned over to the National Security Agency.

When cross-checked against other public records, the data could reveal someone's name, address, driver's license, credit history, Social Security number and more, the report said. The information would also tell the government whether the relationship between two people was ongoing, occasional or one-off.

The Obama administration defended the data gathering as "a critical tool in protecting the nation from terrorist threats to the United States." It also said the intelligence gathering was done legally under the Patriot Act, and with the review and authorization of Congress, as well as the courts and the executive branch.

While the FISC order only applied to Verizon, experts believe that other carriers have likely complied with similar orders. Putting aside whether such a massive data-gathering operation is good public policy, .

Paul Rosenzweig, founder of business advisory firm Red Branch Law & Consulting, said Thursday he would tell his clients: "Though the FBI/NSA order was probably not smart policy, it was lawful and that they should comply with the order."

In addition, businesses would be bound by the required confidentiality, so would not be able to tell their partners or customers, said Rosenzweig, who is a former deputy assistant secretary for policy in the Department of Homeland Security (DHS). He would also tell clients to be prepared to make clear that they were following a lawful order, if the data gathering activity became public.


In following such demands from the government, businesses would be immune from liability against lawsuits from parties whose personal data was included in the sweep, Rosenzweig said. "Especially after the FISA Amendment Act of 2007, they would be in good shape."

The amendment to the Foreign Intelligence Surveillance Act, passed by Congress at the request of President Bush, gave providers of information full immunity from civil suits.

While the extent of data gathering in the Verizon case felt "very wrong," it did not seem to pose any risk to Verizon, said Anton Chuvakin, research director for security and risk management at Gartner.

"Unless NSA loses the data, it is probably not a big deal," he said. "I don't see any additional risk to enterprise security stemming from this data collection."

Privacy in an age of the collection and mining of huge amounts of data gathered by businesses is an issue that's been around for some time and is no closer to a solution.

"The open question is the extent of data collection and the latitude those with access to this sort of information -- and more -- have, or could have, in a free and open society," said Scott Crawford, research director for Enterprise Management Associates and an expert in big data security.

The ability by government and business to collect and analyze large volumes of digital information can make the world safer, but also threatens privacy and civil liberties, Crawford said.

"I believe it is going to take a considerable amount of public discourse in order for society to come to any kind of consensus on the responsible use of this capability," he said. "Even then, it seems that the power to collect and analyze large volumes of data will likely outstrip our ability to manage this power."


Stories by Antone Gonsalves
