Businesses that receive a court order for data similar to the one reportedly handed to Verizon by an intelligence agency have no choice but to comply and to take comfort in their immunity from lawsuits, an expert says.
In April, the Foreign Intelligence Surveillance Court (FISC) granted the Federal Bureau of Investigation (FBI) unlimited authority to collect over a three-month period millions of phone records that included the numbers of both parties on a call, location data and the time and duration of all calls, The Guardian reported late on Wednesday. The conversations between the parties were not included in the data, which was turned over to the National Security Agency.
When cross-checked against other public records, the data could reveal someone's name, address, driver's license, credit history, Social Security number and more, the report said. The information would also tell the government whether the relationship between two people was ongoing, occasional or one-off.
The Obama administration defended the data gathering as "a critical tool in protecting the nation from terrorist threats to the United States." It also said the intelligence gathering was done legally under the Patriots Act, and with the review and authorization of Congress, as well as the courts and the executive branch.
While the FISC order only applied to Verizon, experts believe that other carriers have likely complied with similar orders. Putting aside whether such a massive data-gathering operation is good public policy, .
Paul Rosenzweig, founder of business advisory firm Red Branch Law & Consulting, said Thursday he would tell his clients: "Though the FBI/NSA order was probably not smart policy, it was lawful and that they should comply with the order."
In addition, businesses would be bound by the required confidentiality, so would not be able to tell their partners or customers, said Rosenzweig, who is a former deputy assistant secretary for policy in the Department of Homeland Security (DHS). He would also tell clients to be prepared to make clear that they were following a lawful order, if the data gathering activity became public.
In following such demands from the government, businesses would be immune from liability against lawsuits from parties whose personal data was included in the sweep, Rosenzweig said. "Especially after the FISA Amendment Act of 2007, they would be in good shape."
The amendment to the Foreign Intelligence Surveillance Act, passed by Congress at the request of President Bush, gave providers of information full immunity from civil suits.
While the extent of data gathering in the Verizon case felt "very wrong," it did not seem to pose any risk to Verizon, said Anton Chuvakin, research director for security and risk management at Gartner.
"Unless NSA loses the data, it is probably not a big deal," he said. "I don't see any additional risk to enterprise security stemming from this data collection."
Privacy in an age of the collection and mining of huge amounts of data gathered by businesses is an issue that's been around for some time and is no closer to a solution.Ã'Â
"The open question is the extent of data collection and the latitude those with access to this sort of information -- and more -- have, or could have, in a free and open society," said Scott Crawford, research director for Enterprise Management Associates and an expert in big data security.
The ability by government and business to collect and analyze large volumes of digital information can make the world safer, but also threatens privacy and civil liberties, Crawford said.
"I believe it is going to take a considerable amount of public discourse in order for society to come to any kind of consensus on the responsible use of this capability," he said. "Even then, it seems that the power to collect and analyze large volumes of data will likely outstrip our ability to manage this power."
Read more about data privacy in CSOonline's Data Privacy section.