By Jonas Kron & Michael Connor
(Published in the Winter 2014 Issue of Investing For a Better World)
The high-stakes drama began to unfold in a Hong Kong hotel room last June. In the starring role was a 29-year-old computer whiz who had committed what TIME magazine called “the most spectacular heist in the history of spycraft.” The story has continued to develop in the months since with a steady drumbeat of news reports that have rocked the highest levels of government in the U.S. and around the world.
The computer whiz is Edward Snowden, a former contactor for the U.S. National Security Agency (NSA) who allegedly disclosed hundreds of thousands of classified files to The Guardian and The Washington Post detailing a U.S. government surveillance program which has been collecting massive amounts of data on millions of Americans – regardless of whether they are suspected of any wrongdoing.
While public opinion on Snowden is divided (some think he’s a hero; others, a traitor), his disclosures have highlighted the increasingly complex relationship between legitimate law enforcement and national security concerns and the need to protect individual privacy in the digital age. With almost ubiquitous global communications – often with mobile phones, or on social media platforms like Facebook or Twitter – law enforcement agencies at all levels, and in virtually all countries, are increasingly turning to telecommunications and Internet companies in search of confidential customer data.
And when those requests involve information belonging to everyday citizens, serious questions arise. U.S. Senator Ron Wyden (D-OR), speaking about the NSA surveillance program, said: “When law-abiding Americans call their friends, who they call, when they call, and where they call from is private information…I have to believe the civil liberties of millions of American have been violated.”
In addition to calls for legislative and regulatory reform, privacy concerns such as these have prompted shareholder initiatives – by Trillium and others – which seek greater accountability regarding those government requests for customer information.
Need for Transparency
Customer trust is critical for any business, but especially so for the major Internet and telecommunications companies – which routinely gather massive amounts of personal data concerning and affecting the lives of hundreds of millions of people in the U.S. and around the world. Failure to persuade customers of a genuine and long-term commitment to privacy rights could present companies with serious financial, legal and reputational risks.
In fact, there is evidence that reports of government surveillance may already be hurting the U.S. economy. The Information Technology and Innovation Foundation has estimated that disclosures regarding surveillance programs could cost the cloud computing industry $21 – $35 billion in business over the next three years if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits.
Privacy is also a fundamental tenet of democracy and free expression. If people around the world come to mistrust their communications networks, they’re less likely to speak out on critical issues. And society suffers as a result.
One way for companies to develop trust is to tell customers and investors how they’re dealing with government requests for confidential customer information. Even as companies are sometimes subject to strict legal gag orders regarding national security requests, they can still provide data on a broader pool of law enforcement data requests, which often come from local law enforcement, and from governments outside the U.S.
Internet companies – such as Google, Microsoft, LinkedIn, Twitter, Yahoo and Facebook – have begun to publish that data on an annual or semi-annual basis in what are called Transparency Reports or Law Enforcement Request Reports. These companies have also begun to lobby and press the U.S. government for permission to disclose more detail about national security-related requests. A large coalition of Internet companies recently published and endorsed principles calling for world governments to reform surveillance law, including an end to bulk collection of Internet communications, judicial authorization of surveillance and transparency.
Until recently, two of America’s largest communications carriers – AT&T and Verizon Communications – which also allegedly play major roles in U.S. government surveillance programs – have steadfastly refused to disclose any information regarding government requests for customer data, or to take a stand on the underlying issues of free expression and privacy. The companies’ refusal stood in stark contrast to their own privacy policies and corporate codes of conduct, which state that privacy and customer trust are critical to the success of their businesses.
The telecommunications companies are familiar with some of these issues from past experience. In December 2005, for example, media organizations reported that AT&T and other carriers had agreements with the federal government, dating back to 2001, to systematically gather information flowing on the Internet through the company’s network. Following those reports, more than 40 lawsuits were filed against communications carriers collectively seeking hundreds of billions of dollars in damages. It took an act of Congress (the FISA Amendments Act of 2008) to provide retroactive immunity to the communications carriers.
More recently, The New York Times disclosed that for at least six years, law enforcement officials working on a counternarcotics program have had routine access, using subpoenas, to an enormous AT&T database that contains the records of decades of Americans’ phone calls — parallel to but covering a far longer time than the NSA’s collection of phone call logs. The initiative, called the Hemisphere Project, covers every call that passes through an AT&T switch, not just those made by AT&T customers, and include calls dating back 26 years. It is estimated that four billion “call detail records” are added to the database – every day.
Both AT&T and Verizon are highly regulated by the government, and both are major contractors for the federal government. Verizon CEO Lowell McAdam, discussing subpoenas and company legal obligations, reportedly told an audience at Cornell University (his alma mater), We are the largest telecommunications provider to the United States government, and you have to do what your customer tells you.”
To address these issues, investors in AT&T and Verizon filed shareholder proposals in the fall of 2013 calling on the companies to publish semi-annual reports detailing how often they have shared information with U.S. or foreign governments and what type of customer information has been shared.
The prime sponsor of the AT&T proposal was the $160.7 billion New York State Common Retirement Fund, which manages assets on behalf of more than one million State employees and retirees. Trillium was the lead proponent of the Verizon proposal. Other investment firms and organizations – including the American Civil Liberties Union of Northern California – co-filed at one or both of the companies.
On December 19, 2013, in a significant breakthrough after a long period of silence, Verizon announced that in January it would publish transparency reports comparable to those published by Internet companies. Verizon’s announcement was followed a day later by a similar announcement by AT&T.
While we are gratified that the companies have apparently embraced our position, we are continuing to push for the reports to be as robust as possible. We are urging the companies to provide data about their compliance rates and specific information about how they are protecting customer privacy – e.g., what they require of government agencies that request user information. Finally, we also believe that the companies should urge the U.S. Department of Justice and the Foreign Intelligence Service Court to allow them to provide more granular information about how many National Security Letters and FISA Orders they receive.
Publication of transparency reports such as these in many ways represents a watershed moment in the effort to curb excessive government surveillance. We’re delighted at the important progress that’s been made and encouraged by the momentum that has developed. However, these reports are just first steps in a long-term effort to press AT&T, Verizon and other companies to be genuine guardians of privacy.
In 2014, we’ll continue to work toward achieving our immediate goal – to bring the rest of the telecom industry on board with transparency reporting – while also highlighting the much broader need for companies of all types to embrace privacy rights which are beneficial to our economy and democracy.
Jonas Kron is Senior Vice President and Director of Shareholder Advocacy for Trillium. Michael Connor is Executive Director of Open MIC, an organization that has worked with Trillium and other institutional investors to promote a vibrant, diverse media ecosystem through market-based solutions, including shareholder activism.