'Trusted Third Parties' Add One More Link In The Supply Chain Between Your Data And Government Requests

from the a-new-wave-of-data-brokers dept

Mon, Sep 8th 2014 2:49pm — Tim Cushing

Just how many entities have their hands on your data when the NSA makes requests? Well, it's not just the service providers and any number of analysts at the NSA. There's a whole industry subset of third parties that actually handle requests, implement wiretaps, direct searches for communications/data and deliver this information to the intelligence agency.

ZDNet's Zack Whittaker has the details.

With permission from their ISP customers, these third-parties discreetly wiretap their networks at the behest of law enforcement agencies, like the Federal Bureau of Investigation (FBI), and even intelligence agencies like the National Security Agency (NSA).

By implementing these government data requests with precision and accuracy, trusted third-parties — like Neustar, Subsentio, and Yaana — can turn reasonable profits for their services.

Little is known about these types of companies, which act as outsourced data brokers between small and major U.S. ISPs and phone companies, and the federal government. Under the 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), any company considered a "communications provider" has to allow government agencies access when a valid court order is served. No matter how big or small, even companies whose legal and financial resources are limited do not escape federal wiretapping laws.

Subpoenas, search warrants, court orders -- even those from the FISA court -- run through these trusted third parties. From the information Whittaker has gathered, this market seems to have evolved out of limited legal resources retained by smaller ISPs and service providers. Incoming requests are forwarded to these companies, which vet them for legal issues and determine what exactly needs to be done to satisfy them. Some of this is just CYA -- an extra insulating layer to serve as a buffer between the service provider and the possibly aggrieved customer(s). Some of it is due to practicality. Smaller ISPs and service providers do not retain lawyers with the security clearance needed to inspect/challenge certain orders.

One of those attorneys, who declined to be named for the story because the person holds top-secret security clearance, explained that although hundreds of lawyers have the same clearance — including those serving terror suspects in Guantanamo Bay — very few have been in front of the FISA Court to defend their clients. These clearance-holding lawyers have been in high demand over the past year representing major Silicon Valley companies implicated in the NSA's surveillance programs.

For the majority of smaller companies (as well as larger ones, who have refused to comment on challenging such warrants), complying with data demands may be their only option. The vast majority, however, do not have the resources to handle such requests.

"If they don't have an internal lawyer [reviewing FISA warrants], they could use a third-party service. That third-party can't provide legal advice, but it can create a system for reviewing the data, pulling, and processing the data," the security clearance-holding attorney said.

Because these companies have the sort of clearance the ISPs lack, smaller ISPs are often nothing more than dumb terminals for government agencies to manipulate. The trusted third parties are often the only entities that see certain court orders and requests, and ISP participation in the approval and response processes is often non-existent. In many cases, the ISP cannot even see the court order it's being directed to comply with.

"Of what worth is our permission when we don't even know what we're being asked to give access to?" a senior staffer at [ISP] Cbeyond admitted.

In the unlikely event that a request is rejected, it's usually done by the third parties, again without the participation of the ISP itself. The trusted third parties are better equipped -- in terms of legal team security clearance -- to do this than smaller ISPs are, but that additional expertise is of little use should ISPs decide to directly challenge a court order.

If the ISP or phone company decides to fight a warrant, the third-party can stand back and wash its hands of it.

Burr said Neustar "has and will" reject subpoenas that are inadequate for one reason or another. But should its clients choose to fight a FISA warrant or court order it believes to be overbroad, Neustar will not join the battle in court.

Other trusted third-parties take a similar approach.

"We're out of the picture," said Marcus Thomas, chief technology officer at Subsentio, another trusted third-party company, founded in 2004, and based out of Littleton, Colorado.

While the third parties may be collecting money from ISPs for handling data and intercept requests, their desire to stay in the government's good graces appears to outweigh any loyalty to the businesses that retain their services.

"It's the provider's problem," [Yaana Executive VP Tony] Rutkowski said. "The nice part about the trusted third-party business is that just from a liability standpoint, we don't want to be left holding the bag here." [Yaana CTO David] Grootwassink agreed. "We provide the gears. We don't get involved in fights between the governments and our clients."

And therein lies part of the problem. While it may be easier to turn over what is largely a compliance function to third parties, there's very little oversight into these companies' actions and processes. Even the ISPs that hire them seem to have limited insight into what's actually being done. These go-betweens have carefully dodged liability by refusing to be involved in legal challenges, leaving underequipped ISPs to fight their own battles. While some trusted third parties have issued transparency reports detailing the requests they've facilitated, this basically leaves the public to perform the oversight, something of very limited use. About all the public can do is switch providers, which, if even an option, only puts them in the hands of another company using the same practices.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 4th amendment, data, isps, phones, records, surveillance, third parties

14 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

John Fenderson (profile), 8 Sep 2014 @ 3:00pm

I thought I couldn't be surprised
In many cases, the ISP cannot even see the court order it's being directed to comply with.

That surprised me. I thought that secret laws were about as bad as it could get, but no -- they found something even worse.

It's the purest of bureaucratic insanity. Under no circumstances should any entity be required to comply with a court order it can't even read. The illogic of it could threaten the space-time continuum.
[ link to this | view in chronology ]
- Anonymous Coward, 8 Sep 2014 @ 5:01pm
  
  Re: I thought I couldn't be surprised
  It's like they do not even need a court order.
  [ link to this | view in chronology ]
- Ninja (profile), 9 Sep 2014 @ 3:16am
  
  Re: I thought I couldn't be surprised
  Well, haven't we seen people fighting for the right to see the evidence being used against them so they can build a defense (Dotcom comes to mind)?
  
  I'm not surprised, really. Outraged for sure but not surprised.
  [ link to this | view in chronology ]
- art guerrilla (profile), 9 Sep 2014 @ 6:09am
  
  Re: I thought I couldn't be surprised
  forget orwell, we need to go right to kafka with this crap...
  
  wave buh bye to America, say hello to amerika...
  [ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 3:16pm

Be afraid, be very afraid. Then while in, and due to this irrational state, go on and do something really stupid. Then do not pass go, and do not collect $200. Or you could turn off your phone, disconnect from the internet, and save some of your hard earned cash.
[ link to this | view in chronology ]
Anonymous Coward, 8 Sep 2014 @ 3:57pm

And then they will act shocked (SHOCKED, I tell you!) when there will be many leaks or hacks because of poor security.
[ link to this | view in chronology ]
Anonymous Anonymous Coward, 8 Sep 2014 @ 4:19pm

Trusted by...
...whom?

Not by me.
[ link to this | view in chronology ]
- Anonymous Coward, 9 Sep 2014 @ 9:50am
  
  Re: Trusted by...
  It's "trusted" in the sense of a trusted system: "one whose failure may break a specified security policy".
  [ link to this | view in chronology ]
Anonymous Coward, 9 Sep 2014 @ 12:28am

True Meaning of Security Clearance
It is pretty clear that all that "Security Clearance" means is that you're in on their conspiracies.
[ link to this | view in chronology ]
orbitalinsertion (profile), 9 Sep 2014 @ 12:42am

Neustar again? Well of course governments love DPI even more than advertisers.
[ link to this | view in chronology ]
wec, 9 Sep 2014 @ 9:49am

What makes them 'Trusted Third Parties' and who trusts them?
[ link to this | view in chronology ]
- John Fenderson (profile), 9 Sep 2014 @ 10:26am
  
  Re:
  They are trusted by the ISPs and the government. What makes them "Trusted" is that they are trusted by the ISPs and the government.
  [ link to this | view in chronology ]
GEMont (profile), 10 Sep 2014 @ 1:01am

Come one, come all. Sorry, public not allowed.
I'm beginning to think that it might be far easier to list the people who DO NOT have access, in one way or another, to the public's communication information.

Every month it seems there's a new layer of corporate businesses with their fingers dug deeply into the public pie, assisting the primary spooks in their over-whelming task of gathering everyone's private and personal information into a useable portfolio for blackmail, theft and abuse.

Trusted third parties indeed.

Whoever said there was no Trust between thieves?
[ link to this | view in chronology ]
anju89 (profile), 30 Aug 2018 @ 2:53am

Bluetooth
There is indeed post.
[ link to this | view in chronology ]