AT&T Does Not Care about Your Privacy

AT&T's CEO believes that the company should not offer robust security to its customers:

But tech company leaders aren't all joining the fight against the deliberate weakening of encryption. AT&T CEO Randall Stephenson said this week that AT&T, Apple, and other tech companies shouldn't have any say in the debate.

"I don't think it is Silicon Valley's decision to make about whether encryption is the right thing to do," Stephenson said in an interview with The Wall Street Journal. "I understand [Apple CEO] Tim Cook's decision, but I don't think it's his decision to make."

His position is extreme in its disregard for the privacy of his customers. If he doesn't believe that companies should have any say in what levels of privacy they offer their customers, you can be sure that AT&T won't offer any robust privacy or security to you.

Does he have any clue what an anti-market position this is? He says that it is not the business of Silicon Valley companies to offer product features that might annoy the government. The "debate" about what features commercial products should have should happen elsewhere -- presumably within the government. I thought we all agreed that state-controlled economies just don't work.

My guess is that he doesn't realize what an extreme position he's taking by saying that product design isn't the decision of companies to make. My guess is that AT&T is so deep in bed with the NSA and FBI that he's just saying things he believes justify his position.

Here's the original, behind a paywall.

Posted on February 10, 2016 at 1:59 PM • 51 Comments

Comments

Daniel • February 10, 2016 2:07 PM

I agree with the CEO that ultimately it isn't the tech companies' decision. They live in a democracy and are bound by the same rules as everyone else. At the same time, tech companies have an obligation to lead by example which is what Apple is doing. To suggest otherwise is to imply that the debate is over, which it is not. Moreover, I'd argue that tech companies have a special obligation in this regard because they have the most technical expertise.

So I think he's right to say that ultimately it is not up to Silicon Valley. I think he is wrong to imply that Silicon Valley doesn't have an important role to play.

Bill • February 10, 2016 2:46 PM

Does this mean that AT&T Wireless will stop selling the incredibly popular iPhones because they encrypt the device's data?

I doubt it. Too much money to be made.

CallMeLateForSupper • February 10, 2016 2:49 PM

We got a large whiff of AT&T's brand of commitment and security when the door of its Room 641A in San Francisco was thrown open (figuratively speaking). I abandoned AT&T at that time. Toxic. And their dial-up was unreliable.

I came up empty when I cast about for an AT&T-customer-friend to share this link with. The only AT&T customer I know pays big $$$ for a dongle thingie for web access during his annual one-week vacation. Besides, he mentally shuts down as soon as I start talking security.

Peter • February 10, 2016 2:51 PM

I think you're being unduly harsh here. He's saying that it's up to our elected representatives to decide what level of privacy we're entitled to. He's certainly not saying that companies shouldn't design their own products or decide what features they contain. But whatever the company does decide, it must follow the law. And that's up to the law makers, not the CEO.

Sancho_P • February 10, 2016 3:56 PM

I think it is wrong to say “tech company” when Tim Cook argues for strong encryption.
Tim Cook is personally engaged, he’s a sensitive + extremely sharp wit.
It is not a company (business) decision, it’s his heart.
The AT&T CEO may not have an opinion (personality?), but that’s OK for business alone.

Unconvinced • February 10, 2016 4:10 PM

It sounds like the AT&T CEO is invoking the Nuremberg Defense. But companies and individuals have obligations beyond merely the law.

Politicians can decide what the law should be. They cannot decide what is ethical. They cannot decide what organizations and individuals owe human society.

John Campbell • February 10, 2016 4:16 PM

The day someone other than the NSA reads his messages or listens to his calls, he will likely come to the conclusion that privacy is not a bad idea after all.

mishehu • February 10, 2016 4:36 PM

I got my money on sock puppetry. We all remember what happened to the former head of Qwest don't we?

David Leppik • February 10, 2016 4:43 PM

@Peter

Tim Cook's position is that government shouldn't limit Apple's ability to encrypt its products. Stephenson disagrees with that. That implies that there's a compelling argument for weakened encryption, and that companies shouldn't take sides in the debate.

Companies regularly take sides in political debates all the time. It's a natural part of a democracy, since companies are a part of society. To say that a company shouldn't take sides in a debate is nothing more than an attempt to silence that perspective.

Thoth • February 10, 2016 4:45 PM

@all
From the beginning of AT&T's history, they have been breaching privacy and already in bed with the NSA from day one. It wouldn't be a surprise that they make such disgusting statements. In fact, one of our threat models in security is the elephant in the room which is the ISP because of its privileged position to listen and corrupt communications which in terms of Cryptography, this malicious 3rd party is called by many names (e.g. Lilith, Eve, Mallory...).

The more ideal Internet would be a peer-to-peer decentralized secure communication network that uses secure message broadcasting. It would be nice if we can start to pull ourselves away from a centralized insecure networking model to a fully decentralized, secure and highly anonymous networking model.

Poul-Henning Kamp • February 10, 2016 5:28 PM

He has a good point.

Two good points actually.

First:

As a carrier he has the "End-to-end arguments in systems design" firmly on his side.

Anything he and his company can do to improve end-users' privacy will come at the cost of trusting him and his company to protect the end-users' privacy.

History considered, I don't think *anybody*, *anywhere* has *any* reason to trust *any* telco.

Second:

He is right that this is not something tech-companies should decide.

This is a human rights issue.

It needs to be decided through whatever is a constitutionally compliant mechanism in each Nation of the world.

Tech companies should have a voice, and they should use it.

But under no circumstances should we let unaccountable, unelected and usually tax-evading CEOs decide if the rest of us should have a right to privacy or not.

Poul-Henning

r • February 10, 2016 6:12 PM

Okay, so how about if it is a neutral standpoint and if it is a human rights issue to strip all the carrier included bs from their products.

Unless, ofc; they're not the ones including all that garbage software in the phones here stateside and they're bound by some sort of NDA.

Clive Robinson • February 10, 2016 6:25 PM

In an "ideal market" this conversation would not be happening, because both the company and the politicians' actions would be decided by the citizens as customers and/or voters.

Arguably Tim Cook over at Apple is addressing the needs "of Apple's customers" not that of the more general citizens as voters. Which gives rise to why the needs of Apple's customers and that of the general citizens are not aligned.

There are three basic arguments for this,

1, Apple customers have more knowledge than the general citizen.
2, Apple customers have special needs that general citizens do not.
3, The political process is not representative of the citizens as voters.

I would argue that for Apple the main issue is 3 augmented by 1, and that Apple has a sufficiently large customer base that 2 is not really applicable.

I would further argue that AT&T's position is solely based on 3.

Thus the real determining issue between Apple's position and AT&T's position is 1. That is Apple's customers are more knowledgeable than the general citizens, and thus understand that the political process is broken and unlikely to be fixed any time soon if ever.

Thus the solution for the AT&T issue is first having an alternative supplier and secondly for a sufficient number of AT&T's customers to become knowledgeable and "vote with their feet" by taking their custom to an acceptable alternative (assuming there is one, which appears doubtful). If sufficient customers leave AT&T then the loss of market share may well cause the shareholders to put the CEO on notice to actually meet customer requirements.

Do I rate the chances of this happening? Long answer short "NO".

The Telco market is "stitched up" and is more of a cartel than an open market, due to insufficient market competition. This needs to change and happen "free of Government constraint".

Bah! Bah! • February 10, 2016 6:45 PM

AT&T, Verizon and a good many other very large U.S. corporations are all but government agencies anymore. They receive billions and billions of tax dollars for services rendered including selling the private data of Americans to the US military and law enforcement agencies; not to mention other corporations with the government's blessing.

It's a melding of government and corporations to dominate and control us sheep. Some would call it Fascism.

Dirk Praet • February 10, 2016 7:13 PM

At least he's honest about AT&T not giving a flying *bleep* about their customer's privacy. In stark contrast to a huge number of corporate weasels pretending they "value and protect" their customer's privacy while at the same time silently complying with any government request.

Anon • February 10, 2016 7:27 PM

The argument "it's not for the corporations to decide" seems weird - they should have the total freedom to decide whether or not privacy is included in their products.

If people really believe in freedom of rights, then no-one should get to decide for everyone (either for or against) in the case of privacy.

If I want to supply a very secure product, I should be able to. If I want to broadcast everything someone does on a product, then fine. The consumer gets to choose by whether they buy my product or not.

So this AT&T guy doesn't want privacy. Watch as he loses customers.

Nobody You Know • February 10, 2016 7:36 PM

My take is the guy is just out of touch. That is horrible PR for his company, regardless of his engagement.

Telcos are also largely domestic focused, as well.

Whereas those companies that signed the petition have global sales and other strategic partnerships at risk.

When I read that list of company names on the petition, I do not go, "These are the clean ones." I have a reaction like "these people are just trying to cover their asses".

r • February 10, 2016 8:27 PM

Maybe they can't remove the crapware from their stateside phones for 'privacy' reasons because it would alert the international markets to the existence of subverted software. :)

Bruce Schneier • February 10, 2016 8:31 PM

"I think you're being unduly harsh here. He's saying that it's up to our elected representatives to decide what level of privacy we're entitled to. He's certainly not saying that companies shouldn't design their own products or decide what features they contain. But whatever the company does decide, it must follow the law. And that's up to the law makers, not the CEO."

I don't buy that. I don't think he doesn't allow his company to express an opinion on impending laws. I don't think he refuses to permit AT&T to lobby. He might say that laws are up to our elected representatives, but the odds are zero that he acts that way. This is the only issue where he wants hands off -- and that's him expressing his opinion as well.

Ross Snider • February 10, 2016 8:47 PM

@Bruce

This isn't about privacy.

This is about liberty.

Warrantless surveillance is about liberty.

Please stop using the term 'privacy'. It waters down the crucial importance of secure personal effects.

r • February 10, 2016 9:34 PM

@Ross,

Forgive me if I'm wrong here, but...

I don't think this is about liberty. We can root our phones, we can change service providers, we can reverse engineer their crapware, we can download encryption apps, we can use our phones to track others, commit crimes... But we can't use their network without being marked ala 1940's IBM style on our data streams. You can't use your phone without being implicitly watched... They will log your bluetooth mac, your wireless mac, they will correlate your presence to a coffee shop with an ad for sneaker sales... Or a good book from Barnes & Noble. We can't protect ourselves from their monetization practices (selling our data, our likes & dislikes, our habits and our virtual memberships with impunity). They're not stopping us from crashing into cars, they're using this technology to identify us... They are mining the goods that are present in the darkness of "privacy". You have the liberty to not participate in their marketing schemes...

The fact that the NSA or anyone else has their hands in the same cookie jar they do is irrespective of the fact they are mining both your conscious & subconscious for marketable data. So what if they double dip and charge law enforcement additionally for access to the same information they're already utilizing for their own monetary greed. Didn't the Patriot Act grant them immunity and thus impunity against reprisals for activities like this?

r • February 10, 2016 9:39 PM

Section 225 (Immunity for compliance with FISA wiretap) gives legal immunity to any provider of a wire or electronic communication service, landlord, custodian, or other person that provides any information, facilities, or technical assistance in accordance with a court order or request for emergency assistance. This was added to FISA as section 105 (50 U.S.C. § 1805).

Coyne Tibbets • February 10, 2016 11:42 PM

@Schneier - His position is extreme in its disregard for the privacy of his customers. If he doesn't believe that companies should have any say in what levels of privacy they offer their customers, you can be sure that AT&T won't offer any robust privacy or security to you

He's also disingenuous in the extreme. Companies decide the level of privacy for their customers all the time; specifically that the customers don't get to keep this or that information private.

And now that the idea is to increase privacy, all of a sudden he doesn't believe he can make a decision about his customer's privacy? Fie.

He has plenty of courage to stand up for his company profit, no problem. His company just threw a major fit over new FCC rules: fire-breathing dragon. Multiple major lawsuits.

But when it comes to his customers' needs? For that he evinces all the courage of a terrified mouse, too scared to stand up to big bad government.

Not likely: the reality is, he's just a government security agency boot-licker. He has to be, because his company derives a huge portion of its profit selling our data--selling us out--to those same agencies.

Danny Gordon • February 11, 2016 12:37 AM

If they use the term privacy for security purpose of people and not for any other intention then there should not be any problem but if they are using people's private data for market surveys and marketing kind of things then it's a complete breach of our security.

Ross • February 11, 2016 2:03 AM

@r

It absolutely is about liberty.

You need look no further than the laws you've yourself described, the "State Corporate Partnership" Schneier himself has gone to lengths to describe, the "Military-Industrial Complex" - or however you want to phrase it.

There is an explicit partnership between service providers and the state whereby citizens are monitored by private parties on behalf of the state.

The Stasi had citizens spying on one another. Remember that this was legal. That was an issue of liberty then.

The US intelligence sector has citizens spying on one another. This is made legal. It's still an issue of liberty now.

Gerard van Vooren • February 11, 2016 2:20 AM

@ Anon,

I am sorry but you just couldn't be more wrong in what you say.

> If I want to supply a very secure product, I should be able to. If I want to broadcast everything someone does on a product, then fine. The consumer gets to choose by whether they buy my product or not.

In that case you are saying to car manufacturers that seat belts, air bags, ABS and ESP are optional. Here you have the cheap Ford Pinto, there you have the more expensive safe car. The choice is up to you customer. We are a free country and rules are for the other suckers.

I wonder how the people who have had their data stolen at the OPM hack think about this issue.

> So this AT&T guy doesn't want privacy. Watch as he loses customers.

That doesn't happen. See Clive Robinson's reply. It's just that people are naive.

blake • February 11, 2016 4:48 AM

> But whatever the company does decide, it must follow the law. And that's up to the law makers, not the CEO.

Remind me again how much AT&T have spent lobbying the Net Neutrality debate?

>> Watch as he loses customers.
> That doesn't happen. See Clive Robinson's reply. It's just that people are naive.

It might just take a major data breach first; see TalkTalk in the UK.

Inside Threat Model • February 11, 2016 7:32 AM

It is the operator's responsibility to secure the bearer channel, Poul, and that bearer is the operator's design.

Keith Glass • February 11, 2016 7:34 AM

@Bruce. . .

Re: Elected officials deciding on the allowable privacy level. I would suggest that the Constitution says otherwise, at least in .us. . .

To wit:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things ..."

End of Innocence • February 11, 2016 7:40 AM

Does it really matter what Apple does, when the phone companies collect and share/sell your data? It's not just AT&T; Verizon, T-Mobile, and lesser-known entities do the same. They are at the place, where the "rubber hit the road" and it's well suited for monitoring end users' activities.

b_smark • February 11, 2016 8:59 AM

"Companies regularly take sides in political debates all the time. It's a natural part of a democracy, since companies are a part of society. To say that a company shouldn't take sides in a debate is nothing more than an attempt to silence that perspective."

Stephenson is being grossly hypocritical in that 1) nobody in their right minds believes that AT&T is going to forego exerting political influence on this or any other issue touching its interests and 2) making the statement *is* taking a position (on the pro-surveillance side) under a thin cloak of passive-aggressive cowardice.

OldFish • February 11, 2016 11:23 AM

I just cannot see any legitimate argument that government has the power to control the domestic use of encryption.
Where do they find the power to control the form of speech?
From what demented mind comes the conclusion that the permission to search is equivalent of the power to dictate form and storage in order to guarantee a successful search?
Apparently from the same demented mind that considers the government to have the right to a priori remove the right to remain silent by outlawing secure transmission and storage.

So here's a little analogy: how does current law treat an encrypted diary in old-fashioned, paper and pen form?

r • February 11, 2016 12:01 PM

@oldfish,

I would assume the pen and paper diary is along the same lines of the booky, if there's a pressing and conveyable need they can offer immunity and go bowling. How do they know it's a diary until it's decrypted?

Robert G • February 11, 2016 12:04 PM

@Old Fish

I agree with your sentiment, but one also has to step back and consider that probably what happens a lot is they can not get the information they want to get.

There are open murder cases related to unbroken pen and paper encryption. Some going back decades. Great mysteries, but probably worthless for actually solving the murder.

Reality is, however, the reason the NSA does not whine for breaking encryption, and the FBI does is because the NSA knows computers. The FBI has had leadership in forensics, but that was far outside their culture. They have slowly built a large cyber division, but who are they hiring, and who is being promoted to advise?

The NSA, CIA, and other agencies have far more vulnerability finding resources than the FBI. And that is the effective "backdoor" anyone needs. That is a failure on the part of the FBI. The intelligence agencies have no reason to share, and it would be an extreme security disadvantage to do so. You can teach someone to fish, or you can give them a fish. The FBI has to get the budget to learn how to fish.

Domestic law enforcement is a bigger problem. Why should even the FBI share with them? Yet, they have budgets. Anaheim California, a relatively small city, has full blown mass 'stingray on steroid' systems designed for bulk surveillance.

The value for sheriffs who must run for election is too large, the chance for corruption is too high. Policing, federally, every city and their usage is impossible. Usually there is no motivation for it.

Cops, federal and state and city, tend to not be very motivated to policing each other.

The federal would have to police the state, the state the city and county. And who would police the federal, but their own selves?


OldFish • February 11, 2016 6:08 PM

@RobertG

"I agree with your sentiment, but one also has to step back and consider that probably what happens a lot is they can not get the information they want to get."

'Tough nutz' would be the correct response to that problem. The permission to search that is a warrant is not a guarantee of success, nor does it grant the power to control individuals to the point that success in possible future searches may be guaranteed.

It is an overreach. As usual.

Robert G • February 11, 2016 7:21 PM

@Old Fish

There is always a way in. If the case is important enough, they just have to do extra work. That level of effort helps protect against abuse.

As a critical part of that cost, it also requires soliciting resources which make such efforts easy to regulate, and therefore control.

A badge does not magically transform people into Jesus. Cops are as prone to crime and error as anyone else. And actually, they tend to share the same behavioral makeup as criminals. Coin toss which way they ended up.

@Curious

It is highly unlikely that going much beyond "hammering a cam to a telephone pole" would be legal. Even hammering a cam to a telephone pole might kill a case, and be illegal. These sorts of sketchy activity even open their department and personnel to civil cases. ie, they can be personally sued for much more than they have. And put in jail at the same time.

Ross • February 12, 2016 2:56 AM

@Curious

Right. Legally, privacy is something you have to have a reasonable expectation to. Liberty, freedom, security of person and personal effects. These things are rights.

Given the third party doctrine and other interpretations of law we have no expectation of privacy really anywhere. But we still have rights. At least, if there is legitimate rule of law.

If surveillance were merely a privacy issue it would be quite clear that we have no expectation not to be surveilled pretty much anywhere.

Matt • February 12, 2016 7:28 AM

"I don't buy that. I don't think he doesn't allow his company to express an opinion on impending laws. I don't think he refuses to permit AT&T to lobby" - Bruce is right. Never mind the fact that the government makes law, we all know that from kindergarten, Stephenson said it is not their decision to make if it is the right thing to do, not what the law should be.

JohnP • February 13, 2016 9:06 AM

AT&T is just voicing what their largest customer voices. If there was any doubt, that customer is the US Government. Even huge companies like AT&T have to "ride the bull" sometimes and when you've been doing it for 100 yrs, doing anything else is impossible.

Anon10 • February 15, 2016 5:32 PM

@b_smark

Publicly traded companies in the US have a fiduciary duty to their minority shareholders, which implies that publicly listed companies should be taking part in political debates only in limited circumstances:

1) The issue directly affects the company's profitability.
2) The company should only lobby for that which maximizes its own profitability.
3) The company should only lobby on issues that are winnable for the company.

It's unethical for a public CEO to use his company to lobby in the political process if it doesn't maximize shareholder value.

WhiskersInMenlo • February 16, 2016 8:10 PM

OK it is on record:
AT&T Does Not Care about Your Privacy
AT&T's CEO believes that the company should not offer robust security to its customers...

It is important to note that AT&T is not in the payment business.
Apple has Apple Pay, Samsung has Samsung Pay others want to play too.

Both should place AT&T on notice that if AT&T delays security updates or hobbles security by installing bad boy software that AT&T is opening themselves for a big legal expense and perhaps fines and civil liability. Executive compensation may prove to be fair game if criminals are found within a close link on a connection graph built from meta data and a plausible parallel construction of criminal activity presented to a jury.

The issue of who knew what when may come to play but it is clear that the position is in response to a real or potential threat. So the clock has started.

There may be more hidden behind secrecy orders and it may be that the CEO's statement is a canary's message that the internals of AT&T have been compromised.

The risks when hardware is insecure go all the way down.

What is the old curse: "May you live in interesting times."

Buck • February 16, 2016 10:00 PM

@WhiskersInMenlo

> It is important to note that AT&T is not in the payment business.

Tell me again, why is this so important? Same question repeated, but could you possibly explain it to me without using any dubious definitions of contact-chained watering-holes..? That all sounds like a bunch of BS to me (no offense to you intended).


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.