C.I.A. is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls, according to government officials
The cooperation is conducted under a voluntary contract, not under subpoenas or court orders compelling the company to participate, according to the officials. The C.I.A. supplies phone numbers of overseas terrorism suspects, and AT&T searches its database and provides records of calls that may help identify foreign associates, the officials said. The company has a huge archive of data on phone calls, both foreign and domestic, that were handled by its network equipment, not just those of its own customers.
The program adds a new dimension to the debate over government spying and the privacy of communications records, which has been focused on National Security Agency programs in recent months. The disclosure sheds further light on the ties between intelligence officials and communications service providers. And it shows how agencies beyond the N.S.A. use metadata — logs of the date, duration and phone numbers involved in a call, but not the content — to analyze links between people through programs regulated by an inconsistent patchwork of legal standards, procedures and oversight.
Because the C.I.A. is prohibited from spying on the domestic activities of Americans, the agency imposes privacy safeguards on the program, said the officials, speaking on the condition of anonymity because it is classified. Most of the call logs provided by AT&T involve foreign-to-foreign calls, but when the company produces records of international calls with one end in the United States, it does not disclose the identity of the Americans and “masks” several digits of their phone numbers, the officials said.
Still, the agency can refer such masked numbers to the F.B.I., which can issue an administrative subpoena requiring AT&T to provide the uncensored data. The bureau handles any domestic investigation, but sometimes shares with the C.I.A. the information about the American participant in those calls, the officials said.
Dean Boyd, a spokesman for the C.I.A., declined to confirm the program. But he said the agency’s intelligence collection activities were lawful and “subject to extensive oversight.”
“The C.I.A. protects the nation and upholds privacy rights of Americans by ensuring that its intelligence collection activities are focused on acquiring foreign intelligence and counterintelligence in accordance with U.S. laws,” he said. “The C.I.A. is expressly forbidden from undertaking intelligence collection activities inside the United States ‘for the purpose of acquiring information concerning the domestic activities of U.S. persons,’ and the C.I.A. does not do so.”
Mark Siegel, an AT&T spokesman, said: “We value our customers’ privacy and work hard to protect it by ensuring compliance with the law in all respects. We do not comment on questions concerning national security.”
The C.I.A. program appears to duplicate work performed by the N.S.A. But a senior American intelligence official, while declining to address whether the AT&T alliance exists, suggested that it would be rational for the C.I.A. to have its own program to check calling patterns linked to overseas terrorism suspects.
With on-the-ground operatives abroad seeking to disrupt terrorist activities in “time-sensitive threat situations,” the official said, the C.I.A. requires “a certain speed, agility and tactical responsiveness that differs” from that of other agencies. “That need to act without delay is often best met when C.I.A. has developed its own capabilities to lawfully acquire necessary foreign intelligence information,” the official said.
Since June, when documents leaked by the former N.S.A. contractor Edward J. Snowden began to surface, an international debate has erupted over the scope of N.S.A. surveillance and the agency’s relationships with American companies that operate networks or provide Internet communications services. Many of the companies have protested that they are legally compelled to cooperate. The AT&T-C.I.A. arrangement illustrates that such activities are not limited to the N.S.A., and that cooperation sometimes is voluntary.
While officials in Washington are discussing whether to rein in the N.S.A. on American soil, governments in Europe are demanding more transparency from the companies and threatening greater restraints. AT&T is exploring a purchase of Vodafone, a European cellphone service provider, and European regulators and politicians have vowed to intensely scrutinize such a deal.
AT&T has a history of working with the government. It helped facilitate the Bush administration’s warrantless surveillance program by allowing the N.S.A. to install secret equipment in its phone and Internet switching facilities, according to an account by a former AT&T technician made public in a lawsuit.
It was also one of three phone companies that embedded employees from 2003 to around 2007 in an F.B.I. facility, where they used company databases to provide quick analysis of call records. The embedding was shut down amid criticism by the Justice Department’s inspector general that officers were obtaining Americans’ call data without issuing subpoenas.
And, for at least the past six years, AT&T has embedded its employees in federally funded drug investigation offices to analyze call records, in response to subpoenas, to track drug dealers who switch phones. A briefing document for that program said AT&T had records of calls handled by its switches — including “a tremendous amount of international numbers that place calls through or roam on the AT&T network” — dating back to 1987, and described efforts to keep its existence “under the radar.”
The history of the C.I.A. program remains murky. It began sometime before 2010, and was stopped at some point but then was resumed, according to the officials. They said the House and Senate Intelligence Committees had been briefed about it.
While the N.S.A. is separately vacuuming up call metadata abroad, most scrutiny in the United States has focused on its once-secret program that uses court orders to domestic phone companies under the Patriot Act to assemble a comprehensive database of Americans’ calls.
Some lawmakers have proposed modifying it to have the phone companies, not the N.S.A., control the data, similar to how the C.I.A. has been operating.
Still, there may be limits to comparisons. The N.S.A. is subject to court-imposed rules about the standard that must be met before its analysts may gain access to its database, which contains records from multiple providers. The C.I.A. appears to have a freer hand, and officials said it had submitted significantly more queries to AT&T for data.
In addition, while both programs analyze cross-border calls of Americans, the N.S.A.’s Patriot Act database does not include purely foreign calls, while AT&T does not use purely domestic calls in analyzing links for the C.I.A., officials said.
Absent an emergency, phone companies are usually legally forbidden to provide customers’ calling records to the government except in response to a subpoena or a court order, and the C.I.A. has a mandate to focus overseas. Lawyers who reviewed the program, officials said, concluded that AT&T’s partial masking of American phone numbers satisfied those restrictions, citing a statutory exception to data privacy lawscovering “the acquisition by the United States government of foreign intelligence information from international or foreign communications.”
That same exception has come to public attention before. It was apparently invoked by a still-secret Jan. 8, 2010, memo written by the Justice Department’s Office of Legal Counsel. A 2010 inspector general’s report described the memo as allowing the F.B.I. to obtain call records “on a voluntary basis from providers, without any legal process or a qualifying emergency.”
While the bureau said it would not use that memo, the report warned that the existence of the government’s still-classified legal theory created a “significant gap” in “accountability and oversight” and urged Congress to modify the statute. Lawmakers have not acted on that recommendation.