AT&T Rewrites Privacy Policy

VikingThunder writes "The San Francisco Chronicle reports that AT&T has revamped its privacy policy, in an effort to head off future consumer lawsuits, with changes taking effect this Friday. AT&T is introducing a new policy that gives it more 'latitude' when it comes to sharing your browsing history with government agencies. Notable changes include notification that AT&T will track viewing habits of customers of its new video services Homezone and U-Verse, which is forbidden for cable and satellite companies, as well as explicitly stating that the customer's data belongs to the company: 'While your account information may be personal to you, these records constitute business records that are owned by AT&T. As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process.'"

It's time to take action.

[evileyetmc]

Well, I knew it wasn't going to be long before companies decided to openly admit that playing politics was more important than treating their customers right. Agreed that they had been playing politics in the past *cough* Bush's domestic wiretapping *cough*, but only now are they confirming that and trying to save their behinds from lawsuits like the kind the EFF has filed for unwarranted wiretaps.
This is exactly the treachery that leads to companies going under...You f*ck the consumer, you get f*cked right back.

I say call up your local congressman/woman and tell them that you want the Cable Communications Policy Act of 1984 to include provisions for all methods of distributing content, including IPTV. Also explain to them that your privacy is important to you and that you want them to support as many privacy bills as they can.

Of course, if that doesn't work, just ditch AT&T. I know there is enough competition out there to cripple them. Alas, you might end up paying a bit more, but think of it as the price you pay for privacy, and consumer-friendliness.

Well, I would not be surprised...

[Bananatree3]

if the other telcos started doing the same thing. In the beginning they simply said all their interactions were "classified" with the governement, building a huge smokescreen with which to hide behind. Now they have to deal with lawsuits, and they slip this into their privacy statement to stymie the 'suits. Knowing how telcos really like to avoid such suits I wouldn't be surprised if AT&T has started a fad.

*Sigh of relief*

[shumacher]

I was shopping for a new ISP this morning, and AT&T lost out only by failing to have a particularly local dialup number.

How is this legal?

[AWhiteFlame]

Can they really legally say, "Welp, even though it's your personal data, we reserve the right to do whatever we want with it if it benefits us or our partners." ?

So, does this mean we can get out of our contracts

[mrchaotica]

...with the company formerly known as Cingular, since they're changing the terms of the agreement after the fact?

Perfect opportunity for me to get off my duff.

[(H)elix1]

With my bride and I both using cell phones as our primary line, I've put off canceling them on my POTS line for long distance service. Well no more - the $8USD/month (was $3, but it looks like it jumped up with extra fees) just to have the service is not a lot of cash, but at least I'll get a chance to give AT&T a big old FU and the horse you road in on. The rep had the brass to say this was something to strengthen my 'privacy', then started on a song and dance about September 11th.

For those in the US, 1-800-222-0300 option 6 gets you where you need to go. Expect a 30 minute (or more) wait time.

Fuckers...

Contract Violation

[Doc Ruby]

In most states, actually operating under the terms of a contract, even if it's not signed by any party, gives that contract full force and effect.

If I used AT&T for anything covered by that privacy "policy", I'd sue them for unilaterally changing the terms of the contract without my consent. If I were a lawyer, I'd construct a class of everyone whose contract they're breaching.

Unless the old privacy policy says "AT&T can unilaterally change any terms of this policy without notice at any time", in which case I'd be a fool to think it was anything but an invitation to screw me whenever they want.

wait... the cable co isn't tracking what I watch?!

[legal_asshole]

"Notable changes include notification that AT&T will track viewing habits of customers of its new video services Homezone and U-Verse, which is forbidden for cable and satellite companies, [...]"

Did anybody else find that the most shocking/suprising part of the article? I had just always assumed that the primary purpose of the digital boxes the cable company gives you was so that they could have more control over tracking what you're watching and when, but apparently my secret American Idol fetish is safe (at least from the cable company's datawharehouse).

Re:How is this legal?

[stratjakt]

Yes, because they are legitimate business records.

Best Buy is allowed to keep all your credit card purchases on file, and use those records however they see fit in the course of business - including selling your purchasing habits to a marketing firm for analysis.

If you don't like it, tough titties. Move to a developing nation that doesn't have technology yet.

Re:Time for the Privacy Act

[Mad Dog Manley]

They're not protecting their customers, they're protecting themselves.

That's not all. The wording in the old privacy policy said:

the company "may disclose your information in response to subpoenas, court orders, or other legal process to the extent required and/or permitted by law"

New policy:

the company "may disclose your information in response to subpoenas, court orders, or other legal process"

Looks like the law isn't important to them anymore.

Re:How is this legal?

[richg74]

Yes, they can do just that.

While your account information may be personal to you, these records constitute business records that are owned by AT&T.

This really summarizes the legal problems with privacy here in the US. Although the data that people collect on you is "personal to you", it almost always, legally, belongs to whoever collected it. The hodgepodge of Federal and state laws doesn't help. For example, here in Virginia, my medical records are the property of my doctor. It was only relatively recently that legislation was passed that gives me the statutory right to see my own medical records.

This also relates directly to the more-or-less careless approach many firms take to protecting personal data. If the data belongs to them, they are that much more insulated from any legal consquences of losing it.

Bruce Schneier [schneier.com] has discussed this in a number of his blog posts and essays.

Read between the lines...

[EvilGrin5000]

FTFA...

Gail Hillebrand, a staff attorney at Consumers Union in San Francisco, said the declaration that AT&T owns customers' data represents the most significant departure from the company's previous policy. "It creates the impression that they can do whatever they want," she said. "This is the real heart of AT&T's new policy and is a pretty fundamental difference from how most customers probably see things."

...from how most customers probably see things. Which brings me to the next quote FTFA...

John Britton, an AT&T spokesman, denied that the updated privacy policy marks a shift in the company's approach to customers' info. "We don't see this as anything new," he said. "Our goal was to make the policy easier to read and easier for customers to understand."

...

But Britton insisted that these elements essentially could be found between the lines of the former policy. "There were many things that were implied in the last policy." He said. "We're just clarifying the last policy."

So my dear /. fellows, AT&T is clearly stating that it was always their intention to use your private information for their needs, and it was always in their power. What changed is that now the words used in the policy are more black-and-white than before. As far as AT&T 'owning' a customer's private info, I'd like to see the policy and read the fine print. Since I don't have one on hand, I think they are talking about the customer's information is private to the customer (DOB, SSN, First/Last name etc...) but to AT&T, it is a piece of DATA which belongs to the business. The DATA contains private info, but I think AT&T is claiming ownership on your data as a whole, as part of a registered user. The fact that they will disclose DOBs, names etc... for whatever reason, is a cascade scenario occuring from the fact that the DATA they will disclose, happens to contain your private information. This policy change is not a shocker at all. In fact it's more shocking that they actually stated in the policy the 'ownership' and 'disclosure' as clearly as they did. We all knew AT&T has always disclosed information.

Charter Communicationsbasically does this also

[xlr8ed]

15. RIGHT TO MONITOR

Neither Charter nor any of its affiliates, suppliers, or agents have any obligation to monitor transmissions or postings (including, but not limited to, e-mail, newsgroup, and instant message transmission as well as materials available on the personal web pages and online storage features) made on the Service. However, Charter and its affiliates, suppliers, and agents have the right to monitor these transmissions and postings from time to time for violations of this Policy and to disclose, block, or remove them in accordance with the Subscriber Agreement and any other applicable agreements and policies.

Charter laid this out about 15 months ago, basically stating that they have the right to watch and record anything you are doing under the guise of "protecting" itself

Re:It's time to take action.

[Billosaur]

Better to trial and fail then not try at all, I'd say. At least if you actively work to avoid them, eventually you will at least hurt them financially - which can eventually (hopefully?) lead to someone else with bigger pockets that we can trust finally buying out the backbone.

It's not so easy in more rural areas, but I suspect this will give Vonage a hefty boost if enough people get disenfranchised by AT&T over this to make the switch. That's assuming that Vonage can avoid more lawsuits [eweek.com].

Corporate Espionage

[W.Mandamus]

"While your account information may be personal to you, these records constitute business records that are owned by AT&T. As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process."

So lets see:
If I work at AT&T and a headhunter calls me at work or at home the corporation to check my phone records to "protect its legitimate business interests".

If I am a competitor of AT&T's, AT&T can find out what VC's I've been calling to "protect its legitimate business interests".

If I am sueing AT&T, AT&T can check my phone records to find out when I called my lawyer to "protect its legitimate business interests".

If I sign a contract with AT&T to provide me with my competitors phone records AT&T can do it to "protect its legitimate business interests".

You know if I were in charge of secruity for a major corporation I would be extremely worried about this.

Small Business and Corporations?

[fallen1]

If AT&T can unilaterally change the privacy policy as it applies to users of those services (primarily individuals) what is stopping them from doing to same thing to small business as well as big business/coporations? Hmm? Lawyers? - perhaps. If I had a small business that used AT&T in any way, shape, form, or fashion I would be IMMEDIATELY and deeply concerned about the privacy of my business documents that are being transmitted over AT&T's network - by any means (T1/T3, OC3, Frame Relay, VPN, etc. - even encrypted communications). Suddenly all of my VERY sensitive corporate secrets become the property of AT&T? My e-mails are all logged? My browsing and viewing habits as CEO of said corporation are now catalogued and kept in a database at AT&T's Galactic Data Core? As a private citizen of the United States of America and as a corporate employee I say, unequivocally, FUCK THAT.

Every concerned citizen and individual should rail against these changes in their policy - even if you don't use their service now. Write to them and explain, calmly and rationally, why you would never use their service and how you will do everything in your power to explain to family and friends why THEY should not use their service either. Dissatisfied people talk to loads of other people. Pissed off people talk to loads of other people. ANYTHING negative gets spread, on average, 10 times more than positive things do. When was the last time someone you know went to the doctor and said they had a great visit? Probably can't remember that, but I can guarantee that _someone_ you know has been to the doctor/dentist/etc. in the past 2 weeks and has vented a complaint about "I had to wait FOREVER to even see the doctor and he was only in there for 5 minutes" or something along those lines. Will a write-in campaign from both people who are on their service as well as those who aren't work? MAYBE. Yes, capital maybe since is always an If. Corporations tend to be a little more responsive to loads of negative press and negative write-ins than the goverment of the USA seems to be. If a good many small businesses and larger businesses/corporations jump on the write-in bandwagon too (especially those affected by HIPAA, Sa-Ox and other "privacy" concerns) then I'd give it a good chance.

Not to mention who did NOT see this coming? Any company that uses the frigging DEATH STAR as a corporate logo has to be aiming for world domination somehow ;-)

WTF?

[plasmacutter]

WTF is an ad for "hands off the internet" doing on slashdot?

As many erudite posters have pointed out this is nothing more than an astroturfing campaign by big telcos.. why is slashdot giving these people ad space?

Re:How is this legal?

[cayenne8]

"Best Buy is allowed to keep all your credit card purchases on file, and use those records however they see fit in the course of business - including selling your purchasing habits to a marketing firm for analysis. If you don't like it, tough titties. Move to a developing nation that doesn't have technology yet."

Or....you could just use cash.

:-)

Re:It's time to take action.

[UniXY]

now if companies (end user ISPs and such) toss ATT A few months ago my ISP (one of the largest cable internet providers in the Midwest--Insight) dropped AT&T for Sprint. I think this might have been motivated by the current attitude AT&T is displaying towards privacy and the tiered Internet. I am not sure if Sprint is any better, but so far all I can say is my pings are lower!

Re:It's time to take action.

[Anonymous Coward]

Hell, I live in a whole different country (Canada), and my cell-phone company (Rogers) is associated with AT&T. Which probably means that some if not all of my own damned information is probably going to flow south of the border. Which fscking Congressman am I going to fskcing contact to complain about this? Oh, wait, that would be absolutely fsking noone, that's who.

Yours. If it affects Canadian citizens, it's the job of the Canadian elected officials to be concerned about it. In fact, it's probably much easier to convince your MPs and prime minister this is a problem than to convince our congressmen and president. Your government has some ability to influence America's foreign policy through diplomacy. In other words, I'd say you have as much of a chance of fixing this as I do...

For that matter, you can complain to Rogers as well. If somehow you succeed in getting a big company to listen to consumers, one big company will certainly listen to another if they think their business relationship is at stake.

Re:It's time to take action.

[quantum bit]

You're preaching to the choir here. Most of the network related programs I use operate with ssh as their transport layer (unison for file sync, svn+ssh for source code repo and other versioned storage).

I also operate my own mail server/domain, which most of my friends and family have accounts on. I allow ONLY SSL-protected connections, so no plaintext POP3 passwords flying about. As far as they're concerned it's only 1 extra checkbox to click so it's no big deal. SMTP+AUTH+SSL for sending.

Granted, that won't help for sending messages to the outside as they transit unencrypted at some point, but at least we can email each other in relative security. If the NSA wastes a few weeks of processor time just to find out what my lunch plans were last Friday, serves 'em right.

Grant it....it will slow you up a bit

Unless you're talking about initial setup, at the bandwidth levels that most consumer accounts have, I have never seen an appreciable slowdown due to encryption. My modest 266-Mhz router can saturate a 3Mb link with VPN traffic.

Even on my laptop where I do full-disk encryption (GELI on FreeBSD -- built in and it was cake to set up), I can still get upwards of 20MB/s disk I/O, which isn't significantly worse than the el-cheapo drive that's in there can manage without it.

Re:Why does contract law allow this?

[winnabago]

I did exactly this with Verizon, after raising SMS rates 8 months into a 2 year contract (with notification), I objected in writing and asked to be terminated, or at least held to the original terms. They told me that I would be charged the termination fee anyway, because it was at my request. Even though I didn't agree to the new conditions, they said I agreed to such "minor" changes at the beginning. And my rate is not contractually bound, so it's subject to their whim, apparently.

To further complicate matters, the original contract was printed on a thermal receipt-type printer, and my copy has since faded to illegibility. It didn't have the complete language anyway, to the extent that where I signed, it referred to my agreement to a copy of the "current" terms, as available on the website. These have obviously changed over the last two years, so what did I agree to?

Is it even an option to take someone like this to small claims court?

I guess AT+T is no longer a "Common Carrier"

[denis-The-menace]

If AT+T claims ownership of all traffic flowing on its network, then all special interest groups will finally have somebody to sue with big $$ when something "bad" is found on the Internet.

AT+T will now be a lightning rod for lawsuits, frivolous or not.

Re:It's time to take action.

[cayenne8]

"Wasn't there some bill/law in the UK that you have to provide the government with all your private keys or face jail time?"

Well, one way to maybe at least get around having to 'have keys' for email. You could set up a nym server, that instead of mailing the mail to you...sent it to a newsgroup like alt.anonymous. Only you would know the subject for your messages, and have the encryption key to decrypt it.

I'd think the govt. in order to prove you needed to turn a key over to them...would need evidence of something you have that is encrypted?

At the very least...they could get all your keys, but, would never know where to get your messages...

:-)

Re:WTF?

[Jherek Carnelian]

As many erudite posters have pointed out this is nothing more than an astroturfing campaign by big telcos.. why is slashdot giving these people ad space?

Why not? It sure is better than running the advert in front of people who will take it at face value. At least on slashdot it gets a firm rebuttal and helps pay for the place.

Re:It's time to take action.

[Anonymous Coward]

Actually this is coming up a lot. One thing that you can certainly do is write to your MP. The deal here is that most communications with the government are covered under the Privacy Act and/or PIPEDA. If an MP or government employee transmits information to or through companies which may be compelled (by the USA PATRIOT act for example) to violate Canadian privacy law, they are in violation of one or the other of those acts. If they are also aware of the obligations of American corporations under the USA PATRIOT act, they are (literally) twice as guilty.

In short, the current American Administration has successfully made it illegal for US companies to do business with the Canadian Government. The civil service has largely chosen to disregard this however the issue is gaining traction slowly. Frankly, I think we need to throw a couple of these weasels in jail to speed this along but unfortunately CUPE's membership appears to be above the law.

Re:It's time to take action.

[Money for Nothin']

<sarcasm>Great! I'll get mom, dad, and my popular sister with 60 of her bestest friends on AIM using anonymous email and Freenet in no time!</sarcasm>

Seriously though, the reason these apps haven't taken-off is because they face a chicken-and-egg problem: they aren't standards de facto or de jure.

I've tried getting my friends to use encrypted AIM, via GAIM, Trillian, etc.. Of course they don't use it, (except for another Slashdotter friend of mine): it's "too hard" and (so they say) if you have nothing to hide, then what's the concern over privacy about? (and then I sigh: "He who does not learn from the past, is doomed to repeat it...")

I have relatives who are privacy nuts, and one close to me is even somewhat technically-competent and very well-educated. Yet, mention "PGP", and his eyes glaze over.

If even the privacy-concerned intelligentsia don't want to put forth the effort to protect their privacy, then isn't the battle, as a defacto matter, basically lost?

I think privacy is, has, and will always be, a lost cause. It takes:

• Political and/or economic/business intelligence to understand its value
• A historian's knowledge to understand the historical examples of privacy loss
• Mathematical sophistication to have a theoretical conception of the potential growth in instances of knowledge of one's personal information by others via the network effects of private information's spread
• A network-connected computer geek's (like most of us Slashdotters) understanding of how quickly that information actually *does* spread on the Internet to understand and demonstrate the reality of the privacy situation

Few people outside of many computer scientists, and some in the hard sciences and math, and maybe a few lawyers, are competent to fully-grasp the implications of privacy loss. Most people are not so intelligent, nor nearly patient enough to understand the subject -- and so, most people don't give a rat's ass.

The reality of privacy around the world is that Scott McNeely was right some 10 years ago, when he proclaimed that "privacy is dead." I cannot think of a single period in time in which the U.S. or Britain have undergone periods in which privacy could be said to have generally *increased*. [1] Germany arguably improved after the fall of East German socialism, having eliminated the Stasi in the process, but that's like switching from a Yugo to a GM-made econocar for one's personal transportation -- it's a big improvement, but still very far from what is wanted.

Those of us who care about privacy can and do use such applications. The rest of the unwashed masses will be tracked and eventually hunted-down by governments, corporations, and sophisticated black-market criminal organizations like the goddamn cattle they are (and, if East German, Iraqi, Chinese, North Korean, and American communist history -- as well as the history of various black market businesses (drug cartels, the Mafia, etc.) -- is any indicator, murdered much the same).

It doesn't help either that privacy apps have typically not worked particularly-well. Freenet is a great example: it hogs RAM and CPU and in the end, content-retrieval is painfully-slow. Not to mention that Freenet, like PGP, is basically a big red flashing neon sign to law-enforcement suggesting a high probability of illegal activity (and I think those of us who genuinely run/ran it for the political purpose of keeping free-speech and privacy alive really are/were in the minority -- just as those with whom you can talk intelligently to on USENET, or anywhere else on the Internet or in real life, are in the minority)...

[1] Then again, how does one measure privacy? By the number of surveillance cameras, public and private? By the number of records per individual being analyzed out of databases? By the number of doors kicked-down on the basis of information obtained via a breach of privacy? By th

Obligatory Car Analogy

[Kattana]

Had some interesting points come in a discussion about this and thought I would share.

Soultron: your bandwidth stream is not your property
Soultron: it's their property on their network
Kattana: Is your car on a road not your property because you dont own the road?
Quaoar: eh, analogies between information and tangible objects tend to break down
Kattana: Is your mail not your mail when it leaves your mailbox?
Quaoar: better
Kattana: much better, since its illegal to open mail in most cases.
Quaoar: of course, the argument there is that mail is handled by a public entity.
Soultron: is a cop allowed to stop your car and inspect it? is the post office allowed to inspect mail?
Kattana: and it contains your information.
Soultron: tampering with mail is only a crime when a private citizen does it
Kattana: cops and post office workers are _goverment_ employees
Quaoar: but the total "privateness" of telcoms is up for debate. They're one of the more involved corporate sectors in government business.
Quaoar: Soul, only if they have probable cause or a warrant/court order/whathaveyou of that sort. On both questions.
Kattana: AT&T is a private entity, they should not be allowed to open your packets any more than your packages.

PS, anyone know what laws apply to private mail carriers such as FedEX? are they even "mail carriers"?
PPS, I am posting chat in a comment posted on /. and that amuses me, if only I had a blog to quote it in.