understanding the importance and impact of anonymity and authentication in a networked society

AT&T's Privacy Policy

posted by: Angela Long // 11:59 PM // June 27, 2006 // ID TRAIL MIX


During my usual pre-work web-surfing (aka. technique of seemingly interminable procrastination) last week, I came upon a post on boingboing.net with the title AT&T retrofits privacy policy: your data is not yours. The title piqued my curiosity, given its relevance to privacy law and the involvement of one of the world’s largest telecommunications companies. During our contracts course this past year, Ian Kerr and I routinely used Canadian telecommunications contracts and privacy policies to provide ‘real world’ examples of contracts with which the students would have had some personal (and often frustrating) experience. Having read those contracts and policies in great detail (and even fashioning an exam question based on one such contract), I was interested to see what changes AT&T was making.

Apparently AT&T has revamped its privacy policy (a misnomer if ever I’ve heard one – ‘privacy policies’ usually provide protection for almost everything EXCEPT privacy) to provide even less protection for its customers’ confidential information. The boingboing.net post links to an article by David Lazarus of the San Francisco Gate. Lazarus describes the new policy, which applies only to AT&T Yahoo! internet users, as markedly different from the company’s previous policy, in that it specifically ascribes ownership of customer data to AT&T. The new policy states in a section dealing with AT&T’s legal obligations and fraud:

While your Account Information may be personal to you, these records constitute business records that are owned by AT&T. As such, AT&T may disclose such records to protect its legitimate business interests, safeguard others, or respond to legal process.

In addition, it also requires customer agreement with the policy as a term of the service. It states (in bold print):

Please read this Privacy Policy carefully. Before using your Service(s), you must agree to this Policy.

In other words, if you don’t agree with the policy, which means agreeing to the use of your personal information in the ways set out by AT&T, you can’t use AT&T’s service.

Much of the brouhaha surrounding the latest antics of AT&T in the U.S. has to do with allegations that the company has been allowing the National Security Administration access to not only customer account information, but also to data that customers have transmitted through AT&T’s services, such as e-mails, without warrants, in the name of national security to subvert potential terrorist attacks on the US, an on-going red hot issue for privacy advocates. The company’s new policy widens the scope of to whom and in what circumstances it will be able to provide its customers’ information to government authorities. It states:

We may disclose your information in response to subpoenas, court orders, and other legal process, or to establish or exercise our legal rights or defend against legal claims. We may also use your information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the Service Terms or the Acceptable Use Policy, or as otherwise required or permitted by law.

While Lazarus focuses on the ownership of information issue (an issue that is no doubt of interest to privacy advocates) in this article and in a follow up article, I will instead focus on the contractual issue of required agreement to privacy policies, which, I have discovered, has implications for Canadians dealing with telecommunications companies, as well as all other commercial enterprises. As I stated above, AT&T has made it a term of its internet service agreement that customers agree to the privacy policy. If you don’t agree to the policy, you don’t get the service. In contractual lingo, we call this a take it or leave it offer. AT&T, as the offeror, is the master of the offer. The customer, as the offeree, may attempt to negotiate (the chances of this happening in modern commercial relationships are quite slim), but has no real power over the terms upon which the offer rests. The only choice the offeree has is to accept the terms of the offer or take her business elsewhere. I am no expert in US privacy law, but given the lack of emphasis on the take-it-or-leave-it change to AT&T’s policy in the media coverage, we can assume that it is legal for AT&T to take such an approach. In addressing this issue, Lazarus states:

Meanwhile, what can AT&T customers do if they choose to distance themselves from AT&T? Dozens of readers have put that question to me since Wednesday’s column ran. Short answer: Not all that much. There are other local and long-distance companies...but they often rely on AT&T’s network to get calls through or have policies similar to AT&T’s.

After reading about the situation with AT&T, I became curious about the state of affairs in Canada with respect to take-it-or-leave-it offers based on acceptance of privacy policies. Having some familiarity with Canadian telecommunications privacy policies, I didn’t recall seeing a similar term that required acceptance of the privacy policy in order to receive the service. But upon further investigation, I realized that Rogers has a similar term in its End User Agreement for Rogers Yahoo! Highspeed Internet. The preamble states:

As a condition of using the Services, you agree to and must comply with the terms and conditions of this Agreement, which will be binding on you.

Clause 8c then incorporates the Rogers Privacy Policy into the End User Agreement. So by agreeing to the End User Agreement, a customer agrees to the Privacy Policy, and in fact must agree to the Privacy Policy, as it is a term of the contract itself. The result is much the same as in the AT&T situation: consumers have to take it or leave it. And the Canadian situation for consumers, especially with respect to telecommunications, is at least as bad, if not worse, than it is in the United States, with large corporations dominating the market for these services. If they don’t agree with the content of these privacy policies, or the way that the information will be used as provided within the privacy policies, consumers will increasingly be out of luck in finding them elsewhere at a reasonable price.

One difference in the Canadian situation, I thought, may be the existence of PIPEDA (Personal Information Protection and Electronic Documents Act), a federal act designed to help protect personal information within commercial transactions. I thought there may be some sort of recourse for people who wish to acquire a product or service without necessarily consenting to the use of their personal information as outlined in a company’s privacy policy. However, after looking at PIPEDA, I was sorely disappointed (well, actually, I was a bit confused at first, as is often the case when I first read legislation). As it turns out, Rogers can require assent to their privacy policy as a term of their service agreement, meaning that Rogers can decline to enter into contractual relations with people who do not want to consent to the use of their information in the ways that Rogers have outlined in their policy.

Schedule 1 of PIPEDA provides the principles to which commercial enterprises are to adhere with respect to the collection, retention and dissemination of personal customer information. The harbinger of PIPEDA is consent of the individual, meaning that people must consent to all collection, retention and dissemination of information at the time it is collected by a company. This means that companies must tell their customers upfront what information they will collect and how they will use that information. This all seems fine and good, until we consider whether there are any limits on the kinds of information that companies are able to collect or on the uses of that information. It appears that there are no such limits, and as long as the customer is informed of what the company is doing with the information there is compliance with the principles of PIPEDA. To me, it all seems largely circuitous. Companies are essentially allowed to collect, retain and use personal information for any purpose, as long as that purpose is identified by the company, communicated to the customer and consented to by the customer. There are no real limits on the kinds of purposes, since the purposes are defined by the companies themselves.

To illustrate my point, look at Principle 4.2.2 and 4.2.3 of Schedule 1:

4.2 Principle 2 — Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfil these purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary for the purposes that have been identified.
The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.

The purposes are to be identified by the company itself. That may not be problematic in and of itself, but when looked at with the other principles contained within PIPEDA, it becomes harder to swallow. Principle 4.3.3. states:

An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

A company cannot require an individual to consent to a purpose that was not explicitly specified in order to obtain a product or service. The problem is that the corollary of this statement must also be true: a company CAN require the consent of an individual to the collection, use or disclosure of information to obtain a product or service where that collection, use or disclosure has been defined and explicitly specified as a legitimate purpose. And who determines the legitimate purposes? Going back to Principle 4.2, the companies themselves are able to set their own purposes for gathering information. If consumers don’t agree to these purposes and do not wish to consent to them, they are out of luck as the company will not be required to contract with them.

This state of affairs seems unfair, to say the least. To allow companies to set their own purposes for the collection and use of personal information, some of which may not be seen by consumers as legitimate (i.e., the sharing of information with other companies within the same corporate family, or even worse transgressions) and then to allow them to deny the provision of a product or service on the basis of disagreement with such purposes does not seem to be in line with the general purpose of PIPEDA, which is to protect information of individuals. This may be acceptable (a big MAY) in some situations, where there is ample choice in the market for consumers. They can choose to go to companies who have information purposes more in line with their own views. But as Lazarus points out, this kind of consumer choice is waning. First, there is less and less choice about who to do business with, especially in the telecommunications industry where virtual corporate monopolies exist. Second, more and more companies are invoking all-encompassing privacy policies that give them wide scope to deal with the personal information of their customers. And as long as they disclose this to customers at the outset, they have complied with PIPEDA. Increasingly, then, consumers must either consent (I would actually question whether this is true consent given the circumstances) to such policies or go without products and services. And as more and more companies adopt broad collection and use purposes, there is less and less privacy. Given this state of affairs, my question is whether there actually exists any substantive protection for personal information collected within the commercial sphere at all?


hi angela,

thanks very much for your careful and interesting analysis. i have tried to propose a solution to this problem in the context of DRM end user licence agreements, arguing that private law principles provide ample authority for setting aside the take-it-or-leave-it agreements of the sort you discuss.

to get a sense of that argument, jump to: http://idtrail.org/files/Kerr%20-%20If%20Left%20to%20Their%20Own%20Devices....pdf

Posted by: ian at June 27, 2006 09:39 AM

I think PIPEDA provides at least one limit you may have overlooked. Section 5(3) of PIPEDA provides that:

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

In Eastmond v. CP Railway, the Federal Court of Canada applied former Commissioner Radwanski's four part test to assess whether the purpose of a particular collection of personal information was appropriate.

Looking at the Eastmond test, organizations bound by PIPEDA might ask themselves the following questions to ensure that their collection, use, and/or disclosure (CUD) of personal information will pass muster:

Is the CUD necessary to meet a specific need?
Is the CUD likely to be effective in meeting that need?
Is the loss of privacy proportional to the benefit gained?
Is there a less privacy-invasive way of achieving the same end?

Each of these questions warrants a satisfactory answer, but the critical question in an "A T &T" context may be the last question.

In a society bound by the rule of law and constitutional principles, including those providing for judicial safeguards, the state is not generally permitted to invade privacy without first going before a judge and convincing that independent adjudicator that a warrant ought to be granted in the particular circumstances. Barring narrowly defined exigent circumstances, the judicial process is the "less-invasive way of achieving the same end". An "A T &T" shouldn't be able to contract out of these constitutional and statutory limits either.

Americans still have reason to hope that the US Congress will insist on bringing the NSA program back under the U.S. Constitution and the jurisdiction of a FISA Court that already provides law enforcement and security agencies with considerable latitude to intrude on privacy. On the other hand, it is not clear to me that Canadians have yet to absorb the significance of the bargains Parliament struck in the Anti-Terrorism Act, including those allowing a Minister to authorize the CSE to intercept communications between people in Canada and those on or "overseas".

Posted by: confoederatus at June 27, 2006 10:30 AM


This is a SSHRC funded project:
Social Sciences and Humanities Research Council of Canada