Trusted Third Parties, Obscure Intermediaries in the Digital Surveillance Process

September 15, 2014

Disclosures made by Edward Snowden brought global public attention to the processes used by governments to access personal data and communications from Internet service providers (ISPs) and other telecommunications companies.  That attention now reveals an obscure group of commercial companies (“trusted third parties”) playing a key role as intermediaries between communications companies and government authorities demanding access to personal communications and information.  These trusted third parties are frequently used for the sake of economic efficiency, yet their use raises important concerns about protection of civil liberties.

Companies including Yaana, Neustar, and Subsentio are not widely known to the public, but they have developed multimillion-dollar businesses serving as trusted third parties facilitating compliance with government search warrants and other demands for access to the digital communications and information of individual Americans.  In effect, these companies are paid by ISPs and other telecommunications service providers to manage compliance with government demands for personal data.

Many small and mid-size ISPs and communications companies do not have the resources necessary to manage government demands for user data internally.  Yet those companies must nonetheless address those increasingly frequent demands for data, including those made by the U.S. government’s Foreign Intelligence Surveillance (FISA) Court.  Of necessity, those smaller companies turn to trusted third parties to outsource their compliance with government data demands.

Trusted third parties facilitate compliance within the framework of policies established by their clients.  They help to identify legitimate government data requests and manage compliance with those requests subject to specific policies and approvals provided by their client companies.

There are, however, important issues associated with the increasingly widespread use of trusted third parties.  For example, the trusted third parties consistently note that they operate within the guidelines and instructions imposed by their clients.  There appears, however, to be substantial reason to question how meaningful such client oversight is in many cases.

When FISA Court orders are involved, for instance, only certain individuals who have high-level national security clearance can be informed of the specific information sought and the context for the data request.  Often, small and mid-size companies do not have any staff members who possess the necessary level of security clearance, while the trusted third parties have access to such appropriately cleared personnel.  In that environment, the trusted third party is unable to disclose key details associated with the data request to its client, calling into question the extent to which any client authorizations and approvals are meaningful and informed.

Additionally, some trusted third parties play an active role in ongoing surveillance activities associated with search warrants and other data demands.  For example, when a court order requires monitoring of communications or Internet activity, some trusted third parties provide the surveillance equipment and oversee the monitoring on behalf of their communications company clients.  They may also interact directly with government authorities to transfer the data in question.  In these situations, essentially the entire monitoring function has been outsourced from the service providers to the trusted third parties.

Although the economic forces that create demand for trusted third party services are clear and readily understandable, the rapid growth of the services raises important concerns.  When ISPs and other telecommunications service providers effectively outsource oversight of customer communications and data to trusted third parties, they appear to lose a substantial level of control over those key digital materials.

Outsourcing of surveillance activities to trusted third parties results in a notable loss of control over the operations and integrity of the network facilities of the service providers.  Reliance on trusted third parties seems to represent an abdication of control over critical operations and content which is not widely anticipated, recognized or understood by most consumers.  This lack of transparency is troubling and appears to be a potential threat to those consumers.