WASHINGTON — The CIA is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls, according to government officials.
The cooperation is conducted under a voluntary contract, not under subpoenas or court orders compelling the company to participate, according to the officials. The CIA supplies phone numbers of overseas terrorism suspects, and AT&T searches its database and provides records of calls that may help identify foreign associates, the officials said.
The company has a huge archive of data on phone calls, both foreign and domestic, that were handled by its network equipment, not just those of its own customers.
The program adds a new dimension to the debate over government spying and the privacy of communications records, which has been focused on National Security Agency programs in recent months.
The disclosure sheds further light on the ties between intelligence officials and communications service providers. And it shows how agencies beyond the NSA use metadata — logs of the date, duration and phone numbers involved in a call, but not the content — to analyze links between people through programs regulated by an inconsistent patchwork of legal standards, procedures and oversight.
Because the CIA is prohibited from spying on the domestic activities of Americans, the agency imposes privacy safeguards on the program, said the officials, speaking on the condition of anonymity because it is classified. Most of the call logs provided by AT&T involve foreign-to-foreign calls, but when the company produces records of international calls with one end in the United States, it does not disclose the identity of the Americans and “masks” several digits of their phone numbers, the officials said.
Still, the agency can refer such masked numbers to the FBI, which can issue an administrative subpoena requiring AT&T to provide the uncensored data. The bureau handles any domestic investigation, but sometimes shares with the CIA the information about the American participant in those calls, the officials said.
Dean Boyd, a spokesman for the CIA, declined to confirm the program. But he said the agency’s intelligence collection activities were lawful and “subject to extensive oversight.”
“The CIA protects the nation and upholds privacy rights of Americans by ensuring that its intelligence collection activities are focused on acquiring foreign intelligence and counterintelligence in accordance with U.S. laws,” he said. “The CIA is expressly forbidden from undertaking intelligence collection activities inside the United States ‘for the purpose of acquiring information concerning the domestic activities of U.S. persons,’ and the CIA does not do so.”
Mark Siegel, an AT&T spokesman, said: “We value our customers’ privacy and work hard to protect it by ensuring compliance with the law in all respects. We do not comment on questions concerning national security.”
The CIA program appears to duplicate work performed by the NSA. But a senior U.S. intelligence official, while declining to address whether the AT&T alliance exists, suggested that it would be rational for the CIA to have its own program to check calling patterns linked to overseas terrorism suspects.
With on-the-ground operatives abroad seeking to disrupt terrorist activities in “time-sensitive threat situations,” the official said, the CIA requires “a certain speed, agility and tactical responsiveness that differs” from that of other agencies. “That need to act without delay is often best met when CIA has developed its own capabilities to lawfully acquire necessary foreign intelligence information,” the official said.
Since June, when documents leaked by the former NSA contractor Edward J. Snowden began to surface, an international debate has erupted over the scope of NSA surveillance and the agency’s relationships with American companies that operate networks or provide Internet communications services. Many of the companies have protested that they are legally compelled to cooperate. The AT&T-CIA arrangement illustrates that such activities are not limited to the NSA, and that cooperation sometimes is voluntary.
While officials in Washington are discussing whether to rein in the NSA on American soil, governments in Europe are demanding more transparency from the companies and threatening greater restraints. AT&T is exploring a purchase of Vodafone, a European cellphone service provider, and European regulators and politicians have vowed to intensely scrutinize such a deal.
The history of the CIA program remains murky. It began sometime before 2010, and was stopped at some point but then was resumed, according to the officials. They said the House and Senate Intelligence Committees had been briefed about it.
While the NSA is separately vacuuming up call metadata abroad, most scrutiny in the United States has focused on its once-secret program that uses court orders to domestic phone companies under the Patriot Act to assemble a comprehensive database of Americans’ calls.
Some lawmakers have proposed modifying it to have the phone companies, not the NSA, control the data, similar to how the CIA has been operating.
Still, there may be limits to comparisons. The NSA is subject to court-imposed rules about the standard that must be met before its analysts may gain access to its database, which contains records from multiple providers. The CIA appears to have a freer hand, and officials said it had submitted significantly more queries to AT&T for data.
In addition, while both programs analyze cross-border calls of Americans, the NSA’s Patriot Act database does not include purely foreign calls, while AT&T does not use purely domestic calls in analyzing links for the CIA, officials said.
Absent an emergency, phone companies are usually legally forbidden to provide customers’ calling records to the government except in response to a subpoena or a court order, and the CIA has a mandate to focus overseas. Lawyers who reviewed the program, officials said, concluded that AT&T’s partial masking of American phone numbers satisfied those restrictions, citing a statutory exception to data privacy laws covering “the acquisition by the United States government of foreign intelligence information from international or foreign communications.”