It turns out AT&T (News - Alert) is not the only company which has a policy which lets them sell users’ call data. In their case, it went to none other than the CIA, news reports have claimed.

Public Knowledge, a national advocacy group for consumers, is claiming Sprint, T-Mobile (News - Alert) and Verizon also have company policies on privacy which let them sell or even share “similar records to anyone.” What they do is “reserve the right to do so,” the group charges.

It all relates to what the industry calls “customer proprietary network information” (CPNI).

“We don’t know whether or not they actually are selling CPNI, but the fact that they think they can is alarming,” Public Knowledge (News - Alert) said in a recent blog post about the companies’ actions.

Because the alleged sale of information to the CIA by AT&T was done without permission from the customers involved, Public Knowledge says it violates Section 222 of the U.S. Communications Act. Laura Moy, a staff attorney with Public Knowledge, explains that Section 222 says carriers almost always have to get permission from customers before they can share any CPNI.

Public Knowledge has decided to ask for a ruling by the FCC (News - Alert) on the issue. Joining with it on the move sounds like a who’s who of consumer and privacy advocates. It includes the Benton Foundation, Center for Digital Democracy, Center for Media Justice, Common Cause, Consumer Action (News - Alert), Electronic Frontier Foundation, Electronic Privacy Information Center, Free Press, New America Foundation’s Open Technology Institute and the U.S. PIRG. A lot is at stake, the groups claim.

“Given the increasing ease with which datasets purged of personally identifying information can be re-identified, pseudonymous non-aggregate call records must be considered individually identifiable CPNI even if ‘individually identifiable’ is interpreted to mean personally identifiable,” Public Knowledge stated in its filing with the FCC. “This is especially so if identifying details pertaining to international calls are not removed from the records.”

In response, carriers claim they “anonymize” CPNI – with AT&T masking some of the phone numbers of digits before phone records wound over at the CIA, according to The New York Times.

AT&T’s privacy policy says the company “may share” both “anonymous” and aggregate data “with other companies and entities.” To render data “anonymous,” AT&T “remove[s] data fields . . . that can reasonably be used to identify you” and also “use[s] statistical techniques and operational controls to anonymize data,” according to statements quoted by Public Knowledge.

Moy responds that those steps are insufficient and points out that the logs still contain information which can be used to re-identify people. In 2000, Latayna Sweeney, now the Federal Trade Commission’s chief technologist, showed how “87 percent of the US population can be uniquely specified by knowledge of his or her 5-digit ZIP code of residence, gender and date of birth.” More recently, University of Texas researchers were able to use publicly available information to identify Netflix subscribers in a dataset of movie ratings after which personal identifiers were removed.

On its part, AT&T has gotten some decent revenue for handing over international calling records to the CIA. The CIA is paying the company more than $10 million a year, news reports said.

The information may relate to the agency’s investigation of supposed terrorists and could include calls made in the United States to foreign nations. AT&T apparently was not forced to turn over the records by subpoenas or court orders. Instead, the CIA gave the company phone numbers of terrorism suspects from other nations, and AT&T willingly searched databases for records “that may help identify foreign associates,” The Times reported, quoting unnamed officials. The information was described as “metadata” rather than the content contained in phone conversations.

In response to its connection to the issue, T-Mobile issued a statement. Other carriers have been largely silent.

"T-Mobile appreciates the concerns expressed by Public Knowledge in its petition, and we will provide input when it is put out for comment,” the company statement said. “We would clarify that T-Mobile follows all laws governing Customer Proprietary Network Information (CPNI) and provides annual reports to the FCC regarding regulatory compliance in this area. We do not sell personally identifiable CPNI data to third parties except in three cases: 1) we obtain the user’s consent; 2) we provide it in aggregate form; or 3) we anonymize the data."

And what is AT&T saying in recent weeks about the issue?

"In all cases, whenever any governmental entity anywhere seeks information from us, we ensure that the request and our response are completely lawful and proper," AT&T told Ars Technica in a statement released last month. "We ensure that we maintain customer information in compliance with the laws of the United States and other countries where information may be maintained. Like all telecom providers, we routinely charge governments for producing the information provided. We do not comment on questions concerning national security."

Last month, Mark Siegel, an AT&T spokesman, also told The Times: “We value our customers’ privacy and work hard to protect it by ensuring compliance with the law in all respects. We do not comment on questions concerning national security.”