A Delaware-based company that didn't exist 20 years ago has quietly become one of the major players in surveillance infrastructure — but they've been so under the radar that leading online privacy and security expert Chris Soghoian, a fellow at the Open Society Foundations, calls them the "Keyser Söze of surveillance." Meet Neustar, one of the most important companies you've never heard of.
Over 400 telecommunications companies go to Neustar when they want to outsource law enforcement data requests. While it's not known how many law enforcement requests for cell and VoIP data they get, consider the volume that one of their clients, Cricket, copped to: 116 a day on average, or 42,500 law enforcement requests last year.
On Monday, the New York Times reported that cell phone surveillance requests by law enforcement have grown massively. This past year, police and federal agents asked wireless carriers for access to data — including text messages, cell phone locations, wiretaps — 1.5 million times.
Neustar isn't a wireless carrier. But they are one of a number of companies that work in the background, providing part of the invisible network that undergirds all electronic communication. And sometimes it takes a specific issue, like how phone companies deal with law enforcement queries, to illuminate the big and complicated and potentially scary institutions hidden in plain sight.
Information gleaned from Neustar's latest SEC filing, as well as their own website, shows that they have their hands in many different pots, outsourced surveillance being only one of them.
The company was originally founded as a department inside aerospace giant Lockheed Martin, developed to help phone carriers assign phone numbers in a portable fashion — that is, letting people keep the same (landline) number even if they switched phone companies. Neustar was spun off in 1999 after the parent company bought a telecommunications company and concerns rose about its ability to maintain "neutrality." In 2003, the business changed again when Neustar introduced cellphone portability: the ability to keep your phone number across different carriers.
By then, Neustar had also gotten into the internet game, winning a contract to administer the ".biz" domain in Australia. (They would eventually control ".biz" and ".us," and are currently applying for over 300 new top-level domains, including ".nyc.") The company timeline details a series of acquisitions that leveraged its existing strength managing databases: buying Webmetrics, for instance, in 2008, gave it the ability to provide website management service to clients. More recently, they make money from providing web security services — a Neustar employee, Rodney Joffe, advises the White House on cybersecurity issues. In addition to issuing phone numbers, Neustar also provides caller-ID to United States carriers and, according to the SEC filing, "real-time identification and location services to over 1,000 businesses in the U.S. across multiple industries."
That's not even all Neustar does: They are also the people behind short codes (the five-digit text numbers often used to give donations, like the Red Cross or political campaigns) and UltraViolet, Hollywood's new DRM system for multi-platform cloud-based streaming.
Again, from the SEC filing:
With respect to our roles as the North American Numbering Plan Administrator, National Pooling Administrator, administrator of local number portability for the communications industry, operator of the sole authoritative registry for the .us and .biz Internet domain names, and operator of the sole authoritative registry for U.S. Common Short Codes, there are no other providers currently providing the services we offer.
All of these different arms of Neustar — especially their government contracts and access to huge consumer databases — worry security experts. "This is definitely an area that I want to do more research. [Their government contracts] seem problematic in context of their law enforcement requests," said Alan Butler, a lawyer and fellow at the Electronic Privacy Information Center (EPIC). "When you have repeat players that represent large swaths of the industry, you can imagine that they build a rapport [with law enforcement], especially when it's in their best interest to comply as much as possible to avoid any sort of extra cost or trouble for their client."
No one has alleged that Neustar has done anything wrong in its surveillance request business. According to company spokeswoman Susan Wade, they started processing law enforcement requests in 2005, after acquiring a company called Fiducianet whose sole business was handling such requests. (Conspiracy theorists, take note: Fiducianet was founded by an FBI veteran in 2002 and saw its profits grow as law enforcement got the power to monitor Internet-based VoIP like Skype, as well as phone communication.)
Wade declined to provide numbers on how many requests Neustar processes on behalf of their 400 clients but affirmed that they don't accept all of them. "Yes, we do reject — and have rejected — law enforcement requests on behalf of our customers where those requests do not comply with the applicable legal standards," she wrote in an email. "For example, if a warrant is required by law and we receive only a subpoena, the request will be rejected."
But, given the breadth of their business, Soghoian and others said that it was important for the company to give the public more information about the conditions under which they hand over customer information to all levels of government. "Neustar plays probably the most central role — Neustar is the first company that the government calls in every investigation," he said. Soghoian explained that in order to get a court order to access wireless or VoIP information, police need to find out which carrier the target uses — and, handily, Neustar runs a website for law enforcement to access just that information.
"By running that database, Neustar knows of every single phone number in the country," he said.
That doesn't, however, mean that Neustar is listening in on your phone calls or can do much more than route your phone number. In an emailed statement, Neustar's recently-appointed chief privacy officer Becky Burr emphasized their adherence to legal protocol. "In handling these requests, Neustar's experienced staff works closely with in house counsel and our client's legal staff if appropriate," she wrote. "Subpoenas and court orders are reviewed for accuracy and sufficient legal authority."
Watch enough George Clooney movies and every bland corporate giant begins to take on frightening properties. Certainly, it's not hard to find speculation on the internet that Neustar's relationship with law enforcement reaches to the NSA level.
Regardless, it's important to know about the Keyser Sözes of the world. The ability to protect your information is only possible if you understand who has it — and we all unwittingly put a lot of trust in Neustar's hands. As the Washington Post noted in a 2008 story, "Neustar is part of an evolving telecom industry that is creating caches of information attractive to the government without clear guidelines governing who may have access and under what circumstances."
And we will continue to have to trust Neustar: Their contract with the group that manages the phone numbering system, NPAC, was recently extended to 2017. Consider the words of company president Lisa Blow, on an earnings call earlier this year. "The U.S. NPAC is considered a critical component of U.S. telecommunications infrastructure and plays an active role in supporting a broad range of applications," she said. "Though not known to many, U.S. NPAC plays a key role in every one of our daily lives."
Update: Neustar has now decided to release their surveillance requests on the company blog. Over the past five years, they have gotten 57,000 law enforcement queries, with 12,500 in 2011 alone. They point out, though, that this pales in comparison to the 1.5 million from nine major phone carriers.