Where protecting your privacy is the ‘right thing to do.’
Shortly after WikiLeaks released a trove of classified government documents, a small Internet service provider (ISP) got a very serious-looking message from the U.S. government. Law enforcement officials wanted the ISP, Sonic, to turn over information it had about one of its customers: security researcher and former WikiLeaks spokesperson Jacob Appelbaum.
Headquartered in a sleepy corner of Northern California’s wine country, about an hour’s drive north of San Francisco, Sonic seems like an unlikely candidate to push back against an investigation into one of the biggest information-security breaches in U.S. government history. But that is precisely what the company did.
At first, Sonic tried to get a court to vacate the order (have it withdrawn) so the company wouldn’t have to comply. That didn’t work. The FBI’s subpoena was sealed, meaning that Sonic employees could face up to five years in prison for disclosing details, even to members of their own families. At the very least, Sonic didn’t want one of its customers—who hadn’t been charged with a crime—to have his data snooped on without being informed about it.
To Sonic CEO and cofounder Dane Jasper, the secrecy didn’t seem particularly fair, so the company challenged the gag order in court. While most of the details of the order are still under seal—Jasper can’t talk about them to this day—Sonic was able to make public that the Federal Bureau of Investigation requested information about Appelbaum, and the company ultimately turned over his data.
“[Challenging the order was] rather expensive, but we felt it was the right thing to do,” Jasper told the Wall Street Journal at the time.
This disclosure allowed Appelbaum to learn that his communications were being targeted, but it also helped Sonic establish a reputation as an ISP that’s fundamentally different than Comcast, Verizon, AT&T, and other national telecom giants. Sonic doesn’t just pitch its Internet service as being fast and cheap; it also wants to be known as the ISP that cares about your privacy.
That a tech company would tangle with the government on a surveillance request isn’t remarkable. Around the same time the government ordered Sonic to turn over information on Appelbaum, it also made demands on Twitter, which similarly pushed back against the Department of Justice’s demand for data relating to Appelbaum. For an ISP, however, it’s relatively rare.
In 2011, the Electronic Frontier Foundation (EFF) launched an annual scorecard called “Who Has Your Back?” The goals of the scorecard are many: inform users about which tech companies are doing a good job of protecting their personal data; encourage companies to adopt a set of best practices that includes fighting for users’ privacy rights before Congress and requiring law enforcement officials to have a warrant before the company turns over data; increase the publication of transparency reports; and establish a roadmap for young tech start-ups that care about privacy. The scorecard list includes firms like Google and Yahoo, but it also rates ISPs. Sonic is the only ISP to receive a perfect score, which it has received every single year.
“We included Sonic in the report … as a foil—essentially, as a counter-example to the big guys, like AT&T, Comcast, and Verizon,” said EFF Staff Attorney Nate Cardozo during a phone interview. “We wanted to show that a for-profit company can do business, and make good money, and still protect its users’ privacy.”
Sonic was founded in 1994 to sell dial-up Internet service. It evolved into a middleman between AT&T, which had the technical backbone for DSL, and around 70 service providers in California to provide Internet service to residential and business customers. In 2006, Sonic started offering its own vertically-integrated broadband service, which has now been deployed throughout 120 cities in the state. In recent years, the company, which boasts just over 200 employees, began rolling out gigabit fiber service near its home base in Sonoma County as well as in San Francisco’s Sunset District.
Compared with a behemoth like Comcast, which could grow its footprint to 30 million subscriber households across the country if its proposed merger with Time Warner Cable goes through, Sonic’s footprint is microscopic. But when serving as a model for other ISPs on how to conceptualize privacy, the company is an industry leader.
“One thing I would like to make really clear is that our goal is to protect the privacy of our law-abiding customers,” Jasper said during a phone interview. “We are not, nor do we want to be, a haven for those who seek to abuse others and break the law. We’re not a rogue entity. We are respectful of the law as it stands today.”
Jasper noted, however, that there are some parts of the law that are deeply problematic. He cited the use of National Security Letters and provisions of the PATRIOT Act that allow for the mass collection of the private electronic data of American citizens. Sonic recently joined with 42 other tech companies and nonprofit groups to send an open letter to the Obama administration calling for a reform of the PATRIOT Act that would end the bulk collection of the metadata of American citizens.
As evidenced by the Appelbaum case, Sonic makes a concerted effort to disclose any time it receives a government data request for customer information. Many ISPs don’t do this—possibly as a way to avoid the public relations headache that could come from having to send out letters to customers about how the government is spying on them.
Some of these information orders are officially sealed, whereas others don’t carry the same legal restrictions. Most subpoenas come with a fairly routine set of boilerplate language asking, but not mandating, the operators of the ISP not to disclose the existence of the subpoena. Sonic makes a point of always informing customers unless it is legally compelled not to do so. “I feel like compliance with … request is a dangerous precedent,” Jasper explained. “It may encourage privacy violations and overreach by law enforcement and investigators.”
A concern for privacy isn’t just embedded into Sonic’s corporate philosophy; it’s also built into the design of the company’s networks. There are essentially two different views about data collection in the tech industry. The largely dominant sentiment holds that data is power and collecting as much of it as possible, and retaining it for as long as possible, is the key to a company’s success in leveraging and monetizing that data. It’s why Google has amassed an estimated 10 exabytes of information to become the most successful advertising company in history.
Sonic, on the other hand, practices privacy by design. The company has a policy of only holding onto the IP addresses of most of its users for two weeks before deleting them. In addition to providing Internet service, Sonic is also a telephone company. As such, the law requires it to keep call records, such as who a given customer called and how long that call lasted (otherwise known as metadata), for 18 months. Customers who use static IP addresses have their records retained indefinitely. However, for most of Sonic’s customers, whose IP addresses can change dynamically as often as every few hours, Sonic’s system only records information for the shortest amount of time necessary to provide its services, according to Jasper.
The most common reason why Sonic holds onto customer data, at least for a short period of time, is to identify customers whose computers have been infected by malware and are unintentionally sending out spam emails or inadvertently participating in distributed denial-of-service attacks (DDoS). But there are also public safety concerns with erasing IP data immediately.
“I also don’t want to be in the position where a child is kidnapped and posts a Facebook update from an IP address, and the FBI comes to my office the next day, and I can’t isolate it,” Jasper said. “This is not black and white; there is a grey area here. As an organization, we try to make what feels like the right choice, both to ensure the privacy of our customers and also to assist law enforcement when it’s warranted.”
Even so, Sonic’s two-week retention period is out of the norm for ISPs. Many other players in the industry keep this type of information on their servers anywhere from 12 to 26 months. While some in the law enforcement community have advocated for holding requirements for individual IP addresses, there are no specific laws governing it. Jasper insisted that, if the law changed, he would comply with it, but he believes holding that information for longer than the bare minimum is irresponsible.
Sonic isn’t alone among ISPs in standing up for user privacy. XMission, a small Internet provider based in Utah, has successfully fended off a litany of government data requests on Fourth Amendment grounds since it opened its doors back in the mid-1990s. While some elected officials have attempted to label XMission as soft on crime, founder Pete Ashdown told the Guardian that the effects of a pro-privacy stance on the company have been largely positive. “I didn’t feel that I was in danger, or that my business suffered,” he said.
Both XMission and Sonic have found success by going to bat for privacy again and again—so what’s stopping the big players in the space from following suit?
On the EFF’s most recent scorecard, Comcast earned three stars out of a possible six, and AT&T only merited two. Cardozo speculates that the reason why larger telecoms are less bullish on privacy is because they don’t have to be.
In many markets around the country, the incumbent providers face very little, if any, competition—especially at higher download speeds. When Comcast, the nation’s largest ISP, announced its intention to acquire Time Warner Cable, the nation’s second-largest ISP, company executives argued that the merger wouldn’t stifle competition because the two companies don’t directly compete against each other anywhere in the country. This is intentional. Through a series of coordinated mergers in the late 1990s dubbed “The Summer of Love,” the big ISPs effectively sliced the country, city by city, to ensure relatively low levels of geographic competition.
For a small upstart provider like Sonic, proclaiming that the company will, within the boundaries of the law, fight to keep customer data secure, creates a selling point over the big guys.
However, as Cardozo notes, the split is also generational.
“I think the line between ISPs that care about user privacy and ones that don’t is a younger vs. older dichotomy. We have companies like Twitter that are suing the Department of Justice for their First Amendment right to disclose more about their national security process—that’s great! That’s the same mindset that Sonic is in, in a lot of ways. The telcos are essentially legacy monopolies, and companies like Sonic and XMission—and XMission might take offense to this, being based in Utah—but they’re Silicon Valley startups. They’re in that mindset. That Silicon Valley mindset puts users first in a way that old-school telco monopolies never have.”
While privacy isn’t the only issue that’s turned Comcast into the most-hated company in America, it’s definitely there in the mix. It’s a frustration with incumbent providers that Jasper sees being expressed in surprising ways.
“The FCC … got 4.3 million comments from consumers about net neutrality. Which is, at its core, about a dispute between content sources, like Netflix, and the terminating access monopolists, the edge providers who have the consumer eyeballs,” Jasper said. “I was surprised to see so much popular interest because it’s really a dispute between two large companies over whether or not Netflix is going to have to give a nickel to Comcast or whatever.”
“Consumers really spoke out, and I don’t think specifically they were trying to defend Netflix and other sources of content. I think it was an opportunity for consumers to really speak out about their frustration with having little or no choice [in ISPs],” Jasper added. “And that’s very, very encouraging to me. I saw that proceeding as being not just about net neutrality, but as a way for consumers to express their will. It gives me a lot of optimism for the future.”
Illustration by Jason Reed