Earthlink’s First Chief Privacy Officer on Balancing Customer Privacy Concerns with Governmental Regulation

Earthlink named Les Seagraves, a lawyer by training, its first chief privacy officer in December, charging him with overseeing all privacy matters in the company and responding to its customers privacy concerns. Last year the FBI served Earthlink?the nation’s number-two ISP?with a court order to install the e-mail surveillance tool Carnivore on its network. Earthlink sued?and lost?but the case sparked a public outcry from privacy advocates. The Internet wiretap technology is designed to sit on an ISP’s e-mail server and filter incoming and outgoing mail in search of addresses that are the target of an investigation. Earthlink eventually came to an agreement with the FBI in which the ISP can avoid using Carnivore, but the debate rages on.

CIO: What were Earthlink’s original concerns with Carnivore?

Seagraves: Our first concern was that we didn’t know exactly what Carnivore did. We were approached to put this on our system, but we couldn’t look at it beforehand. We had no idea about the risks involved. The second concern was from a legal standpoint. We felt that the trap-and-trace order it came under was old and applied to regular telephone conversations but maybe not to e-mail. The main thing was that we control our network, and this wasn’t under our control.

What happened when you tried to install Carnivore at Earthlink?

In order to test the system, we put it on a mail server, which brought it to a halt. We began to challenge Carnivore legally. Now if we get a similar court order for information, we have an agreement with the FBI that they will give us the target addresses and we will figure out a way to get only those messages. In that way, we have total control over it, and we can get what the law requires and still protect our other customers’ privacy as much as possible.

Are companies trying to gather information without infringing on people’s rights?

I’m sure that most companies with the technical resources are doing so. My concern is that smaller companies and ISPs that may not have either the time or the capability to do it would be pressured to install Carnivore without knowing what it is or how it works. No one really knows how it works. The FBI hasn’t let anyone really look at it.

Why haven’t CIOs been more vocal?

They have to balance customer privacy and legal compliance with criminal investigations. Many companies are dealing with it, but it’s not something they want to make a lot of noise about. Companies are waiting to see how the Bush administration will deal with this question.