Overview
AT&T Inc. is the largest telecommunications company in the United States and one of the largest in the world, providing wireless services to approximately 87 million postpaid phone subscribers, broadband internet to over 14 million fiber subscribers, and legacy wireline services to millions more. Headquartered in Dallas, Texas, the company traces its lineage to Alexander Graham Bell's original telephone company and the Bell System monopoly that dominated American telecommunications for over a century before its court-ordered breakup in 1984.
The current AT&T was formed through a series of mergers: SBC Communications, itself a descendant of Southwestern Bell, acquired AT&T Corporation in 2005 for $16 billion and adopted the AT&T name. Subsequent acquisitions of BellSouth ($86 billion, 2006), DirecTV ($48.5 billion, 2015, later spun off in 2021), and Time Warner ($85 billion, 2018, later spun off as Warner Bros. Discovery in 2022) expanded AT&T into a massive media and telecommunications conglomerate before the company retreated to focus on core telecommunications in 2022 under CEO John Stankey.
AT&T reported $122.4 billion in revenue for 2023 and carries approximately $137 billion in long-term debt, making it one of the most indebted companies in the world. Despite divesting its media properties, AT&T remains one of the most data-rich companies in the world because telecommunications metadata (who calls whom, when, for how long, and from where) is among the most revealing categories of personal information in existence.
As former NSA General Counsel Stewart Baker has stated, "Metadata absolutely tells you everything about somebody's life. If you have enough metadata, you don't really need content." AT&T possesses more telecommunications metadata on American citizens than any other private entity in the world.
AT&T's privacy significance is inseparable from its role in the history of U.S. government surveillance. The company has the longest and most deeply documented record of cooperation with government intelligence programs of any American telecommunications company. From the warrantless wiretapping program exposed by AT&T technician Mark Klein in 2006 to the NSA's FAIRVIEW program documented in the Snowden disclosures in 2013 to the DEA's Hemisphere Project that provided access to trillions of phone records, AT&T has served as the primary private-sector partner for U.S. government communications surveillance for over two decades.
This history is not merely historical: AT&T's network infrastructure continues to serve as a collection point for government surveillance programs, and the legal frameworks established to immunize AT&T from liability for warrantless wiretapping (the FISA Amendments Act of 2008) remain in effect and have been repeatedly renewed by Congress.
The structural concern with AT&T is the convergence of two roles that create irreconcilable conflicts: the company is simultaneously the most important private-sector partner for U.S. government surveillance and a consumer-facing telecommunications provider obligated to protect subscriber privacy. AT&T cannot meaningfully advocate for subscriber privacy while operating as the NSA's most productive corporate partner, and the legal immunity framework ensures that this conflict never receives judicial scrutiny.
Data Collection Practices
AT&T's data collection spans wireless communications, broadband internet, and legacy wireline services, capturing some of the most intimate categories of personal information:
Call detail records (CDRs) represent the core of AT&T's data collection. For every phone call made on AT&T's network, the company generates and retains records including the originating number, destination number, call start time, call duration, cell tower locations for both parties (for wireless calls), and call disposition. For AT&T's approximately 87 million postpaid wireless subscribers and additional prepaid customers, this creates a comprehensive record of social relationships, daily routines, and physical movements.
The New York Times reported in 2013 that AT&T's databases contained records of trillions of phone calls, not just from AT&T's own customers but from calls that traversed AT&T's network from other carriers. AT&T retains CDR data for years, creating a historical archive of telecommunications metadata of extraordinary scope.
The scale of AT&T's CDR collection is difficult to overstate: as a Tier 1 internet backbone provider and one of the three largest wireless carriers, AT&T's switches process a substantial fraction of all telephone calls in the United States, including calls originating on or terminating to other carriers' networks. The Hemisphere database alone contained records dating back to 1987, a nearly four-decade archive of American telecommunications activity.
Cell-site location information (CSLI) is generated continuously by every mobile phone connected to AT&T's wireless network. As phones maintain connections to cell towers, AT&T generates location records that track subscriber movements throughout the day. Historical CSLI data can reconstruct a subscriber's movements over weeks, months, or years, revealing home and work locations, religious attendance, medical visits, political activities, and intimate associations.
The Supreme Court ruled in Carpenter v. United States (2018) that accessing seven or more days of historical CSLI requires a warrant, but AT&T's retention of this data and its availability to law enforcement with appropriate legal process remains a significant privacy concern. AT&T retains CSLI data for up to five years, creating an extensive historical archive of subscriber movements that can reconstruct years of physical activity with cell-tower-level granularity.
Real-time location tracking through AT&T's network is even more precise than historical CSLI. AT&T's Enhanced 911 (E911) infrastructure can locate subscribers to within 50-300 meters using cell tower triangulation, and modern devices with GPS provide meter-level accuracy. This capability is essential for emergency services but also available to law enforcement through court orders and, in some cases, emergency requests that do not require judicial approval.
Broadband internet metadata from AT&T's fiber and DSL services includes DNS queries, connection logs, bandwidth usage, and traffic metadata. Like other ISPs, AT&T can observe which domains subscribers visit, when they are online, and the volume and patterns of their internet activity.
AT&T's broadband data collection was particularly controversial when the company offered its "Internet Preferences" program (2013-2016), which charged fiber subscribers an additional $29-$70 per month unless they consented to having their browsing activity tracked for targeted advertising. This program effectively monetized privacy as a premium feature: subscribers who could not afford the surcharge had their browsing monitored by default. AT&T discontinued the program in 2016 amid regulatory pressure, but the episode revealed the company's view that browsing data had significant monetizable commercial value.
The Internet Preferences program was deployed across AT&T's U-verse and GigaPower fiber markets in cities including Austin, Dallas, and Kansas City. Privacy researchers noted that the program created a two-tier internet access model where wealthy subscribers could afford privacy while lower-income subscribers were subjected to surveillance, a form of economic discrimination in privacy that had no precedent in the broadband industry. The FCC's then-chairman Tom Wheeler publicly criticized the program as incompatible with consumer protection principles.
Location data sales to third parties became a national scandal when Motherboard (Vice News) reported in 2019 that AT&T, along with T-Mobile and Sprint, was selling real-time location data to data brokers who resold it to bounty hunters, bail bondsmen, and others without subscriber consent or knowledge. For as little as $300, a bounty hunter could obtain the real-time location of any AT&T wireless subscriber.
The location data flowed through a chain of intermediaries: AT&T sold to aggregators like LocationSmart and Zumigo, who sold to brokers, who sold to end users with no meaningful verification of purpose. The FCC proposed $57 million in fines against AT&T for these practices, but enforcement has been contested through administrative appeals.
The location data sales also demonstrated that telecommunications carriers' data sharing practices can have life-threatening consequences. In domestic violence and stalking cases, perpetrators could potentially use the same data broker chains to locate victims. The accessibility of real-time location data through commercial channels effectively undermined witness protection programs, domestic violence shelters, and any other safety measure that depends on physical location being private.
Advertising and analytics data is collected through AT&T's digital properties and mobile apps. The myAT&T app, AT&T TV app, and associated services collect device identifiers, usage patterns, location data, and browsing behavior. AT&T's privacy policy discloses that data may be shared with "affiliates, vendors, and third parties for advertising and analytics purposes", language broad enough to encompass virtually any commercial use of subscriber data.
DirecTV and video data (prior to the 2021 spinoff, and through the ongoing commercial relationship) include detailed viewing records for satellite and streaming subscribers. Under the Video Privacy Protection Act (VPPA), video viewing records receive special legal protection, but AT&T's retention and use of viewing data for advertising targeting within its ecosystem has been a persistent concern.
FirstNet first responder data creates a unique category of sensitive information. AT&T operates FirstNet, the nationwide public safety broadband network authorized by Congress after the September 11 attacks. FirstNet carries communications for police, fire, and EMS personnel, meaning AT&T processes sensitive law enforcement communications, emergency response data, and first responder location information.
Internet Preferences program (2013-2016) charged AT&T fiber subscribers an additional $29-$70 per month unless they consented to having their browsing activity tracked and used for targeted advertising. The program effectively created a two-tier privacy system where wealthier subscribers could buy privacy while lower-income subscribers were surveilled by default. The FCC criticized the program as incompatible with reasonable consumer expectations, and AT&T discontinued it in September 2016 under regulatory pressure, but not before operating it for three years.
DirecTV and video consumption data (collected during AT&T's ownership from 2015-2021 and through ongoing commercial relationships) encompassed viewing habits for approximately 15 million satellite subscribers. AT&T combined DirecTV viewing data with wireless subscriber data to create cross-platform profiles for its advertising division, Xandr (later sold to Microsoft in 2022 for an undisclosed sum). This integration demonstrated AT&T's strategy of combining telecommunications metadata with content consumption data for advertising monetization.
Connected car and IoT data from AT&T's role as a leading provider of cellular connectivity for automobiles and Internet of Things devices generates location and telemetry data from millions of connected vehicles and devices. AT&T provides cellular connectivity for approximately 74 million IoT connections, including connected cars from major manufacturers, fleet tracking systems, and industrial sensors, each generating location and usage data that flows through AT&T's network.
The connected car segment is particularly privacy-sensitive because vehicles equipped with AT&T cellular modems generate continuous location data, driving behavior telemetry (speed, braking, acceleration), and in some cases audio data from in-car voice assistants. AT&T's partnerships with automakers including Ford, General Motors, and others mean that the company processes location data for millions of vehicles whose drivers may not be aware that their car is transmitting data to AT&T.
Email and messaging metadata from AT&T's email services and messaging platforms creates additional data streams. While AT&T's consumer email service (att.net) is not as widely used as Gmail or Yahoo Mail, the company's enterprise email and unified communications services for business customers process significant volumes of corporate communications metadata.
Known Clients & Government Contracts
AT&T's government surveillance relationships are the most extensive and best-documented of any American telecommunications company, spanning signals intelligence, drug enforcement, and public safety:
NSA Room 641A and the FAIRVIEW Program represent the most significant documented case of warrantless government surveillance of American communications. In 2006, AT&T technician Mark Klein disclosed that the NSA had installed a secret room, Room 641A, at AT&T's Folsom Street switching facility in San Francisco. The room contained a fiber-optic splitter that copied all internet traffic flowing through the facility to NSA equipment, enabling the mass interception of domestic and international communications.
Klein's disclosure, first reported by the New York Times in 2005 and detailed in sworn declarations filed in the EFF's Hepting v. AT&T lawsuit, revealed that similar installations existed at AT&T facilities in Seattle, San Jose, Los Angeles, and San Diego. The program captured emails, web browsing, and VoIP calls of millions of Americans who were not targets of any investigation.
The Snowden documents (2013) later revealed that AT&T's cooperation with the NSA operated under the codename FAIRVIEW and was described internally by the NSA as the agency's most productive corporate partnership. NSA documents characterized AT&T as "highly collaborative" and noted that the company provided access to massive volumes of internet backbone traffic, foreign-to-foreign communications transiting U.S. switches, and metadata for billions of domestic communications.
A 2015 New York Times investigation based on Snowden documents detailed that AT&T had been providing the NSA with access to billions of emails flowing through its domestic networks since at least 2003. AT&T installed surveillance equipment at 17 or more of its internet hubs, enabled the NSA to access the content and metadata of email and internet traffic, and actively assisted the NSA in developing new surveillance capabilities.
The documents revealed that AT&T was the first company to begin turning over emails and internet data to the agency, starting in October 2001, less than a month after the September 11 attacks. The NSA described AT&T's cooperation as "highly collaborative," contrasting it favorably with the more guarded approach of other telecommunications companies. AT&T's compliance extended to providing technical assistance for "upstream" collection, tapping into the major internet backbone cables that carry domestic and international internet traffic through AT&T's infrastructure.
The legal fallout was resolved not through accountability but through immunity: Congress passed the FISA Amendments Act of 2008, which retroactively immunized AT&T and other telecommunications companies from civil liability for participating in warrantless surveillance. This legislation effectively terminated the EFF's lawsuit and established the legal framework for ongoing corporate participation in government surveillance programs.
DEA Hemisphere Project provides the Drug Enforcement Administration with access to AT&T's vast database of telephone metadata: records covering every call that passes through an AT&T switch, including calls from other carriers. The New York Times reported in 2013 that the Hemisphere database contained records of trillions of phone calls dating back to 1987.
The program is operated by AT&T employees working under government contracts, embedded within DEA offices and High Intensity Drug Trafficking Area (HIDTA) task forces. AT&T personnel, not government employees, query the database in response to law enforcement requests, operating with administrative subpoenas rather than warrants.
Hemisphere's scope is extraordinary: because AT&T's switches handle a significant portion of all U.S. telephone traffic (not just AT&T customers' calls), the database effectively functions as a comprehensive record of American telephone communications spanning decades. The program was deliberately structured to avoid public disclosure; law enforcement agencies were instructed to use "parallel construction" to conceal that Hemisphere was the source of investigative leads.
FirstNet public safety network was authorized by Congress in 2012 and awarded to AT&T in 2017. AT&T operates the nationwide broadband network for first responders, processing sensitive law enforcement, fire, and emergency medical communications. The contract, valued at approximately $46.5 billion over 25 years (including $6.5 billion in direct government funding), makes AT&T the infrastructure provider for American public safety communications.
Standard law enforcement compliance processes tens of thousands of requests annually. AT&T's transparency report for 2022 disclosed approximately 115,000 total demands from U.S. law enforcement, including subpoenas, court orders, warrants, and emergency requests. AT&T is the telecommunications provider that receives the highest volume of law enforcement requests in the United States.
Stingray / cell-site simulator cooperation: although this is not an AT&T-operated program, the company's network architecture must accommodate law enforcement use of IMSI catchers (commonly known as Stingrays), which mimic cell towers to intercept communications from nearby mobile devices. The relationship between AT&T and agencies deploying cell-site simulators involves technical cooperation that remains largely undisclosed. Harris Corporation Stingray devices are widely used by federal, state, and local law enforcement, and their operation on AT&T's network requires some degree of carrier awareness and accommodation.
Privacy Incidents & Litigation
2024 Mega-Breach (73 Million Customer Records): In March 2024, AT&T confirmed that a dataset containing personal information for approximately 73 million current and former customers had been published on a dark web hacking forum. The compromised data included full names, email addresses, mailing addresses, phone numbers, dates of birth, Social Security numbers, and AT&T account passcodes.
AT&T initially denied the data was from its systems when the dataset first appeared in 2021, attributing it to a third-party source. The company reversed this position in 2024, acknowledging that the data was legitimate and appeared to date from 2019 or earlier. The three-year delay between the data's initial appearance and AT&T's acknowledgment drew harsh criticism from cybersecurity researchers and affected customers. AT&T reset account passcodes for 7.6 million active customers and faced multiple class-action lawsuits.
The compromised account passcodes were particularly concerning because they consisted of four-digit PINs that AT&T used for account authentication, effectively functioning as secondary passwords that could be used to take over customer accounts, authorize SIM swaps, and access account information. Security researchers noted that storing four-digit PINs rather than more robust authentication credentials reflected a systemic underinvestment in security relative to the sensitivity of the data AT&T holds.
2024 Snowflake-Related Breach (Call/Text Records): In July 2024, AT&T disclosed a separate breach in which hackers accessed AT&T's Snowflake cloud data environment, obtaining call and text message records for "nearly all" of AT&T's approximately 110 million wireless customers covering a six-month period from May to October 2022 and January 2, 2023. The stolen data included telephone numbers of calls and texts, call durations, and cell site identification numbers that could be used to approximate locations.
This breach was particularly alarming because it captured the communications metadata (the social graph and location patterns) of virtually AT&T's entire wireless customer base. AT&T reportedly paid a hacker $370,000 to delete the stolen data, though security researchers noted that paying ransom provides no guarantee of deletion.
The breach originated through compromised credentials for AT&T's Snowflake cloud data warehouse account, which lacked multi-factor authentication. AT&T delayed public disclosure for over two months, citing an FBI request that early disclosure could pose a national security risk, an invocation of national security that raised questions about the relationship between AT&T's government partnerships and its breach disclosure obligations to customers. The DOJ granted AT&T two exemptions from the SEC's mandatory four-business-day breach disclosure rule.
NSA Warrantless Wiretapping (2001-ongoing): AT&T's participation in the NSA's warrantless surveillance program, exposed by Mark Klein in 2006 and further documented in the Snowden disclosures, represents the most extensive known case of a private company enabling warrantless government surveillance of American citizens. The program intercepted the content and metadata of billions of communications without individualized warrants or probable cause.
The legal immunity granted by the 2008 FISA Amendments Act prevented any judicial determination of whether AT&T's participation in the program violated federal wiretapping laws or the Fourth Amendment. This immunity remains in effect and has been renewed by Congress multiple times, most recently through Section 702 reauthorizations.
FTC Throttling Settlement ($60 Million, 2019): The FTC filed suit against AT&T in 2014, alleging that the company deceived customers who purchased "unlimited" data plans by severely throttling data speeds, by as much as 80-90%, after customers used relatively modest amounts of data. AT&T agreed to pay $60 million to settle the charges in 2019, the largest FTC data-throttling settlement at the time.
The FTC's complaint documented that AT&T throttled the data speeds of approximately 3.5 million customers who had purchased plans explicitly marketed as "unlimited." AT&T's throttling reduced speeds to levels that rendered video streaming, web browsing, and GPS navigation unusable, effectively punishing heavy data users while continuing to market plans as unlimited. The $60 million settlement was distributed as credits to affected customers.
Location Data Sales (FCC Proposed $57M Fine): The FCC proposed fines totaling approximately $57 million against AT&T in 2020 for selling subscriber real-time location data to aggregators who resold it to bounty hunters and others without subscriber consent. The location data supply chain (AT&T to LocationSmart/Zumigo to data brokers to end users) operated without meaningful oversight, enabling virtually anyone to locate any AT&T wireless subscriber for a few hundred dollars.
Hemisphere Project Secrecy (2013-ongoing): The DEA's Hemisphere Project, which provides access to AT&T's database of trillions of phone call records, was structured to avoid public disclosure. Law enforcement agencies using Hemisphere were instructed never to reveal the program's existence in court proceedings and to use "parallel construction", fabricating an alternative explanation for investigative leads derived from Hemisphere queries.
This deliberate concealment of surveillance methods from courts and defendants raises fundamental due process concerns. Defense attorneys cannot challenge evidence derived from a program whose existence is concealed from them, and judges cannot assess the constitutionality of a surveillance technique they do not know is being used.
AT&T's role in Hemisphere is unique among corporate surveillance partnerships: the company does not merely provide data; it employs dedicated AT&T analysts who are embedded in government offices, hold security clearances, and query AT&T's databases on behalf of law enforcement. This blurs the line between private corporate data and government surveillance capability, creating a hybrid public-private intelligence function that operates without the oversight mechanisms that would apply to either a purely governmental or purely private operation.
Mexico Operations Data Practices: AT&T Mexico (formerly Iusacell and Unefon, acquired as part of the 2015 DirecTV merger with Grupo Iusacell) serves approximately 22 million wireless subscribers in Mexico. Mexican telecommunications regulations regarding data retention, government access, and privacy differ from U.S. standards, and AT&T's data practices in Mexico operate under a regulatory framework that provides fewer privacy protections than U.S. law.
Mexico's Ley Federal de Telecomunicaciones requires telecommunications providers to retain metadata for 24 months and provide it to government authorities upon request. Given Mexico's documented use of commercial surveillance tools (including NSO Group's Pegasus spyware) against journalists and activists, AT&T's role as a major carrier in Mexico places it within a telecommunications surveillance ecosystem that has been used to target civil society.
Xandr Advertising Data Integration (2018-2022): AT&T's acquisition of AppNexus in 2018 (rebranded as Xandr) created an advertising technology platform that combined AT&T's telecommunications and television data with programmatic advertising capabilities. Xandr's platform used AT&T subscriber data to target advertising across connected television, mobile, and desktop platforms. AT&T sold Xandr to Microsoft in 2022, but during the four years of AT&T ownership, the platform demonstrated the company's intent to monetize subscriber data through advertising at scale.
Data Breach History (2014-2024): AT&T has disclosed multiple data breaches beyond the 2024 mega-breaches:
- 2014: Three separate breaches exposing customer SSNs and account information through unauthorized employee access at AT&T contractors in Mexico and Colombia, affecting approximately 280,000 customers
- 2015: $25 million FCC settlement for breaches at call centers in Mexico, Colombia, and the Philippines where employees sold customer data to third parties who used it for phone unlocking fraud
- 2019: Unauthorized SIM swaps enabling cryptocurrency theft from customer accounts, with insiders at AT&T stores paid bribes to execute the swaps
- 2023: Vendor breach affecting approximately 9 million wireless customer records through a compromised marketing vendor
SIM Swap Fraud (2018-ongoing): AT&T has faced multiple lawsuits from customers whose phone numbers were stolen through SIM swap attacks, where attackers convince carrier employees to transfer a victim's phone number to an attacker-controlled SIM card. In some documented cases, AT&T store employees were paid bribes of $100-$300 per swap by organized fraud rings. Victims have lost millions of dollars in cryptocurrency and experienced account takeovers across banking, email, and social media platforms. A 2021 class-action lawsuit alleged that AT&T's security practices were systematically inadequate to prevent insider-facilitated SIM swaps.
Threat Score Analysis
AT&T receives a composite threat score of 65/100, reflecting its central role in U.S. government surveillance infrastructure, a catastrophic breach record, and a history of monetizing subscriber data without meaningful consent:
- Data Collection (70/100): AT&T collects comprehensive telecommunications metadata including call detail records, cell-site location data, broadband usage, and text message records for approximately 87 million wireless and millions of broadband subscribers. The company's network infrastructure processes communications metadata for calls traversing its switches from other carriers, extending data collection far beyond its own subscriber base. The Hemisphere database demonstrates that AT&T retains call records dating back to 1987, decades of telecommunications metadata for a significant portion of all U.S. telephone traffic.
- Third-Party Sharing (72/100): AT&T's record of sharing subscriber data with government surveillance programs (NSA FAIRVIEW, DEA Hemisphere) and selling real-time location data to brokers who resold it to bounty hunters represents some of the most egregious third-party sharing documented for any telecommunications company. The location data sales scandal demonstrated that AT&T's data sharing practices operated without meaningful oversight: the company sold data that enabled virtually anyone to locate any subscriber in real time. The government surveillance partnerships share communications data at a scale and scope that exceeds any other documented corporate-government surveillance arrangement.
- Breach History (65/100): The 2024 breaches were catastrophic: 73 million customer records including Social Security numbers (March 2024), followed by call/text metadata for nearly all 110 million wireless customers (July 2024). The three-year delay in acknowledging the first breach and the payment of ransom for the second reflect deeply inadequate security governance. AT&T's breach record from 2014-2024 demonstrates a pattern of recurring security failures across internal systems, vendor relationships, and employee access controls.
- Government Contracts (60/100): AT&T's role in NSA warrantless wiretapping (Room 641A / FAIRVIEW), the DEA Hemisphere Project, and FirstNet represents the deepest documented telecommunications surveillance partnerships in U.S. history. The FAIRVIEW program was described by the NSA as its most productive corporate partnership. However, AT&T's government surveillance role is primarily as infrastructure provider and data source rather than as an active surveillance technology developer, which moderates this score relative to companies that build offensive surveillance tools.
- Transparency (40/100): AT&T publishes a transparency report and provides some disclosure of law enforcement request volumes. However, the company participated in secret warrantless surveillance for years before it was exposed by a whistleblower, the Hemisphere Project was deliberately structured to avoid judicial scrutiny through parallel construction, and the company denied the 2024 data breach for three years. AT&T's transparency is fundamentally compromised by its obligations under classified government programs that prohibit disclosure.
Weighted calculation: (70 * 0.25) + (72 * 0.25) + (65 * 0.20) + (60 * 0.15) + (40 * 0.15) = 17.5 + 18 + 13 + 9 + 6 = 63.5, adjusted to 65 due to AT&T's unique historical role as the primary corporate partner for NSA warrantless surveillance, the unprecedented scale of the 2024 breaches affecting the majority of all AT&T customers, and the Hemisphere Project's decades-spanning archive of trillions of phone records.
Transparency & Accountability
AT&T's transparency and accountability record is defined by a fundamental contradiction: the company publishes annual transparency reports while simultaneously participating in classified surveillance programs that are deliberately concealed from the public and the courts.
The company's participation in NSA warrantless wiretapping was not disclosed voluntarily; it was exposed by whistleblower Mark Klein in 2006, years after the program began. Rather than facing legal consequences, AT&T successfully lobbied Congress to pass retroactive legal immunity through the 2008 FISA Amendments Act, which terminated civil lawsuits and established that telecommunications companies could participate in warrantless surveillance without liability.
The DEA Hemisphere Project was structured with explicit instructions to conceal the program's existence from courts and defense attorneys through parallel construction, fabricating alternative investigative paths to explain evidence derived from the program. AT&T employees embedded in DEA offices queried the trillions-of-records database without judicial oversight, and the program operated for years before being disclosed by the New York Times in 2013.
AT&T's transparency report discloses the volume of law enforcement requests it receives, but the most consequential government data access (NSA surveillance programs and Hemisphere) operates outside the transparency report framework entirely. National Security Letter reporting is limited to broad ranges that obscure the actual scope of government access.
The company's handling of the 2024 data breaches demonstrated accountability failures: AT&T denied the 73-million-record breach for three years before acknowledging it, and reportedly paid $370,000 in ransom to hackers in an attempt to delete stolen call/text metadata rather than immediately disclosing the breach to affected customers.
AT&T's lobbying expenditure, approximately $12 million annually in federal lobbying, is directed substantially toward shaping telecommunications regulation, privacy legislation, and surveillance law. The company has consistently supported legal frameworks that provide immunity for corporate participation in government surveillance while opposing privacy regulations that would restrict its commercial data practices.
The structural challenge with AT&T's accountability is that its most consequential privacy impacts, namely enabling mass government surveillance of domestic communications, are protected by legal immunity, classification rules, and gag orders that prevent meaningful public scrutiny. The 2008 FISA Amendments Act did not merely immunize past conduct; it created a legal framework under which AT&T can continue participating in surveillance programs without risk of civil liability, effectively insulating the most invasive government-corporate surveillance partnership from accountability.
AT&T's response to privacy incidents follows a consistent pattern: deny, delay, minimize, and settle. The company denied the 2024 breach for years, denied throttling unlimited data until the FTC sued, and settled location data sales complaints without admitting wrongdoing. This pattern suggests that AT&T's privacy compliance is driven primarily by enforcement risk rather than institutional commitment to subscriber privacy.
The cumulative effect of AT&T's transparency failures is a telecommunications company whose most consequential privacy impacts are invisible to the public and immune from judicial review. The NSA partnerships operate under classification, the Hemisphere Project operates under deliberate concealment, the FISA Court orders operate under seal, and the company's responses to public breaches are characterized by denial and delay. For a company that processes the most intimate details of over 100 million Americans' communications, this level of opacity is a structural threat to democratic accountability.
AT&T's status as a former regulated monopoly, and its continued dominance as one of only three major U.S. wireless carriers, means that subscribers cannot meaningfully withhold consent. The telecommunications market is an oligopoly where all three major carriers (AT&T, Verizon, T-Mobile) participate in government surveillance programs and have histories of privacy violations. Switching carriers does not escape the surveillance infrastructure; it merely changes which corporate partner processes your data for the same government programs.
The concentration of the U.S. wireless market means that genuine privacy competition is impossible within the existing carrier structure. AT&T, Verizon, and T-Mobile collectively control over 98% of U.S. wireless subscribers, and all three operate under the same legal frameworks that mandate government surveillance cooperation. This oligopoly structure ensures that the privacy floor for American telecommunications is set by government surveillance requirements rather than by market competition or consumer choice.