Consumer advocates have asked the Federal Communications Commission (FCC) to declare that AT&T violated a privacy rule in the Communications Act by selling phone records to the Central Intelligence Agency (CIA).

A report last month said that "AT&T has turned over international calling records to the CIA. The telecom charges the CIA more than $10 million per year in exchange for access to metadata about calls by suspected terrorists overseas."

In response, a group of consumer advocacy groups led by Public Knowledge filed a petition today with the FCC.

Appealing to the FCC is a new tactic against government collection of calling records. Previously, privacy advocates have tried to shut down the phone collection by filing lawsuits, including one in the Supreme Court.

"We filed a Petition for Declaratory Ruling at the FCC asking it to declare that the types of records AT&T is reportedly selling to the government are protected under Section 222," a part of the Communications Act that "tells carriers that with few exceptions, they have to get customers’ consent before they can share 'customer proprietary network information,' or 'CPNI,'" Public Knowledge Staff Attorney Laura Moy wrote in a blog post.

Public Knowledge's petition calls out AT&T as being "in Violation of Section 222 because it sells individually identifiable call records to the CIA, Companies, and Other Entities Without Customers’ Consent." And unsurprisingly, the practice may not be limited to AT&T.

"[T]he sale of CPNI to the government isn’t our only concern—when we did a little more poking around, we found that all four major mobile carriers (AT&T, Sprint, T-Mobile, and Verizon) have privacy policies that indicate they believe it is OK to sell or share similar records to anyone," Moy wrote. "We don’t know whether or not they actually are selling CPNI, but the fact that they think they can is alarming."

We've contacted the FCC, AT&T, Verizon, T-Mobile, and Sprint about Public Knowledge's complaint.

We haven't heard from most of them, but T-Mobile responded: "T-Mobile appreciates the concerns expressed by Public Knowledge in its petition, and we will provide input when it is put out for comment. We would clarify that T-Mobile follows all laws governing Customer Proprietary Network Information (CPNI) and provides annual reports to the FCC regarding regulatory compliance in this area. We do not sell personally identifiable CPNI data to third parties except in three cases: 1) we obtain the user’s consent; 2) we provide it in aggregate form; or 3) we anonymize the data."

Sprint declined to comment.

AT&T's sale of the data to the CIA was revealed in the New York Times on November 7. As we explained in our previous coverage, AT&T retains the call metadata but "performs searches against its databases for specific phone numbers upon request from the CIA... Unlike the NSA's metadata collection from telephone companies, the CIA's relationship with AT&T is not under a warrant, as it focuses on overseas calls not necessarily covered by the Foreign Intelligence Surveillance Act or the Patriot Act."

"In all cases, whenever any governmental entity anywhere seeks information from us, we ensure that the request and our response are completely lawful and proper," AT&T told Ars last month. "We ensure that we maintain customer information in compliance with the laws of the United States and other countries where information may be maintained. Like all telecom providers, we routinely charge governments for producing the information provided. We do not comment on questions concerning national security."

Public Knowledge said the call data shouldn't be shared even if carriers purge the logs of names and phone numbers but predicted that carriers will argue that it's not a violation because data is anonymized.

"We think the pushback will come from carriers claiming that they always 'anonymize' CPNI before they share it," Moy wrote. "For example, according to the Times article, AT&T 'masks' several digits of Americans’ phone numbers before sharing records with the CIA. But we don’t think anonymizing records exempts them from Section 222 protections... Even after personal identifiers have been removed from a dataset, sufficient information that is not traditionally thought of as personally identifiable often remains to 're-identify' specific people... [R]ecently, researchers succeeded in using publicly available information to identify Netflix subscribers in a dataset of movie ratings from which personal identifiers had been removed. 'Removing identifying information is not sufficient for anonymity,' the researchers explained. And earlier this year, researchers used a dataset of 'anonymized' location data from an unidentified mobile phone carrier to demonstrate that 95 percent of individual users could be uniquely identified using just four location data points."

Public Knowledge asked the FCC to issue a declaratory ruling stating AT&T, Verizon, Sprint, and T-Mobile must not sell the records in question without customers' consent.

Here's a look at the full complaint to the FCC: