DoJ Doc Reveals Cellphone Providers' Long, Long Memories
A DoJ document obtained by the ACLU details how long various U.S. cellphone companies keep track of user information like call details, which towers were used to relay a signal, bill copies and IP session information. The revelation has raised concerns among privacy advocates over the security of that information and how long it's kept on record.
Sep 30, 2011 10:18 AM PT
A recently revealed U.S. Department of Justice document has provided details about what kind of usage information is retained by the nation's largest mobile phone providers, as well as how long they retain it.
In some cases, information is stored for many years.
The document, a single-paged memo, was obtained by the North Carolina ACLU. The chapter was looking into North Carolina law enforcement activities and procured document as part of a Freedom of Information Act request.
What's Stored and When
It's a window into what information would be available from any given company to law enforcement agencies looking to track suspects or confirm alibis using phone records, tracking devices, Web-browsing habits or past text messages.
There are no set standards on which information gets saved or for how long, so wireless companies' policies on the matter vary widely. For instance, Verizon keeps a list of who a customer has shared text messages with for the shortest time -- one year. The period is 18 months for Sprint, five years for T-Mobile, and seven years for AT&T.
Verizon, though, does what other companies don't -- it keeps the content of the messages for five days, where the other providers simply have records of which contacts the messages went to.
Cell-site data, or tracking information, is another big point of difference between providers. The data lists a phone's connections to mobile-phone towers to show where the phone has been used across a certain period of time. The retention periods for cell-site data are not as straightforward as in other categories. For Verizon, that period is a one-year "rolling" basis, T-Mobile says it stores it for "a year or more," Sprint keeps it for up to two years and AT&T indefinitely, starting in July 2008.
None of the wireless providers responded to TechNewsWorld's requests for further comment.
Keeping It Private
Though privacy advocates sometimes view the practice as invasive, using information retained by cellphone service providers has been an effective tool for catching criminals or busting other illicit activity. Also, keeping tabs on customer habits and tendencies can be helpful for cellphone companies interested in how to better market their products.
The question becomes, then, how well companies can keep that data private, and how long they need to hold onto something before it will be of no use to law enforcement.
"Wireless carriers are just another vendor tracking the behavior of their users. The deeper issue with all types of online tracking is how transparent vendors are with their users about what kind of data they are collecting, how they are using it, and how it is protected," Tim Keanini, CTO for nCircle, told TechNewsWorld.
When using smartphones, consumers may be conducting an even greater amount of personal business via cellular networks, such as Web browsing or managing bills online. The question of security then becomes even more crucial. The question of a security breach doesn't become a matter of if, but when, and consumers need to be sure they are protected from major damage when that happens.
"It's only a matter of time before we experience a data breach at a wireless carrier. It's really inevitable when you consider how much this kind of data is worth to cybercriminals," said Keanini.
Security is part of the reason the ACLU and other consumer advocacy groups don't think the average consumer should have to worry about their wireless providers doubling as protection agencies.
"We were pretty surprised when we saw the charts because these private companies have pretty long retention policies. Cellphone companies are not only offering this information to local law enforcement, they're keeping it for a long period of time and really offering to share your services," Katy Parker, legal director for the North Carolina ACLU, told TechNewsWorld.
Law enforcement officials, however, say the information saved by phone companies is crucial and effective when tracking down and nailing criminals.
Consumer advocates don't deny the information can be helpful for public safety, but they insist the legal system is in place for that reason, and that the appropriate information should be accessible only when necessary.
"Of course it helps in certain situations, but the information ought to have probable cause. Law enforcement can go to court to get a warrant, which in many situations is not hard to do. There ought to be some check there to prevent just automatic response, such as pinging a cell phone to figure out where you are. There's no reason that there shouldn't be a warrant requirement," said Parker.
The North Carolina ACLU isn't sure how it's going to go forward with the information.
"Right now we're trying to figure out how we're going to process this information and proceed. Right now we want to at least make the public aware of what's going on," said Parker.