The Federal Communications Commission should repeal a rule requiring telephone providers to retain customer phone data for a year and a half, according to a coalition of privacy and civil liberties groups, who allege the outdated requirement serves no purpose other than providing a bank of personal information from which intelligence agencies, law enforcement and hackers can withdraw.
The Electronic Privacy Information Center (EPIC) filed a petition with the FCC Tuesday asking the agency to end telecommunications companies’ requirement to store 18 months of customers’ call data, including names, addresses, dialed numbers, and the dates, times and lengths of telephone calls.
“[T]he rule requiring mass retention of phone records exposes consumers to data breaches, stifles innovation, reduces market competition, and threatens fundamental privacy rights,” EPIC wrote in the petition undersigned by digital privacy groups including the Electronic Frontier Foundation, Fight for the Future, TechFreedom and others.
“The FCC’s data retention mandate implicates substantial privacy and civil liberties interests for millions of Americans.”
According to the mandate, providers must retain such records to verify billing charges, but when the FCC suggested doing away with the rule in 1985, when the required length of retention was only six months, the Department of Justice stepped in.
“[T]elephone toll records are often essential to the successful investigation and prosecution of today’s sophisticated criminal conspiracies . . .” the DOJ said at the time, despite recommendations from telecom providers for law enforcement to request specific records be kept for investigation targets on a case-by-case basis.
Providers said retention beyond six months was unnecessary, and the elimination of the requirement would allow them to build more efficient record-keeping systems. Despite the recommendations, the FCC sided with the DOJ.
The shift in technology over the last 30 years makes the requirement unnecessary by today’s standards, according to petitioners, as most providers have moved away from traditional billing models based on individual calls and toll records and instead bill based on contracted plans for minutes and data.
“Many years later, it is abundantly clear that the 18-month data retention rule serves no purpose,” EPIC wrote. “As the DOJ itself acknowledged in 2006, ‘the efficacy of the commission’s current Section 42.6 requirement to meet law enforcement needs has been significantly eroded.’”
As companies move away from classic billing, non-toll record structures and toward today’s flat-rate, non-measured and bundled service plans, there’s more opportunity for telecoms to develop smarter, more cost-efficient record-keeping systems, according to the group.
“These telephone records not only show who consumers call and when, but can also reveal intimate details about consumers’ daily lives,” EPIC said. “These records reveal close contacts and associates, and confidential relationships between individuals and their attorneys, doctors, or elected representatives.”
Since the FCC rule in question does not limit the retention of records to ongoing investigations, and now that 90 percent of American adults carry cell phones, “this equates to sensitive data being retained for nearly every American adult, even when they are under no suspicion of wrongdoing,” the group argued.
“Such mass retention of sensitive data of the American people, and subsequent access by the government has a chilling effect.”
Petitioners pointed to a recent federal district court case, Klayman v. Obama, in which the court said telecommunications companies were doing a disservice to the privacy interests of consumers by collecting records and turning over the metadata gleaned to the federal government.
The so-called “215 Program” revealed by former NSA contractor Edward Snowden in 2013 was ruled illegal by a federal appeals court earlier this year, and dismantled in Congress.
The practice of big data retention itself puts consumers at risk, according to the group, which highlighted the recent hack at the Office of Personnel Management and compromise of 21.5 million Americans’ data as the most timely example of the danger posed by storing sensitive information where hackers know to look for it.
“The risk of breaches will increase as more sensitive data is retained,” EPIC wrote. “The best strategy to reduce the risk of an attack and to minimize the harm when such attacks do occur is to collect less sensitive personal information at the outset.”
Petitioners noted the FCC itself imposes standards and fines for protecting or failing to protect consumer data, and as such, should hear public comment on and repeal the data retention requirement.
“The mandatory retention of call toll records under Section 42.6 violates the fundamental right to privacy,” the petition states. “It exposes consumers to data breaches, stifles innovation, and reduces market competition. It is outdated and ineffective. It is not necessary or proportionate for a democratic society.”