A recent story on rawstory.com highlights the rather disturbing and frightening data retention policies of two major phone carriers. Verizon and Virgin Mobile both keep the content of text messages after they are sent; the former for a mere “3 to 5 days”, but Virgin Mobile keeps around text message content for a staggering 90 days (but thankfully requires a search warrant for law enforcement agencies to get copies).
The story links this chart from the Department of Justice obtained by the ACLU. The numbers that texts are sent to and received from is one thing, but those shouldn’t even be kept for longer than is necessary to resolve billing disputes.
Also quite horrifying, is the length of time cell tower information is kept by certain carriers. Perhaps the worst offender here is AT&T, which merely states “from July 2008” and has no upper end on how long they will keep the information such as one year, two years, three years, five years, etc. Ideally, this information should not normally be kept beyond, say, a week up to a month, maybe longer when absolutely necessary for the express purpose of troubleshooting (such as while repairing a tower that drops a statistically significant number of calls higher than average), and securely deleted as soon as it’s no longer needed.
Perhaps the worst part of this story is that each company appears to have one area in which they are keeping certain records way too long, undermining most attempts to preserve privacy by switching companies. AT&T hangs on to store surveillance videos for 2 months, clearly not necessary if T-Mobile only keeps them two weeks (and then there’s Sprint, who doesn’t reassure me at all with their “depends” response, which could mean they’re buying hard drives every year to archive surveillance video indefinitely). Sprint (including Nextel and Virgin Mobile) keep call detail information the longest, and have no upper end on subscriber information retention (scary, as I was once a Sprint customer). Verizon keeps IP session information for a whole year, and IP destination information for 90 days, while Sprint keeps both for 60 days; however, it’s clearly not necessary to keep either if AT&T, T-Mobile, and Virgin Mobile don’t keep that information at all.
In response to receiving this document, ACLU affiliates in 32 states filed requests for information with local law enforcement agencies seeking to uncover exactly how they are using this information to track Americans. Unfortunately, Texas is not one of those states, and I am trying to find out why.
If there are legal minimum requirements for keeping information, that’s one thing. However, companies need to be held accountable when they make record retention decisions that have a potentially deleterious effect on customer privacy. Judging by the diverse range of record retention times, there appear to be no legal minimums for many categories. If anything, in the age where landline use is seen as antiquated, the laws should be revised to protect the privacy of wireless phone subscribers.
I will likely be following up with the most interesting parts of what the ACLU and ACLU affiliates find out regarding their requests for information, as well as what I find out, if anything, regarding Texas. It may not be for several months, though I will endeavor to post incremental followups if I uncover something particularly important or interesting.