Mo’ data, mo’ problems: Data retention rears ugly head in U.S. surveillance reform debate

Much of the press and political attention in the wake of the Snowden era has focused on the bulk telephone metadata collection program, which requires telecom operators to turn over all call detail records on an “ongoing, daily basis” to the NSA. While President Obama has pledged to “end this program as we know it,” a mandatory data retention requirement could be placed into the USA FREEDOM Act by members of the Senate Select Committee on Intelligence, which would effectively perpetuate this rights-abusing government surveillance program. Indeed, during a recent open hearing, Senators Dianne Feinstein (the Committee’s Chair), Saxby Chambliss (the Committee’s Vice Chair), Angus King, and Susan Collins appeared eager to insert such a provision into the bill.

Although USA FREEDOM as passed by the full House of Representatives was substantially weaker than the version that was passed unanimously by the House Judiciary and Intelligence Committees, the bill did manage to pass without the inclusion of a mandatory data retention provision. Given the Administration’s involvement in last-minute changes to the bill, the lack of a data retention mandate in the House-passed version signals that this issue is not a priority for the intelligence community. Yet, the U.S. Senate is considering shifting data retention from the government to private companies, in effect “privatizing” the mechanism that would continue to allow for pervasive government surveillance and access to data.

Access opposes the addition of a data retention provision, which would not serve the goal of real surveillance reform and would be a significant step backward for privacy, freedom of expression, and related rights. Indeed, collecting all user data effectively turns all citizens into suspects, a position at odds with human rights law.

Data retention and the USA FREEDOM Act

Already, the amended USA FREEDOM Act would increase the number of calls the government has access to because the bill would apply to all U.S. telcos and to both wire and wireless calls. Inserting a data retention mandate would further increase the amount of information subject to government orders.

Telcos have voiced their opposition to mandatory retention proposals. Verizon recently went so far as to assert that it is a “basic principle” that companies should not be forced to retain more or different data than is necessary for business purposes. The prepared statement of Michael Woods, Verizon’s representative at the Senate Intelligence hearing on USA FREEDOM, emphasized the cost, technological difficulties, and general “inappropriateness” of outsourcing government surveillance functions. As Woods highlighted, given that companies’ data retention policies vary, a data retention mandate for these services would require that telcos fill expensive data centers with extraneous data, which would negatively impact both users’ privacy and the telcos’ bottom lines. This position is in line with one of the standards articulated in the International Principles on the Application of Human Rights Law to Communications Surveillance: “A priori data retention or collection should never be required of service providers.”

Although not yet delineated, any proposed USA FREEDOM Act mandate would also presumably include more expansive data retention requirements for telcos than the FCC’s current requirements, which exclude calls made on unlimited plans, and the House’s amended version of the USA FREEDOM Act, which excludes call content or location information.

How we got here: Past data retention law by U.S. telcos and the NSA

U.S. telcos do not have a common approach to data retention, even for one type of data like call detail records, which include at minimum the origin, destination, date, time and duration of calls. The timeframes for call data retention policies of U.S. telcos vary widely, ranging anywhere from six months to five years.

Existing law governing telecommunications data is not much clearer. Under an FCC regulation adopted in 1986, 47 CFR 42.6, telephone companies must retain toll call billing records for eighteen months. The scope of the regulation includes toll call subscriber and call metadata, defined as “the name, address, and telephone number of the caller, telephone number called, date, time and length of the call.” However, many subscribers today do not pay by the call, but rather by unlimited phone plan contracts, so they do not clearly fall under this regulation.

Interestingly, it is unclear whether U.S. law enforcement agencies find the FCC regulation necessary. While the DOJ supported the FCC regulation on data retention in 1985 as “often essential” to investigating and prosecuting “terrorism” and “espionage,” in 2006 the DOJ did not press the FCC to extend the retention period. Essentially, the DOJ abandoned the opportunity to publicly express the importance of retaining phone records, perhaps because it was already getting them directly from providers through secret FISA Court orders.

Due to the current absence of a mandatory data retention law, the NSA enforces de facto data retention of U.S. telephony data by holding onto the call detail records (CDRs) it bulk collects from telcos under requests made pursuant to Section 215 of the USA Patriot Act. There are some limits to this retention: since at least 2006, the Foreign Intelligence Surveillance Court (FISC) has told the NSA to destroy these records after five years. In January 2014, this requirement was codified in FISC Judge Reggie Walton’s Primary Order as one of several safeguards, or “minimization procedures.” Incredibly, the NSA fought even this modest restriction, but lost in court last March.

In his March ruling against the NSA’s motion to extend retention periods, Judge Walton found that the NSA’s proposal “would further infringe on the privacy interests of United States persons” whose records were collected. Longer retention yields more problems: “Extending the period of retention for these voluminous records increases the risk that information about United States persons may be improperly used or disseminated.” Judge Walton found that those records contained little evidence of wrongdoing as “the great majority of these individuals have never been the subject of investigation” for terrorism or intelligence purposes.

The rise and fall of data retention directives

The calls for data retention in the U.S. go back more than a decade, when then-Deputy Attorney General Eric Holder proposed “certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement.” In 2006, the same year the now-defunct European data retention directive was passed, the International Association of Chiefs of Police called for mandatory retention of both ISP and telephony communications data. In 2011, several hearings were held in the U.S. Congress on data retention as a tool to fight child pornography and other online crimes. These efforts were highly contentious, and did not result in data retention legislation.

Throughout this time, civil society groups and think tanks like the Cato Institute have opposed the expansion of mandatory data retention, highlighting its negative impact on both fundamental rights and the economy. Further, many policymakers outside the U.S. are now critical of forced data retention, claiming that it is unnecessary and disproportionately invasive. Earlier this year, the Court of Justice of the European Union found that data retention seriously interfered with fundamental rights, and struck down the EU’s Data Retention Directive. The CJEU found that the mandate violated the European Charter of Fundamental Rights and was of questionable utility in combating terrorism. In spite of this sea change, certain members of the Senate appear staunchly committed to tacking a data retention directive onto the USA FREEDOM Act.

Access’ stance and alternatives

As the U.S. Privacy and Civil Liberties Oversight Board (PCLOB) has noted, data retention requirements for third parties such as telecoms “would pose difficult questions of liability, accountability, oversight, mission creep, and data security, among others.” Data retention could lead to potential abuse, theft or other unlawful transfer, problems that are only worsened the longer data are retained. Moreover, with this threat to privacy looming in the background, users are less likely to express themselves freely online.

Access supports efforts to clarify what is currently required of telcos under U.S. law, but stands firm that data retention by private parties should never be mandated by law. Real reforms are urgently needed to rein in NSA spying and to align U.S. laws with the country’s international obligations on human rights. In this effort, we point lawmakers to the International Principles on the Application of Human Rights Law to Communications Surveillance, a comprehensive guide to crafting necessary and proportionate rules that protect rights of users at risk worldwide.