The nation’s major mobile-phone providers are keeping a treasure trove of sensitive data on their customers, according to newly-released Justice Department internal memo that for the first time reveals the data retention policies of America’s largest telecoms.
The single-page Department of Justice document, “Retention Periods of Major Cellular Service Providers,” (.pdf) is a guide for law enforcement agencies looking to get information — like customer IP addresses, call logs, text messages and web surfing habits – out of U.S. telecom companies, including AT&T, Sprint, T-Mobile and Verizon.
The document, marked “Law Enforcement Use Only” and dated August 2010, illustrates there are some significant differences in how long carriers retain your data.
Verizon, for example, keeps a list of everyone you’ve exchanged text messages with for the past year, according to the document. But T-Mobile stores the same data up to five years. It’s 18 months for Sprint, and seven years for AT&T.
That makes Verizon appear to have the most privacy-friendly policy. Except that Verizon is alone in retaining the actual contents of text messages. It allegedly stores the messages for five days, while T-Mobile, AT&T, and Sprint don’t store them at all.
The document was unearthed by the American Civil Liberties Union of North Carolina via a Freedom of Information Act claim. (After the group gave a copy to Wired.com, we also discovered it in two other places on the internet by searching its title.)
“People who are upset that Facebook is storing all their information should be really concerned that their cell phone is tracking them everywhere they’ve been,” said Catherine Crump, an ACLU staff attorney. “The government has this information because it wants to engage in surveillance.”
The biggest difference in retention surrounds so-called cell-site data. That is information detailing a phone’s movement history via its connections to mobile phone towers while its traveling.
Verizon keeps that data on a one-year rolling basis; T-Mobile for “a year or more;” Sprint up to two years, and AT&T indefinitely, from July 2008.
The document also includes retention policies for Nextel and Virgin Mobile. They have folded into the Sprint network.
The document release comes two months before the Supreme Court hears a case testing the government’s argument that it may use GPS devices to monitor a suspect’s every movement without a warrant. And the disclosure comes a month ahead of the 25th anniversary of the Electronic Privacy Communications Act, an outdated law that the government often invokes against targets to obtain, without a warrant, the data the Justice Department document describes.
“I don’t think there there is anything on this list the government would concede requires a warrant,” said Kevin Bankston, a staff attorney with the Electronic Frontier Foundation. “This brings cellular retention practices out of the shadows, so we can have a rational discussion about how the law needs to be changed when it comes to the privacy of our records.”
Sen. Patrick Leahy (D-Vermont) has proposed legislation to alter the Electronic Privacy Communications Act to protect Americans from warrantless intrusions. Debate on the issue is expected to heat up as the anniversary nears, and the Justice Department document likely will take center stage.
Infographics: Michael Cerwonka/Wired.com
- Google+ vs. Facebook on Privacy: + Ahead On Points — For Now
- Senator Wants Investigation of OnStar’s ‘Brazen’ Privacy Invasion
- Report: Facebook CEO Mark Zuckerberg Doesn’t Believe In Privacy
- DuckDuckGo Challenges Google on Privacy (With a Billboard)
- Insurance Company Telematics Trade Perks for Privacy
- Plug-Ins for Privacy: Redirect Remover and Trackerblock