A U.S. senator has put telecommunication companies – AT&T, T-Mobile, Sprint and Verizon – on notice for their data-collection and retention policies.
Last week, U.S. senator Ron Wyden (D-Ore.) sent an open letter to the CEOs of the four major telecom providers urging them to limit the data they collect and store from their customers’ communications, web browsing and app usage. Wyden has demanded that telecommunication executives respond to the letter before Sept. 4 with an outline of the steps they will take to protect customer privacy.
“Your companies collectively hold deeply sensitive information about hundreds of millions of Americans,” Wyden said in his letter. “It should come as no surprise that this data is a juicy target for foreign spies. Particularly in this modern era of massive data breaches, it is critical that companies like yours minimize the data you keep.”
Representatives for AT&T, T-Mobile, Sprint and Verizon did not immediately respond to a request for comment from Threatpost.
Wyden said that the current rules on data retention are not enough, and that the telecom companies have been able to skirt them. The Federal Communications Commission (FCC) requires carriers to keep records of toll calls for 18 months, for instance – but Wyden alleges that firms retain records “for much longer.”
A New York Times article reports that AT&T continues to store, and supply Drug Enforcement Administration agents with, phone data from as far back as 1987. Even before that, Wyden mentioned, phone companies played a role in the Bush-era “warrantless wiretapping” program and the NSA’s surveillance of telephone metadata.
Wyden, for his part, urged the companies to cut their data retention period back further, to a few weeks or even a few days: “Retention periods of several years should not be the norm,” he said.
The letter, which came in conjunction with a talk at DEF CON in Las Vegas entitled “Can You Track Me Now? Why The Phone Companies Are Such A Privacy Disaster,” once again thrusts data collection and usage privacy policies into the spotlight.
The strength of our hacker community makes America stronger and Americans safer. Thrilled to have the opportunity to speak at #defcon today about the importance of privacy, backdoor-free encryption, and overseeing our intelligence community. Thank you for having me! pic.twitter.com/VK2NeTqn9g
— Ron Wyden (@RonWyden) August 10, 2019
The letter piles pressure on these four companies, which are also facing backlash from the Federal Trade Commission (FTC) for their data collection policies around internet services.
In March, the FTC urged companies to reveal exactly what data they’re collecting as part of their ISP arms, and requested details around how they collect, retain, use and disclose information about consumers and their devices. Specifically impacted by this request were: AT&T, AT&T Mobility, Comcast Cable/Xfinity, Google Fiber, T-Mobile USA, Verizon Communications and Cellco Partnership (Verizon Wireless).
“Fundamentally the premise the Senator is stating is correct,” Ernesto Falcon, senior legislative counsel at the Electronic Frontier Foundation (EFF), told Threatpost. “You can’t breach data that is not collected or retained. Data breaches are not a matter of ‘if’ but rather ‘when’ they happen with the entry of state actors. Historically telecom carriers were expected to only use personal information necessary to render the service and the FCC was applying that as a matter of regulation until Congress repealed consumer privacy protections on behalf of Comcast, AT&T, and Verizon. The latest string of data scandals involving ISPs, notably the geolocation scandal that EFF is litigating now, are all reasons we need the restoration of consumer privacy laws here.”
Meanwhile, although major companies like Comcast, AT&T and Verizon have made informal pledges not to sell customers’ individual internet browsing information, that hasn’t stopped privacy issues from plaguing the companies: in 2018, for instance, reports emerged that AT&T, Sprint, T-Mobile and Verizon were selling real-time location data to companies like LocationSmart, Zumigo and others.
“Consistent with the best practices recommended by the FTC and leading privacy experts, absent a legal requirement to retain specific records, you should delete records of your customers’ historical location, their web browsing, app usage and their communications as soon as those records are no longer needed to reasonably manage your networks and provide service,” Wyden said.