EPIC Asks FCC To End Long-Term Retention Of Call Records

The Electronic Privacy Information Center (EPIC) called on the FCC to end its data retention mandate, which affects sensitive information such as phone numbers dialed, date, time, and call length.

Back in 1986, when multiple anti-privacy laws and regulations seem to have passed, the FCC required telephone companies to keep their customer records for at least 18 months. Because of this, an EPIC-led coalition filed a complaint in 2015, in which it argued that the mandate violates U.S. citizens’ fundamental right to privacy and exposes them to data breaches. The group added that the mandate is outdated and ineffective, so it should be terminated.

Data Retention Enables Mass Surveillance

EPIC warned that the call records implicates privacy and freedom of association of millions of Americans who are suspected of no wrongdoing. As we learned from Edward Snowden’s revelations, the NSA was using the call records in bulk to identify targets via “three-hop” surveillance. This means that if someone you know (first hop) knows someone else (second hop) who may somehow be related to a target of the NSA, then you’d also be under surveillance and a potential suspect in the NSA’s investigation (and potentially even on a list).

The NSA and the FBI have said that this type of broad surveillance is reasonable for an investigation. However, Congress disagreed somewhat and changed the restriction from three hops to two hops in the “USA Freedom Act.” That means that if you call the same pizza place as an NSA target does, you may also be under investigation, as part of the two-hop surveillance strategy.

The FCC mandate that requires telephone companies to keep the records for 18 months is what makes this type of broad surveillance easily accessible by intelligence agencies and law enforcement.

Exposure To Data Breaches

Over the past few years, we’ve seen some major data breaches, including the largest data breach in the U.S. government’s history, and wireless carriers have not been spared either. Storing data from millions of people in the same place for a long time can significantly increase a company's hacking risk. It also gives attackers a bigger window of opportunity to try to get someone’s calls records from the phone companies’ servers.

Mandate At Odds With International Rights

EPIC also argued that the data retention mandate is at odds with international laws and fundamental rights. In the European Union, for instance, even though the national governments have tried multiple times to pass data retention regulations, the laws have been beaten back by the E.U.’s top court for violating the Union’s Charter of Fundamental Rights.

 A year ago, the U.S. and the E.U. signed the “Privacy Shield” agreement, which in theory should guarantee E.U. that citizens’ calls to the U.S. are protected under the same privacy protections they can experience in the E.U. However, the FCC mandate seems to be in conflict with that, because if an American calls an E.U. citizen, or vice-versa, then that call record will be stored, affecting the privacy of both the American and the E.U. citizens.

“The FCC has said it opposes unnecessary and outdated regulation,” said EPIC President Marc Rotenberg. “There is hardly a better regulation to end than the FCC’s data retention mandate. It is ineffective, burdensome, and costly,” he added.

If you care about the privacy of your calls, the FCC is accepting public comments until June 16, so you can submit one there.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • mavikt
    I can't believe it; I need a burner phone to order pizza! Outrageous!
  • derekullo
    So Kevin Bacon is on most lists?
  • bigpinkdragon286
    Is EPIC ignorant of companies retaining information for their own use? How many pieces of data, from pictures and messages, or even entire accounts, that consumers have intentionally deleted, are later found to still be retained? Nothing about changing the law will guarantee that records are not kept, and EPIC doesn't seem to be speaking to the responsibility of the record keepers in securing their data.