Campaign for Liberty has joined a collation of organizations from across the political spectrum on a letter to the Federal Communications Commission (FCC).
Th letter requests that the agency repeal its regulation that forces telephone companies to retain our phone records for 18 mouths. This requirement represents a major violation of our privacy and violates the Fourth Amendment to the Constitution.
Text of the comments available here and below:
August 4, 2015
Marlene H. Dortch, Secretary
Federal Communications Commission
Office of the Secretary
445 12th Street, SW,
Washington, DC 20554
RE: Petition to Repeal 47 C.F.R. § 42.6 (“Retention of Telephone Toll Records”)
Dear Secretary Dortch,
We, the undersigned consumer rights, human rights, and civil liberties organizations, along with members of the EPIC Advisory Board, petition the Federal Communications Commission (“FCC”) to repeal 47 C.F.R § 42.6 (“Retention of Telephone Toll Records”) because the rule requiring mass retention of phone records exposes consumers to data breaches, stifles innovation, reduces market competition, and threatens fundamental privacy rights.
Mass Retention Requirements for Telecommunications Carriers Threatens Consumer Privacy
The FCC’s data retention mandate implicates substantial privacy and civil liberties interests for millions of Americans. It states:
Each carrier that offers or bills toll telephone service shall retain for a period of 18 months such records as are necessary to provide the following billing information about telephone toll calls: the name, address, and telephone number of the caller, telephone number called, date, time and length of the call. Each carrier shall retain this information for toll calls that it bills whether it is billing its own toll service customers for toll calls or billing customers for another carrier.
In 1985, when data was retained for only six months, the FCC initiated a rulemaking to remove this burdensome record-keeping requirement. In response to the FCC’s proposal, the Department of Justice (“DOJ”) petitioned the Commission to extend the retention period from 6 to 18 months, claiming “telephone toll records are often essential to the successful investigation and prosecution of today’s sophisticated criminal conspiracies . . . .” Telecommunications providers objected to the DOJ’s proposal, noting that the elimination of the retention period would permit telephone companies to “develop cost efficient recordkeeping systems.” The companies also stated that “a six month retention period would seem adequate for most records.” Finally, they said, law enforcement agencies could request that records be maintained “for individuals under investigation without requiring that all toll records be retained.” The Department of Justice prevailed. Telephone records were retained, and the privacy interests of American telephone customers were placed at risk.
Many years later, it is abundantly clear that the 18-month data retention rule serves no purpose. As the DOJ itself acknowledged in 2006, “the efficacy of the Commission’s current Section 42.6 requirement to meet law enforcement needs has been significantly eroded.” The regulation is based on an outdated model since carriers have “moved away from classic billing models, in which charges are itemized,” and instead use “non-measured, bundled, and flat-rate service plans,” such that “some carriers have claimed that call records under such new plans are not covered by Section 42.6 because they are not ‘toll records.’’’
Not only is the rule ineffectual in assisting law enforcement, it also stifles innovation and market competition. As explained above, carriers opposed the proposal to retain toll records for 18 months because moving away from toll recordkeeping would allow them to develop more cost efficient recordkeeping systems. Furthermore, the toll recordkeeping is out of sync with the market demands of “bundled” packages that provide consumers with more comprehensive billing structures. And the requirement prevents companies from competing on privacy, which many believe is the market-based solution to the enormous privacy challenge confronting the nation today. These inefficiencies reveal that this program is no longer necessary or reliable in meeting the original goal of “forming basis of charges to subscribers and others” or “supporting successful investigations.”
Mass Retention of Telecommunications Data Implicates Substantial Privacy and Associational Freedom Interests
Section 42.6 requires telecommunication carriers to retain sensitive information on all of their customers, including the name, address, and telephone number of the caller, telephone number called, date, time and length of the call. These telephone records not only show who consumers call and when, but can also reveal intimate details about consumers’ daily lives. These records reveal close contacts and associates, and confidential relationships between individuals and their attorneys, doctors, or elected representatives.
Justice Stewart recognized the significant privacy interests implicated through phone surveillance in his dissent in Smith v. Maryland. He wrote,
he role played by a private telephone is . . . vital, and since Katz it has been abundantly clear that telephone conversations carried on by people in their homes or offices are fully protected by the Fourth and Fourteenth Amendments. As the Court said in United States v. United States District Court, “the broad and unsuspected governmental incursions into conversational privacy which electronic surveillance entails necessitate the application of Fourth Amendment safeguards.”
Justice Marshall expressed similar concern when he wrote in Smith, “In my view, whether privacy expectations are legitimate within the meaning of Katz depends not on the risks an individual can be presumed to accept when imparting information to third parties, but on the risks he should be forced to assume in a free and open society.”
Following the decision in Smith v. Maryland, the United States Congress took steps to safeguard telephone record information and overturned the Court’s decision. The House Committee report that accompanied the Electronic Communications Privacy Act of 1986 explained:
As a general matter telephone companies maintain a record of calls placed from a telephone for billing purposes. These business records are primarily used by the telephone company for its own purposes. At the federal level the government can legally obtain access to such records based on a grand jury or trial subpoena or through the use of an administrative summons authorizing a specific federal agency to obtain records. Such government access is usually in connection with an ongoing criminal or civil investigation.
The call toll records currently retained under the FCC Section 42.6 are not specifically tailored or limited to a particular investigation; carriers are required to retain data for 18 months for all subscribers. Since 90% of American adults have a cell phone, this equates to sensitive data being retained for nearly every American adult, even when they are under no suspicion of wrongdoing. Such mass retention of sensitive data of the American people, and subsequent access by the government has a chilling effect.
As Justice Sotomayor recently stated in United States v. Jones, “wareness that the Government may be watching chills associational and expressive freedoms.” And although telephone records may be a useful resource in the investigations of crimes, law enforcement agencies could request that records be maintained “for individuals under investigation without requiring that all toll records be retained,” as carriers have previously suggested. Simply put, “t is simply not possible that every phone record in the possession of a telecommunications firm could be relevant to an authorized investigation.”
A federal district court recently found that the bulk collection of telephone “do implicate the interests of cell phone subscribers when their service providers are producing metadata about their phone communications to the Government . . . .” Similarly, the FCC must recognize the significant privacy interests implicated by retaining toll data. The 42.6 program should end.
The European Court of Justice Struck Down the Data Retention Directive Because It Violated the Fundamental Right to Privacy
The Court of Justice of the European Union has determined that the routine mandated retention of telephone data violates the fundamental right to privacy. The decision is binding on the provision of telecommunications services across the European Union, a market larger than the United States telecommunications market. Echoing views expressed by Justices Stewart, Marshall, and Sotomayor, the Court of Justice found:
Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented.
The CJEU decision bears on the FCC’s continuing the mandate of Section 42.6. The routine compelled retention of telephone records is not necessary or proportionate for a democratic society.
Recent Data Breaches Reveal the Inherent Risks of Maintaining Unnecessary Records
In recent months, there have been a large number of high profile data breaches that illustrate the severity of the risks associated with data retention. For example, in April 2015, the Office of Personnel Management (“OPM”) discovered that the personal data of 4.2 million current and former Federal government employees had been stolen. Subsequently in June 2015, OPM discovered that additional information had been compromised: including the background investigation records of current, former, and prospective Federal employees and contractors, totaling 21.5 million individuals.
The FCC itself has brought data breach actions against companies that fail to safeguard the personal information of their customers. The agency recently proposed “a $10 million fine against two telecommunications carriers for failing to protect the personal information of up to 305,000 consumers.” According to the FCC:
The Commission alleges that the carriers’ failure to reasonably secure their customers’ personal information violates the companies’ statutory duty under the Communications Act to protect that information, and also constitutes an unjust and unreasonable practice in violation of the Act, given that their data security practices lacked “even the most basic and readily available technologies and security features and thus creates an unreasonable risk of unauthorized access.”
The risk of breaches will increase as more sensitive data is retained. The best strategy to reduce the risk of an attack and to minimize the harm when such attacks do occur is to collect less sensitive personal information at the outset. Furthermore, the risk of a breach can be reduced by deleting call records after they are no longer needed for billing or dispute purposes, or if law enforcement has not lawfully requested retention of call records for specific individuals. Section 42.6 stands in opposition to a critical strategy to safeguard consumer privacy.
Request for Agency Action
The mandatory retention of call toll records under Section 42.6 violates the fundamental right to privacy. It exposes consumers to data breaches, stifles innovation, and reduces market competition. It is outdated and ineffective. It is not necessary or proportionate for a democratic society.
The public should be given the opportunity to comment on the ongoing necessity of this provision in light of its ineffectiveness and the corresponding privacy threats. Further, the undersigned organizations and privacy experts petition the FCC to repeal 47 C.F.R. § 42.6 in its entirety.
Contact: Marc Rotenberg and Khaliah Barnes, EPIC 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202-483-1140.
Accord Official Statement, Office of the Director of National Intelligence, Statement by the ODNI on Retention of Data Collected Under Section 215 of the USA Patriot Act (July 27, 2015) http://icontherecord.tumblr.com/post/125179645313/statement-by-the-odni-on-retention-of-data.
Preservation of Records of Communications Common Carriers, 50 Fed. Reg. 31,395, 31,395 (proposed Aug. 2, 1985) . See also Preservation of Records of Communication Common Carriers, 28 Fed. Reg. 13,200, 13,209 (Dec. 5, 1963) (in which the FCC orders the 6-month retention to provide the “basis of charges to subscribers.”).
Id. at 11-12; See also Fed. Bureau of Investigation Memorandum Opinion for the General Counsel on Information Under the Elec. Comm. Privacy Act (Nov. 5, 2008) at 6 (explaining the historical definition and difference between “local” and “long distance toll” within the communication industry).
See, e.g., Tom Wheeler, Chairman, Fed. Commc’n Comm’n, Remarks at the RSA Conference (Apr. 21, 2015), https://apps.fcc.gov/edocs_public/attachmatch/DOC-333127A1.pdf (“We are also continuing to examine how the concept of cybersecurity intersects with other aspects of the FCC's statutory mission. For instance, the FCC has explicit responsibilities to protect the privacy of data that communications providers collect from their customers in the everyday course of business. Consumers have a right to expect that this information will be protected from disclosure. Failure to do so can have a chilling effect on free expression and the virtuous cycle of network investment and innovation.”).
See Continued Oversight of the Foreign Intelligence Surveillance Act: Hearing Before the S. Comm. on the Judiciary, 113th Cong. (2013) (statement of Edward Felten, Professor of Computer Science and Public Affairs, Princeton University).
See Letter regarding Ending Renewal of the Section 215 Bulk Telephony Metadata Program from 28 Privacy & Civ. Liberties Organizations to President Barak Obama and Eric Holder, U.S. Attorney Gen. (June 17, 2014), https://www.epic.org/privacy/Coalition-Ltr-to-End-NSA-Bulk-Collection.pdf; Mobile Technology Fact Sheet, Pew Research Center, http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/(last visited July 16, 2015) (stating that as of 2014, 90% of American adults own a cell phone).
Klayman v. Obama, 957 F.Supp.2d 1, 22 (D.D.C. 2013). See also Am. Civil Liberties Union v. Clapper, 785 F.3d 787, 794 (2d Cir. 2015) (“The more metadata the government collects and analyzes, furthermore, the greater the capacity for such metadata to reveal ever more private and previously unascertainable information about individuals.”).
The EU and US programs differ in two key respects. The EU data retention requirements are typically broader in scope than the data that is lawfully obtained in the US under the FISA. However, EU telephone companies are not required to routinely provide customer information to the government as are US telephone companies.
Press Release No 54/14, Court of Justice of the European Union, The Court of Justice Declares the Data Retention Directive to be Invalid (Apr. 8, 2014), http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf. Similar views were expressed by Justice Potter Stewart in dissent in Smith v. Maryland, 742 U.S. at 746.
See Letter Concerning European Court of Justice Opinion on Data Retention and Privacy from Privacy Advocates, to John Podesta, Counsel to the President, and Nicole Wong, Deputy Chief Tech. Officer, Office of Science & Tech. Pol’y (Apr. 16, 2014), http://privacycoalition.org/Priv-Coal-to-WH-on-ECJ-Opinion.pdf.
Press Release, Fed. Trade Commission, FCC Plans $10 Million Fine for Carriers that Breached Consumer Privacy (Oct. 24, 2014) https://www.fcc.gov/document/fcc-plans-10m-fine-carriers-breached-consumer-privacy.
A Bill to Require Greater Protection or Sensitive Consumer Data and Timely Notification in Case of Breach: Hearing on H.R. ___ Before the Subcomm. on Commerce, Manufacturing, & Trade, H. Comm. on Energy & Commerce, 112th Cong. 3 (2011) (statement of Marc Rotenberg, Executive Director, EPIC).
Tags: privacy, FCC