May 18, 2015
As a potential vote nears on the USA FREEDOM Act, talk about possible amendments has begun. There is one amendment in particular that poses a threat not only to the bill’s passage, but to data security, privacy, and the information economy: a new data retention mandate requiring phone companies to store Call Detail Records (CDRs) for a fixed period of time, regardless of their business needs. Not only would such a requirement be harmful; it is also unnecessary for national security. The President has been clear that he does not want one, the NSA testified before the Senate Intelligence Committee that it does not need one, and the Director of National Intelligence stated in September 2014 and May 2015 letters supporting the USA FREEDOM Act that a new data retention requirement is unnecessary for the Intelligence Community to meet its operational needs.
Strong Opposition From Civil Society, Security Experts, Industry, and the House of Representatives: The addition of a data retention requirement would severely undermine the unique, bipartisan, and broad-reaching coalition of supporters the USA FREEDOM Act currently enjoys. In June, July and September 2014 coalition letters on the USA FREEDOM Act, OTI cautioned that we, along with over 40 other privacy and advocacy organizations, would strongly oppose the inclusion of any new data retention requirements in surveillance reform legislation. Over 20 security experts and academics also wrote to Congress opposing such a mandate. A data retention mandate would also threaten the support of tech and telecommunications companies, like Verizon who testified before Congress that they would strongly oppose any such provision of law. In March, over 40 advocacy groups and companies, including the Reform Government Surveillance coalition, which represents some of America’s largest tech companies like Google, Apple, and Facebook, signed a letter opposing the inclusion of controversial new mandates in surveillance reform legislation.
Support would not only be lost in industry and civil society. The House of Representatives overwhelmingly opposes data retention requirements, and would almost certainly refuse to pass a version of the USA FREEDOM Act that includes one. It has rejected proposals for data retention requirements several times in the past few years – most recently during its 2014 and 2015 considerations of the USA FREEDOM Act. There, the House Judiciary Committee resoundingly opposed an amendment that would have authorized the government to make individual agreements with companies for data retention. Even that amendment smacked too much of a requirement and both times failed by a vote of 24-4, with Chairman Goodlatte stating in 2014 that “record retention by the communications companies does not necessarily assuage civil liberty and privacy concerns and could expose these records to data breaches by cyber hackers. For these reasons, I cannot support this amendment.”
Bad Public Policy: There is good reason for this fierce opposition to a data retention requirement. It is bad public policy. Mandatory data retention would not only threaten privacy and increase data insecurity, it would also impose unnecessary financial burdens on American technology companies, it could hinder law enforcement efforts, and it could cause regulatory problems.
Threat to Privacy: Requiring companies to store their customers’ personal information beyond what is needed for their business practices is an inherent threat to privacy. That’s why privacy and security regulators routinely counsel companies not to keep data they don’t need—to minimize, rather than retain, unnecessary data. In this case, the CDR data at issue is especially sensitive, providing a detailed dossier on Americans’ private communications and associations. A requirement under the USA FREEDOM Act would set a dangerous precedent—a precedent that could quickly set the stage for mandatory retention of even richer and more personal Internet data—because it would, for the first time, require that companies store Americans’ private data solely so that a military intelligence agency – the NSA – could access it. This possibility was considered and explicitly rejected as a threat to privacy when the President announced the need to reform the Patriot Act Section 215 bulk collection program.
Threat to Data Security: In addition to posing a threat to privacy, a new data retention requirement would pose a serious threat to data security and could significantly increase the risk of a data breach. First, there are staggering technical difficulties to storing and securing the vast quantities of data that would be required. Second, we live in an era of data breaches. In the last two years alone, Americans’ personal and financial information has been stolen from dozens of major companies like Target, Home Depot, JP Morgan, Sony, and Anthem. Passing a data retention requirement with the USA FREEDOM Act will paint a new, bigger, and brighter bullseye for hackers on the back of every company that is subject to the requirement, and thus, on each of their customers.
Threat to Business: A new data retention requirement would be extremely costly to companies. Storing exabytes of data, as would be required by ISPs, will cost many millions of dollars to set up systems for storing, securing, and searching the data, and millions of dollars more each year to maintain those systems. Additionally, Kate Dean, President of the U.S. Internet Service Providers Association, warned Congress that the opportunity cost, or the cost to innovation resulting from the diversion of business resources to the development of these storage and retrieval systems, would be incalculable. Costs to innovation make government reimbursement, which would fall squarely on taxpayers’ shoulders, inadequate compensation.
Hindrance to Law Enforcement: Dean also cautioned against a new data retention requirement because it could impede law enforcement investigations. Delays in retrieving relevant data would likely result from searching large stores data since it would be more difficult to identify the specific information sought in the masses of irrelevant information. Additionally, the systems could crash altogether under the weight of the data.
Source of Regulatory Problems: Lastly, a new data retention requirement could cause significant problems in implementation because there could be conflicts between statutory and regulatory obligations, protections for users’ privacy, and questions about standards for law enforcement access to records.
Ultimately, a new data retention requirement would not increase our security. Just the opposite – it would be bad for security, bad for privacy, and bad for business. The USA FREEDOM Act has a historic coalition of support. Republicans and Democrats have reached across the aisle to pass this reform. Technology companies large and small along with civil society groups from the right and left have worked together with lawmakers for nearly two years to see it pass this Congress. Now that we’re nearly at the finish line, Congress should pass that bill rather than fatally undermine its chances by adding to it an unnecessary, controversial, and dangerous new data retention mandate.