Federal data protection needed in US but don’t expect it any time soon

Companies have valuable information on citizens that government is happy to access

The Patriot Act, the US legislation brought in as an emergency measure after the September 11th, 2001, terrorist attacks, expires in June and many are concerned about what might come next.

The Act has been seen as the legal foundation on which mass-scale, secretive surveillance was undertaken by the National Security Agency. These are the programs revealed by whistleblower Edward Snowden, such as Prism (which involved data-gathering requests to numerous, compliant technology companies) and the wholesale slurping of telecoms call data from users of Verizon's service in the US.

The disclosure of such snooping might have Congress in the mood to limit such powers. This is particularly likely as there is scant evidence that spying on whole populations is a productive tool in the war on terrorism – security agencies failed to convince congressional committees at hearings.

Data retention

Alternatively, it might persuade Congress that what the US really needs is a federal data retention law, mandating that companies hang on to metadata – information about, but not the content of, a call, email, text or other communication – for a set period of time.

Although a 2009 attempt to pass data retention legislation in the US failed, privacy activists and technology companies are concerned about the possibility that it will be reintroduced as the Patriot Act is reconsidered. Campaigning has begun to keep data retention off the US law books.

Mozilla, the community of developers behind web browser Firefox, is among the first to take a firm public stance. It published a policy statement on its blog last week in which it argued for four key points: no more bulk data collection, greater transparency in how surveillance agencies operate, no data retention and no new surveillance powers.

It’s a well-formulated statement, but like so many of these types of things, it falls apart on one significant point. Mozilla argues against data-retention laws that would require companies “to hold user data longer than necessary for business purposes” and says that “storing data for longer than it’s useful for any purpose should be avoided”.

The problem is that US companies determine both those points themselves. And the reality for years has been that companies hold data for a very, very long time.

The US has not had mandatory data retention because, thanks to a greedy business appetite for data, the government has never really needed it. Lacking European-style data-protection legislation, companies in the US can hold data of all types for years, including call and internet service provider data. That’s why privacy advocates rightly consider corporate activity as much a part of the privacy landscape as governments and spy agencies.

Off the record, I asked a telecoms and internet industry contact how long US internet service providers (ISPs) and telecoms companies hung on to metadata; he in turn asked two US industry colleagues. The response? “They thought it was funny that we think that they delete anything.”

One provider of virtual private network services in the US, IVPN, says on its website that ISPs, as private companies, can hang on to user data as long as they want with little regulation in the area; in the EU, data must generally be deleted within six months.

Companies in the US hang on to data for many reasons, including billing disputes, but the main reason these days is likely to be for marketing and advertising. At a time when data is seen as the monetising goldmine of the future, there’s even more incentive for companies to store all types of data to see if it becomes an enticing asset. Perversely, some US ISPs are even beginning to monetise privacy: pay them extra and they won’t analyse your data to target you with ads.

Secret subpoenas

All this data-gathering and storage, for whatever corporate purpose, creates a nice, years-long archive of data for law enforcement, which they can access in a number of ways. The FBI uses national security letters (NSLs) which the Electronic Frontier Foundation describes as “secret subpoenas issued directly by the FBI without any judicial oversight”. Law enforcement agencies can also obtain access via a court order.

That’s admittedly clumsier than secretly harvesting data in bulk, but still means that a massive collection of data sits in the servers and clouds of US companies. So who needs official data retention when far more data is already retained by the US corporate community for far longer than any federal law could likely mandate?

That’s not to say the US might as well just bring in data retention. They absolutely should not.

What’s needed is federal data protection. But don’t expect that any time soon. Companies want to generate and keep as much user data as possible. Those data piles are handy for law enforcement. No one has much incentive for change.