Over in Europe this blanket saving of phone records beyond what it is necessary to operate would have been illegal in many countries, and is in general incompatible with the European Convention for the Protection of Human Rights and Fundamental Freedoms outside of active threats to national security and temporary measures overseen by a court.[1]
There's really no reason why any service providers should save this stuff in the first place, and it isn't hard to fix with legislation. Just make it illegal to even keep.
> Over in Europe this blanket saving of phone records beyond what it is necessary to operate would have been illegal in many countries,
On the contrary, many European countries have mandatory data retention periods that meet or exceed the 6 months of records that were supposedly included in this breech.
Germany has one of the shorter retention periods at 10 weeks, but they still have to keep those records.
Saying that it would be illegal to collect these records in Europe is patently false, and furthermore the record collection is generally mandated for a period of time that depends on the country.
> There's really no reason why any service providers should save this stuff in the first place,
Billing. You need phone records for billing purposes. You need to keep them for a while longer because people will dispute their bills all the time.
> Germany has one of the shorter retention periods at 10 weeks, but they still have to keep those records.
No they don't, because it's "suspended" by the federal network agency until courts are through with it. In fact they suspended it three days before the law would've come into force and thus it never was. The current state of affairs is this: the retention was ruled incompatible with German and European law in an injunction and it does not look like that is about to change.
There's a similar picture in many EU countries: There's a law on the books, but it can't be enforced/is being challenged/was already invalidated/is being rewritten/repeat.
Also note that to courts location data/phone records is a different issue than retaining information that merely associates an IP address with the subscriber that used it at some time (knowing which subscriber has what phone number is not an issue either, after all). The latter was ruled to be unproblematic by the ECJ just this year, while for the former the latest ruling is what I outlined earlier.
Besides Germany, some other countries that had data retention laws that were ruled unconstitutional are: Belgium, Bulgaria, Czech Republic, Cyprus, Romania, Slovenia, Slovakia.
In many other places that currently do have mandatory retention in force, it is being challenged.
> Saying that it would be illegal to collect these records in Europe is patently false
It is illegal to mandate in such a manner. There's a difference.
> Billing. You need phone records for billing purposes. You need to keep them for a while longer because people will dispute their bills all the time.
You must've not read the part where I said "beyond what is necessary to operate". Telekom for instance is doing just fine deleting phone records after 80 days - or within 7 days if you use a flat-rate and they're not relevant to billing.
I should add that if is not mandated, then it is illegal to do under GDPR and other privacy laws beyond what is necessary without obtaining explicit consent. Even if it was mandated, the telcos still could not do with the data as they please and forward it to another company like AT&T did.
> There's really no reason why any service providers should save this stuff
There are many reasons! Most of them are simply contrary to how folks think business should operate. Unfortunately the US seems to value "disruption" over "customer protection", so legally protecting data is unpopular on the hill.
I was under the impression that the government wasn't allowed to create a mandate that a telco has to save all phone records like that, but it doesn't stop a telco from doing it themselves. I think that would fall more under GDPR limitations?
I believe you are correct. That's what I was referring to with "illegal in many countries". Most judgements on this issue predate GDPR, but before GDPR, many countries already had similar laws and attitudes. For example article 2* and 10 of the German constitution protect personal data and communication, not just from others, but also from the government. Not unlike the GDPR.
Some service providers in Europe don't even want to save any data. The linked judgement above was the German state suing Telekom, which didn't want to save that data, and losing. Given the state of affairs, the question of "illegal or not" doesn't really come up as much. At least I'm not aware of any high profile judgements.
Besides Telekom, which always tried to minimize they data they keep to the point of fighting it all the way to Europe's highest courts, most other telcos don't really care and pick whichever middle-ground is available between "must" and "must not". Whatever is least-likely to get them into trouble. Right now that just happens to mean "save little".
If it wasn't for the courts and a decent de-facto "constitution" (collection of treaties really), governments would absolutely love to expand the amount of data they (police, spy apparatus, etc.) have access to. That they also try to reduce the amount of data companies are allowed to save for themselves is tangential.
The court case I linked is evidence of that. The German state wanted Telekom to save more data, but the telco refused and won in court.
According to the article, the data was being made available to other businesses... From the detail level involved, I imagine the NSA has some sweeter deal with telcos... And they have much richer data.
For those not deeply versed in US federal regulations: Part 4a of Title 15 of the Code of Federal Regulations (CFR), which covers the "Classification, Declassification, and Public Availability of National Security Information" for the National Security Agency (NSA).
Not entirely sure, but I thought they were talking about the 4th amendment, which also is relevant. It prevents the government from spying on Americans without a warrant. The NSA works around it so openly by buying the spy data from third parties, and saying the 4th Amendment doesn’t apply since they didn’t collect the data themselves, so it’s fine. It’s a giant middle finger to the Constitution of the US.
New lines of business. Another way for them to sell your data. The NSA is quaint. The Valley knows everything about everyone already, and even has their current GPS coordinates.
It's not so much the NSA as various other government agencies. The NSA is hoovering everything up, but if the local cops call them and want access to it, the NSA is going to tell them that they're not even authorized to know whether or not the NSA has that information. Also, something something due process something something American citizens.
Whereas if they can get the telcos to keep it then the cops can get it using the third party doctrine. This is basically an end run around the constitution, which is why they like it.
Every txt and phone call, every email and letter sent to your address along with every utility bill (list goes on) has been saved since at least 1999/2000 to present day. People like Bernie went to jail because they pushed back and it was all because of this....
This is probably a reference to US postal or mail covers.
The USPS takes images of most or all postal mail as part of its delivery and postal sorting/routing processes. Those covers are retained for a limited period of time, and actually have, so far as I understand, significant privacy protections associated with them, of the sort notably absent in most electronic communications.
See:
Mail Cover (Wikipedia):
Mail cover is a law enforcement investigative technique in which the United States Postal Service, acting at the request of a law enforcement agency, records information from the outside of letters and parcels before they are delivered and then sends the information to the agency that requested it.[1] The Postal Service grants mail cover surveillance requests for about 30 days and may extend them for up to 120 days.
MICT: Mail Isolation Control and Tracking (Wikipedia):
[A]n imaging system employed by the United States Postal Service (USPS) that takes photographs of the exterior of every piece of mail that is processed in the United States.[1] The Postmaster General has stated that the system is primarily used for mail sorting,[2] though it also enables the USPS to retroactively track mail correspondence at the request of law enforcement.[2] It was created in the aftermath of the 2001 anthrax attacks that killed five people..
You can sign up to have them email you a daily summary of your mail deliveries including the associated images they've logged under USPS Informed Delivery.
As Bruce Schneier has noted, metadata equals surveillance, as it's actually far more amenable to analysis and inference than whole-text or audio capture. Though that latter may have shifted significantly with the rise of LLM AI techniques.
There's really no reason why any service providers should save this stuff in the first place, and it isn't hard to fix with legislation. Just make it illegal to even keep.
[1] https://curia.europa.eu/juris/document/document.jsf?text=&do...