Security

Why carriers keep your data longer

Comment

Image Credits: Saul Gravy (opens in a new window) / Getty Images

Your wireless carrier knows where you are as you read this on your phone — otherwise, it couldn’t connect your phone in the first place.

But your wireless carrier also has a memory. It knows where you took your phone in the last hour, the last week, the last month, the last year — and maybe even the last five years.

That gives it an enormous warehouse of data on your whereabouts that can help your wireless carrier fix coverage gaps while revealing much more. Depending on the density of cell sites around you at any one point, the location data triangulated from them can not only highlight your home and office, but also point to the bars you frequented, the houses at which you spent the night and the offices of therapists you visited.

This intersection of a business necessity and historical habit bashes into a key precedent of both privacy best practices and such laws as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act: data minimization.

That is, collect and keep no more data than you need for a business purpose. The less personal information you have squirreled away on your servers, the less remains at risk in the event of a data breach exposing some of this stash, management turnover putting privacy-apathetic leadership in charge or an overly broad law-enforcement query mandating its exposure.

Image via Getty Images / Photographer is my life

A multiple-choice quiz

This concept traditionally gets talked about as a Nice Thing We Can’t Have — companies will collect as much data as their data centers can accommodate, leaving customers unable to vote with their wallets for a privacy-optimized vendor.

But in the reality of wireless phone service, things are only half as bleak. That is, while the big four carriers do vary significantly in how long they retain your cell-site location history, they don’t disclose this, leaving customers ill-equipped to vote with their wallets.

Because AT&T, Sprint, T-Mobile and Verizon (disclosure: the parent firm of TechCrunch) don’t disclose how long they retain the location history generated by their transmitters, I had to ask. And the responses varied enormously:

  • AT&T: five years
  • Sprint: 18 months
  • T-Mobile: two years
  • Verizon: one year

These are important distinctions, even after the Supreme Court’s June 2018 ruling in Carpenter v. United States that historical cell-site location information cannot be disclosed to law-enforcement authorities without a warrant.

The last time it appears all four carriers documented their retention periods — letters sent to Sen. Ed Markey (D.-Mass.) in 2013 in response to a round of queries from his office — all cited the same retention periods except T-Mobile. Back then, T-Mobile said it kept historical cell-site location data for just 180 days.

The big four carriers are in the clear because the law doesn’t clearly require them to keep this data for any period of time.

Electronic Frontier Foundation surveillance litigation director Jennifer Lynch and American Civil Liberties Union staff attorney Nathan Freed Wessler separately said that carriers don’t have to keep this data at all.

“As far as the regulations are concerned, the carriers could retain that information for 1 minute or 100 years,” Wessler wrote in an email.

A Federal Communications Commission rule does require phone carriers to retain certain billing records for 18 months, and Georgia Tech law professor Peter Swire suggested that could compel carriers to keep cell-site location data for the same time.

Wessler and Lynch both brushed aside that reading; Lynch, for instance, said location history would only fall under this regulation if carriers determined that it was necessary for accurate billing.

Image via Getty Images / Nora Carol Photography

Business cases

But if the law leaves wireless carriers free to choose retention periods, business imperatives may not — as Lynch said, “I would suspect each has its own business reasons for how long they hold on to the data.”

Monitoring network performance is the biggest reason to keep this data.

“You can’t ensure a good end-user experience without having an understanding of where those users spend time and how they move around on the network,” said Brendan Gill, president of the network-surveying firm OpenSignal, in an email forwarded by a publicist.

And that data remains useful for a while, he added: “The argument for retaining historical data is that some events/activities only happen periodically — like seasonal effects/storms, or major entertainment or sporting events — so if you want to forecast, you need that data.”

Another industry analyst said your utility for keeping it declines after 18 months.

“From a network perspective, one year gives you just barely a year-over-year comparison,” said Roger Entner, founder of Recon Analytics. “Ideally, if you want to do a year-to-year comparison of how your traffic on your network changed, you’d want to do a year and a half.”

He suggested that AT&T’s industry-leading retention reflected not that company’s fondness for the surveillance state — a frequent topic of criticism in many tech-privacy circles — but the Dallas firm’s habit of analyzing itself and its customers in detail.

“One of the big differences between AT&T and the other carriers is, they are heavily into big data and heavily into big-data analysis,” Entner said. “For example, every VP within AT&T has a data analytics team attached to him — or almost every VP.”

AT&T itself did not explain why it chose this retention period, but the other three did not answer the same question either.

As for commercial reuses of this historical data, Wessler noted that the Telecommunications Act prohibits such sale or sharing without explicit customer consent — although you could interpret that as only covering location data generated during calls. The big four have all gotten caught selling access to real-time location data, although they’ve since pledged to end that.

Finally, from the perspective of reducing the potential risk of a data breach, holding onto this data for less time should make business sense.

“Companies around the world typically oppose any mandatory data retention laws, which would require that they artificially extend how long they hold on to sensitive data beyond what they need for business purposes,” emailed Amie Stepanovich, U.S. policy manager for the advocacy group Access Now.

There’s also the privacy rationale.

EFF’s Lynch wrote: “Because cell phone location data can reveal such sensitive and private information about individuals — where and with whom we live, socialize, visit, vacation, worship, etc. — and because that data only becomes more revealing the longer it’s retained — carriers should retain this data for as little time as absolutely necessary to provide their services to customers.”

Image via Getty Images / Andriy Onufriyenko

When carriers retain their own retention periods

But the bigger mystery here is why none of these firms document these retention periods on either their privacy policies (AT&T, Sprint, T-Mobile, Verizon) or transparency reports (AT&T, Sprint, T-Mobile, Verizon). All four declined to explain that, too.

The wireless-industry trade group CTIA’s best practices for providers of location-based services call for both data minimization and transparency about retention periods.

“LBS Providers should retain user location information only as long as business needs require, and then must destroy or render unreadable such information on disposal,” the guidelines state. “LBS Providers must inform users how long any location information will be retained, if at all.”

Privacy advocates consistently ask companies to humblebrag when they don’t indulge in data maximization— as Georgetown University Center on Privacy and Technology executive director Laura Moy said in a South By Southwest talk about location privacy this March, “When companies decline to collect that information for privacy-protecting reasons, they ought to be public about it.”

Lynch stayed on the same page: “In all cases, they should be informing customers about these retention periods as part of their annual or biannual transparency reports.”

Instead, the wireless carriers are engaging in the polar opposite of, say, Apple, which has made a habit out of documenting its privacy-preserving features.

(Some wireless resellers may tout their own unwillingness to disclose location history — for example, Credo Mobile’s privacy policy declares that this Verizon reseller “does not receive, store, or assign precise handset location information, handset IP addresses, or logs of websites visited by your phone” — but the underlying carrier does get and keep that data. Credo spokesman Josh Nelson declined to comment, emailing “We’re going to pass on this.”)

That leaves privacy-minded customers either under-informed or having to rely on information that could change without notice or documentation.

“In general the minimal competition in the U.S. telco sector creates few incentives for companies to adhere to what may otherwise be best practices, the very first step of which would be to publish information on what data is collected on users and how long it’s stored,” Access’s Stepanovich griped.

And if customers don’t get the information needed to choose services accordingly, nothing else seems likely to push wireless carriers to keep less rather than more data. The words Sen. Ron Wyden (D.-Ore.) said at an event hosted by the Center for Democracy & Technology in October 2017 remain unfortunately relevant: “Our citizens can’t count on the friction created by the limits of technology or government resources.”

We can only depend on the kindness of large telecommunications companies. Good luck with that.

More TechCrunch

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

2 days ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

2 days ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo