Despite nearly two years of revelations about the scope and scale of government surveillance practices, and the ensuing damage to user trust, security, and privacy, the U.S. Congress continues to delay passing meaningful reforms.
The current surveillance authority under discussion is Section 215 of the USA PATRIOT Act, which has been used to authorize mass surveillance by the NSA, including for all phone metadata. This law expires June 1, and must not be renewed as it stands today.
Our bottom line for this round of surveillance reform in the United States includes four key elements, without which user trust will continue to suffer:
- A strict ban on bulk collection;
- Sufficient transparency to be able to tell if bulk collection or mass surveillance is occurring, including declassification of Foreign Intelligence Surveillance Court opinions;
- No new data retention mandates; and
- No new surveillance authorities, powers, or programs.
One of the most contentious topics in the current legislative debate is whether to include mandatory data retention as part of Section 215 reauthorization and reform. The theory behind this “compromise” is that, when direct bulk collection by the U.S. government is eliminated, if telecommunications companies are not required to retain data, then some bits might be “lost” and not available for later law enforcement or intelligence access.
This is not a compromise, but rather an exercise in misguided pragmatism. The expectation of total after-the-fact information awareness by the U.S. government of the intimate details of our conversations is at the core of negative reactions to overbroad surveillance regimes and harm to trust online. It is an unnecessary, and harmful, posture for any democratic government to take. Data retention mandates are not a missing piece of the long-term surveillance ecosystem; they are a bridge too far.
Once we accept the principle that the government has a right to force records to be held onto so they can effectively go into the past, where does that stop? What’s the limit? Or are we paving the way to a world where nothing can be deleted just in case the government might want to look at it? It’s not hard to see how such a limitless program would quickly move from telephone records to Internet companies.
As the nearly daily parade of data breaches makes clear, amassing the personal information of everyone in the United States exposes those data to breach, theft, misuse, and abuse. Data acquired are data at risk, and this threat to user security and privacy is not acceptable. As Foreign Intelligence Surveillance Court Judge Reggie Walton noted in a recent ruling, data retention by government “increases the risk that information about United States persons may be improperly used or disseminated,” in particular because “the great majority of these individuals have never been the subject of investigation” for intelligence purposes. These same risks apply to data retention by companies.
In addition to making troves of private user information vulnerable to malicious actors, requiring companies to hold user data longer than necessary for business purposes would create additional liability and risk. In general, storing data for longer than it’s useful for any purpose should be avoided. To do so in support of intrusive surveillance practices is even more harmful. What’s more, at a time when 91% of Americans say they feel they have lost control over their own data, mandatory data retention would preclude new privacy-maximizing business models.
Finally, when Congress was last considering reform of Section 215, Attorney General Holder and Director of National Intelligence Clapper wrote that mandatory data retention was unnecessary, stating that the version of the USA FREEDOM Act then under consideration “will accommodate operational needs while providing appropriate privacy protections.” These statements are as true today as they were at the end of last year.
Mandatory data retention under Section 215 reauthorization, or in any other law, will further harm trust online and will compound security risks for users and associated economic costs for the future.
Chris Riley, Head of Public Policy
Jochai Ben-Avie, Internet Policy Manager