Phone Companies Worry They'll Be Required to Store Customer Data for NSA


Privacy advocates are cautiously optimistic about a number of reforms that President Obama promised to make to the National Security Agency on Friday. But Obama punted on one critical issue that has privacy groups and the telecom industry worried: Will the government require phone companies to maintain vast databases of phone records?

The most controversial revelation from the leaks by Edward Snowden is that the NSA collects records on virtually all U.S. phone calls. The records include phone numbers, call times and call durations—but not the contents of any conversations.

Ending bulk data collection, which the NSA claims is authorized under Section 215 of the Patriot Act, has been the top priority for civil liberties groups.

Obama announced on Friday that he will end the program "as it currently exists."

Starting immediately, NSA analysts will need approval from the Foreign Intelligence Surveillance Court every time they want to access the phone database. Obama also said he plans to eventually move the database out of the government's hands. The president directed Attorney General Eric Holder and top intelligence officials to come up with a plan by March 28 for turning over control of the database.

But no matter who stores the data, the NSA will want to ensure that its analysts can still access it when they want to map the connections of a potential terrorist group. That could mean the administration will ask Congress to enact a mandate requiring phone companies to store their customers' data on behalf of the NSA.

Privacy advocates warn that a data retention mandate would turn phone companies into agents of the NSA.

"To the contrary, companies should be working on ways to store less user data for less time—decreasing the risks from data breaches and intrusions like the one that just happened to Target," wrote Cindy Cohn and Rainey Reitman of the Electronic Frontier Foundation. "Data retention heads in the wrong direction for our security regardless of whether the government or private parties store the information."

Kevin Bankston, a policy director for the New America Foundation, said that if the alternative to government storage is mandatory data retention or a requirement for phone companies to turn the data over to some other third party, "the President should be prepared for a major legislative battle with key members of Congress, the technology industry and the privacy community arrayed against him."

The telecom companies themselves have no interest in new regulatory requirements for data retention. Storing the vast amounts of data would be expensive and could open the companies up to new lawsuits.

CTIA, a lobbying group representing the cellphone carriers, issued a statement emphasizing that the government can balance security and privacy "without the imposition of data retention mandates that obligate carriers to keep customer information any longer than necessary for legitimate business purposes."

Verizon, AT&T and other telecom companies are some of the most powerful lobbying forces in Washington and would likely fight any proposal for data retention.

Patrick Leahy, the Democratic chairman of the Senate Judiciary Committee, has been one of the most outspoken critics of the NSA and has introduced legislation that would end bulk collection entirely.

In a statement, he urged the administration to consider the "privacy implications of any mandate that these records be held in the private sector."

House Judiciary Committee Chairman Bob Goodlatte noted that "third party storage itself is a very difficult proposal that raises additional concerns."

Any NSA reform bills would likely have to get through both Judiciary Committees to become law.

The fight over who will control the database likely comes down to a more fundamental disagreement—whether the program is useful in the first place. The president's own review panel concluded that the bulk collection of phone records has not stopped a single terrorist attack.

Leahy also claimed the program has not made the nation safer. But Obama in his speech made clear that though he is open to some structural changes, he believes it is critical to maintain the program's capabilities.

"The telephone metadata program under Section 215 was designed to map the communications of terrorists, so we can see who they may be in contact with as quickly as possible. This capability could also prove valuable in a crisis," Obama said.

"For example, if a bomb goes off in one of our cities and law enforcement is racing to determine whether a network is poised to conduct additional attacks, time is of the essence. Being able to quickly review telephone connections to assess whether a network exists is critical to that effort."
