A move to get massive amounts of surveillance data out of the government's hands could backfire for some firms.
Privacy advocates are cautiously optimistic about a number of reforms that President Obama promised to make to the National Security Agency on Friday. But Obama punted on one critical issue that has privacy groups and the telecom industry worried: Will the government require phone companies to maintain vast databases of phone records?
The most controversial revelation from the leaks by Edward Snowden is that the NSA collects records on virtually all U.S. phone calls. The records include phone numbers, call times and call durations—but not the contents of any conversations.
Ending bulk data collection, which the NSA claims is authorized under Section 215 of the Patriot Act, has been the top priority for civil liberties groups.
Obama announced on Friday that he will end the program "as it currently exists."
Starting immediately, NSA analysts will need approval from the Foreign Intelligence Surveillance Court every time they want to access the phone database. Obama also said he plans to eventually move the database out of the government's hands. The president directed Attorney General Eric Holder and top intelligence officials to come up with a plan by March 28 for turning over control of the database.
But no matter who stores the data, the NSA will want to ensure that its analysts can still access it when they want to map the connections of a potential terrorist group. That could mean the administration will ask Congress to enact a mandate requiring phone companies to store their customers' data on behalf of the NSA.
Privacy advocates warn that a data retention mandate would turn phone companies into agents of the NSA.
"To the contrary, companies should be working on ways to store less user data for less time—decreasing the risks from data breaches and intrusions like the one that just happened to Target," wrote Cindy Cohn and Rainey Reitman of the Electronic Frontier Foundation. "Data retention heads in the wrong direction for our security regardless of whether the government or private parties store the information."
Kevin Bankston, a policy director for the New American Foundation, said that if the alternative to government storage is mandatory data retention or a requirement for phone companies to turn the data over to some other third party, "the President should be prepared for a major legislative battle with key members of Congress, the technology industry and the privacy community arrayed against him."
The telecom companies themselves have no interest in new regulatory requirements for data retention. Storing the vast amounts of data would be expensive and could open the companies up to new lawsuits.
CTIA, a lobbying group representing the cellphone carriers, issued a statement emphasizing that the government can balance security and privacy "without the imposition of data retention mandates that obligate carriers to keep customer information any longer than necessary for legitimate business purposes."
Verizon, AT&T and other telecom companies are some of the most powerful lobbying forces in Washington and would likely fight any proposal for data retention.
Patrick Leahy, the Democratic chairman of the Senate Judiciary Committee, has been one of the most outspoken critics of the NSA and has introduced legislation that would end bulk collection entirely.
In a statement, he urged the administration to consider the "privacy implications of any mandate that these records be held in the private sector."
House Judiciary Committee Chairman Bob Goodlatte noted that "third party storage itself is a very difficult proposal that raises additional concerns."
Any NSA reform bills would likely have to get through both Judiciary Committees to become law.
The fight over who will control the database likely comes down to a more fundamental disagreement—whether the program is useful in the first place. The president's own review panel concluded that the bulk collection of phone records has not stopped a single terrorist attack.
Leahy also claimed the program has not made the nation safer. But Obama in his speech made clear that though he is open to some structural changes, he believes it is critical to maintain the program's capabilities.
"The telephone metadata program under Section 215 was designed to map the communications of terrorists, so we can see who they may be in contact with as quickly as possible. This capability could also prove valuable in a crisis," Obama said.
"For example, if a bomb goes off in one of our cities and law enforcement is racing to determine whether a network is poised to conduct additional attacks, time is of the essence. Being able to quickly review telephone connections to assess whether a network exists is critical to that effort."