The Computer Crime and Intellectual Property Section of the U.S. Department of Justice compiled a summary in August 2010 of the retention periods of major cellular service providers of data transmitted to and from users’ mobile devices. The report is here. (PDF link) The American Civil Liberties Union (ACLU) obtained a copy of the foregoing report through a Freedom of Information Act (FOIA) request. The contents of the report are interesting, to say the least.
As reported by Cory Doctorow on the terrific Boing Boing in this article, and by David Kravets of Wired.com in this article titled "Which Telecoms Store Your Data the Longest? Secret Memo Tells All," it is unclear which major cellular carrier treats our usage data with the most respect. On the one hand, Verizon stores text message details (just the transmission receipt details, such as recipient and time) only one year, compared to as long as 5-7 years for post-paid subscribers of AT&T. On the other hand, AT&T, Sprint and T-Mobile store none of the contents of text messages, whereas Verizon stores that information for 3-5 days. The IP Session information may be the most interesting, because of the additional information that can be gleaned from the raw data, the question of why it is stored (billing disputes?) and the disparity in length of storage. One of the excellent infographics posted on Wired’s web site is posted here, but a full Wired article is a must read.
Besides this information being eye opening on a personal level, it can be crucial evidence in the case of a corporate data breach. While we all hope that law enforcement will use all tools available to it when investigating a corporate crime, knowing the tight time constraints under which businesses investigating a potential crime is crucial. To be clear, I am referring to use of these tools as an option for ethical investigations into criminal activity through law enforcement. These are not tools to assist a company in sacking an employee that is surfing the web on her mobile phone while on the clock. In any event, these time frames should be considered when investigating a suspected data breach.
If you are getting that "eye in the sky is watching me" feeling, I will be sure not to mention the warrantless GPS and triangulation tracking capabilities of the major mobile carriers available to law enforcement.
Source: BoingBoing.net; Wired.com