WASHINGTON – U.S. mobile-carriers such as AT&T Inc. and Verizon Wireless retain customer data including billing records and the cell towers used by a phone for at least a year, according to a Justice Department document.
AT&T has some of the longest retention periods, saving text-message details, some call records and copies of bills for as long as seven years, according to the document, which was posted today on the Justice Department’s website. The document also outlined data-retention practices at Sprint Nextel Corp. and T-Mobile USA Inc.
“This disclosure reflects the importance of data minimization,” Greg Nojeim, senior counsel at the Center for Democracy and Technology in Washington, said in an interview. “Some companies do a much better job of disposing of sensitive, personally identifiable information. Once such information is no longer needed for business-reasons, it shouldn’t be held onto because of the risks that it could be obtained by a hacker.”
Mobile phone records are obtained through a legal process mandated by the Electronic Communications Privacy Act, Laura Sweeney, a Justice Department spokeswoman, said in an email. The document posted today was originally produced for law enforcement and was released following a Freedom of Information Act request from the American Civil Liberties Union of North Carolina.
“Communications providers store records for business purposes, however those records can also be critical to a wide variety of criminal and national security investigations,” Sweeney said.
Law Enforcement Requests
Verizon Wireless responds to law enforcement requests for customer data if it is able to provide the information, according to Jeffrey Nelson, a spokesman for the Basking Ridge, N.J.-based carrier, which is owned by New York-based Verizon Communications Inc. and Newbury, England-based Vodafone Group Plc.
“While we won’t comment on the details in the report, Verizon Wireless keeps data for various periods of time in order to provide services to our customers, including responding to customer inquiries about their own accounts,” Nelson said in an interview. “We take the privacy of our customers very seriously, and have policies and procedures in place to safeguard customer information.”
Privacy Policy
Michael Balmoris, a Washington-based spokesman for AT&T, pointed to the company’s privacy policy and referred to an April 19 letter sent to Representatives Edward Markey, a Massachusetts Democrat, and Joe Barton, a Texas Republican, that detailed its practices for handling customer data.
AT&T gathers data to provide “the best customer experience possible” and uses “powerful encryption and other security safeguards to protect customer data,” according to the company’s privacy policy.
T-Mobile collects personal information for “various business purposes” and to “create and improve products and services,” according to the privacy policy posted on its website. The company uses a “variety of physical, electronic and procedural safeguards to protect personal information.”
T-Mobile did not immediately respond to requests for comment.
Sprint uses personal information from customers for business purposes, to “respond to legal process” and improve services, according to its privacy policy. “We maintain a variety of physical, electronic, and procedural safeguards,” which protect “personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction,” according to the company’s policy.
Good Stewards
“We act as good stewards of our customers’ personal information while also meeting our obligations to law enforcement agencies,” Jason Gertzen, a spokesman for Overland Park, Kan.-based Sprint, said in an email. “Different categories of data are retained for varying lengths of time depending on the type and sensitivity of data, the applicable laws and regulations governing the retention of such data and the business purpose of the data.”
