Tag Archives: metadata

Telco Rules for Subpoenas

Senator Marsha Blackburn (R-Tenn.) recently wrote to the CEOs of AT&T, T-Mobile, and Verizon to ask why they had complied with subpoenas seeking phone toll records from her and other Republican senators. Senator Blackburn said the FBI had gotten call metadata for the period of Jan. 4–7, 2021.

For those not familiar with the term, metadata for telephone calls are records that a call was made, which includes the called and calling party and the time and duration of the call. Telephone companies don’t listen to or record the content of voice calls.

Today’s blog looks at telephone company rules for retaining data and responding to subpoenas.

Record Retention. Federal law and FCC rules require telephone companies to retain call records for at least 180 days. Many telcos hold call metadata longer.

There are no specific rules for the retention of text messages, and each carrier has a different policy. For example, AT&T says it doesn’t store the content of text messages. Verizon says it keeps the content of texts for 3-5 days. Most cell carriers keep the metadata for texts for longer periods, like is done with voice calls.

When you hear about court cases that use text messages as evidence, or stories in the press about text message content, the content of the text messages comes from the cellphones of one of the parties to a text. Your phone will typically keep the details of your text messages for years unless you delete them.

ISPs in the U.S. are not required to retain customer browsing data or emails. Browsing data shows the websites a user has visited and the time and duration of a connection. ISPs typically don’t try to retain encrypted web searches. Most ISPs retain browsing history or email details for a limited time, often up to several months. If an ISP still has the data, it’s likely that they would respond to a valid subpoena and produce it. Some ISPs permanently keep records of when a customer is online or offline and the amount of data consumed.

ISPs and telcos typically retain other customer data like billing records or trouble logs, often for many years.

Responding to Subpoenas. Federal and state laws require telephone companies to provide call records to law enforcement or other government entities when requested by a valid subpoena, court order, or search warrant. In the case of Senator Blackburn, AT&T, T-Mobile, and Verizon were required by law, and by longstanding common practice, to comply with a subpoena from the FBI.

Carriers are allowed to challenge a subpoena. For example, a carrier might refuse a subpoena that is not properly addressed or that lacks the proper signatures. A carrier might refuse to comply with a subpoena that was issued in a State that has no jurisdiction over where the phone records are stored. Carriers might refuse to comply if satisfying the subpoena is too burdensome or costly. But carriers respond to most subpoenas.

Wiretaps. Wiretaps occur when law enforcement wants to either listen to live voice calls or intercept broadband usage and must be obtained through a subpoena. In some cases, this is done using federal CALEA law, but can also come from a direct subpoena or court order. Most typically, law enforcement will ask to have call or data streams forwarded to them, and the ISP doesn’t do the monitoring.

Who Owns IoT Data?

The press has been full of discussion over the last month with numerous articles about Internet privacy. Recent moves by the FCC and Congress have opened the doors for ISPs to track and monetize customer data.

But there is another, possibly bigger source of data that nobody is talking about. I ask the question today about who owns data from the Internet of Things? Our homes are starting to fill up with devices that have the ability to monitor our behavior in numerous ways. Currently there are no specific laws governing the collection and use of this data.

For example, there are now many kinds of devices that listen to conversations in our homes – the one thing that most people probably consider as private and personal. A few years ago we learned that Samsung TVs were capable of hearing all conversations in the room. It was reported at Christmas time that there are now dolls that listen to everything said and send the conversations to the cloud. Millions have invited talking personal assistants into their homes and business in the form of Amazon Echo or the numerous other devices hitting the markets. And many more millions now use Apple’s Siri when driving their cars. And those are just the devices that listen to us today. It’s expected that within the next few years that many electronic devices will be voice activated and monitored in the cloud.

But there are numerous other kinds of devices that can spy on us. Security systems can track every movement of people within a home, and scientists say that understanding people’s movements says a lot about them – including things we might not even understand. When motion sensors get coupled with video cameras the security concerns get even scarier.

But monitoring our IoT can be even simpler than that and seem somewhat innocuous. Numerous manufacturers of appliances plan to include IoT monitoring capability so that they can understand how we use their products. You wouldn’t think that there is much to be worried about if your new blender tells the factory exactly how and when you use it. But if these companies decide to monetize the data they are collecting they could sell it to somebody that collects and collates data from all of our devices – and that aggregator could paint an incredibly detailed picture of our lives.

All of these devices will report back to the cloud using either WiFi or cellular connections, and that means the IoT data will always flow through an ISP on the way to the cloud. One would hope that much of this data will be encrypted, but if not then our ISPs might be the ones using big data analytics to paint a detailed picture of each of us.

From a legal perspective there is no clear answer about who owns this kind of data. Data from IoT devices are not specifically covered under current intellectual property laws. And that’s what makes this all murky. We provide personal data to outsiders in different ways, which might eventually make a legal difference. For example, any time we voluntarily give somebody access to data then they gain a right to use it. We all do this all of the time when we sign up for social media platforms or smartphone apps.

But the situation is probably different when we didn’t specifically grant any approval to use our data. I don’t expect that I am going to be required to sign a terms of service to use a new TV, a smart washer or a blender. In that case there can be a stronger argument made that such data belongs to the customer unless they grant specific approval to use it.

Things get even messier when we start looking at metadata. This is composite data that combines data from multiple people into a jumbled pile. But burying personal data inside metadata does not mean that people can’t be identified from the pile of data – it just means that it’s a bit harder to do.

At some point this is going to have to be addressed legally. Right now, without specific laws controlling this kind of data it’s a no man’s land. It’s hard to think that a court today would know what to do with a complaint that a vendor somehow violated us by using our data.

How Much Would You Pay for Privacy?

Keep OutAT&T has started offering gigabit data in Austin to compete with Google fiber and Grande Communications. AT&T has matched Google’s price of $70 per month for a gigabit of bandwidth, but there is a second option—for $29 more per month they will guarantee not to spy on you and record your web browsing.

That claim actually came as a surprise to me, both for the price and for the claim of privacy. If I thought I could really get better privacy I might consider paying $5 more per month, or maybe $10 at the most. But $29? That’s $348 extra dollars per year for AT&T to not spy on you.

I sit and wonder how they came up with that number. That certainly can’t be a ‘make-whole’ number to compensate them for the amount they make for selling your data to others. They certainly get some value from selling advertising rights for the web sites you visit. But from what I know of the industry, it’s hard to think that they could be getting much more than maybe $1 – $2 per customer per month from that. And it’s also hard to believe that if you sign up for this that you still aren’t going to get ads that AT&T makes some money on. Perhaps the ads would be a little less targeted at you, but they are not going to send you to web pages with all blank ad slots.

Perhaps they get a little more by peddling data about you to the companies that are building profiles on everybody. But I also have a hard time seeing a whole lot of value from this for them today. So how did they come up with the $29 monthly fee? It’s almost like they are expecting nobody to buy it and perhaps it is just a marketing ploy to remind people that Google gathers a lot of data about you.

But even after getting over the shock of the price, which seems aimed at attracting nobody, I must ask how effective their claim might be about not recording what you do on the web. The problem is that they are not the only ones watching you, and they have no way to keep others from gathering data on you no matter how much they charge.

If you use the Google search engine then Google is watching you. If you use Bing for search then Microsoft is watching you. And your browsers watch you as well. If you use Chrome, for example, then Google knows every web site you visit. Same thing with Microsoft Explorer and most of the rest of the browsers. There are search engines and browsers that say that they don’t watch you, so if you are the kind of person willing to pay $29 a month to get AT&T to not record you, then you are probably going to also use the alternatives.

And there are lots of other sites that track you and build profiles of who you are. Even if AT&T doesn’t record what you do, if you use any social media sites or lot of other free software services on the web, those companies are learning as much as they can about you.

And then there are tracking cookies. I don’t know about everybody else, but because I read a lot of articles on tech and telecom each day I seem to get about 50 tracking cookies a day on my computer. AT&T’s plan is not going to help you with these, and unless you scrub your computer often you are going to be tracked to some extent.

Even if you do all of those things and pay AT&T,  use alternate search engines and browsers, don’t use social media and scrub your cookies often, you still are going to be tracked. It seems that the NSA is more or less recording everything that passes through major Internet hubs – every email, web search, browsing session.

Finally, even if you pay AT&T to not track you, if a law enforcement agency subpoenas them to track you, they will comply and track you anyway. That’s the law and they have always freely complied with that law.

So I sit here wondering: what do you really get if AT&T doesn’t record your web usage? And honestly, I think you get very little. They are certainly one of the parties on the web who can track you, and as your ISP they see everything. But so do a whole lot of other parties on the web. If you are going to use the web you are going to be tracked and profiled no matter what you do.

As I described in a blog of just a few weeks ago, it’s possible today to extract information about you from big databases using only a few data points. The example that researchers used was how easy it was to identify your credit card purchases out of huge metadata files using only a few seemingly unrelated data points for reference. The fact is, now that companies are using big data techniques to look through web transactions, it’s getting easier and easier to track you and I can see only minor benefits to cutting your ISP out of that process.

So I sit and laugh at anybody willing to shell out $29 per month to AT&T for privacy, because it’s largely a sham. One has to even wonder if they have the ability to not track you, and for that money they might instead just ignore your data when working with big data. I must say, that the AT&T offer is one of the oddest things I have ever seen in our industry. I would love it if one of my readers could show me the value in paying $29 each month to AT&T.

Tracking Us Online

SpyVsSpyAn interesting article from MIT shows how easy it is to identify people using just a few data points. The scientists have demonstrated that only a few data points can identify you well enough to pick out your credit card purchases made from a giant file of credit cards purchases.

What I think that most people are going to find scary about this is that the data points don’t even have to be related. To quote the article, “That means that someone with copies of just three of your recent receipts — or one receipt, one Instagram photo of you having coffee with friends, and one tweet about the phone you just bought — would have a 94 percent chance of extracting your credit card records from those of a million other people.”

What this means is that the ‘metadata’ that a lot of companies sell to each other is not safe, as they would have you believe. Metadata is data that has been scrubbed of identifying information. For instance, it might be credit card transactions without the credit card number and the name of the person doing the purchasing. But it would show the date of the purchase, the amount spent, and some short description of what was bought.

But metadata can mean many other things. It can mean readings from your home Internet of Things devices or your fitness wearable. It can mean records on web sites you visited through a search engine. It can be almost any big pile of raw data that is assembled and compiled from individual transactions. Big web sites tell us not to worry about security because they don’t sell our information. Instead they only sell big metadata files that have removed any personal identifying information.

What the MIT data shows is that it’s relatively easy for data scientists to find any individual’s records within a big pile of metadata. Just two data points were enough in this MIT trial to identify 40 percent of people. Five data points were enough to identify almost everybody.

Of course, in real life we leave all sorts of data points in public that identify us. We allow adware to stay on our computers that tell advertisers sites we have visited in the past. We allow tracking cookies that might tell somebody our name and address. We frequently sign up for public websites and then give them all sorts of personal information in exchange for the right to use the site for free. And we tell sites like Pinterest and Facebook all of our likes and dislikes from restaurants to clothes to politics.

I read somewhere last year that there are other easy ways to identify almost everybody. One thing that makes us easy to identify is the configuration file on our computer that tracks all of the specific versions of software. It turns out that this is as accurate for identifying a given computer as fingerprints are to identify people. Every computer contains small differences in the versions of programs installed that makes that machine unique. When you consider the hundreds or programs and apps that sit on a typical PC, tablet, or smartphone this is not surprising.

I don’t think there are many people left who are naïve enough not to know that people watch what you do online. After all, if you post all of your favorite things on some public website, you have to expect that somebody is going to gather that information somewhere and associate it with you in a database.

But this MIT research shows that big data research firms can take that public data and then match it up to all sorts of things that you didn’t think were public, like scrubbed metafile records of credit card receipts or phone calls. We’ve been told that such metadata records are anonymous, but this research shows how easy it is for a big company to crack the metadata and find your specific records.

We would be naïve to think that somebody isn’t already doing that. There are now a number of firms who will sell you a file of data about anybody if you are willing to pay them for it. A company that will do that has no morals, because they could be selling your information to a jealous partner (or ex-partner), a stalker, or who knows who else? This kind of data is also available to your employer or anybody else willing to pony up a few bucks to take a closer look at you.

It ought to be illegal to sell your personal data to the public, but it’s not. But even if your personal data was not available to the general public, it is routinely passed between large corporations who use it to create a detailed profile of you.

I don’t think there is any way to stop companies from gathering data on us. Data is now generated for everything we do as a routine part of living in a computerized world. If we had strict privacy laws it could be made harder to share such data and to monetize it. But it’s going to take a lot of people to get really angry about this for this to drive a political change. We don’t seem very close to that point yet.