Cops to Congress: We need logs of Americans' text messages
AT&T, Verizon Wireless, Sprint, and other wireless providers would be required to record and store information about Americans' private text messages for at least two years, according to a proposal that police have submitted to the U.S. Congress.
CNET has learned a constellation of law enforcement groups has asked the U.S. Senate to require that wireless companies retain that information, warning that the lack of a current federal requirement "can hinder law enforcement investigations."
They want an SMS retention requirement to be "considered" during congressional discussions over updating a 1986 privacy law for the cloud computing era -- a move that could complicate debate over the measure and erode support for it among civil libertarians.
As the popularity of text messages has exploded in recent years, so has their use in criminal investigations and civil lawsuits. They have been introduced as evidence in armed robbery, cocaine distribution, and wire fraud prosecutions. In one 2009 case in Michigan, wireless provider SkyTel turned over the contents of 626,638 SMS messages, a figure described by a federal judge as "staggering."
Chuck DeWitt, a spokesman for the Major Cities Chiefs Police Association, which represents the 63 largest U.S. police forces including New York City, Los Angeles, Miami, and Chicago, said "all such records should be retained for two years." Some providers, like Verizon, retain the contents of SMS messages for a brief period of time, while others like T-Mobile do not store them at all.
Along with the police association, other law enforcement groups making the request to the Senate include the National District Attorneys' Association, the National Sheriffs' Association, and the Association of State Criminal Investigative Agencies, DeWitt said.
Excerpts from court opinion in Rhode Island murder case
"Sgt. Gates sent a letter to T-Mobile in advance of obtaining the warrant for the T-Mobile phone records to ask the service provider to preserve the information that he expected to request by the warrant. T-Mobile produced the requested information on October 20, 2009, and the records show that Defendant's use of the T-Mobile cell phone was almost exclusively for text messaging. The results also reveal that T-Mobile does not store, and has no capacity to produce, the content of subscriber text messages.
"Unlike T-Mobile, Verizon was able to produce records with text messaging content in them. The content of the LG cell phone matches the photographs taken on October 4, 2009 by Det. Cushman, including a text message which reads, 'Wat if I got 2 take him 2 da hospital wat do I say and dos marks on his neck omg,' which is the message that Sgt. Kite testified to having seen that morning.
"Sprint/Nextel responded on October 13, 2009. It produced two preserved text messages, both of which were unrelated to this case, and no voice mail messages."
"This issue is not addressed in the current proposal before the committee and yet it will become even more important in the future," the groups warn.
That's a reference to the Senate Judiciary committee, which approved sweeping amendments to the Electronic Communications Privacy Act last week. Unlike earlier drafts, the latest one veers in a very privacy-protective direction by requiring police to obtain a warrant to read the contents of e-mail messages; the SMS push by law enforcement appears to be a way to make sure it includes one of their priorities too.
It wasn't immediately clear whether the law enforcement proposal is to store the contents of SMS messages, or only the metadata such as the sender and receiver phone numbers associated with the messages. Either way, it's a heap of data: Forrester Research reports that more than 2 trillion SMS messages were sent in the U.S. last year, over 6 billion SMS messages a day.
The current policies of wireless providers have been highlighted in some recent cases. During a criminal prosecution of a man for suspected murder of a 6-year old boy, for example, police in Cranston, R.I., tried to obtain copies of a customer's text messages from T-Mobile and Verizon. Superior Court Judge Judith Savage said that, although she was "not unfamiliar with cell phones and text messaging," she "was stunned" to learn that providers had such different policies.
While the SMS retention proposal opens a new front in Capitol Hill politicking over surveillance, the principle of mandatory data retention is hardly new. The Justice Department has publicly called for new laws requiring Internet service providers to record data about their customers, and a House of Representatives panel approved such a requirement last summer.
"We would oppose any mandatory data retention mandate as part of ECPA reform," says Christopher Calabrese, legislative counsel for the American Civil Liberties Union. That proposal is "a different kettle of fish -- it doesn't belong in this discussion," he says.
An internal Justice Department document (PDF) that the ACLU obtained through the Freedom of Information Act shows that, as of 2010, AT&T, T-Mobile, and Sprint did not store the contents of text messages. Verizon did for up to five days, a change from its earlier no-logs-at-all position, and Virgin Mobile kept them for 90 days. The carriers generally kept metadata such as the phone numbers associated with the text for 90 days to 18 months; AT&T was an outlier, keeping it for as long as seven years, according to the chart.
A review of court cases by CNET suggests that Justice Department document is out of date. While Sprint is listed as as not storing text message contents, the judge in Rhode Island noted that the company turned over "preserved text messages." And in an unrelated Connecticut case last year, a state judge noted that Sprint provided law enforcement with "text messages involving the phone numbers."
An e-mail message from a detective in the Baltimore County Police Department, leaked by Antisec and reproduced in a Wired article last year, says that Verizon keeps "text message content on their servers for 3-5 days." And: "Sprint stores their text message content going back 12 days and Nextel content for 7 days. AT&T/Cingular do not preserve content at all. Us Cellular: 3-5 days Boost Mobile LLC: 7 days"
Sprint and Verizon referred calls last week to CTIA - The Wireless Association, which declined to comment. So did the Justice Department. T-Mobile and AT&T representatives did not respond to a request for comment.
Katie Frey, a spokeswoman for U.S. Cellular, said:
Due to the volume of text messages sent by our customers every day, text messages are stored in our systems for approximately three to five days. The content of text messages can only be disclosed subject to a lawful request. We comply with every lawful request from authorities.
We have a dedicated team of associates who are available 24 hours a day, every day of the year, to handle requests for information in emergency situations. Law enforcement must be able to show that it's an emergency and complete an Exigent Circumstance Form prior to receiving data. If a situation is not an emergency, law enforcement must submit a lawful request to receive the data.
Over the past five years, U.S. Cellular has received more than 103,000 requests in the form of subpoenas, court orders, search warrants and letters regarding customers' phone accounts and usage.
Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, said he would be skeptical of the need for a law mandating that text messaging data be retained.
"These data retention policies serve one purpose: to require companies to keep databases on their customers so law enforcement can fish for evidence," he said. "And this would seem to be done against the wishes of the providers, presumably, since...some of the providers don't keep SMS messages at all."