How would you feel if your phone carrier accidentally leaked every record of every call you made—and didn’t even tell you? If you’re like most Americans, you would be livid, because the vast majority of us care deeply about the privacy of our phone records. A November report from the Pew Research Center found that 82 percent of Americans consider location information gathered by their phones to be “sensitive” or “very sensitive,” and 75 percent feel that way about the numbers they have called or texted. But a forthcoming bill from Congress could dramatically reduce the security of that information—amid a number of high-profile data breaches.
The threat comes from a bill—scheduled to be introduced in the House this week—called (incongruously) the “Data Security and Breach Notification Act of 2015.” As I explained in testimony before the House of Representatives last week, counter to its name, this piece of legislation would actually eliminate key legal protections for phone, cable, and satellite records.
What would this mean for you? You could no longer assume that any information your phone, cable, or satellite provider collects about you is protected, and companies would no longer be obligated to tell you if that information is compromised. The results could be disastrous. Just a list of the phone numbers called by a customer would reveal not only information about that customer’s ties to other individuals, but also ties to organizations, health-related entities, hotlines, support groups, and so on. That list of numbers could reveal that the customer had called a hotline for suicidal thoughts or domestic violence. It could indicate that the customer likely had an abortion, needed 911 services, battled addiction, or struggled to come to terms with her sexual orientation.
And analyzing the records further would reveal even more intimate details, including, in the words of computer scientist Ed Felten:
[W]hen we are awake and asleep; our religion, if a person regularly makes no calls on the Sabbath, or makes a large number of calls on Christmas Day; our work habits and our social attitudes; the number of friends we have; and even our civil and political affiliations.
Phone records also contain location information. Even when customers turn off GPS on their phones, carriers keep a record of which network antenna is communicating with the phone during every call. As computer scientist Vitaly Shmatikov explained last year in a letter to the Federal Communications Commission, this information can be used to reconstruct a customer’s movements, revealing the path someone takes to drive to work or walk to her children’s school, or the location of his gym or place of worship.
As for cable and satellite customers’ viewing histories, it’s hard to imagine a class of information with greater potential for humiliation than an account of what we watch in the privacy of our own homes. Indeed, Congress was so spooked by the publication of Supreme Court nominee Robert Bork’s innocuous video rental history in 1988 that they almost immediately passed the Video Privacy Protection Act, which protects records about video rentals.
Right now, phone carriers have to train personnel on protections for these records, have an express disciplinary process in place for abuses, and annually certify that they are in compliance with the rules. Cable and satellite providers also have to carefully protect all of their customers’ information. The new bill would change all that.
Setting aside the absurdity of eliminating data security protections under a law that purports to improve them, this makes no sense. Strong protections for communications records—like the ones we have now—are appropriate. Phone customers have no choice but to share extremely sensitive information with their carriers about whom they call, when, and how long they talk. The 91 percent of us who have cellphones have no choice but to share even more information, including data about our physical locations and movements over time. Software that carriers have required manufacturers to build into phones could reveal even more granular information about us, as we learned from the Carrier IQ controversy a few years ago.
In addition, we have very few options when it comes to choosing phone providers. Although the four major wireless carriers are nominally “national,” not one serves every area in the country. Americans who want a landline have even fewer options—there is often just one provider available for any given address.
And for the vast majority of us who have cable or satellite TV, we take it for granted that embarrassing information about what we watch will be kept private and protected.
Soon those protections could just disappear. And if, as a result, your private information falls into the wrong hands, you’ll never even know.