Cops to Congress: We need logs of Americans' text messages

[Eugen Leitl]

http://news.cnet.com/8301-13578_3-57556704-38/cops-to-congress-we-need-logs-of-americans-text-messages/

Cops to Congress: We need logs of Americans' text messages

State and local law enforcement groups want wireless providers to store
detailed information about your SMS messages for at least two years -- in
case they're needed for future criminal investigations.

by Declan McCullagh

December 3, 2012 9:00 AM PST Follow @declanm

(Credit: Greg Sandoval/CNET)

AT&T, Verizon Wireless, Sprint, and other wireless providers would be
required to record and store information about Americans' private text
messages for at least two years, according to a proposal that police have
submitted to the U.S. Congress.

CNET has learned a constellation of law enforcement groups has asked the U.S.
Senate to require that wireless companies retain that information, warning
that the lack of a current federal requirement "can hinder law enforcement
investigations."

They want an SMS retention requirement to be "considered" during
congressional discussions over updating a 1986 privacy law for the cloud
computing era -- a move that could complicate debate over the measure and
erode support for it among civil libertarians.

As the popularity of text messages has exploded in recent years, so has their
use in criminal investigations and civil lawsuits. They have been introduced
as evidence in armed robbery, cocaine distribution, and wire fraud
prosecutions. In one 2009 case in Michigan, wireless provider SkyTel turned
over the contents of 626,638 SMS messages, a figure described by a federal
judge as "staggering."

Chuck DeWitt, a spokesman for the Major Cities Chiefs Police Association,
which represents the 63 largest U.S. police forces including New York City,
Los Angeles, Miami, and Chicago, said "all such records should be retained
for two years." Some providers, like Verizon, retain the contents of SMS
messages for a brief period of time, while others like T-Mobile do not store
them at all.

Along with the police association, other law enforcement groups making the
request to the Senate include the National District Attorneys' Association,
the National Sheriffs' Association, and the Association of State Criminal
Investigative Agencies, DeWitt said.

Excerpts from court opinion in Rhode Island murder case

"Sgt. Gates sent a letter to T-Mobile in advance of obtaining the warrant for
the T-Mobile phone records to ask the service provider to preserve the
information that he expected to request by the warrant. T-Mobile produced the
requested information on October 20, 2009, and the records show that
Defendant's use of the T-Mobile cell phone was almost exclusively for text
messaging. The results also reveal that T-Mobile does not store, and has no
capacity to produce, the content of subscriber text messages.

"Unlike T-Mobile, Verizon was able to produce records with text messaging
content in them. The content of the LG cell phone matches the photographs
taken on October 4, 2009 by Det. Cushman, including a text message which
reads, 'Wat if I got 2 take him 2 da hospital wat do I say and dos marks on
his neck omg,' which is the message that Sgt. Kite testified to having seen
that morning.

"Sprint/Nextel responded on October 13, 2009. It produced two preserved text
messages, both of which were unrelated to this case, and no voice mail
messages."

"This issue is not addressed in the current proposal before the committee and
yet it will become even more important in the future," the groups warn.

That's a reference to the Senate Judiciary committee, which approved sweeping
amendments to the Electronic Communications Privacy Act last week. Unlike
earlier drafts, the latest one veers in a very privacy-protective direction
by requiring police to obtain a warrant to read the contents of e-mail
messages; the SMS push by law enforcement appears to be a way to make sure it
includes one of their priorities too.

It wasn't immediately clear whether the law enforcement proposal is to store
the contents of SMS messages, or only the metadata such as the sender and
receiver phone numbers associated with the messages. Either way, it's a heap
of data: Forrester Research reports that more than 2 trillion SMS messages
were sent in the U.S. last year, over 6 billion SMS messages a day.

The current policies of wireless providers have been highlighted in some
recent cases. During a criminal prosecution of a man for suspected murder of
a 6-year old boy, for example, police in Cranston, R.I., tried to obtain
copies of a customer's text messages from T-Mobile and Verizon. Superior
Court Judge Judith Savage said that, although she was "not unfamiliar with
cell phones and text messaging," she "was stunned" to learn that providers
had such different policies.

While the SMS retention proposal opens a new front in Capitol Hill
politicking over surveillance, the principle of mandatory data retention is
hardly new. The Justice Department has publicly called for new laws requiring
Internet service providers to record data about their customers, and a House
of Representatives panel approved such a requirement last summer.

"We would oppose any mandatory data retention mandate as part of ECPA
reform," says Christopher Calabrese, legislative counsel for the American
Civil Liberties Union. That proposal is "a different kettle of fish -- it
doesn't belong in this discussion," he says.

An internal Justice Department document (PDF) that the ACLU obtained through
the Freedom of Information Act shows that, as of 2010, AT&T, T-Mobile, and
Sprint did not store the contents of text messages. Verizon did for up to
five days, a change from its earlier no-logs-at-all position, and Virgin
Mobile kept them for 90 days. The carriers generally kept metadata such as
the phone numbers associated with the text for 90 days to 18 months; AT&T was
an outlier, keeping it for as long as seven years, according to the chart.

A review of court cases by CNET suggests that Justice Department document is
out of date. While Sprint is listed as as not storing text message contents,
the judge in Rhode Island noted that the company turned over "preserved text
messages." And in an unrelated Connecticut case last year, a state judge
noted that Sprint provided law enforcement with "text messages involving the
phone numbers."

An e-mail message from a detective in the Baltimore County Police Department,
leaked by Antisec and reproduced in a Wired article last year, says that
Verizon keeps "text message content on their servers for 3-5 days." And:
"Sprint stores their text message content going back 12 days and Nextel
content for 7 days. AT&T/Cingular do not preserve content at all. Us
Cellular: 3-5 days Boost Mobile LLC: 7 days"

Sprint and Verizon referred calls last week to CTIA - The Wireless
Association, which declined to comment. So did the Justice Department.
T-Mobile and AT&T representatives did not respond to a request for comment.

Katie Frey, a spokeswoman for U.S. Cellular, said:

    Due to the volume of text messages sent by our customers every day, text
messages are stored in our systems for approximately three to five days. The
content of text messages can only be disclosed subject to a lawful request.
We comply with every lawful request from authorities.

    We have a dedicated team of associates who are available 24 hours a day,
every day of the year, to handle requests for information in emergency
situations. Law enforcement must be able to show that it's an emergency and
complete an Exigent Circumstance Form prior to receiving data. If a situation
is not an emergency, law enforcement must submit a lawful request to receive
the data.

    Over the past five years, U.S. Cellular has received more than 103,000
requests in the form of subpoenas, court orders, search warrants and letters
regarding customers' phone accounts and usage.

Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, said
he would be skeptical of the need for a law mandating that text messaging
data be retained.

"These data retention policies serve one purpose: to require companies to
keep databases on their customers so law enforcement can fish for evidence,"
he said. "And this would seem to be done against the wishes of the providers,
presumably, since...some of the providers don't keep SMS messages at all."

Last updated at 9:10 a.m. PT