October 2, 2022

T’Mobile: Deleting Stale Data Reduces Liability

T-Mobile’s data breach in August 2021 exposed the social security numbers and drivers license numbers for over 40 million former or prospective customers. I recently discovered that I was one such victim because of an alert that popped up on my phone this weekend from my credit monitoring service. I was surprised because I have not been a customer for over 5 years. Why did they still have my data? 

T-Mobile has not yet contacted me or explained why they retained my data. Various state and federal regulators are now investigating whether T-Mobile had “reasonable data security” measures in place to protect customer information. Certain aspects of the regulatory investigation will undoubtedly examine what technical measures T-Mobile used and whether they were adequate. But one important non-technical issue worth investigating further is whether the company had meaningful data retention and deletion policies, and whether it followed them. 

It appears T-Mobile’s privacy policy first introduced a statement about its data retention practices in 2013, as captured in a longitudinal study, “Privacy Policies over Time: Curation and Analysis of a Million-Document Dataset,” that our team of researchers at the Center for Information Technology Policy published in 2021. The retention policy itself is a terse one-line statement that says “we retain your personal data for business or tax needs, or legal reasons,” without any further explanation. 

But what “business need” required retaining sensitive information about former or prospective customers who had not converted into T-Mobile customers? If T-Mobile cannot justify a legitimate need, it should be held accountable for misleading the public about its data practices.

Recent data breaches involving telecommunication carriers – this is the 5th reported breach for T-Mobile since 2018 – have led the Federal Communications Commission to consider new rules to address data breaches. The FCC might draw inspiration from the Federal Trade Commission’s security guidelines for information held by financial institutions. The FTC used our public comments to modify the Safeguards Rule to require automatic destruction of customer information two years after it was last used, unless the information is required for a legitimate business purpose. 

In a different context, the FTC’s rules implementing the Children’s Online Privacy Protection Act of 1998 also mandates data retention and deletion requirements when it comes to information about children: “An operator of a Web site or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.” 

In short, minimizing data collection and retention are simple, inexpensive steps that are effective against all manner of sophisticated or unsophisticated attacks. Any company that seeks to protect their customers should develop such policies to reduce its liability in the event of a data breach. 

Arlington v. FCC: What it Means for Net Neutrality

[Cross-posted on my blog, Managing Miracles]

On Monday, the Supreme Court handed down a decision in Arlington v. FCC. At issue was a very abstract legal question: whether the FCC has the right to interpret the scope of its own authority in cases in which congress has left the contours of their jurisdiction ambiguous. In short, can the FCC decide to regulate a specific activity if the statute could reasonably be read to give them that authority? The so-called Chevron doctrine gives deference to administrative agencies’ interpretation of of their statutory powers, and the court decided that this deference extends to interpretations of their own jurisdiction. It’s all very meta, but it turns out that it could be a very big deal indeed for one of those hot-button tech policy issues: net neutrality.

Scalia wrote the majority opinion, which is significant for reasons I will describe below. The opinion demonstrated a general skepticism of the telecom industry claims, and with classic Scalia snark, he couldn’t resist this footnote about the petitioners, “CTIA—The Wireless Association”:

This is not a typographical error. CTIA—The Wireless Association was the name of the petitioner. CTIA is presumably an (unpronounceable) acronym, but even the organization’s website does not say what it stands for. That secret, known only to wireless-service-provider insiders, we will not disclose here.

Ha. Ok, on to the merits of the case and why this matters for net neutrality.
[Read more…]

The State of Connectivity in Latin America: from Mobile Phones to Tablets

Ten years ago, issues like e-health, e-education and e-government were more products of wishful thinking than ideas with a real possibility of being implemented in most Latin American countries. Conversely, the present moment has become a turning point for the region in terms of connectivity. Government policies, markets and non-profit initiatives are contributing to improve the overall connectivity in the region.

By 2012 98% of the population in the region had access to a mobile cell signal and 84% of households subscribe to some type of mobile service, according to a World Bank report. This rather quick expansion of ICTs in Latin America and the Caribbean (LAC) caught many intellectual property and access to knowledge scholars and practitioners unprepared. While they were still considering hypothetical models for deploying and using information and communication technologies (ICTs), a significant portion of the region’s population was already putting in practice innovative uses to newly available technology, and going beyond expectations in terms of self-organization and empowerment.
[Read more…]

When Technology Sanctions Backfire: The Syria Blackout

American policymakers face an increasingly complex set of choices about whether to permit commerce with “repressive regimes” for core internet technologies. The more straightforward cases involve prohibitions on US import of critical network technology from states that we suspect may include surveillance backdoors. For example, fears of “cyber espionage” have fueled a push for import bans on routers and other equipment from China.

Things get more complicated when the United States chooses to place sanctions on technologies that it exports to “repressive regimes.” In October of last year, the Electronic Frontier Foundation revealed that routers made by US-based BlueCoat Systems had been used in Syria to filter dissent. EFF noted that this appeared to violate export controls established by the US Government, and chastised BlueCoat. At the time, this seemed like an odd stance for the EFF. On the one hand, there were clear harms to citizens on the ground. On the other hand, EFF has helped to lead the charge against the ill-fated attempt to criminalize exportation of digital tools. I am somewhat skeptical about the ability to draw a bright line between speech-enhancing tools and tools of oppression — especially when general purpose computers can easily be used for both.
[Read more…]

No Longer Bit Players: Internet Governance & Economic Growth in Developing Countries

The 200 sovereign state members of the United Nations International Telecommunications Union (ITU) will gather in Dubai this week for the World Conference of International Telecommunications (WCIT). The WCIT is a treaty developed to facilitate global interconnection and interoperability between telecommunications carriers.  The treaty was last reviewed in 1988, an era where the majority of telecommunications networks were state owned and controlled.
[Read more…]