May 17, 2022

T-Mobile: Deleting Stale Data Reduces Liability

T-Mobile’s data breach in August 2021 exposed the social security numbers and driver’s license numbers for over 40 million former or prospective customers. I recently discovered that I was one such victim because of an alert that popped up on my phone this weekend from my credit monitoring service. I was surprised because I have not been a customer for over 5 years. Why did they still have my data?

T-Mobile has not yet contacted me or explained why they retained my data. Various state and federal regulators are now investigating whether T-Mobile had “reasonable data security” measures in place to protect customer information. Certain aspects of the regulatory investigation will undoubtedly examine what technical measures T-Mobile used and whether they were adequate. But one important non-technical issue worth investigating further is whether the company had meaningful data retention and deletion policies, and whether it followed them. 

It appears T-Mobile’s privacy policy first introduced a statement about its data retention practices in 2013, as captured in a longitudinal study, “Privacy Policies over Time: Curation and Analysis of a Million-Document Dataset,” that our team of researchers at the Center for Information Technology Policy published in 2021. The retention policy itself is a terse one-line statement that says “we retain your personal data for business or tax needs, or legal reasons,” without any further explanation. 

But what “business need” required retaining sensitive information about former or prospective customers who had not converted into T-Mobile customers? If T-Mobile cannot justify a legitimate need, it should be held accountable for misleading the public about its data practices.

Recent data breaches involving telecommunication carriers – this is the 5th reported breach for T-Mobile since 2018 – have led the Federal Communications Commission to consider new rules to address data breaches. The FCC might draw inspiration from the Federal Trade Commission’s security guidelines for information held by financial institutions. The FTC used our public comments to modify the Safeguards Rule to require automatic destruction of customer information two years after it was last used, unless the information is required for a legitimate business purpose. 

In a different context, the FTC’s rules implementing the Children’s Online Privacy Protection Act of 1998 also mandate data retention and deletion requirements when it comes to information about children: “An operator of a Web site or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.”

In short, minimizing data collection and retention are simple, inexpensive steps that are effective against all manner of sophisticated or unsophisticated attacks. Any company that seeks to protect its customers should develop such policies to reduce its liability in the event of a data breach.

Arlington v. FCC: What it Means for Net Neutrality

[Cross-posted on my blog, Managing Miracles]

On Monday, the Supreme Court handed down a decision in Arlington v. FCC. At issue was a very abstract legal question: whether the FCC has the right to interpret the scope of its own authority in cases in which Congress has left the contours of their jurisdiction ambiguous. In short, can the FCC decide to regulate a specific activity if the statute could reasonably be read to give them that authority? The so-called Chevron doctrine gives deference to administrative agencies’ interpretation of their statutory powers, and the court decided that this deference extends to interpretations of their own jurisdiction. It’s all very meta, but it turns out that it could be a very big deal indeed for one of those hot-button tech policy issues: net neutrality.

Scalia wrote the majority opinion, which is significant for reasons I will describe below. The opinion demonstrated a general skepticism of the telecom industry claims, and with classic Scalia snark, he couldn’t resist this footnote about the petitioners, “CTIA—The Wireless Association”:

This is not a typographical error. CTIA—The Wireless Association was the name of the petitioner. CTIA is presumably an (unpronounceable) acronym, but even the organization’s website does not say what it stands for. That secret, known only to wireless-service-provider insiders, we will not disclose here.

Ha. Ok, on to the merits of the case and why this matters for net neutrality.

The State of Connectivity in Latin America: from Mobile Phones to Tablets

Ten years ago, issues like e-health, e-education and e-government were more products of wishful thinking than ideas with a real possibility of being implemented in most Latin American countries. Conversely, the present moment has become a turning point for the region in terms of connectivity. Government policies, markets and non-profit initiatives are contributing to improve the overall connectivity in the region.

By 2012, 98% of the population in the region had access to a mobile cell signal and 84% of households subscribed to some type of mobile service, according to a World Bank report. This rather quick expansion of ICTs in Latin America and the Caribbean (LAC) caught many intellectual property and access to knowledge scholars and practitioners unprepared. While they were still considering hypothetical models for deploying and using information and communication technologies (ICTs), a significant portion of the region’s population was already putting into practice innovative uses of newly available technology, and going beyond expectations in terms of self-organization and empowerment.