Richard Burr’s Backdoor Data Retention Amendment

The Senate Intelligence Authorization is now available here.

In addition to language requiring social media companies to report terrorist activity on their network to the government — which yesterday Jim Comey said they didn’t need — it has a provision that might to lead to data retention mandates under USA F-ReDux. It requires reporting if any provider stops retaining call detail records at least 18 months.

(a) Requirement To Retain.—Not later than 15 days after learning that an electronic communication service provider that generates call detail records in the ordinary course of business has changed its policy on the retention of such call detail records to result in a retention period of less than 18 months, the Director of National Intelligence shall provide written notification of such change to the congressional intelligence committees.

(b) Definitions.—In this section:

(1) CALL DETAIL RECORD.—The term “call detail record”—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

(2) ELECTRONIC COMMUNICATION SERVICE.—The term “electronic communication service” has the meaning given that term in section 2510 of title 18, United States Code. [my emphasis]

The important details of this provision, however, are in the definitions.

This retention requirement applies to all electronic communication service providers that generate call detail records. That means it applies not just to telecoms, traditionally defined, but also to internet service providers. And the definition of call detail record relies on “session identifier,” not any phone call made.

That either confirms that USA F-ReDux will apply to Internet companies as well as phone companies, and/or it suggests SSCI wants data retention to apply to far more than just the newfangled phone dragnet.

6 replies
  1. bloopie2 says:

    I forget – does ReDux require providers to retain call detail records? Was that previously required? And has such requirement been considered to be constitutional? I can see it for gun ownership/sales and explosives and other occupations/services that have been legally deemed to be inherently dangerous (there’s a small set of those), but phone calls?

    • What Constitution? says:

      “Is that constitutional”? Well, no, no it’s not. “Why do you ask?” would be Richard Burr’s response, but it’s really a shame he has a boatload of congressional acquiescence behind him.

      To the courts!

        • What Constitution? says:

          While “will” is a strong word, that’s still the way to hope. I’m willing to demand it of them. I’m actually entitled to demand it of them, as are we all. So I will.

    • bloopie2 says:

      I ask because your quote from the bill talks about a provider changing its “policy”. Hard to believe someone would change out of a “policy” that is legally mandated.

Comments are closed.