The Senate Intelligence Authorization is now available here.
In addition to language requiring social media companies to report terrorist activity on their network to the government — which yesterday Jim Comey said they didn’t need — it has a provision that might to lead to data retention mandates under USA F-ReDux. It requires reporting if any provider stops retaining call detail records at least 18 months.
SEC. 602. NOTIFICATION OF CHANGES TO RETENTION OF CALL DETAIL RECORD POLICIES.
(a) Requirement To Retain.—Not later than 15 days after learning that an electronic communication service provider that generates call detail records in the ordinary course of business has changed its policy on the retention of such call detail records to result in a retention period of less than 18 months, the Director of National Intelligence shall provide written notification of such change to the congressional intelligence committees.
(b) Definitions.—In this section:
(1) CALL DETAIL RECORD.—The term “call detail record”—
(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and
(B) does not include—
(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;
(ii) the name, address, or financial information of a subscriber or customer; or
(iii) cell site location or global positioning system information.
(2) ELECTRONIC COMMUNICATION SERVICE.—The term “electronic communication service” has the meaning given that term in section 2510 of title 18, United States Code. [my emphasis]
The important details of this provision, however, are in the definitions.
This retention requirement applies to all electronic communication service providers that generate call detail records. That means it applies not just to telecoms, traditionally defined, but also to internet service providers. And the definition of call detail record relies on “session identifier,” not any phone call made.
That either confirms that USA F-ReDux will apply to Internet companies as well as phone companies, and/or it suggests SSCI wants data retention to apply to far more than just the newfangled phone dragnet.