
Banks are required to maintain financial transaction records.

Is the argument that governments don't have a good reason to mandate record collection?

Why can't I ask my government to keep me safe from terrorists but also expect that companies will not just be careless with the data they collect as part of that?



Government has no right to track that either, they themselves launder trillions, start wars and massacre millions, even a drug lord is a petty criminal compared to them, and it's clear their tracking of any and all records of any type is more about control than safety, thus it should be disregarded as an argument and be done away with entirely.


> they themselves launder trillions, start wars and massacre millions, even a drug lord is a petty criminal compared to them

And then people wonder why privacy has a difficult time getting public support.


No, we already know it is because people are complete idiots who not only fall for 'tiger repelling rocks' but actively demand them.


The government can't keep its own data safe, as the OPM breach showed. Apart from some resignations, nobody faced any serious consequences for that either.


Even more reason for regulatory requirements covering data security for all organisations, both private and public sector.


Many (all?) banks keep financial transaction records for way longer than what is legally required. Thankfully, most banks are technically incompetent and are unable to easily use data that is not relatively recent. In fact, one bank I worked for had to load transactions from a CD-ROM archive which contained all the transactions in a printable text format (the same format as their printed bank statements). Multiple CDs per day, with no indexing or identification beyond the date. Trying to find a specific 10 year old transaction was very hard work indeed.


I agree. I think it's reasonable to expect companies to safeguard that information from malicious actors.


I don't agree. I don't think it's reasonable to expect it, because companies show over and over that they cannot do it. And let's face it, the only reason your company hasn't fallen victim to a data breach or ransomware is that you haven't been seriously targeted yet.

We need to change our approach. We need to look at why these kinds of data are valuable, and then make them not valuable. Then nobody will bother with hacking to get it.


This data is valuable primarily for spam mitigation and perhaps customer profiling.

Expect every SMS and MMS sent or received to be part of a spam mitigation and profiling program where it's stored indefinitely.

Apple not encrypting RCS is likely due to similar factors, where they have seen existing spam problems on RCS that are much harder to root out when you have end-to-end encryption.


In my not so humble opinion, the biggest problem with phone numbers in general is the general ability to spoof any number. Please correct me if I am wrong, but STIR/SHAKEN is only available on the new stuff, and even then there is no good way to track the origin of a phone call. This is beyond ridiculous and clearly leadership is asleep at the wheel.

There needs to be a firm timeline -- maybe a year, maybe a decade, I don't know the details, but something that allows customers to transition to a system where all calls can be traced through the network with a 100% guarantee.

Step zero is actually having a process/protocol where any phone is tamper-evident, meaning we can tell 100% that this call came from this operator and the operator knows the call came from this user.

Perhaps the first phase allows individual users to opt in. So we would ask our operators to only route us calls and texts that positively identify themselves as fully traced with whatever the new protocol is that will replace SS7/sigtran so the origin of a call or text is positively identified. If this guarantee is not available, route the call to spam inbox somehow.

Then the hard part I'm guessing is fixing all the defects?

The second phase is to say after this date, no operator in the US is allowed to relay calls that are from legacy systems. This will likely take many years as I don't know how we will handle international calls and texts. But at some point we have to put our foot down and say enough is enough.


> Step zero is actually having a process/protocol where any phone is tamper evident meaning we can tell 100% that this call came from this operator and the operator knows the call came from this user.

This basically doesn't work because the mapping between phone numbers, users and operators isn't exactly 1:1:1.

Some businesses have a single number that they use as Caller ID on all their calls, despite having one corporate HQ in New York, one branch in New Orleans and one customer support call center in New Delhi. All of these use different carriers and are based in different countries, yet they're all legally authorized to use that number.

If you want to read more about why this is such a hard problem to solve, see https://computer.rip/2023-08-07-STIRred-AND-SHAKEN.html
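As an added example (not code from the thread or the linked article), here is a minimal Python verifier for the kind of per-call attestation the two comments above argue about: a PASSporT-style token carrying a SHAKEN attestation level is checked for integrity, freshness and binding to the called number, and the result is fed into the opt-in routing policy proposed above. Claim names follow RFC 8225/8588; the HMAC signature and shared key are stand-ins for the real ES256 certificate signature, and every number and key below is constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed example of a PASSporT-style token (the JWT carried in a SIP
# Identity header under STIR/SHAKEN).  Real tokens are signed with ES256 by
# the originating carrier's certificate; the HMAC below is a stand-in so the
# block runs with the standard library only.  "attest" is the SHAKEN
# attestation level: "A" = carrier knows the customer and has authorised the
# number, "B" = knows the customer only, "C" = call entered via a gateway.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_passport(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature as the originating carrier would."""
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_passport(token: str, key: bytes, called_number: str, now: int,
                    max_age: int = 60):
    """Return the attestation level if the token is valid for this call, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("ppt") != "shaken":            # must be a SHAKEN passport
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # tampered or wrong carrier key
        return None
    if abs(now - payload.get("iat", 0)) > max_age:  # stale token: replayed
        return None
    if called_number not in payload.get("dest", {}).get("tn", []):
        return None                              # token not bound to this callee
    return payload.get("attest")

def route_call(attest):
    """Opt-in policy from the thread: only fully traced ("A") calls reach the inbox."""
    return "inbox" if attest == "A" else "spam"
```

The call-center case from the reply above lands as "B" attestation: the carrier vouches for its customer but not for the shared number, so under the strict opt-in policy it goes to spam rather than the inbox.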


> ...yet they're all legally authorized to use that number.

But why? I get that they want a unified appearance, but as a phone subscriber I want to know if it's BigCo calling from New Delhi vs. BigCo calling from Chicago.


Amazing article about why phone spam is so much harder to fight than email spam.

Thank you for sharing it!

Now I need to learn SS7 signaling.


Finally, some sense. My first thought when reading the article was: why are we even allowing these companies to collect that data in the first place?


How would they bill customers and other providers for usage if they didn't keep call/text metadata?


These are records from 2022. The hack wasn't carried out the second the calls were made. You really need to keep the records that long to do your billing? That's absurd.


I don't think it is. I assume everyone gets hacked eventually. It's really hard (I would argue impossible) to make a 100% secure computer system, and if they're operated by people, you're terribly vulnerable.


You are more likely to be struck by lightning than to come in contact with terrorism whatsoever.



