There's no federal law requiring AT&T to hold onto this data.
There's possibly a FISA court requirement (too secret to reveal), but AT&T has long been an exceedingly willing part of the gov's spying apparatus. It fed these records and Internet data to the feds without any court order, and only escaped legal troubles when Obama, contrary to his campaign promises, gave AT&T, Verizon and more retroactive immunity.
I'm no longer under this specific NDA, so, I can talk a bit about this.
It was well known in the wireless industry that ATT collected and kept the most data on all of the carriers: 7 years for text metadata, "7 years" for call history (I put that in quotations because it was rumored that ATT kept them indefinitely, but, there were technical limitations for restoring data that far back), and 7 years for the contents of the text messages themselves. Verizon was up there as well, but, I don't remember specifics.
The carrier that I worked with kept only 3 days content of the actual messages, 28 days for the text message metadata, and 28 days for the call records for their enforcement database, but, they could get calling records and sms envelope information for billing back 7 years, and at the time, we had to implement sharding at the database layer that maintained the warrant database due to the amount of traffic that we were receiving from the calling systems and the amount of queries/data that we were sending out, in near realtime, to law enforcement users who paid $10,000/month for access to that data.
AT&T wasn't storing this data out of the kindness of their heart, it was a (probably small) revenue stream for them.
Ah, back in the day the FBI would pay our CTO $5000/hr to talk to and work with him. On top of that we would charge them a monthly colo fee for their equipment that collected data of customers.
Sometimes they had warrants, but mostly just bought the data.
A year or so after 9/11 and that relationship lasted years.
The EU is much more aggressive at banning and censoring websites though. I can't recall the last time I ran into a website in the US that's blocked at the provider level (private moderation like e.g. YouTube is a different story). Maybe TikTok is the most famous, but it's still around and available afaik. But in the EU, ran into "the government has decided this information is bad for you" all the time, with a nice notice from the internet provider. My hunch is that under various pretexts both societies will continue to drift towards more censorship and less privacy, perhaps with some temporary local differences.
Not everyone in law enforcement gets to play with the NSA's toys though. Some actually have their warrant and subpoenas glanced at by a judge before it gets rubber stamped.
While being briefly "glanced at" by a judge is certainly better than nothing (or just already having the data like NSA), practically it just means law enforcement needs to adapt some generic boilerplate justification text to each request.
That’s the AT&T Long Lines Building. It probably did have an NSA surveillance closet, but it wasn’t built without windows for that reason. The story I was told (by older colleagues when I worked at AT&T Labs) was that it was built during a time when riots and street violence were more common, so the fortress appearance was to ensure the city could maintain long-distance connectivity during urban unrest.
I believe there was another similar nexus downtown near the World Trade Center, which was destroyed on 9/11. For at least a couple of weeks we had very limited communications and credit cards were hard to use as a result.
Long lines buildings were not going to take a direct nuclear hit, but were very robust to handle shockwaves and EMP.
I came very close to buying a long lines microwave relay site, and got to tour it a few times. It had a hardened tower, as well as copper grounding that went deep into the ground. Mining the copper would have paid for the site, but alas.
These buildings were built based on the 1950s threat of Soviet bombers attacking the United States. The New York City metro area was protected by air defense missile sites and interceptors. The air defense systems would air burst small nukes in wartime to destroy bomber formations.
Once the threat shifted to ICBMs in the 1970s hardening was moot.
Yup, an underground structure would normally be a better design. But that would quickly get flooded with water in Manhattan in the event of a nuclear blast followed by loss of power.
Americans like to complain about the GDPR, but it exists to prevent exactly this sort of thing. Data cannot be retained longer than it's actually needed or required by law, and can't be sold without explicit permission. Law enforcement can't just buy data: they need to have legal authority to get it (though in many countries the bar for that is too low). In most cases the cheapest and easiest approach is to collect as little data as possible, and to delete it as soon as it's not strictly needed. This greatly reduces the compliance burden.
You obviously did not follow the recent drama in the EU related to Chat Control V2.
The EU wants LEOs to have access to the contents of your messages/emails/metadata and keeps extending the Chat Control V1 law in order to not have to delete the data that it already has.
You may not be able to buy that data outright but it will be out there and collected by the messaging providers on behalf of the EU.
It even had a data retention law that forced providers to keep up to 8 years of data related to their customers so that it could be handed over to LEOs.
The EU's stance on privacy is just lipstick on a pig. When you peek under the curtain of the privacy laws in the EU, you'll see that it's not better here than in the US.
> You obviously did not follow the recent drama in the EU related to Chat Control V2.
It is strange to say they wanted it when we have proof it is voted down and widely unsupported. A part of the EU government apparatus wants it, but taking that and saying the EU wants it is not honest.
I have talked about it around me a bit and most people who do not work in tech or who don't have a certain interest in online privacy or privacy in general don't know about it.
Of course when you ask the citizens of the EU if they are cool about being monitored at all times by the EU LEOs then they don't want it but the commission wants it bad. All this is due to the heavy lobbying that has been happening in Brussels.
The worst part is that this is happening while the EU is saying that it wants data sovereignty, and wants to become less dependent on the software coming from the US, but it's ready to get in bed with a US company in order to deploy this mass surveillance system who supposedly is very good at finding CP.
Never mind the fact that it means that every bit of online communication will be analyzed and dissected by a corporation that is out of reach of the EU.
But the commission is not stupid, they carved themselves a nice little clause so that they can be exempted from such mass surveillance. I guess they understand that having all telecommunications monitored by a for-profit company that is not from the EU could lead to some embarrassing data leaks, just like we saw with AT&T, but they don't care if it's our data that leaks as long as it's not theirs.
That is why to me GDPR is just a facade. You can't seriously say that you are pro privacy and pro democracy if you keep trying to recreate the Stasi on a larger scale.
CP is just a pretext to keep records on everyone. Good thing everyone over 40 in Eastern Europe still remembers the Stasi and its sister secret police agencies that collected data on everyone and tortured political prisoners. I suspect that climate activists are the next likely candidates for an eventual repression apparatus, so better beware.
Portugal and Spain also aren't fond of their politicians from 50 years ago (their regimes fell in 1974, and 1975, respectively). To add to your point.
How does it look on one hand to say that the EU cares about its users' data and wants the users to be able to choose who it is shared with, has clear guidelines related to its storage and levies fines on companies who breach these terms and then turn around and come out with Chat Control V2?
Something does not compute. Either you are pro privacy and you act like it or you are not.
It kills me to hear that Europe is pro privacy, because it is not true. Not if you look under the veneer and start peeling back the layers.
These sorts of data breaches should be a wake up call for any state actors who are planning on collecting massive amounts of data on their citizens.
It should make them pause and say, you know maybe we should not just give away all our data to Russia or China if they manage to break into our system.
Maybe the best way to avoid such data breaches is to not store the data in the first place.
The US also has laws that, in isolation, would suggest some sort of protection against universal corporate/government surveillance, but they’re no more effective here than in the EU.
They are talking about Americans on this site, who very often work at companies that GDPR is made to stop predating on users. Many European users here also work at such companies, so you often see it from them as well, but not as often since those companies are mostly American.
Ah got it, I totally missed that context here somehow. I hadn't noticed a habit of Americans here complaining about GDPR, but that's interesting given another common pattern here of libertarian ideas. An American complaining about a different country's internal policies doesn't seem particularly libertarian.
Well, that's kinda the point, but way too many website owners rather torture their users with barely compliant implementations than do what the GDPR intended: get rid of third parties.
I'm positive informed consent doesn't require cookie banners, but the advertisers opted to make it as annoying as possible so that everyone would click "accept" just to be left alone. It could be a browser mechanism that only asks once for all sites and have a whitelist.
Let's not pretend that the GDPR fixes this in any way. There are still EU data retention laws in place which force ISPs/carriers/... to store all kinds of data for a reasonably long time.
I don't know who Europe's biggest telco is, but if they got breached, the damage would be just as bad.
There's required disclosure using an administrative subpoena for records over 180 days old if they have them.
CALEA requires phone (and later broadband) equipment to conform to wiretapping standards, and if a carrier gets a court order to wiretap it has to provide that data from warrant receipt til warrant expiration.
Landlines have some data retention requirements.
But there's no law on broadband or wireless data retention.
There may well and likely is a secret FISA court order under section 702 that's been served to telecoms, but an astonishingly small number of people in govt and industry know whether that actually says that they just have to hand over records in real time or whether they need to keep records for some period of time.
There's possibly a FISA court requirement (too secret to reveal), but AT&T has long been an exceedingly willing part of the gov's spying apparatus. It fed these records and Internet data to the feds without any court order, and only escaped legal troubles when Obama, contrary to his campaign promises, gave AT&T, Verizon and more retroactive immunity.