Mozilla on Friday warned against a government policy that could require phone companies to hold on to customer data longer than their business purposes require.
Advocates for National Security Agency reform have cautioned against such a measure for the past year. Lawmakers are considering ending the government’s bulk collection of U.S. phone records in exchange for a system where officials could search records stored with the private companies themselves with approval from the surveillance court.
The data retention provision did not make it into reform bills last year, including one in the Senate that narrowly failed on a procedural vote. Mozilla’s director of public policy, Chris Riley, wants it to stay that way.
“It is an unnecessary, and harmful, posture for any democratic government to take. Data retention mandates are not a missing piece of the long-term surveillance ecosystem; they are a bridge too far,” he wrote in a blog post. Riley asserted that kind of deal would amount to “misguided pragmatism.”
He said such “total after the fact information awareness” is what the public and companies have rallied against since the revelations from Edward Snowden about the extent of U.S. surveillance practices.
Riley pointed to comments made by Attorney General Eric Holder and Director of National Intelligence James Clapper last year, when they wrote that phone companies’ “existing practices in retaining metadata” would suffice.
With the increasing number of cyberattacks in the news, Riley also cautioned that forcing companies to hold onto data longer than they need poses a security risk.
“In addition to making troves of private user information vulnerable to malicious actors, requiring companies to hold user data longer than necessary for business purposes would create additional liability and risk,” he wrote.
Phone companies currently vary in how long they retain users' metadata, which includes phone numbers, call times and duration but not the content of calls. The government is currently limited to storing the information it collects in bulk to five years.
Advocates hope to use the reauthorization of some provisions of the Patriot Act to push for NSA reforms this spring. That deadline is less than two months away on June 1.
In addition to Mozilla’s data retention stance, it also outlined three other principles in the debate: a strict ban on bulk collection, sufficient transparency and no new surveillance powers.
“This law expires June 1, and must not be renewed as it stands today,” Riley wrote.