Since the bulk collection of telephone metadata began, the NSA has kept those records in a vast database, maintaining and querying the data for 5 years before being required to purge it. Now that the data will be back in the hands of the telecom companies, the Federal Communications Commission’s regulations will determine how long the metadata is retained.
Prior to the 1980s, the FCC retention schedule was 6 months. In the 1980s, during the war on drugs, the Department of Justice asked the FCC to change that requirement to 18 months to make it easier to get RICO convictions against the drug cartels, and the FCC complied. Since then, telephone data has been used to convict many organized crime syndicates with great success. Now that the NSA is also an agency that would like access to the same data that the FBI has been using since the 1970s, will it ask the FCC to maintain the data for five years, as the NSA itself had been doing?
FCC Chairman Tom Wheeler has shown himself to be on the side of consumers in three recent FCC rulings: net neutrality, a $20 million fine and public flogging of AT&T for loss of private customer data, and creating a path for disadvantaged Americans to have access to subsidized broadband. To be honest, he has been rattling the cage of the telecom industry since he was appointed chairman in 2013. Verizon was so upset by the net neutrality ruling that they issued a press release in Morse code. The most radical stance the commission can take is to match the FISA court’s retention requirements of 90 days. It wouldn't be out of character for him to make such a brash move, but it would be controversial within the administration and cut the legs out from under law enforcement. Changing the retention schedule to 5 years is a huge and unnecessary burden on the industry. Shortening it would be supported, if not embraced, by the telecom companies and their consumers, but not by federal law enforcement agencies.
Now that it doesn’t take an act of Congress to change the retention of metadata, the FCC has become one of the most powerful regulators of privacy in the government, and thanks to Tom Wheeler, it’s hard to predict what is coming next.
To understand what security and risk professionals should do to adapt to the new law and its requirements, read "Quick Take: The Patriot Act Is Dead. Long Live The Patriot Act."