In recent years, data protection regulations have been popping up everywhere. The EU’s General Data Privacy Regulation (GDPR) raised the bar for companies around the world, and many other governments jumped on the bandwagon, creating data protection regulations like the California Consumer Privacy Act (CCPA).
In most cases, the focus of data protection regulations is on data being collected, transmitted, processed, and stored via the Internet. However, this is far from the only way that organizations can collect personal data about their customers.
The US federal government periodically releases a report providing summary statistics regarding wiretapping performed by law enforcement. The US has laws limiting wiretapping, but there is a lot of wiggle room there, meaning that collected phone records can be a significant threat to individuals’ data security.
A Brief Introduction to US Wiretapping Laws
The US has laws limiting how wiretapping can be performed. This can be a significant protection to an individual’s privacy since phone records can contain a great deal of personal information. Under US wiretapping laws, recording a phone conversation using a “device” requires consent or a court order (in the case of law enforcement).
However, what it doesn’t require is consent from both parties involved. Under US law, if only one party to the conversation gives consent for recording, it’s perfectly legal as long as they inform the other party that the call may be recorded. While certain states may have more stringent rules, it is generally possible to record a person’s telephone call without their permission. This makes it easy for organizations to record customer service or other calls as long as they have the employee’s consent (which may be a condition of employment).
So, according to US law, law enforcement has to get a court order for performing a wiretap. This is designed to limit wiretapping to cases where there is reasonable suspicion of illegal activity and to protect the privacy of innocent citizens.
But how effective is this in actually limiting the amount of data that is collected during these sanctioned wiretapping operations? Officials are often required to release a transparency report on the number of records collected, and one wiretap from 2018 is a real doozy. A single wiretap order in the Southern District of Texas resulted in the collection of 9.2 million communications records in 2018. The matter under investigation was a narcotics case in which law enforcement monitored the communications of 149 people for four months. Apparently the members of this group were big texters (500 messages apiece intercepted a day), so law enforcement probably knows more about their lives than they ever wanted to. However, no arrests were made for that case.
Privacy Impacts of US Wiretapping
The fact that wiretapping by law enforcement requires a court order in the US is a significant first step in protecting privacy. However, as demonstrated by the Texas case, law enforcement still collects a large amount of data. A major question still remains: what do they do with it afterwards? The privacy of any citizens caught up in a wiretap depends on the government’s security for this evidence. And, while the government needs to disclose its wiretaps, the same is not always true for the private sector. While many organizations may be required to make an announcement that “this call may be monitored or recorded for quality assurance purposes”, the legal requirements vary from place to place.
In general, only one party needs to give consent for wiretapping to be legal, so all a company may have to do in order to record and store customer service call records is to ensure that the employee consents to monitoring and recording.
This can have significant privacy implications due to the data included in many of these calls. Often, customers need to authenticate themselves during the call, providing sensitive data that the company keeps on file to verify their identity. If the call is recorded, so is all of this data, so a leak of customer service phone records can mean a significant breach of personal data. Also, many organizations use the same data for verification, so one breach can then enable attacks against accounts with other organizations.
Beyond Wiretapping: The Need for Data Security
Wiretapping legislation in the US and its implications for personal privacy are an interesting case of companies collecting and storing personal information, but US law enforcement is certainly not the only one doing it. Every organization has its own cache of sensitive data that it needs to protect. In many cases, this is personal data that is even more potentially damaging to customer privacy than recordings of their phone conversations.
Just as US law enforcement needs to properly protect the wiretapping data that it is collecting, storing, and processing, so do other organizations. The wave of data privacy regulations in recent years demonstrates that data privacy and security have become a priority in many places, and failing to comply can carry extremely stiff penalties.
We all hope that, if our phone records are somehow caught up in a wiretap, the collector will appropriately use, protect, and discard them. It is the responsibility of other organizations that collect sensitive data to do the same. Failing to do so means an embarrassing data breach at best and an expensive one at worst, making it a priority to deploy data security solutions capable of protecting any and all sensitive data entrusted to an organization.