A US politician blasted operators for retaining sensitive customer data for years at a time, warning the information presents an appealing target for hackers.

In a letter to the CEOs of Verizon, AT&T, Sprint and T-Mobile US, Senator Ron Wyden acknowledged federal regulations require operators to retain certain customer records for as long as 18 months, but criticised the “apparently routine” practice of holding on to vast swathes of consumer data for years or even decades after collection.

He argued the hoarding of “deeply sensitive information about hundreds of millions of Americans,” including communications logs; web browsing habits; app usage; and location history, represents a threat to national security and customer privacy. Wyden pressed operators to limit retention to “a few weeks or even just a couple days” where possible.

“Retention periods of several years should not be the norm…Firms do not need 20 years’ worth of customer records to manage their networks, and these stockpiles of Americans’ data create an irresistible target for hackers and foreign governments.”

The senator, who is well-known for his work on technology and cybersecurity issues, gave operators until 4 September to respond.

Safeguards
Wyden’s criticism comes as operators and internet giants face increased scrutiny of their data collection and sharing practices. In 2018, operators stirred public ire following reports that third parties improperly gained access to subscriber location information.

Earlier this year, the Federal Trade Commission pressed broadband providers for details about what personal information they collect from users, as part of a bid to address escalating concerns about data breaches and consumer privacy.

Operators insisted to Mobile World Live (MWL) both subjects are already top of mind.

An AT&T representative said it protects customer information “by destroying it when it’s no longer needed for business, tax or legal purposes,” adding further details will be provided to Wyden directly.

Sprint referred MWL to its data policy, which notes the operator relies of customer information to process orders; respond to legal requests and emergencies; develop new products and services; personalise advertising; and improve network performance.

A Sprint representative added it safeguards such data from hackers with a variety of regularly updated “physical, electronic and procedural” security measures.