Cape, a privacy-focused telecommunications company, says it has introduced a feature that automatically deletes a user’s call data records, such as who they call and when, every 24 hours. These “disappearing call logs” as Cape describes them break with the telecom industry standard of keeping hold of call logs for months if not years.
“One of our first design principles was to minimize the amount of data that we collect and the amount of data that we store,” John Doyle, CEO of Cape, told 404 Media in an interview. “There’s no other business purpose to keep most of these logs more than like a day.”
Call data records, or CDRs, are metadata about a user’s phone call and text records. This includes the phone number the user contacted. This information can be especially revealing, showing that a particular person called an abortion clinic, for instance. In 2024, hackers stole “nearly all” of AT&T customers’ call records spanning several months. That in turn started a rush from the FBI to protect the identities of confidential informants, Bloomberg reported. That hack was so damaging in part because AT&T kept its customers’ call records for an extended period of time.
Cape is a mobile virtual network operator (MVNO), meaning it runs its service on top of other companies’ existing telecommunications infrastructure. Cape isn’t building cellphone towers; it’s making software to add security benefits. Cape is able to make changes to how long it retains data and other technical aspects because it runs its own mobile core—all of the software necessary to route messages and essentially be a telecom.
404 Media asked Cape to demonstrate that CDRs were being deleted. In response, Cape made a video describing the process. It appeared to show that the databases Cape uses to store CDRs did only contain data from a 24 hour period. Previously, Cape stored CDRs for 60 days, “which was already well short of industry standards,” Doyle said. Cape says it does hold “billing CDRs” for longer, for 30 days. These records are used to determine how much Cape has used carriers’ infrastructure.
Cape’s CDRs are made when a customer uses the Cape phone number assigned to their account. The change wouldn’t impact data generated by an app such as Signal; those are separate, and Signal already has various metadata protections.
Doyle said Cape did not warn law enforcement about the change to CDR retention beforehand. “I guess they’ll find out in the same way everyone else does,” he said. He added that the company still is in keeping with CALEA, or the Communications Assistance for Law Enforcement Act, which requires telecommunications companies to respond to legal demands for data.
Because Cape is piggybacking off other carriers’ infrastructure, that does mean that somewhere along the line those other companies could store their own copy of Cape users’ data.
“It’s definitely true that some of our carrier partners may collect some information,” Doyle said, including the IMEI, a unique identifier assigned to a device.
Since I first covered Cape in 2024, I occasionally get emails asking me if Cape is a honeypot, in the sense that maybe it is a ruse to then provide data to the authorities. Doyle is also formerly of Palantir.
“All I can do is say we definitively are not a honeypot,” Doyle said. “It’s so hard to prove a negative, but I say it out loud every chance I get.”
