|Surveillance Shocker: Sprint Received 8 MILLION Law Enforcement Requests for GPS Location Data in the Past Year
Electronic Frontier Foundation | December 1, 2009
This October, Chris Soghoian — computer security researcher, oft-times journalist, and current technical consultant for the FTC's privacy protection office — attended a closed-door conference called "ISS World". ISS World — the "ISS" is for "Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering" — is where law enforcement and intelligence agencies consult with telco representatives and surveillance equipment manufacturers about the state of electronic surveillance technology and practice. Armed with a tape recorder, Soghoian went to the conference looking for information about the scope of the government's surveillance practices in the US. What Soghoian uncovered, as he reported on his blog this morning, is more shocking and frightening than anyone could have ever expected
At the ISS conference, Soghoian taped astonishing comments by Paul Taylor, Sprint/Nextel's Manager of Electronic Surveillance. In complaining about the volume of requests that Sprint receives from law enforcement, Taylor noted a shocking number of requests that Sprint had received in the past year for precise GPS (Global Positioning System) location data revealing the location and movements of Sprint's customers. That number?
Sprint received over 8 million requests for its customers' information in the past 13 months. That doesn't count requests for basic identification and billing information, or wiretapping requests, or requests to monitor who is calling who, or even requests for less-precise location data based on which cell phone towers a cell phone was in contact with. That's just GPS. And, that's not including legal requests from civil litigants, or from foreign intelligence investigators. That's just law enforcement. And, that's not counting the few other major cell phone carriers like AT&T, Verizon and T-Mobile. That's just Sprint.
[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in.Eight million would have been a shocking number even if it had included every single legal request to every single carrier for every single type of customer information; that Sprint alone received eight million requests just from law enforcement only for GPS data is absolutely mind-boggling. We have long warned that cell phone tracking poses a threat to locational privacy, and EFF has been fighting in the courts for years to ensure that the government only tracks a cell phone's location when it has a search warrant based on probable case. EFF has also complained before that a dangerous level of secrecy surrounds law enforcement's communications surveillance practices like a dense fog, and that without stronger laws requiring detailed reporting about how the government is using its surveillance powers, the lack of accountability when it comes to the government's access to information through third-party phone and Internet service providers will necessarily breed abuse. But we never expected such huge numbers to be lurking in that fog.
Now that the fact is out that law enforcement is rooting through such vast amounts of location data, it raises profoundly important questions that law enforcement and the telcos must answer:
Even without hearings, though, the need for Congress to update the law is clear. At the very least, Congress absolutely must stem the government's abuse of its power by:
UPDATE: Sprint has responded to Soghoian's report:
The comments made by a Sprint corporate security officer during a recent conference have been taken out of context by this blogger. Specifically, the “8 million” figure, which the blogger highlights in his email and blog post, has been grossly misrepresented. The figure does not represent the number of customers whose location information was provided to law enforcement, as this blogger suggests.This response provides some important answers, while raising even more questions. First off, Sprint has confirmed that it received 8 million requests, while denying a charge that no one has made: that 8 million individual customers' data was handed over. Sprint's denial also begs the question: how many individual customers have been affected?
As for Sprint's claim that in some instances a single case or investigation may generate thousands of location "pings", that is certainly possible, but that doesn't make the 8 million number any less of a concern, or moot any of the important questions raised by Soghoian in his report or by EFF in its post regarding the lack of effective oversight and transparency in this area.
Even assuming that Sprint's statement about "pings" is true, 8 million — or, in other words, 8,000 thousands — is still an astronomical number and more than enough to raise serious concerns that Congress should investigate and address. Moreover, the statement raises additional questions: exactly what legal process is being used to authorize the multiple-ping surveillance over time that Sprint is cooperating in? Is Sprint demanding search warrants in those cases? How secure is this automated interface that law enforcement is using to "ping" for GPS data? How does Sprint insure that only law enforcement has access to that data, and only when they have appropriate legal process? How many times has Sprint disclosed information in "exigent or emergency circumstances" without any legal process at all? And most worrisome and intriguing: what customers does Sprint think have "consent[ed] to the sharing [of] location data" with the government? Does Sprint think it is free to hand over the information of anyone who has turned on their GPS functionality and shared information with Sprint for location-based services? Or even the data of anyone who has agreed to their terms of service? What exactly are they talking about?
These questions are only the beginning, and Sprint's statement doesn't come close to answering all of them. Of course, we appreciate that Sprint has begun a public dialogue about this issue. But this should be only the beginning of that discussion, not the end. Ultimately, the need for Congress to investigate the true scope of law enforcement's communications surveillance practices remains. Congress can and should dig deeper to get the hard facts for the American people, rather than forcing us to rely solely on Sprint's public relations office for information on these critical privacy issues.