Chris Soghoian attended a panel at a wiretapping and interception industry conference and recorded statements, including some from Sprint’s Manager of Electronic Surveillance. Soghoian says, “Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.”

Quotes from the panel include:

“[M]y major concern is the volume of requests. We have a lot of things that are automated but that’s just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.
– Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

“Nextel’s system, they statically assign IP addresses to all handsets … We do have logs, we can go back to see the IP address that used MySpace. By the way – MySpace and Facebook, I don’t know how many subpoenas those people get, or emergency requests but god bless, 95% of all IP requests, emergencies are because of MySpace or Facebook… On the Sprint 3G network, we have IP data back 24 months, and we have, depending on the device, we can actually tell you what URL they went to … If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months … We don’t store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte … but ultimately, that’s why we store the data … It’s because marketing wants to rifle through the data.”
– Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

Soghoian’s comments have created a lot of debate about Sprint’s actions. At EFF, Kevin Bankston says:

We have long warned that cell phone tracking poses a threat to locational privacy, and EFF has been fighting in the courts for years to ensure that the government only tracks a cell phone’s location when it has a search warrant based on probable case. EFF has also complained before that a dangerous level of secrecy surrounds law enforcement’s communications surveillance practices like a dense fog, and that without stronger laws requiring detailed reporting about how the government is using its surveillance powers, the lack of accountability when it comes to the government’s access to information through third-party phone and Internet service providers will necessarily breed abuse.

Bankston asks several important questions:

• Looking beyond Sprint and GPS, how many Americans have had their private communications data handed over to law enforcement by their phone and Internet service providers?
• What exactly has the government done with all of that information? Is it all sitting in an FBI database somewhere?
• Do you really think that this Orwellian level of surveillance is consistent with a free society and American values? Really?

Sprint has responded to Soghoian’s report in an online posting and at Wired. Sprint told Wired :

But Sprint spokesman John Taylor (who is not related to Paul Taylor) says Soghoian had “grossly misrepresented” the 8 million figure, which doesn’t refer to unique requests or to individual customers, but to the total number of “pings” made on every number for the duration of a law enforcement request.

“The figure represents the number of individual ‘pings for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year,” said spokesman Taylor. “It’s critical to note that a single case or investigation may generate thousands of individual pings to the network as the law enforcement or public safety agency attempts to track or locate an individual.”

There are four circumstances under which law enforcement agents can use the Sprint website and obtain GPS data: 1) under the authority of a court order; 2) to track the location of a customer who has made a 911 call; 3) in an emergency situation, such as tracking someone lost in the wilderness or trying to locate an abducted child or hostage; 4) with a customer’s consent.

In the case of court orders, Taylor said agents are required to provide Sprint with the order, after which the company provisions the law enforcement account to allow an agency to track the targeted phone number. Court orders cover a 60-day period, and agents can do automated pings to obtain real-time GPS data every three minutes throughout that 60-day period. Taylor says this accounts for the 8 million figure.

As many have pointed out, Sprint’s response raises more questions, especially: What is the legal process being used?

This entry was posted on Wednesday, December 2nd, 2009 and is filed under Anonymity, Civil liberties, Identification, Security, Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Possibly related posts:

• IDG News Service: U.S. police increasingly view private email, instant messages
• Chris Slobogin: The Fourth Amendment in 2020
• Congress Budgets $100 Million for REAL ID National Identification System