Wednesday, December 2, 2009

Sprint Revelations: 8 Million Law Enforcement Requests for GPS Tracking Data in Past Year

GPS tracking devices have recently become all the rage of the government, law enforcement, and a variety of business interests. As I wrote a few weeks back, unfortunately for us citizens, what makes GPS devices a useful tool for those interests and sometimes our own (i.e. they track our whereabouts) is precisely what makes them a privacy threat.

Before I get to the rather astonishing news reported by the Electronic Frontier Foundation (EFF) yesterday that Sprint received 8 million law enforcement requests for GPS location data in the past year alone, let me quickly summarize other recent GPS related revelations:

Tracking Our Cell Phones

While serving as a U.S. attorney during the Bush administration, Christopher Christie tracked the whereabouts of citizens through their cell phones without warrants. The ACLU obtained the documents detailing the spying program from the Justice Department in an ongoing lawsuit over cell phone tracking. While the documents reveal 79 such cases on or after Sept. 12, 2001, they do not specify how many of the applications were made during Christie's tenure. You can read more about that usage of this technology by going to my post here

Tracking Farm Animals

As if there aren't enough ways that government and/or big business have found to creep into our lives, monitor our movements, trace our transactions, and listen to our phone calls, there was the story of the Bush Administration wanting to chip animals and have small farmers report nearly everything that happens to them.

I'm talking about - and this isn't a joke - the Bush administration's "National Animal Identification System" initiative. This proposal to "chip" animals with RFID tags isn't just an invasion of privacy (as explained in my post on this subject a year ago), it also would achieve an additional goal of the previous administration: provide an even greater advantage to agribusiness at the expense of family farms. See, big industrial farms would have only had to track herds, not individual cattle...unlike small farmers who'd be forced to track each and every one...a HUGE pain, and cost.

Family farmers see it as an assault on their way of life by a federal bureaucracy with close ties to industrial agriculture. Privacy advocates, then and now, view a database that would contain all this information as an an invasive, detailed electronic record of farmers' activities. Read about it here.

Tracking Our Vehicles

Then, there's the installation of GPS tracking devices in vehicles for auto insurance purposes. I have written extensively about this little privacy invasion in past posts, as there was legislation in California that sought to expand such an idea that the Consumer Federation of California, as well as the Consumer Watchdog, ACLU, Privacy Rights Clearinghouse, and the Electronic Frontier Foundation all opposed.

As Consumer Watchdog's Carmen Balber wrote: The possibility of installing technology in peoples' cars also brings up a host of privacy concerns: Should Californians be forced to pay higher premiums if they want to protect their privacy and reject technology?(AB 2800)...would invite the spyware in. What kind of data do insurance companies really want to collect? They're already using a huge range of information - like speed, location and time of day - in different parts of the country and across the world."

You can read my posts about this former legislation here, here, and here.

Law Enforcement Tracking Vehicles

There's also the continuing legal battle over whether law enforcement has the right to install GPS tracking devices in suspects vehicles that was recently discussed in a New York Timed Editorial.

And now, let's get to the latest from EFF and the 8 MILLION law enforcement requests (they can't all be terrorists can they?):

Sprint received over 8 million requests for its customers' information in the past 13 months. That doesn't count requests for basic identification and billing information, or wiretapping requests, or requests to monitor who is calling who, or even requests for less-precise location data based on which cell phone towers a cell phone was in contact with. That's just GPS. And, that's not including legal requests from civil litigants, or from foreign intelligence investigators. That's just law enforcement. And, that's not counting the few other major cell phone carriers like AT&T, Verizon and T-Mobile. That's just Sprint.


Eight million would have been a shocking number even if it had included every single legal request to every single carrier for every single type of customer information; that Sprint alone received eight million requests just from law enforcement only for GPS data is absolutely mind-boggling. We have long warned that cell phone tracking poses a threat to locational privacy, and EFF has been fighting in the courts for years to ensure that the government only tracks a cell phone's location when it has a search warrant based on probable case. EFF has also complained before that a dangerous level of secrecy surrounds law enforcement's communications surveillance practices like a dense fog, and that without stronger laws requiring detailed reporting about how the government is using its surveillance powers, the lack of accountability when it comes to the government's access to information through third-party phone and Internet service providers will necessarily breed abuse. But we never expected such huge numbers to be lurking in that fog.


Congress should hold hearings as soon as possible to demand answers from the government and the telcos under oath, and clear the fog so that the American people will finally have an accurate picture of just how far the government has reached into the private particulars of their digital lives. Even without hearings, though, the need for Congress to update the law is clear.


Sprint has responded to Soghoian's report:

The comments made by a Sprint corporate security officer during a recent conference have been taken out of context by this blogger. Specifically, the “8 million” figure, which the blogger highlights in his email and blog post, has been grossly misrepresented. The figure does not represent the number of customers whose location information was provided to law enforcement, as this blogger suggests. Instead, the figure represents the number of individual “pings” for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year.


Even assuming that Sprint's statement about "pings" is true, 8 million — or, in other words, 8,000 thousands — is still an astronomical number and more than enough to raise serious concerns that Congress should investigate and address. Moreover, the statement raises additional questions: exactly what legal process is being used to authorize the multiple-ping surveillance over time that Sprint is cooperating in? Is Sprint demanding search warrants in those cases? How secure is this automated interface that law enforcement is using to "ping" for GPS data? How does Sprint insure that only law enforcement has access to that data, and only when they have appropriate legal process? How many times has Sprint disclosed information in "exigent or emergency circumstances" without any legal process at all? And most worrisome and intriguing: what customers does Sprint think have "consent[ed] to the sharing [of] location data" with the government? Does Sprint think it is free to hand over the information of anyone who has turned on their GPS functionality and shared information with Sprint for location-based services? Or even the data of anyone who has agreed to their terms of service? What exactly are they talking about?

Click here to read the whole, incredible story.

It goes without saying that tracking without probably cause seems unconstitutional on its face (with an argument to be made for not having a warrant too). We know these GPS chips can locate a person to within about 30 feet. They're also able to gather less exact location data by tracing mobile phone signals as they ping off cell towers.

Documents released not too long ago by the ACLU showed that of the states randomly sampled, New Jersey and Florida used GPS tracking without obtaining probable cause or warrants. Four other states, California, Louisiana, Indiana, Nevada and the District of Columbia reported having obtained GPS data only after showing probable cause.

Those documents were part of an ongoing lawsuit by the ACLU and Electronic Frontier Foundation on how the government tracks cell phone users. As these two privacy protection stalwarts argued in those cases, government tracking without a probable cause or warrant is a violation of the Constitution's Fourth Amendment, which guards against unreasonable search and seizure. Government prosecutors have argued that only a court order showing the tracking data is relevant to a criminal investigation is needed.

As I wrote back at that time, before ever hearing of these shocking revelations coming from Sprint, is that I'd like to know more about those specific cases in which probable cause was not established and the tracking was done without warrants. We have seen too many examples of the government and law enforcement - particularly in recent years - using surveillance technologies not to actually protect Americans or "fight terrorism", but rather to stifle dissent (i.e. anti-war activists, economic and social justice protesters, etc.), perhaps monitor political "enemies", and even eavesdrop on journalists.

I am eager to find out who some of these cell phone users were and why they were tracked without a warrant or even probable cause? And more to the point, I'd like to see an investigation that holds those that abused our rights and privacy held accountable.

No comments: