Feds ‘Pinged’ Sprint GPS Data 8 Million Times Over a Year
http://www.wired.com/threatlevel/2009/12/gps-data/ Feds bPingedb Sprint GPS Data 8 Million Times Over a Year * By Kim Zetter Email Author * December 1, 2009 | * 5:42 pm | * Categories: Surveillance Sprint Nextel provided law enforcement agencies with customer location data more than 8 million times between September 2008 and October 2009, according to a company manager who disclosed the statistic at a non-public interception and wiretapping conference in October. The manager also revealed the existence of a previously undisclosed web portal that Sprint provides law enforcement to conduct automated b pingsb to track users. Through the website, authorized agents can type in a mobile phone number and obtain global positioning system (GPS) coordinates of the phone. The revelations, uncovered by blogger and privacy activist Christopher Soghoian, have spawned questions about the number of Sprint customers who have been under surveillance, as well as the legal process agents followed to obtain such data. But a Sprint Nextel spokesman said that Soghoian, who recorded the Sprint managerbs statements at the closed conference, misunderstood what the figure represents. The number of customers whose GPS data was provided to local, state and federal law enforcement agencies was much less than 8 million, as was the total number of individual requests for data. The spokesman wouldnbt disclose how many of Sprintbs 48 million customers had their GPS data shared, or indicate the number of unique surveillance requests from law enforcement. But he said that a single surveillance order against a lone target could generate thousands of GPS b pingsb to the cell phone, as the police track the subjectbs movements over the course of days or weeks. That, Sprint claims, is the source of the 8 million figure: itbs the cummulative number of times Sprint cell phones covertly reported their location to law enforcement over the year. The spokesman also said that law enforcement agents have to obtain a court order for the data, except in special emergency circumstances. The information about the data requests and portal comes from Paul Taylor, manager of Sprintbs Electronic Surveillance Team. He made the revelations at the Intelligent Support Systems (ISS) conference, a surveillance industry gathering for law enforcement and intelligence agencies and the companies that provide them with the technologies and capabilities to conduct surveillance. The conference is closed to press, but Soghoian, who is a graduate student at Indiana University, obtained entry and recorded a couple of panel sessions, which he posted on his blog. In one of the recordings, Taylor is heard saying that the automated system was rolled out a year ago and that in 13 months it had processed more than 8 million requests for GPS data from law enforcement. b We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests,b Taylor is heard saying. b So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy.b Soghoian concluded on his blog that the quote provided proof that b location requests easily outnumber wiretaps, and b& likely outnumber all other forms of surveillance request too.b He cites a telecom attorney named Al Gidari who claimed at a talk last year that each of the major wireless carriers received about 100 requests a week for customer-location data. At 100 requests a week for each of the top four wireless carriers, the total should be around 20,000 requests a year. b I now have proof that he significantly underestimated the number of requests by several orders of magnitude,b Soghoian writes. But Sprint spokesman John Taylor (who is not related to Paul Taylor) says Soghoian had b grossly misrepresentedb the 8 million figure, which doesnbt refer to unique requests or to individual customers, but to the total number of b pingsb made on every number for the duration of a law enforcement request. b The figure represents the number of individual bpings for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year,b said spokesman Taylor. b Itbs critical to note that a single case or investigation may generate thousands of individual pings to the network as the law enforcement or public safety agency attempts to track or locate an individual.b There are four circumstances under which law enforcement agents can use the Sprint website and obtain GPS data: 1) under the authority of a court order; 2) to track the location of a customer who has made a 911 call; 3) in an emergency situation, such as tracking someone lost in the wilderness or trying to locate an abducted child or hostage; 4) with a customerbs consent. In the case of court orders, Taylor said agents are required to provide Sprint with the order, after which the company provisions the law enforcement account to allow an agency to track the targeted phone number. Court orders cover a 60-day period, and agents can do automated pings to obtain real-time GPS data every three minutes throughout that 60-day period. Taylor says this accounts for the 8 million figure. b If you can access the info every three minutes over 60 days, that adds up pretty quickly,b he told Threat Level. He added that the GPS data includes only latitude and longitude and the date and time of the ping. The automated system was set up so that law enforcement agents wouldnbt have to contact Sprintbs electronic surveillance team each time they wanted to ping a phone number throughout the 60 days of a court order. Agents still have to obtain a subpoena to get historic call detail records, such as phone numbers called, the date, time and duration of calls and the cell site and sector from which the calls were made. b Image: The FBI won a court order to track this Sprint Nextel cell phonebs movements while hunting for a fugitive in Ohio last October. (Source: U.S. District Court Southern Distict of Ohio). Home page image of cell tower: Phil Strahl/Flickr
On Wed, Dec 2, 2009 at 7:27 AM, Eugen Leitl <eugen@leitl.org> wrote:
... Sprint Nextel provided law enforcement agencies with customer location data more than 8 million times between September 2008 and October 2009...
i am more interested in the redacted details of this little snippet: "Our pricing schedules reveal (for just two examples) that upon the lawful request of law enforcement we are able to [XXX two examples redacted by USMS XXX]. In cooperation with law enforcement, we do not release that information to the general public out of concern that a criminal may become aware of our capabilities, see a change in his service, correctly assume that the change was made at the lawful request of law enforcement and alter his behavior to thwart a law enforcement investigation." what two examples of lawful intercept on Verizon lines would introduce a subtle "change in service" detectable by someone paying attention?
On Wed, 2 Dec 2009, coderman wrote:
On Wed, Dec 2, 2009 at 7:27 AM, Eugen Leitl <eugen@leitl.org> wrote:
... Sprint Nextel provided law enforcement agencies with customer location data more than 8 million times between September 2008 and October 2009...
i am more interested in the redacted details of this little snippet:
"Our pricing schedules reveal (for just two examples) that upon the lawful request of law enforcement we are able to [XXX two examples redacted by USMS XXX]. In cooperation with law enforcement, we do not release that information to the general public out of concern that a criminal may become aware of our capabilities, see a change in his service, correctly assume that the change was made at the lawful request of law enforcement and alter his behavior to thwart a law enforcement investigation."
what two examples of lawful intercept on Verizon lines would introduce a subtle "change in service" detectable by someone paying attention?
Preventing reliable call connections to certain numbers from succeeding comes to mind. -- Yours, J.A. Terranson sysadmin_at_mfn.org 0xF6D40CF5 0xpgp_key_mgmt_is_broken-dont_bother "Never belong to any party, always oppose privileged classes and public plunderers, never lack sympathy with the poor, always remain devoted to the public welfare, never be satisfied with merely printing news, always be drastically independent, never be afraid to attack wrong, whether by predatory plutocracy or predatory poverty." Joseph Pulitzer 1907 Speech
On Wed, Dec 2, 2009 at 8:08 AM, coderman <coderman@gmail.com> wrote:
... what two examples of lawful intercept on Verizon lines would introduce a subtle "change in service" detectable by someone paying attention?
based on the recently released http://cryptome.org/isp-spy/verizon-spy.pdf a couple ideas include: "surveillance cameras on utility poles" (page 14) though on page 16 the discussion seems to imply that verizon will only provide network access to the camera placed there by LE and using verizon right of way / poles / facilities. and "Voicemail pass code reset" would definitely be visible to a customer. (same for sprint)
On Sun, 2009-12-06 at 19:45 -0800, coderman wrote:
On Wed, Dec 2, 2009 at 8:08 AM, coderman <coderman@gmail.com> wrote:
... what two examples of lawful intercept on Verizon lines would introduce a subtle "change in service" detectable by someone paying attention? [...] and "Voicemail pass code reset" would definitely be visible to a customer. (same for sprint)
What need would LEAs have to do a voicemail pass code reset on a customer without that customer's consent? Is it a "mess with their heads" move? -- Shawn K. Quinn <skquinn@speakeasy.net>
On Sun, Dec 6, 2009 at 8:23 PM, Shawn K. Quinn <skquinn@speakeasy.net> wrote:
... What need would LEAs have to do a voicemail pass code reset on a customer without that customer's consent? Is it a "mess with their heads" move?
the stated need is to access voice mail that may be stored in a customer's account prior to a tap in place. in such instances access to existing recordings require a passcode reset so LE can access, with the side effect of this activity becoming known to subject. (if they assume it is LE and not some random glitch, of course :) perhaps this info is out of date and stored messages are now easily accessible via other mechanisms; it seems an odd constraint...
On Wed, 2 Dec 2009, coderman wrote:
On Wed, Dec 2, 2009 at 7:27 AM, Eugen Leitl <eugen@leitl.org> wrote:
... Sprint Nextel provided law enforcement agencies with customer location data more than 8 million times between September 2008 and October 2009...
i am more interested in the redacted details of this little snippet:
"Our pricing schedules reveal (for just two examples) that upon the lawful request of law enforcement we are able to [XXX two examples redacted by USMS XXX]. In cooperation with law enforcement, we do not release that information to the general public out of concern that a criminal may become aware of our capabilities, see a change in his service, correctly assume that the change was made at the lawful request of law enforcement and alter his behavior to thwart a law enforcement investigation."
what two examples of lawful intercept on Verizon lines would introduce a subtle "change in service" detectable by someone paying attention?
Maybe they would notice their handset continuously running low on battery, even without placing calls ? Or maybe some lag, or delay in connection setup as call data or voice data, etc., is routed somewhere non-standard, or perhaps "repeated" on a parallel circuit ?
On Mon, Dec 7, 2009 at 10:21 PM, John Case <case@sdf.lonestar.org> wrote:
... Maybe they would notice their handset continuously running low on battery, even without placing calls ?
Or maybe some lag, or delay in connection setup as call data or voice data, etc., is routed somewhere non-standard, or perhaps "repeated" on a parallel circuit ?
C) ALL OF THE ABOVE
participants (5)
-
coderman
-
Eugen Leitl
-
J.A. Terranson
-
John Case
-
Shawn K. Quinn