Sprint fed customer GPS data to cops over 8 million times

Eugen Leitl eugen at leitl.org
Fri Dec 4 06:50:17 PST 2009


http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars


Sprint fed customer GPS data to cops over 8 million times

A blogger has released audio of Sprint's Electronic Surveillance Manager
describing the carrier's cooperation with law enforcement. Among the
revelations are that Sprint has so far filled over 8 million requests from
LEOs for customer GPS data.

By Jon Stokes | Last updated December 1, 2009 5:38 PM

Christopher Soghoian, a graduate student at Indiana University's School of
Informatics and Computing, has made public an audio recording of
Sprint/Nextel's Electronic Surveillance Manager describing how his company
has provided GPS location data about its wireless customers to law
enforcement over 8 million times. That's potentially millions of
Sprint/Nextel customers who not only were probably unaware that their
wireless provider even had an Electronic Surveillance Department, but who
certainly did not know that law enforcement officers could log into a special
Sprint Web portal and, without ever having to demonstrate probable cause to a
judge, gain access to geolocation logs detailing where they've been and where
they are.

Through a mix of documents unearthed by Freedom of Information Act requests
and the aforementioned recording, Soghoian describes how "the government
routinely obtains customer records from ISPs detailing the telephone numbers
dialed, text messages, emails and instant messages sent, web pages browsed,
the queries submitted to search engines, and geolocation data, detailing
exactly where an individual was located at a particular date and time."

The fact that federal, state, and local law enforcement can obtain
communications "metadata" -- URLs of sites visited, e-mail message headers,
numbers dialed, GPS locations, etc. -- without any real oversight or reporting
requirements should be shocking, but it isn't. The courts ruled in 2005 that
law enforcement doesn't need to show probable cause to obtain your physical
location via the cell phone grid. All of the aforementioned metadata can be
accessed with an easy-to-obtain pen register/trap & trace order. But given
the volume of requests, it's hard to imagine that the courts are involved in
all of these.

Soghoian's lengthy post makes at least two important points, the first of
which is that there are no reliable statistics on the real volume and scope
of government surveillance because such numbers are either not published
(sometimes in violation of the legally mandated reporting requirements) or
they contain huge gaps. The second point is that the lack of reporting makes
it difficult to determine just how involved the courts actually are in all of
this, in terms of whether these requests are all backed by subpoenas.

Underlying both of these issues is the fact that Sprint has made it so easy
for law enforcement to gain access to customer data on a 24/7 basis through
the use of its Web portal and large compliance department. Regarding the
latter, here's another quote from Paul Taylor, the aforementioned
Sprint/Nextel Electronic Surveillance Manager:

"In the electronic surveillance group at Sprint, I have 3 supervisors, 30 ES
techs, and 15 contractors. On the subpoena compliance side, which is anything
historical, stored content, stored records, is about 35 employees, maybe 4-5
supervisors, and 30 contractors. There's like 110 all together."

All of those people are there solely to serve up customer data to law
enforcement, and other comments by Taylor indicate that his staff will
probably grow. Sprint only recently made the GPS data available through the
Web portal, and that has caused the number of requests to go through the
roof. The company apparently plans on expanding the menu of surveillance
options that are accessible via the Web. Taylor again:

    "[M]y major concern is the volume of requests. We have a lot of things
that are automated but that's just scratching the surface. One of the things,
like with our GPS tool. We turned it on the web interface for law enforcement
about one year ago last month, and we just passed 8 million requests. So
there is no way on earth my team could have handled 8 million requests from
law enforcement, just for GPS alone. So the tool has just really caught on
fire with law enforcement. They also love that it is extremely inexpensive to
operate and easy, so, just [because of] the sheer volume of requests they
anticipate us automating other features, and I just don't know how we'll
handle the millions and millions of requests that are going to come in."

I'm sure they'll find some way to deal with the "millions and millions" of
warrantless surveillance requests, and no one will bother to even curb the
practice, much less stop it. I've been reporting on this exact
metadata/surveillance issue for years now, and it just gets worse. The
stressed, jobless, indebted public doesn't care, and Congress doesn't either.
If I'm still on this beat in 5 years, I'm sure I'll still be rewriting this
same story for the thousandth time. 




