Sprint fed customer GPS data to cops over 8 million times

http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars

Christopher Soghoian, a graduate student at Indiana University's School of Informatics and Computing, has made public an audio recording of Sprint/Nextel's Electronic Surveillance Manager describing how his company has provided GPS location data about its wireless customers to law enforcement over 8 million times. That's potentially millions of Sprint/Nextel customers who not only were probably unaware that their wireless provider even had an Electronic Surveillance Department, but who certainly did not know that law enforcement offers could log into a special Sprint Web portal and, without ever having to demonstrate probable cause to a judge, gain access to geolocation logs detailing where they've been and where they are.

Through a mix of documents unearthed by Freedom of Information Act requests and the aforementioned recording, Soghoian describes how "the government routinely obtains customer records from ISPs detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and geolocation data, detailing exactly where an individual was located at a particular date and time."

The fact that federal, state, and local law enforcement can obtain communications "metadata"—URLs of sites visited, e-mail message headers, numbers dialed, GPS locations, etc.—without any real oversight or reporting requirements should be shocking, but it isn't. The courts ruled in 2005 that law enforcement doesn't need to show probable cause to obtain your physical location via the cell phone grid. All of the aforementioned metadata can be accessed with an easy-to-obtain pen register/trap & trace order. But given the volume of requests, it's hard to imagine that the courts are involved in all of these.

Soghoian's lengthy post makes at least two important points, the first of which is that there are no reliable statistics on the real volume and scope of government surveillance because such numbers are either not published (sometimes in violation of the legally mandated reporting requirements) or they contain huge gaps. The second point is that the lack of reporting makes it difficult to determine just how involved the courts actually are in all of this, in terms of whether these requests are all backed by subpoenas.

Underlying both of these issues is the fact that Sprint has made it so easy for law enforcement to gain access to customer data on a 24/7 basis through the use of its Web portal and large compliance department. Regarding the latter, here's another quote from Paul Taylor, the aforementioned Sprint/Nextel Electronic Surveillance Manager:

"In the electronic surveillance group at Sprint, I have 3 supervisors. 30 ES techs, and 15 contractors. On the subpoena compliance side, which is anything historical, stored content, stored records, is about 35 employees, maybe 4-5 supervisors, and 30 contractors. There's like 110 all together."

:hi:

Everyone thought you were going to be out of work with the the new administration, but I be things are just humming along. I heard you're building a massive new data center in my state now. Got those optical crystal chips working yet? Wait, 20 years ahead of avowed technology...that means you had those at least by 1995. That would mean you can log digital every action we make every moment of every day.

Man, it's beginning to feel like a zoo, or a test lab around here.

All of the aforementioned metadata can be accessed with an easy-to-obtain pen register/trap & trace order. But given the volume of requests, it's hard to imagine that the courts are involved in all of these.

Thank you.

Here all this time I thought I had my cell phone GPS locator turned off except for 911. I guess the only way you can turn that off for Agent Mike is to remove the batteries.

they all are, Sprint just got caught out. I heard too that turning the cell phone off doesn't stop the transmitting / receiving, you physically have to take out the battery.

:hangover:

Great one. I love ars technica!

Unfortunately for us, the Law Enforcement types who love this could care less. They know we the people won't say shit. And if we do, Congress will just say it's necessary for NATIONAL SECURITY.

too late to recommend, but here's the kick.