If you’re a Sprint customer, you’ll want to pay attention to this:
A blogger named Christopher Soghoian has uncovered evidence that Sprint handed over customer GPS location data to law enforcement officials, not just once or even a few hundred times, but in response to millions of requests (or pings) covering thousands of separate instances.
Soghoian unearthed audio of Paul Taylor, Sprint/Nextel's Electronic Surveillance Manager, talking about how the carrier gave GPS data of its wireless customers to authorities more than 8 million times. Says Soghoian, “The government routinely obtains customer records from ISPs detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and geolocation data, detailing exactly where an individual was located at a particular date and time."
That’s a lot of data, and in Sprint’s case, there’s a huge team to handle them — including three supervisors, 30 techs and 15 contractors, plus 70 other people dedicated to historical surveillance records. That’s a department of about 110 devoted to serving up subscribers’ personal info to the police. (Wow. Who knew the Pin-dropping network even had an electronic surveillance department?)
If the volume of requests doesn’t surprise you, then maybe the method will: Sprint went the extra step to make it simpler and easier for law enforcement to obtain the data. It created a special web portal last year that serves up location and behavior data 24 hours a day, seven days a week, all without those customers even knowing. This is what’s known. What’s unknown is whether the process requires pesky things, like probable cause, petitions or court orders — you know, lawful process. But regardless, the mere existence of an easy log-in system has naturally spurred on a surge of requests from authorities.
Obviously, the innocent have nothing to fear, but that’s not really the point. If this easy-access system doesn't require a lawful process — and it doesn't seem like it does, since there's been an increase of requests since its implementation — then privacy watchdogs could take this as a breach of civil liberties and basic rights. So chances are good, really good, that this won’t be the last we hear about this. I’m expecting an uproar and a demand for carrier policy and legislative changes to follow shortly.
But those of us who are into tech may be more jaded than that. We know how accessible data is, and that something as intangible as privacy can be hard to uphold. But even so, comments made by Taylor, the Electronic Surveillance Manager, still surprise me. He doesn’t seem at all bothered about the privacy issue, and instead, just focuses on the uptick in workload:
"[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just [because of] the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in."
Millions and millions, eh? What a can of worms. If I were the gambling sort, I’d guess that the chances of all those requests having proper legal procedures backing them up are slim to none. And I probably wouldn’t bet that everyone who handles that easily gotten data — from internal staffers to police officers and feds — have completely honest intentions. But these are minor concerns compared to one department’s workload. (Sheesh.)
What are your thoughts on this? Unforgivable privacy breach and a violation of your rights? Or a small sacrifice to help law enforcement protect the public? Weigh in below.
UPDATE: PD reader Freaknasty brought up a good point that Sprint has responded directly about the matter since this story broke. Statements made by the carrier clarify that the "8 million times" refers to the number of pings to the network for location info. These pings can occur a multitude of times for a single case. Most recently, Matt Sullivan of Sprint Nextel commented at the Crunchgear blog — referenced in the above "Via" link to a post written by John Biggs — to dispute many of the allegations. Here's Sullivan's comment, in its entirety:
I’m hoping that I can help clear this up. You’re correct that the number is grossly inflated. Unfortunately, the original blogger mischaracterized and released a sound bite without attempting to verify it.
The “8 million” figure does not represent the number of customers whose location information was provided to law enforcement, nor does it represent the instances or cases in which law enforcement contacted Sprint seeking customer location information.
Instead, the figure represents the number of individual automated requests, or “pings”, for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year. The critical point is that a single case or investigation may generate thousands of individual requests to the network as the law enforcement or public safety agency attempts to track or locate an individual over the course of days or weeks.
As a result, the 8 million automated requests or pings were generated by THOUSANDS (NOT millions) of instances in which law enforcement or public safety agencies sought customer location information. Several thousand instances over the course of a year should not be shocking given that Sprint has more than 47 million customers and requests from law enforcement and public safety agencies are due to a variety of circumstances: exigent or emergency situations (missing person cases), criminal investigations, or cases where a Sprint customer consents to sharing location information (car is stolen and owner realizes his phone is in the car so he allows law enforcement to track his phone.)
Also, responding to public safety or law enforcements requests is not unique to Sprint, nor is it a revelation.
In all cases Sprint requires a valid legal request appropriate for the circumstances, meaning the request must be accompanied by either a subpoena, court order or customer consent. In all cases, Sprint complies with applicable state and federal laws.
So that is the statement. As I said in my comments below, I'm still a little dubious that subpoenas are required for all requests (maybe because there's a Web portal, one whose ease of use was glorified by the surveillance manager). But if it is true, then it certainly does help allay concerns that carriers are passing out our data without discretion.
Author John Biggs posted a rebuttal, and it raised an interesting question: Are authorities being made privvy to info that is beyond the scope of investigation? That led me to wonder what happens when suspects turn out to be innocent. Are they then informed that their data was compromised? And should we feel better that this just affects thousands instead of millions of people? For the record, it doesn't for me. I'm just left wondering (not if we are) but how much we are being surveilled without our knowledge. These are important questions, and ones that shouldn't be taken lightly.