Sprint leaked customer GPS data to the cops…

Kenneth Hynek • 4th Dec 2009 • Society, Crime and Punishment, Society, Freespeechery, The Sciences, Mobile Communications • Christopher Soghoian, email, geolocation, GPS, Indiana University, law enforcement, Sprint

…EIGHT MILLION times.

As Jon Stewart might say: “Oh, for f**k’s sake.”

Through a mix of documents unearthed by Freedom of Information Act requests and the aforementioned recording, [Christopher Soghoian, a graduate student at Indiana University's School of Informatics and Computing] describes how “the government routinely obtains customer records from ISPs detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and geolocation data, detailing exactly where an individual was located at a particular date and time.”

The fact that federal, state, and local law enforcement can obtain communications “metadata” — URLs of sites visited, e-mail message headers, numbers dialed, GPS locations, etc. — without any real oversight or reporting requirements should be shocking, but it isn’t. The courts ruled in 2005 that law enforcement doesn’t need to show probable cause to obtain your physical location via the cell phone grid. All of the aforementioned metadata can be accessed with an easy-to-obtain pen register/trap & trace order. But given the volume of requests, it’s hard to imagine that the courts are involved in all of these.

That’s comforting, isn’t it? Nothing really to worry about…it just means that police officers can use your cell phone to track you down without having to go through anything so messy as due process or, y’know, a judge’s office. Warrants? Who needs warrants?

Actually, in a sense, it’s probably not as bad as it sounds. Eight million is a darn big number, to be sure, but there doesn’t seem to be a lot of evidence to suggest that all eight million requests resulted in further police action. Indeed, it may be the case that only a relatively small subset did.

And at any rate, the police still have to go to Sprint and make the information request, right? And that probably makes for a fairly tedious process in and of itself, right? It’s not like Sprint is streamlining the data acquisition process for law enforcement agencies, right?

Speaking at ISS World 2009 (a conference for law enforcement and telecom industry-types responsible for “lawful interception, electronic investigations and network Intelligence gathering”), Sprint Nextel’s very own Paul Taylor, Manager of Electronic Surveillance, lamented on the sheer volume of requests the company’s received in the past year for precise GPS data for Sprint customers. How did the company meet such high demand? Apparently, his team built a special “web interface” which “has just really caught on fire with law enforcement.”

Underlying both of these issues is the fact that Sprint has made it so easy for law enforcement to gain access to customer data on a 24/7 basis through the use of its Web portal and large compliance department. Regarding the latter, here’s another quote from Paul Taylor, the aforementioned Sprint/Nextel Electronic Surveillance Manager:

“In the electronic surveillance group at Sprint, I have 3 supervisors. 30 ES techs, and 15 contractors. On the subpoena compliance side, which is anything historical, stored content, stored records, is about 35 employees, maybe 4-5 supervisors, and 30 contractors. There’s like 110 all together.”

Oh for f**k’s sake.

Time to rethink that Sprint contract, eh, good reader?