Sprint Revealed Customer GPS Data 8 Million Times
An anonymous reader sends along Chris Soghoian's blog entry revealing that Sprint Nextel provided law enforcement agencies with its customers' GPS location information over 8 million times between September 2008 and October 2009. The data point comes from a closed industry conference that Soghoian attended, at which Paul Taylor, Electronic Surveillance Manager at Sprint Nextel, said: "[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in." Soghoian's post details the laws around disclosure of wiretap and other interception data — one of which the Department of Justice has been violating since 2004 — and calls for more disclosure of the levels of all forms of surveillance.
What's that?
Automated tool for locating cells? Wow, that sounds like an invitation for disaster and abuse. So what happens first, someone hacks it, or it's used in a 1984 style manner? (My guess is the latter has already happened/is happening.)
Mine, though I seriously doubt all the other major carriers aren't also doing this. Maybe I'll go back to using pre-paid phones plus Google voice to rule them all, Google versus the Feds, who do you trust less?
Hmmmmm, what is the http:// address of that service? I have some congress critters I would like to know their whereabouts.
So what?
THL phish sticks
I think sprint should consider removing the karma feature from the CIA message boards.
Many companies track their employees too using tools like Xora (xora.com). The City of Chicago uses it extensively to track city workers...
As if... So, tell me, how many of these were legal crime fighting uses and how many were just cops checking up on their girlfriends, etc. 8 million. And that's just Sprint.
That could easily be 15 people, one "location" revealed per GPS heartbeat for the full year+month. Or a slightly larger number of people tracked for smaller periods of time. No, I didn't read the article, but 8,000,000 sounds ridiculously high for individual requests.
I can never keep track of what side I'm on, is it Oceania, Eurasia, or Eastasia?
Yesterday's unmedicated-schizophrenic black helicopterite conspiracy theory is today's mundane maybe-the-media-will-actually-bother-to-pick-it-up-I-think-we-have-some-space-on-page-six story.
I just don't understand how this could be legal. The fact that Sprint is being open about this seems to suggest that they have done nothing wrong, and this is business as usual. If so, is this standard with other cell providers as well? I could have sworn I've read an article elsewhere, where someone was trying to locate a missing person and contacted the cell provider to have them give them GPS coords and they refused to turn them over without a court order (cannot find it after some searching)... yet they give the police unlimited access without so much as a court provided rubber stamp machine?!
The problem with this kind of tool, and really it boils down to all the increasing surveillance options available to law enforcement (trust me, my ass is fully violated, I live in the UK) - they make it trivial for anyone interested with the correct clearance to go to town and infringe on someone's rights. This kind of tool rarely has the correct AAA criteria set up for it (nor does any of the increasing computerised government systems), so more and more of our personal data is being shipped wholesale, without our permission, into the hands of people who are either incompetent or not suitable to handle it.
These kinds of tools need peer-review as to their use, and an accountable audit procedure.
Sticking feathers up your butt does not make you a chicken.
My blackberry has a crappy GPS. Doesn't work indoors, and doesn't work half the time in the car.
Take that, iphone fanbois!!!!!!
Well since Google bends over backwards for the People's Republic, I'm sure that when the Feds push it they will do whatever the Feds want.
I trust the Feds more than Google, at least with the Feds there is a chance at court, not with Google.
I am now really glad I don't have GPS in my cellphone. In fact, I am glad I almost never even have my cellphone with me anymore...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
There is a simple fix for this problem: Someone with law enforcement access needs to log in, look up the numbers for some prominent politicians and CEOs, and start posting their locations on a public site. When we can watch the watchmen, they will restore proper checks and balances (require a warrant or similar).
I suspect that focusing the spotlight on the roaches at the top will send them scurrying for cover in rapid order.
HA! I just wasted some of your bandwidth with a frivolous sig!
You think the cops are watching YOU? What are you doing that makes you so paranoid?
That's great that they have a web interface to service the law enforcement needs to track people by the GPS in their cell phone. How does the web site verify a valid warrant? Does the web site ask them to hold it up to the screen for verification?
This was interesting:
The first agency within DOJ to respond was the U.S. Marshals Service (USMS), who informed me that they had price lists on file for Cox, Comcast, Yahoo! and Verizon. Since the price lists were provided to USMS voluntarily, the companies were given the opportunity to object to the disclosure of their documents. Neither Comcast nor Cox objected (perhaps because their price lists were already public), while both Verizon and Yahoo! objected to the disclosure.
I am sure all the major providers are guilty of this. Regardless, I am curious to see if 911 operators are lumped into those requests. Many of them may be dispatch trying to find someone's cell phone from an accident or someone in trouble.
A GPS does not transmit. It only receives.
It does not even transmit a little tiny bit, not even like 'not really transmitting because isn't so little'. Or even transmit that it's not transmitting at all, like a "Hello, I am here, just ignore me". It is silent like the death of the grave from sunup to sundown.
Cell phones transmit, though.
So you can safely carry around a GPS without being tracked, but a Nokia 2100 would make you blip.
I think because of Paul Taylor's attitude "and I just don't know how we'll handle the millions and millions of requests that are going to come in."
Most smart people will gravitate toward other service providers rather than become a statistic picked up by cops just 'cause they're cops and they wanted to.
When the industry picks up that we want more privacy then we'll get it. Or else.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
I imagine they pull your GPS location if you call 911 and, given the issues with 911 handling on a cellphone, I'd be pleased to hear that they did. Is this 8 million incidents of the police trying to locate a suspect, or 8 million incidents of a 911 dispatcher reacting to a "Oh my god there's blood everywher~..."
I appreciate it could be a little of both, and I am displeased if the police have been given unfettered access to this data for non-emergencies, but I'm withholding my outrage until I get some context on this one.
So if America's population is currently 305 million...
305million / 8million = 38.125
38.125 / 30days = 1.27
How widespread is this application? One state? Two states? Is it limited to federal? I would like to know the stats on this during Bush's reign...
Wait, wut?
So this happened: Government: Would you provide us an interface to check up on GPS locations without warrants?
Version: Sure.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
and then go learn what "web services" are.
You think the cops are watching YOU? What are you doing that makes you so paranoid?
That's cute, quaint, and outdated. It used to be that the state had limited resources and therefore, of economic necessity, it could only focus its manpower and its surveillance capability on what it considered to be the most dangerous/influential dissidents. That has been the case, historically.
Technologies like automated GPS and massive databases have changed the game. The more technology advances, the cheaper it becomes to surveil more and more people. A state that would have had to focus its efforts on the 50 most dangerous dissidents 100 years ago can now use those same resources to monitor hundreds or thousands. Over time, that becomes more and more the case. You now have modern governments with plenty of manpower, nearly unlimited funding (thanks to deficit spending), and high technology which can efficiently keep tabs on millions of people at once. The more this is the case, the less unusual you have to be to stand out from the crowd and attract unwanted attention and scrutiny. We are quickly heading towards a future where even expressing a slightly unpopular political opinion can get you noticed whether or not you are informed of this fact.
Think of all the people who have committed no crimes, have not even been accused of a crime, yet end up on the "no-fly" list for no apparent reason and are not allowed to find out why. Right here in America, the "land of the free." Then consider that this list is special because its existence is publicly acknowledged and its use appears to be relatively limited.
It is a miracle that curiosity survives formal education. - Einstein
While the Lenihan order and decision did say that the government cannot demand location information without a search warrant, that decision has been appealed by the current administration. And even if the DOJ loses that appeal, the decision would only apply to a limited section of the country - other courts could decide differently.
The bigger issue is that electronic communications laws are badly out-of-date. There are so many grey areas and loopholes that Sprint and the DOJ can easily argue with a straight face that GPS records are not protected by the Constitution, are not protected by federal or state law, can be demanded without a search warrant, can even be voluntarily handed over with no process whatsoever, do not have to be logged, and do not require anyone ever to tell the person whose location information was collected that they were tracked. And while the courts often do get it right eventually, that's a really slow battle - we need a better approach than that.
We (the ACLU) are launching a new campaign, Demand Your dotRights, to push companies and lawmakers to provide real protections for our personal information. The "Electronic Communication Privacy Act," which is supposed to protect information like GPS records, was passed in 1986(!) - it just doesn't fit any more.
We hope you will all sign on and join our efforts to push Sprint, lawmakers, and others to respect individual privacy. It clearly won't be an easy battle (seeing how Sprint is actually proud of its "over 8 million GPS record requests served" title), but with enough support, we hope to make a difference - and we could use your help!
...I'm willing to take a crack at some amateur number crunching.
Per billshrink, Sprint is responsible for 51M out of 268M or so that are in the cell phone market. 8M of those were monitored via data collected via Sprint, and it is unknown whether or how this number scales across the other providers.
Google holds the US population at 304M.
CNN has the US prison/probation/parole population at 7.3M.
Right off the bat, it seems like you have a greater chance of having the government track your GPS data than being actually convicted of a crime. And this assumes the numbers are equal, where they are not.
7.3M from a total of 304M is 2.4%. The odds of you being a criminal are approximately three in one hundred.
8M from a total of 51M is 15.6%.
6.5 times as many people, proportionately, were spied upon by Sprint on behalf of law enforcement.
Extrapolating that out, something close to 50M people's cell phone data was shared with law enforcement. Looking at the prison population numbers, this means for every criminal in the entire system, something like five were investigated. And that doesn't completely hold up either because those 7.3M aren't cell customers on the one hand, and not every citizen in the US is a member of the market share.
And this is just the data we know about.
Again, the math here is almost certainly wrong, but I'm sure some bright slashdot folks can come along and help us with that.
I'm going back to a pager.
You think the cops are watching YOU? What are you doing that makes you so paranoid?
Welcome back Glenn Beck! Hey you should really make an account here so we can all subscribe to your slashdot RSS feed.
At least with google they'll only give your GPS location to advertisers, not the police.
To make wireless communications possible, our network knows the general location of your phone or wireless device whenever it is turned on. Your wireless device sends out a periodic signal to the nearest radio tower/cell site so that our network will know where to route an incoming communication and how to properly bill for the service. This is necessary to make wireless communications possible. Location information derived from providing our voice service, in addition to being covered by this Policy, is CPNI and is protected as described above.
If you dial 9-1-1 for emergency services, we provide your call location to a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility. The law also permits us to disclose the call location of a device on our network without a user's consent (1) to a user's legal guardian or members of a user's immediate family in an emergency situation that involves the risk of death or serious physical harm, (2) to database management services or information providers solely to assist in delivering emergency services, (3) if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure of a device's location on the network without delay, and (4) in "aggregate" form. Aggregate data is collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed.
We offer wireless location-based applications that use your wireless network location to provide the service you request. For example, you may choose to subscribe to a service that provides driving directions on your wireless device. Please review the terms and conditions for each service for additional information about how the location information will be used or disclosed. It is important to note, if you let others use location-based services to which you've subscribed as the account holder (or if you let others use your handset if such handset has location tracking capabilities), it is your responsibility to inform that user that his or her location may be tracked.
Your wireless Internet service may also be personalized using your zip code or other location identifiers. We use this information to serve you relevant content, and we treat the information like any other personal information under this Policy.
This seems to indicate some fairly loose wording regarding emergency services, which would include the police.
Now, from T-Mobile's privacy policy:
Location-Based Services
Our network detects your device's approximate location whenever it is turned on (subject to coverage limitations). This location technology makes the routing of wireless communications possible and is also the basis for providing enhanced emergency 9-1-1 service, which permits us to provide your general location to a public safety answering point, emergency medical service provider, or emergency dispatch provider. We may also use this technology to disclose, without a user's consent, the approximate location of a wireless device to a governmental entity or law enforcement authority when we are served with lawful process or reasonably believe there is an emergency involving risk of death or serious physical harm.
With your consent, we may also provide location-based services or provide third-parties access to approximate location information so they may provide such services to you. You should carefully review the specific T-Mobile terms and conditions applicable to your use of location-based services for any special privacy implications or rules. You should also carefully review the privacy policies and other terms of third-parties with whom you have authorized the sharing of your location information, and you should consider the risks involved in
I don't know if this is specific to Google maps on Android, but when I have the GPS turned off the wireless triangulation is off by at least a half of a mile every time. Makes me wonder if I get in a car wreck in a ditch if they'd really be able to find me.
What makes Sprint/Nextel think all those requests come from law enforcement?
It was rumored that the FBI's "carnivore" monitoring system was predominantly utilized by unauthorized third-parties, and there's been considerable speculation that until recently remote wiretaps were being performed predominantly by individuals from overseas (from what I understood from a friend that was an engineer for AT&T, he felt that they were some combination of industrial spies and just plain miscellaneous hackers).
I'd think, the 1st Amendment ought to protect their speech, at least... Maybe, wasting the judge's time is contempt, but I am very-very-very worried about people getting fined for expressing their legal opinions — they didn't curse the judge or refuse to rise up. Simply ruling against them is one thing, fining them for even bringing the matter up is a "chilling message".
In Soviet Washington the swamp drains you.
The article mentions Verizon turning over data as well. They are currently the leader in marketshare in the cell phone market too. I am sure they all do this...
I can think of a whole bunch of examples where this technology could be misused.
Here's an obvious example. You feel passionately about some cause so you go to some rally in a park somewhere. Mind you this rally is totally peaceful and people even clean up after themselves!
However, unknown to you the "Feds" have set up a program that queries this database looking for anybody who's within the boundaries of the park and puts all the names into a big dossier.
It would be very easy to append that dossier to the do not fly list.
Suddenly you're turned away at the airport and when you go to investigate why (if you can even find out!) you're told "You attended a rally for 'X', we've deemed the people of X and those who support X (it's a bad letter anyway...) to be a terrorist organization or an organization that supports terrorists."
Yes Francis, the world has gone crazy.
I am all for privacy, but some of you need to take off the tin foil caps. As a law clerk to a federal magistrate judge, I deal with these things all the time. Allow me to clarify some confusion. When it comes to electronic communications, there are two major tools available to law enforcement: intercepts (like a wiretap) and pen registers/trap and trace devices (pen for short). Intercepts are when you listen to the substantive communication, like the dialog of a phone call. Intercepts constitute a "search" under the 4th Amendment, and therefore require a warrant. Due to public pressure, Congress has heightened the Constitutional warrant requirements for electronic communications, requiring even more from law enforcement. Telephone wiretaps are the most common type of intercept, but they are still relatively rare as they cost approximately $60,000 per month to maintain. Pens record the information provided to the third-party company that is routing the communication, for example the phone number. The Supreme Court ruled that this information is not protected by the 4th Amendment. The Court held that the phone company is free to disclose the information, and you therefore have no expectation of privacy. Agree or not, that is the law. Without 4th Amendment protection, there is no warrant requirement and no need for probable cause. As with wiretaps, however, Congress decided to provide some level of privacy protection even though the Constitution didn't require it. Federal law requires that the information sought will likely be relevant to an ongoing investigation--a rather low standard. It may seem shocking that all this information can be taken by law enforcement, but this is the way it has always been. In any case, even a civil case between two individuals, "private" information like bank records, call records, all sorts of things can be subpoenaed. Electronic information is no different.
As far as obtaining user GPS data 8 million times, a pen that seeks GPS data will apply to a particular phone number, but it will not be limited to one sample. If police are tracking the movements of say a drug dealer, attempting to identify his supplier, the GPS data will be polled repeatedly to track his movement. For example, once per half hour for a month would be about 1,440 requests. When this fact is factored into the size of the US population, 8 million seems like much less of a big deal. In the end, the information being obtained without a warrant is all information you freely gave to a third party. Of course that brings up questions with companies like Google, who are third-parties potentially storing all of your personal documents. Whether that information can be obtained without a warrant has not been definitively answered. Ultimately, the question will come down to whether one has an "expectation of privacy," and that decision will be made by the courts.
When people (and corporations are people) do their patriotic duty for their countries? Your duty and loyalty should be to humanity instead.
I mean, perhaps I am being too idealistic, but, is anyone on slashdot ready to mobilize and do anything about this kind of 1984ish abuse yet? I know it's fun to slap up quotes from our favorite Orwellian novel and talk about how the new boss is the same as the old boss, but are we interested in hitting the pavement and trying to get something to change?
I'm not saying I have any answers, but maybe we could at least try some stuff. We could print off pictures of Big Brother in poster form and tape them over automated radar signs, or just on street posts and such. Perhaps they could even have a url to a website that compiles information regarding cases like this that is easy to remember. Is there a site like that? There must be some web programmers here on slashdot, how's about we start one. BigBrotherCourt.com or some such thing.
Maybe we could start some groups to go around to local events like fairs and farmer's markets to educate people on tools they can use to protect their privacy like encryption and tor. Maybe some door-door activism is in order? I don't like that idea myself, but it could be a start.
What about the pirate party? Last time I checked, their US branch was extremely lacking at best. Anyone else willing to reregister in support of freedom?
Perhaps we could write some letters to our congress critters discussing the need to develop tech-centric courts for cases involving technology that the average lay person ogles at in a stupor?
I don't really have answers myself, but there are some ideas at least. Are we slashdotters willing to do something yet (other than our jobs)? Or are we still going to remain confined to 'cyberspace?'
Motorcycles, Robots, Space Gossip and More!
The article has a good amount of detail, or "meat" if you will, but I'm going to pick on this headline as they always annoy me. When I hear Sprint provided location information "8 million times" I wonder if we are talking about 8 million GPS logs or if we are talking about 8 million separate points. If this means separate GPS points and the phone logs a location every 30 seconds then any one phone logs 2880 locations a day. This would break down to tracking something like 280 suspects for 10 days each, not too bad. If this is the scarier statistic of 8000000 separate GPS logs for unique individuals, I'm guessing officers are checking where their wives/kids/friends/non-friends go, and that would be a bit concerning.
Are mobile phones running Android safer than the closed source, locked down phone OS'es that can report your GPS position to the network without you ever knowing it happened?
--
make install -not war
305million / 8million = 38.125
So for every time Sprint turned over GPS data there are 38 Americans. Usually we express this the other way around. 8/305 = 2.6%
That is, if each request represented a unique individual, which is probably not the case.
When any law enforcement agency or G'ment gets involved, look for the MOST dirtiest and conniving way that they can use an object and you WILL be very close to the truth.
"republicans/rightists" have been defending the personal freedom to own/carry a gun, and have been rolling back the restrictions passed in 1993-1994 by the other party.
It is true that the current administration is failing to live up to a lot of campaign promises, however.
GSM phones can be turned on remotely by a probe from the network by a qualified entity[1]. Your phone isn't communicating to the cell towers when it's off, this is very much true. However, it just takes someone in the government high enough up the food chain and a judge's okay to boot up your phone.
I really wouldn't worry about it unless you're a mobster, an agent for a foreign government, or a terrorist, but they definitely have the capability to be rather scary, which is precisely why those latter entities have moved on to "burn phones" and older, more reliable methods of message passing.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
So that's 21,917 requests per day???? Every Day.
Seems a bit unrealistic to me.
I don't think he would come back.
There's still that little "raped a girl in 1990 issue to clear up" you know.
Vote Ron Paul, our forthcoming savior.
Cell towers are not omnidirectional. Well, the tower as a whole MIGHT be, but usually each tower is comprised of multiple sector antennas, usually 60 degrees wide each. 6 x 60 = 360. I guarantee you they can tell from which sector antenna your cell ping is coming from. They can locate you fairly well from one tower.
Seriously, does this surprise anyone?
What's happening on the Now Network
Everyone take a deep breath. 8M is the number of web requests to their server in an entire year, not the number of phones that were "of interest."
From a comment in TFA:
using System.Awesome;
You think the cops are watching YOU? What are you doing that makes you so paranoid?
8 million hits, just on Sprint users. I use Sprint. And you are hopelessly naive to think that I need to feel guilty, or do anything (wrong or not) in order to get watched by the cops. I was watched by a cop yesterday in line at the grocery store. I had one follow me home from work a few weeks ago- guess what I was "doing to be paranoid"? I was driving a light colored 4-door car. Just so happened they were looking for a car that "matched" that description.
Ever gone into public? Chances are you stood next to someone in a store that had pot or crack in their pocket- that guy that shows up at the gas station every day around the same time you do to get a coffee? Guess what, he got busted and now you are being watched because your phone and his have regular "meetings". Probably to buy/sell drugs. Or maybe child porn.
It's not paranoia. Such types of tools need oversight and accountability. They don't have any. Oh, and by the way, I'm a low-paid IT guy who fixes copiers, and the cop that has access takes a 45 minute shit every night at 9pm. Usually asks me to yell at him if the desk phone rings & never locks his terminal. I've been keeping track of where your teenage daughter spends her time, because I like them young & like to hear them squeal.
Get the picture yet? If not, you won't... until you suddenly find yourself, for reasons you won't ever really understand, labeled as an "undesirable".
While it's true that 'law enforcement' has proven many times that it needs far more oversight and disclosure, I'd like to point out that these are not necessarily malicious requests. Most people use their cell phones for everything, including 911 calls. If a dispatcher feels officer response is necessary they might be inclined to find your cell's location.
Does anyone know how many 911 calls come from cell phones annually?
Heh. In the case stated you, and anyone else cleaning up, would also be subject to lawsuit from one or more of the local public worker's unions. Cleaning up the park like that is stealing good union jobs, after all.
Check out Shane Harris' article, and the ACLU issues briefing "The Matrix" in this collection of PDFs converted to HTML with links to citations, etc. There are also a couple of CRS reports, and the original ACLU and EFF lawsuit complaints there. http://thewall.civiblog.org/rsf/nsa.html
-dcm
Just out of curiosity, I picked up my G1 Android (T-Mobile) phone, turned on its maps - and it showed my current position as about 7 blocks south of where I actually am (in my home office). This isn't at all unusual. GPS is notoriously flakey, and it'd be really unnerving to read of a court accepting GPS position data as evidence.
As an extreme case, a few months ago while sitting in the car with my wife driving, I checked the phone's position. At first, it showed the correct position, driving south a couple of miles from here on Boston's Route 128 circumference highway. Then suddenly it showed us jump to a point about 100 miles east-southeast, driving north about 15 miles off the coast of Cape Cod. According to the phone, we drove along out in the ocean for 10 minutes or so, and then just as quickly popped back to a highway parallel to the street we were on, but a couple blocks away. It would be fun to see a court deal with this "evidence" about our (or at least my phone's) position at that time.
We also have a couple Garmin GPS gadgets in our cars. Several years ago, while driving south on a local street in a nearby town (Concord), I noticed the GPS showed my position as about a block north of where I was - and moving north at around 100 mph. Traffic was light, so I glanced at it frequently, and watched my position pop to the correct one. So I quickly switched to the numerical display, and saw that I was travelling south on the street at over 200 mph (or 300 kph if you prefer). Again, I had thoughts of the gadget's record of my travels being presented as evidence in court. "Do you often get your car up to over 200 mph on local streets like this?" Actually, I sorta doubt that the car could take the stresses of that particular maneuver.
I've been on the lookout for stories of GPS data being used in court cases. But so far, I haven't read of any. Does anyone here know about this? Are any courts actually accepting GPS data as evidence? From my experience with a few brands of GPS receivers, I'd be sorta nervous at the thought that my freedom or life savings might depend on the accuracy of such data. Judges and others with legal training do seem to have something of a history of credulity when it comes to technological information that can be subpoenaed.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
For the same reason, you trust Sprint (to have your GPS data) more than you trust the police.
For one, the insurance companies don't have access to your income figures and other financial information — but the government does. When the same government agency has full access to both datasets, I say, they know too much about us.
But, hey, if you don't care, you must be one of the few lucky ones with nothing to hide. Right?
In Soviet Washington the swamp drains you.