Slashdot Mirror
Sprint Revealed Customer GPS Data 8 Million Times
An anonymous reader sends along Chris Soghoian's blog entry revealing that Sprint Nextel provided law enforcement agencies with its customers' GPS location information over 8 million times between September 2008 and October 2009. The data point comes from a closed industry conference that Soghoian attended, at which Paul Taylor, Electronic Surveillance Manager at Sprint Nextel, said: "[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in." Soghoian's post details the laws around disclosure of wiretap and other interception data — one of which the Department of Justice has been violating since 2004 — and calls for more disclosure of the levels of all forms of surveillance.
Automated tool for locating cells? wow that sounds like an invitation for disaster and abuse. So what happens first, someone hacks it, or it's used in a 1984 style manner? (my guess is the latter has already happened/happening.)
As if... So, tell me, how many of these were legal crime fighting uses and how many were just cops checking up on their girlfriends, ect. 8 million. and thet's just Sprint.
That could easily be 15 people, one "location" revealed per GPS heartbeat for the full year+month. Or a slightly larger number of people tracked for smaller periods of time. No, I didn't read the article, but 8,000,000 sounds ridiculously high for individual requests.
Yesterday's unmedicated-schizophrenic black helicopterite conspiracy theory is today's mundane maybe-the-media-will-actually-bother-to-pick-it-up-I-think-we-have-some-space-on-page-six story.
I just don't understand how this could be legal. The fact that Sprint is being open about this seems to suggest that they have done nothing wrong, and this is business as usual. If so, is this standard with other cell providers as well? I could have sworn I've read an article elsewhere, where someone was trying to locate a missing person and contacted the cell provider to have them give them GPS coords and they refused to turn them over without a court order (cannot find it after some searching)... yet they give the police unlimited access without so much as a court provided rubber stamp machine?!
That's great that they have a web interface to service the law enforcement needs to track people by the GPS in their cell phone. How does the web site verify a valid warrant? Does the web site ask them to hold it up to the screen for verification?
This was interesting:
The first agency within DOJ to respond was the U.S. Marshals Service (USMS), who informed me that they had price lists on file for Cox, Comcast, Yahoo! and Verizon. Since the price lists were provided to USMS voluntarily, the companies were given the opportunity to object to the disclosure of their documents. Neither Comcast nor Cox objected (perhaps because their price lists were already public), while both Verizon and Yahoo! objected to the disclosure.
I am sure all the major providers are guilty of this. Regardless, I am curious to see if 911 operators are lumped into those requests. Many of them may be dispatch trying to find someone's cell phone from an accident or someone in trouble.
You're not taking into account that cell towers are omnidirectional.
You need 3 towers. If there are two, you could be in either of the two places of equal distance. You need the third tower to take the ambiguity away.
http://www.hacking--thealliance.50megs.com/images/cell_triangulation.gif
--
BMO
You think the cops are watching YOU? What are you doing that makes you so paranoid?
That's cute, quaint, and outdated. It used to be that the state had limited resources and therefore, of economic necessity, it could only focus its manpower and its surveillance capability on what it considered to be the most dangerous/influential dissidents. That has been the case, historically.
Technologies like automated GPS and massive databases have changed the game. The more technology advances, the cheaper it becomes to surveil more and more people. A state that would have had to focus its efforts on the 50 most dangerous dissidents 100 years ago can now use those same resources to monitor hundreds or thousands. Over time, that becomes more and more the case. You now have modern governments with plenty of manpower, nearly unlimited funding (thanks to deficit spending), and high technology which can efficiently keep tabs on millions of people at once. The more this is the case, the less unusual you have to be to stand out from the crowd and attract unwanted attention and scrutiny. We are quickly heading towards a future where even expressing a slightly unpopular political opinion can get you noticed whether or not you are informed of this fact.
Think of all the people who have committed no crimes, have not even been accused of a crime, yet end up on the "no-fly" list for no apparent reason and are not allowed to find out why. Right here in America, the "land of the free." Then consider that this list is special because its existence is publically acknowledged and its use appears to be relatively limited.
It is a miracle that curiosity survives formal education. - Einstein
While the Lenihan order and decision did say that the government cannot demand location information without a search warrant, that decision has been appealed by the current administration. And even if the DOJ loses that appeal, the decision would only apply to a limited section of the country - other courts could decide differently.
The bigger issue is that electronic communications laws are badly out-of-date. There are so many grey areas and loopholes that Sprint and the DOJ can easily argue with a straight face that GPS records are not protected by the Constitution, are not protected by federal or state law, can be demanded without a search warrant, can even be voluntarily handed over with no process whatsoever, do not have to be logged, and do not require anyone ever to tell the person whose location information was collected that they were tracked. And while the courts often do get it right eventually, that's a really slow battle - we need a better approach than that.
We (the ACLU) are launching a new campaign, Demand Your dotRights, to push companies and lawmakers to provide real protections for our personal information. The "Electronic Communication Privacy Act," which is supposed to protect information like GPS records, was passed in 1986(!) - it just doesn't fit any more.
We hope you will all sign on and join our efforts to push Sprint, lawmakers, and others to respect individual privacy. It clearly won't be an easy battle (seeing how Sprint is actually proud of its "over 8 million GPS record requests served" title), but with enough support, we hope to make a difference - and we could use your help!
...I'm willing to take a crack at some amateur number crunching.
Per billshrink, Sprint is responsible for 51M out of 268M or so that are in the cell phone market. 8M of those were monitored via data collected via Sprint, and it is unknown whether or how this number scales across the other providers.
Google holds the US population at 304M.
CNN has the US prison/probation/parole population at 7.3M.
Right off the bat, it seems like you have a greater chance of having the government track your GPS data than being actually convicted of a crime. And this assumes the numbers are equal, where they are not.
7.3M from a total of 304M is 2.4%. The odds of you being a criminal are approximately three in one hundred.
8M from a total of 51M is 15.6%.
6.5 times as many people, proportionately, were spied upon by Sprint on behalf of law enforcement.
Extrapolating that out, something close to 50M people's cell phone data was shared with law enforcement. Looking at the prison population numbers, this means for every criminal in the entire system, something like five were investigated. And that doesn't completely hold up either because those 7.3M aren't cell customers on the one hand, and not every citizen in the US is a member of the market share.
And this is just the data we know about.
Again, the math here is almost certainly wrong, but I'm sure some bright slashdot folks can come along and help us with that.
To make wireless communications possible, our network knows the general location of your phone or wireless device whenever it is turned on. Your wireless device sends out a periodic signal to the nearest radio tower/cell site so that our network will know where to route an incoming communication and how to properly bill for the service. This is necessary to make wireless communications possible. Location information derived from providing our voice service, in addition to being covered by this Policy, is CPNI and is protected as described above.
If you dial 9-1-1 for emergency services, we provide your call location to a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility. The law also permits us to disclose the call location of a device on our network without a user's consent (1) to a user's legal guardian or members of a user's immediate family in an emergency situation that involves the risk of death or serious physical harm, (2) to database management services or information providers solely to assist in delivering emergency services, (3) if we reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure of a device's location on the network without delay, and (4) in "aggregate" form. Aggregate data is collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed.
We offer wireless location-based applications that use your wireless network location to provide the service you request. For example, you may choose to subscribe to a service that provides driving directions on your wireless device. Please review the terms and conditions for each service for additional information about how the location information will be used or disclosed. It is important to note, if you let others use location-based services to which you've subscribed as the account holder (or if you let others use your handset if such handset has location tracking capabilities), it is your responsibility to inform that user that his or her location may be tracked.
Your wireless Internet service may also be personalized using your zip code or other location identifiers. We use this information to serve you relevant content, and we treat the information like any other personal information under this Policy.
this seems to indicate some fairly loose wording regarding emergency services, which would include the police.
Now, from T-Mobile's privacy policy:
Location-Based Services
Our network detects your device's approximate location whenever it is turned on (subject to coverage limitations). This location technology makes the routing of wireless communications possible and is also the basis for providing enhanced emergency 9-1-1 service, which permits us to provide your general location to a public safety answering point, emergency medical service provider, or emergency dispatch provider. We may also use this technology to disclose, without a user's consent, the approximate location of a wireless device to a governmental entity or law enforcement authority when we are served with lawful process or reasonably believe there is an emergency involving risk of death or serious physical harm.
With your consent, we may also provide location-based services or provide third-parties access to approximate location information so they may provide such services to you. You should carefully review the specific T-Mobile terms and conditions applicable to your use of location-based services for any special privacy implications or rules. You should also carefully review the privacy policies and other terms of third-parties with whom you have authorized the sharing of your location information, and you should consider the risks involved in
I'd think, the 1st Amendment ought to protect their speech, at least... Maybe, wasting the judge's time is contempt, but I am very-very-very worried about people getting fined for expressing their legal opinions — they didn't curse the judge or refuse to rise up. Simply ruling against them is one thing, fining them for even bringing the matter up is a "chilling message".
In Soviet Washington the swamp drains you.
I can think of a whole bunch of examples where this technology could be misused.
Here's an obvious example. You feel passionately about some cause so you go to some rally in a park somewhere. Mind you this rally is totally peaceful and people even cleanup after themselves!
However, unknown to you the "Feds" have setup a program that queries this database looking for anybody whose within the boundaries of the park and puts all the names into a big dossier.
It would be very easy to append that dossier to the do not fly list.
Suddenly you're turned away at the airport and when you go to investigate why (if you can even find out!) you're told "You attended a rally for 'X', we've deemed the people of X and those whose support X (it's a bad letter anyway...) to be a terrorist organization or an organization that supports terrorists."
Yes Francis, the world has gone crazy.
I am all for privacy, but some of you need to take off the tin foil caps. As a law clerk to a federal magistrate judge, I deal with these things all the time. Allow me to clarify some confusion. When it comes to electronic communications, there are two major tools available to law enforcement: intercepts (like a wiretap) and pen registers/trap and trace devices (pen for short). Intercepts are when you listen to the substantive communication, like the dialog of a phone call. Intercepts constitute a "search" under the 4th Amendment, and therefore require a warrant. Due to public pressure, Congress has heightened the Constitutional warrant requirements for electronic communications, requiring even more from law enforcement. Telephone wiretaps are the most common type of intercept, but they are still relatively rare as they cost approximately $60,000 per month to maintain. Pens record the information provided to the third-party company that is routing the communication, for example the phone number. The Supreme Court ruled that this information is not protected by the 4th Amendment. The Court held that the phone company is free to disclose the information, and you therefore have no expectation of privacy. Agree or not, that is the law. Without 4th Amendment protection, there is no warrant requirement and no need for probable cause. As with wiretaps, however, Congress decided to provided some level of privacy protection even though the Constitution didn't require it. Federal law requires that the information sought will likely be relevant to an ongoing investigation--a rather low standard. It may seem shocking that all this information can be taken by law enforcement, but this is the way it has always been. In any case, even a civil case between two individuals, "private" information like bank records, call records, all sorts of things can be subpoenaed. Electronic information is no different. As far as obtaining user GPS data 8 million times, a pen that seeks GPS data will apply to a particular phone number, but it will not be limited to one sample. If police are tracking the movements of say a drug dealer, attempting to identify his supplier, the GPS data will be polled repeatedly to track his movement. For example, once per half hour for a month would be about 1,440 requests. When this fact is factored into the size of the US population, 8 million seems like much less of a big deal. In the end, the information being obtained without a warrant is all information you freely gave to a third party. Of course that brings up questions with companies like Google, who are third-parties potentially storing all of your personal documents. Whether that information can be obtained without a warrant has not been definitively answered. Ultimately, the question will come down to whether one has an "expectation of privacy," and that decision will be made by the courts.