Earlier this week, security researcher and blogger Chris Soghoian published "8 Million Reasons for Real Surveillance Oversight," in which he shared the following factoid:
Sprint Nextel provided law enforcement agencies with its customers' (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.His source? Sprint's manager of electronic surveillance, Paul Taylor, who spoke about the telecom's generosity with its customer's location data at a big DC wiretapping confab in October.
Soghoian is not your average blogger. In October 2006, he made headlines by demonstrating what an oxymoron "airport security" had become by printing fake boarding passes for a Northwest Airlines flight -- and then posted the program he used to do it on the Web so that everyone could give it a try.
That earned him investigations by the FBI and the Transportation Safety Administration. (He was cleared by both.)
Since then he's exposed security and privacy vulnerabilities in Firefox, Facebook, and Google. In August, he joined the FTC's Bureau of Consumer Protection. In short, the man knows his stuff.
Sprint's reply: Yes, it shared 8 million-plus records with law enforcement, but that number includes all "pings" it delivered. Since each person who was tracked might generate thousands of pings over a period of surveillance (up to one every three minutes), the actual number of people tracked was far lower. The number also includes e911 calls and other instances where law enforcement officials were trying to locate a person in peril.
Still, that's a hell of a lot of pings. And that doesn't even scratch the surface of what telecoms will spill when Johnny Law comes a knockin'.
The same Sprint manager revealed that Sprint has about 110 full-time staffers dedicated to fulfilling government requests for calling, texting, Web surfing, and geolocation data about its customers. But that's not even the main reason they store all this data. Per Taylor:
On the Sprint 3G network... If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months ... We don't store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte ... but ultimately, that's why we store the data ... It's because marketing wants to rifle through the data.
It gets worse. Telecoms are not required to keep track of who's requesting your geolocation data, why they're doing it, or what they're using it for. Unlike with wiretaps or orders that allow telecoms to share data about who you talked to (but not what you said), there are no laws requiring federal agencies to disclose this information.
Compared to a couple of thousand legal wiretaps that are approved each year by the courts, the number of requests for telecom data is in the tens of thousands -- and possibly much more, says Soghoian.
And it's not just telecoms. ISPs like Comcast and Cox and your favorite search engines and social networks receive thousands of requests for data from law enforcement -- also without the public's knowledge. Per Soghoian:
The reporting requirements for intercepts and pen registers only apply to the surveillance of live communications. However, communications or customer records that are in storage by third parties, such as email messages, photos or other files maintained in the cloud by services like Google, Microsoft, Yahoo Facebook and MySpace are routinely disclosed to law enforcement, and there is no legal requirement that statistics on these kinds of requests be compiled or published.
Ask Google, Yahoo, or Microsoft how many times the feds or the flatfoots come round asking for the goods, and they refuse to comment. AOL and Facebook are more forthcoming, though -- they get 1,000 requests (AOL) and 300 to 600 (Facebook) a month.
You don't have to be paranoid or a criminal to imagine the various ways this information can be abused. Telecoms could make huge profits by selling your location data to marketers. Divorce attorneys, insurance companies, and employers all would love to get their hands on information about where you've been. The only thing keeping this stuff from being shared or sold are the ever-mutable privacy policies of the companies that collect this data.
For the past five years I've asked companies that collect location-based data what protections I have against my data being shared with third parties. The answer I have always gotten: Companies that store this data must comply with legal orders (so if the cops want this info, they can have it); there are no laws that give me control over my location data or even let me find out who else has it; and private companies are free to abuse this data but would be fools to do so because they'd lose their customers' trust.
Personally, I don't buy that last argument. Yes, they'd be fools. But some would do it anyway and make as much money as they could until the FTC eventually got around to suing them, probably five years after the fact. That's no protection at all.
I'm on board with Soghoian: We need laws that not only disclose who's watching where we go, but also giving consumers control over who else gets to know.
In the future, lawyers and the cops won't have to ask "where were you on the night of Dec. 4, 2009?" They'll know already, because they'll have your cell phone records in hand. Think about that, the next time you leave the house with your constant companion.