Sprint Revealed GPS Data To Authorities 8 Million Times In The Last Year [Updated]

from the yowzers dept

This seems too insane to be true, but the EFF points us to a report, based on a Freedom of Information Act request, that claims Sprint provided law enforcement with GPS location data a staggering 8 million times in the last year. Sprint apparently set up some sort of portal that made such requests easier, and it sounds like law enforcement took advantage of that in a major way. The report also notes that this information should have been disclosed to Congress, under a 1999 law, but the Justice Department has ignored the law for the past five years. The rest of the report also looks at some other concerning factors, such as the fact that the government seems to regularly get all sorts of info from service providers, with little oversight. On top of that, it explains why so many service providers agree to it: they charge the government for such info, and it's quite lucrative. As such, they actually have the incentive to encourage the government to ask for more information and to deliver it to them as quickly and efficiently as possible. However, you have to wonder how so many requests are being made with such little oversight -- and how often this means the process is abused to spy on individuals with no legal basis. Update: Sprint is now trying to explain this by saying that the numbers represent number of "pings" and that can include thousands of pings per a single investigation. In a single investigation, once law enforcement has a court order, it can check someone's location every 3 minutes for up to 60 days -- and that's what made the number so inflated.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    Anonymous Coward, Dec 1st, 2009 @ 1:56pm

    t-o insane?

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Derek Reed (profile), Dec 1st, 2009 @ 1:58pm

    Wow

    That full article is impressive. To all, I'd strongly recommend at least skimming it. Christopher Soghoian makes very few assertions (still makes a few though) without backing them up with links to documents or audio. He often follows what could be taken out of context as a slanderous conjecture with disclaimers such as "That doesn't mean the published stats are necessarily incorrect -- merely that most types of surveillance are not reported."

    It's a good read, and if nothing else, plenty of links to damning documents and audio.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    ACLU of Northern California (profile), Dec 1st, 2009 @ 2:04pm

    outdated privacy laws

    A huge part of the problem is the fact that our current privacy laws are completely outdated. Law enforcement agencies can request geolocation data and other private information from companies with little or no court oversight, and the customer is unlikely to ever even know that their information was disclosed.

    You can read more about the issue at our Location Information page here: http://tr.im/GkQT.

    ACLU of Northern California – dotRights Campaign

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Isaac Ludwig, Dec 1st, 2009 @ 2:13pm

    I agree with Derek...

    ...read the article people. It's really quite stunning, especially the actual amounts of money charged per "service" required.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Dec 1st, 2009 @ 2:25pm

    That's quite the lemonaid stand someone set up there-

    So let me get this right: The Federal Government mandates, and subsidizes wireless company e911 systems (with taxpayer money) so the Government can spend taxpayer money which allows some overbearing guy keep tabs on his ex and send an alert when she leaves the movie theater?

    Please, sign me up for that plan!

    And in unrelated news, it was finally discovered why Jerry Springer was suddenly can canceled. Apparently all the regular guests went to work for the Government.


    I wonder if Dark Helmet going to create that character I mentioned last week. It would be super awesome.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Dec 1st, 2009 @ 2:55pm

    GPS data wants to be free.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Dec 1st, 2009 @ 2:58pm

    Nice article, but I have to ask:

    GPS data is often provided directly as part of a 911 call. It would be VERY interesting to see an actual breakdown of the numbers - out of those 8 million times, how many were part of a criminal investigation, and how many were normal 911 style calls?

    I can't help but thinking this is a case of numbers being used to create a scare without actually explaining what those numbers are.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Derek Reed (profile), Dec 1st, 2009 @ 3:17pm

      Re:

      There's more than just that "8 million GPS" requests being bandied about here, call records and wiretaps have some incredibly interesting trends in reported numbers and requests over the last 10 years. From the linked article:

      First, Verizon revealed in its letter that it "receives tens of thousands of requests for customer records, or other customer information from law enforcement."

      Assuming a conservative estimate of 20,000 requests per year, Verizon alone receives more requests from law enforcement per year than can be explained by any published surveillance statistics.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Dec 1st, 2009 @ 3:24pm

        Re: Re:

        Again, I think there is a situation here where different parties may be calling things by different names, and ending up making it look like a bigger pile of stuff than it really is.

        Requesting customer records isn't always part of "surveillance". It could be part of a criminal investigation (such as to find out the name / address of a dead person), or to track back a phone number used in a Craigslist pimping ad. Because there is no indication, no breakdown, no way to tell if we are talking apples to apples comparisions, it's just a golly gee shit number that means little.

        It's intended to scare, and Mike linking and talking about it is just helping to share the scare, without actually looking at what the numbers really are.

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Anonymous Coward, Dec 1st, 2009 @ 3:35pm

          Re: Re: Re:

          Nice Strawman.

          Apparently you didn't read the article.

          This is broken down in the article and accompanying audio. The point is that these days, it don't even need it to be a part of a criminal investigation, as evidenced by completely automating GPS tracking causing 8M "hits within a few months" according to SprintNextel Reps.

          When you go from zero to 8M in a few months, how can you believe there isn't potential for abuse?

          Plus, what you see is that telecoms are in bed with the government, a complete 180 from the 1970s where Personal Information was well protected from prying through subpoenas, and due process. Partially because of Watergate.

           

          reply to this | link to this | view in chronology ]

        •  
          icon
          Derek Reed (profile), Dec 1st, 2009 @ 3:36pm

          Re: Re: Re:

          A valid point, and one not raised in Mike's opinion nor the original article as you've correctly pointed out, but if you're implying there's nothing to be concerned about here I think you also making a lapse in judgement that could cause more harm than good.

          One of the other main points brought up by Soghoian is the downward trend in reported electronic surveillance requests. It's highly suspect that that is the case, or if it is, it's hiding what's really going on. Even if electronic surveillance hasn't skyrocketed, we just don't know because the true picture isn't shown by the reported numbers.

           

          reply to this | link to this | view in chronology ]

          •  
            identicon
            Anonymous Coward, Dec 1st, 2009 @ 3:43pm

            Re: Re: Re: Re:

            Again, you guys aren't thinking about what these requests could be, and certainly not related to any surveillance.

            Example, a person is missing. Check the GPS database to see if their phone is on somewhere. That might be a place to start. A guy claims he "didn't do it" (whatever it was) and says he was in Jersey at the time. A quick check of the database shows his phone was in fact in jersey at the time. Hmm! In those cases, example, I wouldn't expect to see an electronic surveillance notice issued, would you?

            I looked at the original article, but I didn't lose my life listening to an audio for a story that reads more like guys with defective tinfoil hats more than anything else.

             

            reply to this | link to this | view in chronology ]

            •  
              icon
              Derek Reed (profile), Dec 1st, 2009 @ 3:52pm

              Re: Re: Re: Re: Re:

              I hear what you're saying, there's definitely just cause for an ISP saying we get X requests, and that number being significantly higher than the Y requests that are reported by enforcement, not least of which the examples you cite and the update from sprint in Mike's summary. My concern is the lack of transparency shown by the downward trend in Y requests, and in the clear lack of transparency on what those X requests are as evidenced by the tooth and nail fighting to even get hints at what those numbers are.

              We don't know, you may be right, but there are things to be concerned about here.

               

              reply to this | link to this | view in chronology ]

              •  
                identicon
                Anonymous Coward, Dec 1st, 2009 @ 4:04pm

                Re: Re: Re: Re: Re: Re:

                Well, here is an example: in the past, to get phone records might have automatically triggered as "Y" report. But now with the direct position information system, maybe less phone records are being pulled and more direct location infomation is being looked at, that isn't a "Y" request.

                It isn't clear that the GPS data is being used for surveillance, but possibly for many other uses not related to specifically watching a suspect or the equivalent of a wiretap or similar. perhaps that goes in the "Z" pile that isn't being reported or included here.

                Stories like this always seem to end up wrapped in tin foil. To me it reads like scare mongering.

                 

                reply to this | link to this | view in chronology ]

                •  
                  icon
                  nasch (profile), Dec 2nd, 2009 @ 9:32am

                  Re: Re: Re: Re: Re: Re: Re:

                  It isn't clear that the GPS data is being used for surveillance, but possibly for many other uses not related to specifically watching a suspect or the equivalent of a wiretap or similar. perhaps that goes in the "Z" pile that isn't being reported or included here.

                  And the fact that only Sprint and the Justice Department know what is actually going on doesn't concern you at all?

                   

                  reply to this | link to this | view in chronology ]

            •  
              identicon
              Anonymous Coward, Dec 1st, 2009 @ 3:57pm

              Re: Re: Re: Re: Re:

              The article mainly focuses on DPI, and potential for CALEA abuse. GPS is only one small part of the article, but it showcases the big legal gap between carriers and law enforcement.

              Mainly, it's a bunch of Telecom Execs trying to substantiate their jobs, and continue to live within the bounds of the "Massive and illegal program" to wiretap and data-mine Americans' communications, in a post 9-11 era, including potential monetization of customer data and customer information.

              Just like you are doing. It's fine that you're willing to give up your liberty. If you think it's worth coupons, have at it.

               

              reply to this | link to this | view in chronology ]

            •  
              icon
              John Fenderson (profile), Dec 2nd, 2009 @ 9:11am

              Re: Re: Re: Re: Re:

              "In those cases, example, I wouldn't expect to see an electronic surveillance notice issued, would you?"

              Yes, I would, actually.

              Law enforcement powers to directly access our records is such a strong, blunt instrument that I would expect that a notice is issued each and every time they are used, whether part of a criminal investigation or not.

              It isn't tin-foil-hat stuff to point out that law enforcement has a long and rich history of abusing the powers granted to it, and thus it's wise to continually scrutinize every application of those powers to prevent further abuse. Given that the trend over the past few decades has been to expand their powers significantly, I expect that oversight would expand in proportion.

               

              reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Dec 1st, 2009 @ 3:23pm

      Re:

      The MP3 audio has a rep from Sprint's lawful intercept team. They said 8,000,000 requests occurred through their law enforcement web site, which is separate from e911.

      e911 is a different system.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Dec 1st, 2009 @ 3:00pm

    Wow. Christopher has some good information. I wonder if he's FOIA'ed pricing of lawful intercept for online services such as Skype/IM/email/Paypal.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    vyvyan, Dec 1st, 2009 @ 3:01pm

    from the original article: "since the Department of Justice simply ignores the law"

    Very promising indeed. Now I'm waiting for "Congress ignore the Constitution" quoted somewhere. That will make my day.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Dec 1st, 2009 @ 3:45pm

    Per subscriber...

    Lets see, with 49 million subscribers, that's only about one access per 6 subscribers.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Derek Reed (profile), Dec 1st, 2009 @ 4:08pm

    The Update

    Update: Sprint is now trying to explain this by saying that the numbers represent number of "pings" and that can include thousands of pings per a single investigation. In a single investigation, once law enforcement has a court order, it can check someone's location every 3 minutes for up to 60 days -- and that's what made the number so inflated.

    A few words different and there would have been no attitude. Even if you really feel the need to make it clear that you doubt Sprint's response, there's no need to put it in those exact words. "Sprint is now trying to explain this" could be easily written as "Sprint has responded". Things like this only serve as fodder for your critics. I'm by no means saying I'm above this, but I hold your writing to a higher standard because of your greater visibility and the editing resources you (should) have. A few choice wording differences could really raise the level of professionalism without detracting from the voice of your opinions.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Mike Masnick (profile), Dec 1st, 2009 @ 4:13pm

      Re: The Update

      A few words different and there would have been no attitude.

      No attitude intended. I believe you're reading *way* too much into the update.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Dec 2nd, 2009 @ 5:03am

        Re: Re: The Update

        I think you run with stories like this to get the old "moral outrage" vibe going without worrying about the facts.

        The guys with the tin foil hats that wrote the original story now look like fools, because they failed to get all of the information before going off on a rant. You look like a fool because you took their word for it.

         

        reply to this | link to this | view in chronology ]

      •  
        icon
        Derek Reed (profile), Dec 4th, 2009 @ 3:34pm

        Re: Re: The Update

        Granted.

        I do spend too much time reading (into) this. Perhaps others (such as AC above me here) made the better point.

         

        reply to this | link to this | view in chronology ]

  •  
    identicon
    Rd, Dec 1st, 2009 @ 4:09pm

    Re: There's a word for people like you..

    There is a word for people like you from a few decades ago: Collaborator. There should be only one cure for a collaborator as well.

    You are not an American. You are a traitor.

    I cant believe I breathe the same air as something like you.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    AnonCow, Dec 1st, 2009 @ 4:30pm

    Regardless of the total number of request, the one significant datapoint that is missing is the number of arrests and convictions that were specifically related to the wiretaps, GPS requests, or other similar "wiretap" request.

    I'll bet that the current ratio is probably under 1%.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Dec 1st, 2009 @ 4:45pm

    The spokesman wouldn’t disclose how many of Sprint’s 48 million customers had their GPS data shared, or indicate the number of unique surveillance requests from law enforcement.

    Ok, so how many is it? Sprint is only saying that it *could* be less that the 8 million, not that it *is* by any specific amount. If they're hiding the numbers, who's to say it isn't nearly 8 million customers?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Cam, Dec 1st, 2009 @ 6:32pm

    Anonymous Coward

    Whose side are you on? Why should we believe the postings of someone who is so afraid of big government he/she cannot put his/her name to the posting? Sorry, either side you take, you have no credibility with me. I have read the article and my conclusion is Sprint has handed out as much information the government was willing to pay for without a concern of customer's privacy. It sounds like the only privacy someone can have is to power down their phone and remove their batteries, otherwise Sprint will happily give your GPS location (for starters) to any Joe Friday running a Dragnet.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Dec 1st, 2009 @ 9:22pm

      Re: Anonymous Coward

      Why should we believe the postings of someone who is so afraid of big government he/she cannot put his/her name to the posting? Sorry, either side you take, you have no credibility with me.

      Heh, that's funny come from some posting with a fake made up name. Maybe you should post as "Mr. Hypocrite".

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Cam, Dec 1st, 2009 @ 6:32pm

    Anonymous Coward

    Whose side are you on? Why should we believe the postings of someone who is so afraid of big government he/she cannot put his/her name to the posting? Sorry, either side you take, you have no credibility with me. I have read the article and my conclusion is Sprint has handed out as much information the government was willing to pay for without a concern of customer's privacy. It sounds like the only privacy someone can have is to power down their phone and remove their batteries, otherwise Sprint will happily give your GPS location (for starters) to any Joe Friday running a Dragnet.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    trollicus, Dec 1st, 2009 @ 7:02pm

    hacked phone

    Anyone want to buy a hacked phone that returns a random GPS location?

    I may have a whole new business!

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Hephaestus (profile), Dec 2nd, 2009 @ 7:45am

    numbers

    60 days x 24 hours x 20 times per hour = 28,800 pings per warrent

    8,000,000 pings / 28,8000 = 277.77 people (best case)

    Worst case they used it to find people on the intermittently and the number goes way up.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Dec 2nd, 2009 @ 8:28am

      Re: numbers

      But most importantly, the real number isn't 8 million individuals, but rather a number between 277.77 and 8 million, likely much closer to the low number than the high number. That in turn blows out all of the concern about there being less surveillance reported, as this number isn't anywhere near as high as they thought it was.

      Essentially, guys in tin foil hats creating "news" where no news exists.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        nasch (profile), Dec 2nd, 2009 @ 9:54am

        Re: Re: numbers

        But most importantly, the real number isn't 8 million individuals, but rather a number between 277.77 and 8 million, likely much closer to the low number than the high number.

        Thanks, I feel so much better now that you have made stuff up about the situation.

         

        reply to this | link to this | view in chronology ]

  •  
    icon
    SwingState (profile), Dec 2nd, 2009 @ 7:51am

    Sensationalist Reporting - Not News

    Info a responsible reporter obtained:

    There are four circumstances under which law enforcement agents can use the Sprint website and obtain GPS data: 1) under the authority of a court order; 2) to track the location of a customer who has made a 911 call; 3) in an emergency situation, such as tracking someone lost in the wilderness or trying to locate an abducted child or hostage; 4) with a customer’s consent.

    Who doesn't want their missing child tracked by GPS?

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      nasch (profile), Dec 2nd, 2009 @ 9:56am

      Re: Sensationalist Reporting - Not News

      There are four circumstances under which law enforcement agents are legally permitted to use the Sprint website and obtain GPS data:

      There, fixed that for you. Personally, I am not at all convinced those are the only situations in which they're actually using the data, especially since they are apparently ignoring the requirement to report to Congress. Executive power with no oversight? What could go wrong??

      Who doesn't want their missing child tracked by GPS?

      Those straw men sure fall down easy, huh?

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        SwingState (profile), Dec 2nd, 2009 @ 11:38am

        Re: Re: Sensationalist Reporting - Not News

        Actually, I pretty much know it for fact.

         

        reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Dec 2nd, 2009 @ 12:58pm

        Re: Re: Sensationalist Reporting - Not News

        since they are apparently ignoring the requirement to report to Congress

        Unproven by the story presented. Since we don't know how many of those 8 million requests were on the same number / phone, we don't know how many INDIVIDUAL numbers were checked. Therefore, there is no way to match up the requests to any reporting that needs to be done.

        You are drawing a conclusion where there is not conclusive evidence, just the tin foil hat dudes ranting, and they have already been shown to be wrong on at least part of the story.

         

        reply to this | link to this | view in chronology ]

        •  
          icon
          Derek Reed (profile), Dec 4th, 2009 @ 3:45pm

          Re: Re: Re: Sensationalist Reporting - Not News

          I really hope most of you aside from this AC looked at the article and not just Mike's rant on one item brought up in it.

          (1) Nothing reported in the article was shown to be wrong, but we did get slightly more details on ONE of the numbers mentioned, which if nothing else, is a net positive from bringing all this up. Sprint responding and giving information is a good thing, and helps support the merits and intent of the article.

          (2) There were several other gaps aside from the "8 million" pointed out in the article itself. Such as:
          First, Verizon revealed in its letter that it "receives tens of thousands of requests for customer records, or other customer information from law enforcement."

          Assuming a conservative estimate of 20,000 requests per year, Verizon alone receives more requests from law enforcement per year than can be explained by any published surveillance statistics.

           

          reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This