LEOs Got 8 Million (!) Geo-Location Data from Verizion in a Year

Chris Soghoian posts a bombshell or two at slight paranoia: 8 Million Reasons for Real Surveillance Oversight

Executive Summary

Sprint Nextel provided law enforcement agencies with its customers' (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

The evidence documenting this surveillance program comes in the form of an audio recording of Sprint's Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies' extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics — since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

(Spotted via Ed Felton, Soghoian: 8 Million Reasons for Real Surveillance Oversight).

As Chris Soghoian says, it is really staggering that law enforcement could make so many requests in a year or so and even more staggering that such a sea change in the government/privacy balance could happen with no public notice or debate.

This entry was posted in Law: Privacy. Bookmark the permalink.

7 Responses to LEOs Got 8 Million (!) Geo-Location Data from Verizion in a Year

  1. New Nym says:

    It’s kinda unfortunate —though understandable— that Chris chose to headline the EIGHT-MILLION number (omg!!!1!!1one1!!). That bit of sensationalism naturally dominated the news. Along with Sprint’s response(*) characterizing the eight-million number as ‘misunderstood’ and ‘taken out of context.’

    A more curious piece of Chris’ post got buried…

    The numbers he got for electronic intercept orders are unbelievable:

    The number of electronic intercept orders, which are required to intercept Internet traffic and other computer assisted communications is surprisingly low. There were just 10 electronic intercept orders requested in 2008, and only 4 of those were from the Federal government — which was itself a massive increase over the one single order sought by the entire Department of Justice in both 2006 and 2007.

    [Graph]

    This graph, and the information contained within it, simply does not make sense. […]

     

    These electronic intercept numbers are simply incredible.

    I don’t know what to make of them.

     

     

    (*) Hyperlink redacted due to comment reject. Error message was approximately:

    Your comment submission failed for the following reasons:

    Your comment could not be submitted due to questionable content: http://www.blogger.com / comment

    Please correct the error in the form below, then press Post to post your comment.

    Hyperlink was approximately:

    https:// http://www.blogger.com /comment.g?blogID=16750015&postID=6756864815105235940#c8356921199576661112

    Spaces injected to pass content filter.

  2. national money laundering strategy says:

    They’re using the standard of whether an individual is relevant to an ongoing investigation, but the government has failed to demonstrate they’re not applying a “six degrees of Kevin Bacon” approach to determining relevance. In fact, there’s evidence that they are applying this approach. Title 18, 2703 provides certain standards for obtaining records, but the standards for a pen register order are lower.

    One might expect that network service providers are not in the business of surveillance, but many of these companies charge the government upwards of $1000 per surveillance request fulfilled. How many subscribers or ad click-throughs does this amount to? $500 hammer anyone? CALEA has helped streamline many of these processes.

    Microsoft’s webpage for its law enforcement forensics tool brags: “If it’s vital to government, it’s mission critical to Microsoft.”
    http://www.microsoft.com/industry/government/solutions/cofee/default.aspx

  3. news update says:

    News Update

    Files have now been taken down.

    Update now posted on Chris Soghoian’s blog:

    UPDATE 12/3/2009 @ 12:20PM: I received a phone call from an executive at TeleStrategies, the firm who organized the ISS World conference. He claimed that my recordings violated copyright law, and asked that I remove the mp3 recordings of the two panel sessions, as well as the YouTube/Vimeo/Ikbis versions I had embedded onto this blog. While I believe that my recording and posting of the audio was lawful, as a good faith gesture, I have taken down the mp3s and the .zip file from my web hosting account, and removed the files from Vimeo/YouTube/Ikbis.

    If anyone needs a copy of the files, I have reason to believe that third parties have archived copies around the net.

  4. Orin Kerr says:

    I believe there is much less to this than first appears for reasons introduced here.

  5. Yahoo!’s “Compliance Guide for Law Enforcement” is now up on WikiLeaks.

    If you’re behind on the story so far, see Kim Zetter’s Friday article, “Yahoo Issues Takedown Notice for Spying Price List”. In short, this is the document that Yahoo! didn’t want given up under FOIA.

    Meanwhile, cryptome is still live—hasn’t been nuked yet.

  6. Yuriy Mizyuk says:

    This is a response to Chris Soghoian by Matt Sullivan, Sprint Nextel (from the Chris’ blog):

    Chris,

    As a follow-up to my earlier e-mail, I wanted to properly characterize the “8 million” figure that you prominently feature in your blog and email.

    The “8 million” figure does not represent the number of customers whose location information was provided to law enforcement, nor does it represent the instances or cases in which law enforcement contacted Sprint seeking customer location information.

    Instead, the figure represents the number of individual automated requests, or “pings”, for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year. The critical point is that a single case or investigation may generate thousands of individual requests to the network as the law enforcement or public safety agency attempts to track or locate an individual over the course of days or weeks.

    As a result, the 8 million automated requests or pings were generated by thousands (NOT millions) of instances in which law enforcement or public safety agencies sought customer location information. Several thousand instances over the course of a year should not be shocking given that we have 47 million customers and requests from law enforcement and public safety agencies are due to a variety of circumstances: exigent or emergency situations, criminal investigations, or cases where a Sprint customer consents to sharing location information.

    It’s also important to note that we complied with applicable state and federal laws in all of the instances where we fulfilled a law enforcement or public safety request for location information.

    Matt Sullivan
    Sprint Nextel
    Matthew.sullivan@sprint.com

  7. I wish that you had linked to Posner’s opinions on rape and baby-selling.

Comments are closed.