Sprint Nextel is downplaying a controversial blog report that claims it provided customer GPS location data to law enforcement authorities more than 8 million times between September 2008 and October 2009.
In a statement Tuesday, the company called the figure a gross misrepresentation and said it doesn't represent the actual number of customers whose location information was provided -- nor does it represent the number of times law enforcement contacted Sprint directly seeking data. Instead, the number indicates automated individual requests, or "pings," by authorities for specific location information needed for investigations over the 13-month period.
Typically, a single investigation could generate thousands of individual requests to the network by law enforcement officials trying to track or locate a person over several days or weeks. That means the 8 million automated requests were probably generated by thousands of customer searches -- not millions, Sprint said.
Sprint's comments followed a blog report published earlier this week by Christopher Soghoian, a security researcher who attended a recent closed-door conference on electronic surveillance technologies and practices.
During a panel discussion at the conference, Paul Taylor, Sprint's manager of electronic surveillance, talked about the sizable number of requests for customer GPS data after Sprint rolled out a new Web portal for automating such requests.
In an audio clip of Taylor's comments posted on Soghoian's blog and now mirrored elsewhere, the Sprint executive is heard expressing concern about the volume of requests that came in after the Web interface went live. "There is no way on Earth my team could have handled 8 million requests from law enforcement, just for GPS alone," without the portal, Taylor said. "So the tool has just really caught on fire with law enforcement."
Taylor also expressed concern about the company's ability to handle the "millions and millions of requests" expected in future. He said Sprint now has 110 employees and contractors working full time to comply with requests for customer records from law enforcement officials.
Soghoian's report prompted an immediate outcry from privacy advocates, many of whom were surprised at the volume of location-based surveillance it appeared to reveal. In a blog post, Kevin Bankston, a senior staff attorney for the Electronic Frontier Foundation, said that what Soghoian reported was "more shocking and frightening" than anyone imagined.
"Eight million would have been a shocking number, even if it had included every single legal request to every single carrier for every single type of customer information. That Sprint alone received 8 million requests just from law enforcement only for GPS data is absolutely mind-boggling," Bankston wrote.
Sprint's clarification yesterday did little to mute that alarm among several privacy advocates, who said the episode highlights the need for legal standards governing the collection of location-based information.
"When it comes to law enforcement access to location information, it really is the Wild West," said Gregory Nojeim, senior counsel for the Center for Democracy and Technolgy (CDT), a Washington-based think tank. "There are no statutory standards that tell authorities how much evidence they need to have before they can track a cell phone user's location."
That has put carriers in a tough spot because they are not sure what to require from law enforcement authorities seeking such information, he said.
"In our view, there has to be a court order. The issue is, under what standard should the order be issued? You could have a court order based on a very low reasonable-cause standard or a court order based on probable cause, which is a very high standard," Nojeim said, adding that the CDT supports the latter for location-based tracking.
John Verdi, senior counsel for the Electronic Privacy Information Center in Washington, said the number of law enforcement requests made to Sprint -- and almost certainly to other carriers -- is a reminder of the need for good accountability procedures for electronic surveillance.
The lack of transparency governing law enforcement's use of electronic surveillance technology has frustrated attempts at oversight and has created "blank spaces" in telecommunications surveillance law, he said. In this case, the actual number of Sprint customers tracked does not matter. What's more important is greater transparency about the searches and why they're needed, Verdi said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.