Sprint downplays report it shared GPS data with feds
Law enforcement 'pinged' networks over 8M times in 13 months, company admits
Computerworld - Sprint Nextel is downplaying a controversial blog report that claims it provided customer GPS location data to law enforcement authorities more than 8 million times between September 2008 and October 2009.
In a statement Tuesday, the company called the figure a gross misrepresentation and said it doesn't represent the actual number of customers whose location information was provided -- nor does it represent the number of times law enforcement contacted Sprint directly seeking data. Instead, the number indicates automated individual requests, or "pings," by authorities for specific location information needed for investigations over the 13-month period.
Typically, a single investigation could generate thousands of individual requests to the network by law enforcement officials trying to track or locate a person over several days or weeks. That means the 8 million automated requests were probably generated by thousands of customer searches -- not millions, Sprint said.
Sprint's comments followed a blog report published earlier this week by Christopher Soghoian, a security researcher who attended a recent closed-door conference on electronic surveillance technologies and practices.
During a panel discussion at the conference, Paul Taylor, Sprint's manager of electronic surveillance, talked about the sizable number of requests for customer GPS data after Sprint rolled out a new Web portal for automating such requests.
In an audio clip of Taylor's comments posted on Soghoian's blog and now mirrored elsewhere, the Sprint executive is heard expressing concern about the volume of requests that came in after the Web interface went live. "There is no way on Earth my team could have handled 8 million requests from law enforcement, just for GPS alone," without the portal, Taylor said. "So the tool has just really caught on fire with law enforcement."
Taylor also expressed concern about the company's ability to handle the "millions and millions of requests" expected in future. He said Sprint now has 110 employees and contractors working full time to comply with requests for customer records from law enforcement officials.
Soghoian's report prompted an immediate outcry from privacy advocates, many of whom were surprised at the volume of location-based surveillance it appeared to reveal. In a blog post, Kevin Bankston, a senior staff attorney for the Electronic Frontier Foundation, said that what Soghoian reported was "more shocking and frightening" than anyone imagined.
"Eight million would have been a shocking number, even if it had included every single legal request to every single carrier for every single type of customer information. That Sprint alone received 8 million requests just from law enforcement only for GPS data is absolutely mind-boggling," Bankston wrote.
Sprint's clarification yesterday did little to mute that alarm among several privacy advocates, who said the episode highlights the need for legal standards governing the collection of location-based information.
"When it comes to law enforcement access to location information, it really is the Wild West," said Gregory Nojeim, senior counsel for the Center for Democracy and Technolgy (CDT), a Washington-based think tank. "There are no statutory standards that tell authorities how much evidence they need to have before they can track a cell phone user's location."
That has put carriers in a tough spot because they are not sure what to require from law enforcement authorities seeking such information, he said.
"In our view, there has to be a court order. The issue is, under what standard should the order be issued? You could have a court order based on a very low reasonable-cause standard or a court order based on probable cause, which is a very high standard," Nojeim said, adding that the CDT supports the latter for location-based tracking.
John Verdi, senior counsel for the Electronic Privacy Information Center in Washington, said the number of law enforcement requests made to Sprint -- and almost certainly to other carriers -- is a reminder of the need for good accountability procedures for electronic surveillance.
The lack of transparency governing law enforcement's use of electronic surveillance technology has frustrated attempts at oversight and has created "blank spaces" in telecommunications surveillance law, he said. In this case, the actual number of Sprint customers tracked does not matter. What's more important is greater transparency about the searches and why they're needed, Verdi said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Legal in Computerworld's Legal Topic Center.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Legal White Papers | Webcasts