Did Sprint violate customer privacy 8 million times?

A blogger alleges that phone companies and ISPs are routinely providing data on their customers' activities to law enforcement... without a warrant. In IT Blogwatch, bloggers search for the truth.

By Richi Jennings. December 2, 2009.


Sprint logo
Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention don't try this at home...

    Jon 'Hannibal' Stokes stokes the fire:

Christopher Soghoian ... has made public an audio recording of Sprint/Nextel's Electronic Surveillance Manager describing how his company has provided ... location data about its wireless customers to law enforcement over 8 million times. That's potentially millions of Sprint/Nextel customers who ... did not know that law enforcement offers could log into a special Sprint Web portal and, without ever having to demonstrate probable cause to a judge, gain access to geolocation logs detailing where they've been and where they are.


The fact that federal, state, and local law enforcement can obtain communications "metadata"—URLs of sites visited, e-mail message headers, numbers dialed, GPS locations, etc.—without any real oversight or reporting requirements should be shocking, but it isn't. ... All of the aforementioned metadata can be accessed with an easy-to-obtain pen register/trap & trace order. But given the volume of requests, it's hard to imagine that the courts are involved in all of these.

Ed Felten is deeply troubled:

If you're interested at all in surveillance policy, go and read Chris Soghoian's long and impassioned post today. Chris drops several bombshells into the debate, including an audio recording of a closed-door talk by Sprint/NexTel's Electronic Surveillance Manager, bragging about how easy the company has made it for law enforcement to get customers' location data -- so easy that the company has serviced over eight million law enforcement requests for customer location data.


[It's] all implying that electronic surveillance is much more widespread that many of us had thought. ... How many were justified, we don't know. We can't know -- and that's a big part of the problem. It's deeply troubling that this has happened without significant public debate.

Christopher Soghoian pleads for "real surveillance oversight":

Internet service providers and telecommunications companies play a significant, yet little known role in law enforcement and intelligence gathering. ... These Internet/telecommunications firms all have special departments, many open 24 hours per day, whose staff do nothing but respond to legal requests.


If you were to believe the public surveillance statistics, you might come away with the idea that government surveillance is exceedingly rare in the United States. ... However, while there are many ways the government can monitor an individual, very few of these methods require an intercept order.

The EFF's Kevin Bankston is shocked:

Soghoian taped astonishing comments by Paul Taylor, Sprint/Nextel's Manager of Electronic Surveillance. ... Taylor noted a shocking number of requests that Sprint had received in the past year for ... location data revealing the location and movements of Sprint's customers. That number? EIGHT MILLION.


[It's] absolutely mind-boggling. ... Cell phone tracking poses a threat to locational privacy ... EFF has been fighting in the courts for years to ensure that the government only tracks a cell phone's location when it has a search warrant based on probable case. ... A dangerous level of secrecy surrounds law enforcement's communications surveillance practices like a dense fog.

Sprint's Rich Pesce fished for an official response and caught this:

The comments made by a Sprint corporate security officer during a recent conference have been taken out of context by this blogger. Specifically, the “8 million” figure, which the blogger highlights in his email and blog post, has been grossly misrepresented. The figure does not represent the number of customers whose location information was provided to law enforcement.


Instances where law enforcement agencies seek customer location information include ... Amber Alert events, criminal investigations, or cases where a Sprint customer consents to sharing location information. ... Sprint takes our customers’ privacy extremely seriously and all law enforcement and public safety requests for customer location information are processed in accordance with applicable state and federal laws.

To which, Ed Felten responds:

It's possible that the Sprint guy was just bragging or inflating the numbers. But what does it say that company officials want to puff up the number of times they released customer data?

Note, too, that this isn't the only large number in Chris's post. To get the whole picture, read his post.

So what's your take?
Get involved: leave a comment.

And finally...

Richi Jennings, your humble blogwatcher
  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter, or richij on FriendFeed, pretend to be richij's friend on Facebook, or just use good old email: itblogwatch@richij.com.

Don't miss out on IT Blogwatch:

Copyright © 2009 IDG Communications, Inc.

Shop Tech Products at Amazon