Opinion: Not where they think you are

Location data based on mobile-phone records is weak evidence


In some cases, carriers upgrading their older systems have recreated security vulnerabilities simply by not studying those that have gone before; the implementation, not the technology, is often to blame. Windows server platforms and other recent converts to telephony services regularly fall down the historical steps (PDF format) of UNIX/IP and SS7 security, bumping their collective heads on every step.

Other risks to the integrity of call tracking and recording data come from plain old stupid mistakes, and I'm not just picking on T-Mobile; AT&T/Cingular, Sprint, Verizon and others have all had their moments of fat-fingery shame. Years ago, an associate found a national mobile carrier's primary Oracle-based billing system for the entire continental US to be using a public IP address and default passwords, and used SQL*NET over his AOL dial-up to make his point to the system administrators. Another carrier kept critical data on desktop workstations with a single point of failure, and lost the identity data for a few cities' worth of customers when one old Sparc20 failed.

Legal and intelligence problems arise when the information in these systems is assumed to be accurate, and the flawed data ends up misused in court because the evidentiary chain of custody starts long after the potential accuracy problems and vulnerabilities to integrity. Simply put, I wouldn't want to have a difficult investigation or weak court case further undermined by easily compromised data masquerading as evidence.

Whether this is all worth the loss of civil liberties is a discussion for another forum. Whatever the outcome, it's clear that mobile phone location and tracking data is often a guess at best -- data of which good investigators ought to be deeply skeptical.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a major refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.

Copyright © 2008 IDG Communications, Inc.
