I know this shouldn't surprise me, but alas it still does. Wired reported a few days ago (somehow I missed the initial story), via some actual investigative reporting by blogger and privacy activist Christopher Soghoian:
Sprint Nextel provided law enforcement agencies with customer location data more than 8 million times between September 2008 and October 2009, according to a company manager who disclosed the statistic at a non-public interception and wiretapping conference in October.
The manager also revealed the existence of a previously undisclosed web portal that Sprint provides law enforcement to conduct automated "pings" to track users. Through the website, authorized agents can type in a mobile phone number and obtain global positioning system (GPS) coordinates of the phone.
Now of course the sharing of customer information is troubling, but I find the knowledge they have a web portal where a phone number can be entered and their location information passed onto law enforcement officials even more troubling. So lets talk about that for a few minutes.
This information was gathered when Christopher Soghoian attended a private conference titled the Intelligence Support Systems (ISS) for Lawful Interception, Criminal Investigations and Intelligence Gathering. Since that time Sprint has admitted on a company blog that the numbers in the Wired article are accurate, but the interpretation of them way off the mark.
Somehow they seem to think that admitting they provided information on their customers 8 million times isn't nearly as bad when they explain it wasn't 8 million customers (they have more then 45 million customers in the United States), but just maybe a couple thousands of customers with repeated information requests.
But the fact Sprint created a web-based portal where law enforcement officials could easily enter a phone number and get the exact location of that person scares the heck out of me. We even have screen caps of what the results look like:
According to Wired there are very specific guidelines on when government officials can gain access to GPS information:
There are four circumstances under which law enforcement agents can use the Sprint website and obtain GPS data: 1) under the authority of a court order; 2) to track the location of a customer who has made a 911 call; 3) in an emergency situation, such as tracking someone lost in the wilderness or trying to locate an abducted child or hostage; 4) with a customer’s consent.
Sprint thus far have proved no court orders and not a single Sprint customer has come forward saying they were informed they were being tracked. The question then becomes isn't a portal, that it is believed that could be accessed by any browser on any computer, allow a lot of potential for abuse. I mean what did the government officials do, hold up the court order to the web cam to prove they have the legal right to access these customer records and location?
Why all of this is so wrong is outlined in this interview with a lawyer from the Electronic Frontier Foundation interviewed yesterday on the G4 tech program Attack Of The Show (it won't embed, so here is a direct link to it).
There is just no oversight on what the heck is going on here. Years ago an AT&T engineer came forward to tell Wired that the government was running all the Internet traffic that ran through their data center in San Fransisco through their own switch, meaning they could monitor everything. The EFF is still in court attempting to find out what legal recourse they had to do this and if it was being done in other AT&T data centers throughout the United States. Heck they can't even get the government to outline what information they were gathering and on whom.
We are supposed to live in a free society. Run by the rule of law. But the potential for abuses here are almost limitless, and these are just two small of examples of what might actually be happening.
I mean we wouldn't even know about Sprint doing this if the guy speaking at the conference didn't have some "loose lips." This needs to end.