Sprint Revealed Customer GPS Data 8 Million Times
An anonymous reader sends along Chris Soghoian's blog entry revealing that Sprint Nextel provided law enforcement agencies with its customers' GPS location information over 8 million times between September 2008 and October 2009. The data point comes from a closed industry conference that Soghoian attended, at which Paul Taylor, Electronic Surveillance Manager at Sprint Nextel, said: "[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in." Soghoian's post details the laws around disclosure of wiretap and other interception data — one of which the Department of Justice has been violating since 2004 — and calls for more disclosure of the levels of all forms of surveillance.
Re:automated tool for locating cells? (Score:5, Informative)
Automated tool for locating cells? wow that sounds like an invitation for disaster and abuse. So what happens first, someone hacks it, or it's used in a 1984 style manner? (my guess is the latter has already happened/happening.)
Your latter guess has been mandated by law since the passage of the 1996 telecommunications act. Your cell phone can be listened to and tracked anywhere within coverage area as long as your cellphone has its battery inserted.
Not just for law enforcement (Score:1, Informative)
Many companies track their employees too using tools like Xora (xora.com). The City of Chicago uses it extensively to track city workers...
Re:automated tool for locating cells? (Score:4, Informative)
Welcome to the Technetronic era!
FYI, Zbigniew Brzezinski [wikipedia.org] is one of America's most influential foreign policy strategists.
Not just Sprint (Score:3, Informative)
This was interesting:
The first agency within DOJ to respond was the U.S. Marshals Service (USMS), who informed me that they had price lists on file for Cox, Comcast, Yahoo! and Verizon. Since the price lists were provided to USMS voluntarily, the companies were given the opportunity to object to the disclosure of their documents. Neither Comcast nor Cox objected (perhaps because their price lists were already public), while both Verizon and Yahoo! objected to the disclosure.
I am sure all the major providers are guilty of this. Regardless, I am curious to see if 911 operators are lumped into those requests. Many of them may be dispatch trying to find someone's cell phone from an accident or someone in trouble.
Re:automated tool for locating cells? (Score:1, Informative)
Hey, idiot [theonion.com], maybe you would be interested in reading this article [fivethirtyeight.com] which explains why you're wrong.
Re:automated tool for locating cells? (Score:3, Informative)
Yeah but triangulation is difficult and time-consuming, plus far from exact. It also requires knowing where somebody is at, else you'll be triangulating Baltimore when the suspect is over in Philly. In contrast GPS is like a big sign that says, "Here he is" as it moves across the cop's map. It's precise, instant, and easy.
Well, to be clear, triangulation is easy if you are the cell company or software running on the device. Google Maps has used (and still uses) triangulation to get pretty accurate location for years - before GPS was as common or when GPS signals are unavailable. That still requires hacking either Sprint's network or the device itself, but it's just good to be clear that not having GPS on a device doesn't save us much.
-Taylor
Re:automated tool for locating cells? (Score:5, Informative)
It also requires knowing where somebody is at, else you'll be triangulating Baltimore when the suspect is over in Philly.
You'd know that anyway. The cellular network is broken up into zones to lessen the load on the paging channel. Pages are the way that the network locates your phone for incoming calls, pings, SMS, etc. If you had one giant nationwide paging zone then you'd have far too many paging requests to handle. So they break the network up into zones and at a minimum are always going to know which zone your phone is located in. In a rural area these zones might stretch for quite a distance but in more urban areas they tend to be smaller, as more phones equals more paging traffic.
The minute your phone makes/receives a call or SMS they know which tower it's on. From that point forward it's child's play to locate the customer. You don't even need to do triangulation either. At a minimum you can figure out which sector of the tower they are on -- that will narrow down their location to a 120 degree slice of the tower's coverage. With GSM you can use the timing advance to figure out their range from the tower, in 550 meter segments. I believe there's also a way to compute the distance from the tower in CDMA networks without needing to do triangulation.
Re:I'm immune! (Score:3, Informative)
You're not taking into account that cell towers are omnidirectional.
You need 3 towers. If there are two, you could be in either of the two places of equal distance. You need the third tower to take the ambiguity away.
http://www.hacking--thealliance.50megs.com/images/cell_triangulation.gif [50megs.com]
--
BMO
Out-of-date laws are the culprit (Score:5, Informative)
While the Lenihan order [eff.org] and decision did say that the government cannot demand location information without a search warrant, that decision has been appealed by the current administration [irregulartimes.com]. And even if the DOJ loses that appeal, the decision would only apply to a limited section of the country - other courts could decide differently.
The bigger issue is that electronic communications laws are badly out-of-date. There are so many grey areas and loopholes that Sprint and the DOJ can easily argue with a straight face that GPS records are not protected by the Constitution, are not protected by federal or state law, can be demanded without a search warrant, can even be voluntarily handed over with no process whatsoever, do not have to be logged, and do not require anyone ever to tell the person whose location information was collected that they were tracked. And while the courts often do get it right eventually, that's a really slow battle - we need a better approach than that.
We (the ACLU) are launching a new campaign, Demand Your dotRights [dotrights.org], to push companies and lawmakers to provide real protections for our personal information. The "Electronic Communication Privacy Act," which is supposed to protect information like GPS records, was passed in 1986(!) - it just doesn't fit any more.
We hope you will all sign on and join our efforts to push Sprint, lawmakers, and others to respect individual privacy. It clearly won't be an easy battle (seeing how Sprint is actually proud of its "over 8 million GPS record requests served" title), but with enough support, we hope to make a difference - and we could use your help!
Re:I'm immune! (Score:1, Informative)
You're not taking into account that cell towers are omnidirectional.
Actually, in most cases they're not omnidirectional. Most cell sites are "sectorized cells," in which there are three (or sometimes six) distinct sectors radiating from a central point. In general, if you see three antennas on each side of a cell tower, it's sectorized; the omnidirectional towers usually have three candlestick-like antennas that stick up from the tower frame.
In many (but not all) cases, information from two cell sites may be all that's needed to locate the subscriber if it's possible to know both the antenna face being used to communicate with the mobile station as well as the approximate distance from the two towers.
But you're right that three sites are required if the sites are omnidirectional, and there are some cases where three sites are still required even in a sectorized-cell deployment.
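The geometry discussed in the comments above (a tower sector plus GSM timing advance from one site, and two range circles disambiguated by antenna face) can be worked through numerically. This is an added example, not code from any commenter or carrier; the site coordinates, azimuths and TA values are constructed, and the 550 m step is the figure quoted in the thread.

```python
import math

TA_STEP_M = 550.0         # range per GSM timing-advance step, the figure quoted in the thread
SECTOR_WIDTH_DEG = 120.0  # one face of a three-sector site

def ta_range(ta):
    """(min_m, max_m) distance band implied by one timing-advance value."""
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M

def sector_area_km2(ta, width_deg=SECTOR_WIDTH_DEG):
    """Area of the annular slice that one sector plus one TA value pins a handset to."""
    r0, r1 = ta_range(ta)
    return (width_deg / 360.0) * math.pi * (r1**2 - r0**2) / 1e6

def in_sector(site, azimuth_deg, point, width_deg=SECTOR_WIDTH_DEG):
    """True if point lies inside the antenna face centred on azimuth_deg (0 = north)."""
    bearing = math.degrees(math.atan2(point[0] - site[0], point[1] - site[1])) % 360
    off_axis = (bearing - azimuth_deg + 180) % 360 - 180
    return abs(off_axis) <= width_deg / 2

def circle_intersections(a, ra, b, rb):
    """Points where two range circles cross: none, one (tangent) or two."""
    d = math.dist(a, b)
    if d == 0 or d > ra + rb or d < abs(ra - rb):
        return []
    x = (ra**2 - rb**2 + d**2) / (2 * d)      # distance from a along the a->b line
    h = math.sqrt(max(ra**2 - x**2, 0.0))     # offset perpendicular to that line
    ux, uy = (b[0] - a[0]) / d, (b[1] - a[1]) / d
    mx, my = a[0] + x * ux, a[1] + x * uy
    pts = [(mx + h * uy, my - h * ux), (mx - h * uy, my + h * ux)]
    return pts[:1] if h == 0 else pts

def candidates(site_a, site_b, use_sectors=True):
    """Candidate positions from two sites, using the middle of each TA band as range."""
    ra, rb = (sum(ta_range(s["ta"])) / 2 for s in (site_a, site_b))
    pts = circle_intersections(site_a["pos"], ra, site_b["pos"], rb)
    if not use_sectors:                        # omnidirectional sites: ambiguity remains
        return pts
    return [p for p in pts if all(in_sector(s["pos"], s["azimuth_deg"], p)
                                  for s in (site_a, site_b))]

# Constructed sample: metres on a flat x-east / y-north grid, handset really at (2000, 1500).
SITE_A = {"pos": (0.0, 0.0), "azimuth_deg": 60.0, "ta": 4}
SITE_B = {"pos": (4000.0, 0.0), "azimuth_deg": 300.0, "ta": 4}

if __name__ == "__main__":
    print("one site, one sector, one TA value: %.2f km^2" % sector_area_km2(SITE_A["ta"]))
    print("two omnidirectional sites:", candidates(SITE_A, SITE_B, use_sectors=False))
    print("two sectorized sites:     ", candidates(SITE_A, SITE_B))
```

With omnidirectional sites the two circles leave two mirror-image candidates, which is the ambiguity a third site resolves; with the antenna faces known, only one candidate survives.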
Re:automated tool for locating cells? (Score:2, Informative)
http://electronics.howstuffworks.com/gps-phone.htm [howstuffworks.com]