Telecommunications operator Sprint is downplaying a recent report that claims Sprint shared customers’ GPS location information with federal authorities more than 8 million times between September 2008 and October 2009. The report, originally published in security researcher Christopher Soghoian’s blog slight paranoia, raised questions of how much surveillance federal agencies really conduct via mobile devices…and how willing mobile operators are to hand over those data. Sprint is claiming that the figure most-cited in the blog—8 million requests—that Sprint turned over data more than 8 million times—doesn’t mean Sprint turned over information on 8 million customers; instead, the figure represents the aggregate number of requests Sprint fulfilled over the course of investigations that may have lasted days or weeks. According to Sprint, the number of customers affected by the searches total in the thousands, not the millions.
The controversy erupted when Soghoian posted an audio recording of a session at the closed-door ISS World conference in which Sprint’s head of electronic surveillance, Paul Taylor, rather giddily spoke about the volume of GPS data requests Sprint had been able to process for law enforcement after setting up a Web portal for automating the request process. (The recordings have since been taken offline, with the organizers of the ISS World conference claiming they violate copyright.) Taylor also said Sprint has 110 employees and contractors dedicated solely to disclosing customer data to law enforcement.
Taylor’s comments do not discuss whether Sprint is requiring warrants or court orders before disclosing customer data, or what security measures it has put in place to secure its automated Web portal.
Privacy advocates have expressed alarm at the sheer number of requests processed by Sprint. “Eight million would have been a shocking number even if it had included every single legal request to every single carrier for every single type of customer information,” wrote Electronic Fronteir Foundation attorney Kevin Bankston in the EFF blog. “That Sprint alone received eight million requests just from law enforcement only for GPS data is absolutely mind-boggling.
Sprint maintains that a single investigation can generate thousands of requests for GPS data as law enforcement personnel gather evidence or attempt to track an individual.
Communications operators are not part of any government of law enforcement agency, but have historically worked tightly (and often clandestinely) with law enforcement agencies, often without warrants or court orders to turn over customer records. Under President Bush, it is believed U.S. telecommunications operators complied with the NSA’s “warrantless wiretapping” program to arbitrarily monitor communications with individuals outside the U.S., even if the other end of the communication was in the United States.
