Chris Soghoian posts a bombshell or two at slight paranoia: 8 Million Reasons for Real Surveillance Oversight
Executive Summary
Sprint Nextel provided law enforcement agencies with its customers' (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.
The evidence documenting this surveillance program comes in the form of an audio recording of Sprint's Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.
It is unclear if Federal law enforcement agencies' extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics — since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.
(Spotted via Ed Felten, Soghoian: 8 Million Reasons for Real Surveillance Oversight).
As Chris Soghoian says, it is really staggering that law enforcement could make so many requests in a year or so and even more staggering that such a sea change in the government/privacy balance could happen with no public notice or debate.
It’s kinda unfortunate —though understandable— that Chris chose to headline the EIGHT-MILLION number (omg!!!1!!1one1!!). That bit of sensationalism naturally dominated the news. Along with Sprint’s response(*) characterizing the eight-million number as ‘misunderstood’ and ‘taken out of context.’
A more curious piece of Chris’ post got buried…
The numbers he got for electronic intercept orders are unbelievable:
These electronic intercept numbers are simply incredible.
I don’t know what to make of them.
(*) Hyperlink redacted due to comment reject. Error message was approximately:
Hyperlink was approximately:
Spaces injected to pass content filter.
They’re using the standard of whether an individual is relevant to an ongoing investigation, but the government has failed to demonstrate they’re not applying a “six degrees of Kevin Bacon” approach to determining relevance. In fact, there’s evidence that they are applying this approach. Title 18, 2703 provides certain standards for obtaining records, but the standards for a pen register order are lower.
One might expect that network service providers are not in the business of surveillance, but many of these companies charge the government upwards of $1000 per surveillance request fulfilled. How many subscribers or ad click-throughs does this amount to? $500 hammer anyone? CALEA has helped streamline many of these processes.
Microsoft’s webpage for its law enforcement forensics tool brags: “If it’s vital to government, it’s mission critical to Microsoft.”
http://www.microsoft.com/industry/government/solutions/cofee/default.aspx
News Update
Files have now been taken down.
Update now posted on Chris Soghoian’s blog:
If anyone needs a copy of the files, I have reason to believe that third parties have archived copies around the net.
I believe there is much less to this than first appears for reasons introduced here.
Yahoo!'s “Compliance Guide for Law Enforcement” is now up on WikiLeaks.
If you’re behind on the story so far, see Kim Zetter’s Friday article, “Yahoo Issues Takedown Notice for Spying Price List”. In short, this is the document that Yahoo! didn’t want given up under FOIA.
Meanwhile, cryptome is still live—hasn’t been nuked yet.
This is a response to Chris Soghoian by Matt Sullivan, Sprint Nextel (from Chris' blog):
Chris,
As a follow-up to my earlier e-mail, I wanted to properly characterize the 8 million figure that you prominently feature in your blog and email.
The 8 million figure does not represent the number of customers whose location information was provided to law enforcement, nor does it represent the instances or cases in which law enforcement contacted Sprint seeking customer location information.
Instead, the figure represents the number of individual automated requests, or “pings”, for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year. The critical point is that a single case or investigation may generate thousands of individual requests to the network as the law enforcement or public safety agency attempts to track or locate an individual over the course of days or weeks.
As a result, the 8 million automated requests or pings were generated by thousands (NOT millions) of instances in which law enforcement or public safety agencies sought customer location information. Several thousand instances over the course of a year should not be shocking given that we have 47 million customers and requests from law enforcement and public safety agencies are due to a variety of circumstances: exigent or emergency situations, criminal investigations, or cases where a Sprint customer consents to sharing location information.
It's also important to note that we complied with applicable state and federal laws in all of the instances where we fulfilled a law enforcement or public safety request for location information.
Matt Sullivan
Sprint Nextel
Matthew.sullivan@sprint.com
I wish that you had linked to Posner’s opinions on rape and baby-selling.