Wednesday, December 02, 2009

WIRED: 'Feds ‘Pinged’ Sprint GPS Data 8 Million Times Over a Year'

Wired's Threat Level blog picks up the Sprint Nextel story with new information from the company about the significance of the "8 million" figure cited by its Electronic Surveillance Manager.

According to the company, law enforcement authorities used a Sprint Nextel web portal to initiate 8 million "pings" to cell phones, which allowed officials to track the owners' locations. The company says that does not mean 8 million individual customers were tracked, but they won't say how many were.

The manager also revealed the existence of a previously undisclosed web portal that Sprint provides law enforcement to conduct automated “pings” to track users. Through the website, authorized agents can type in a mobile phone number and obtain global positioning system (GPS) coordinates of the phone.

The revelations, uncovered by blogger and privacy activist Christopher Soghoian, have spawned questions about the number of Sprint customers who have been under surveillance, as well as the legal process agents followed to obtain such data.

But a Sprint Nextel spokesman said that Soghoian, who recorded the Sprint manager’s statements at the closed conference, misunderstood what the figure represents. The number of customers whose GPS data was provided to local, state and federal law enforcement agencies was much less than 8 million, as was the total number of individual requests for data.

The spokesman wouldn’t disclose how many of Sprint’s 48 million customers had their GPS data shared, or indicate the number of unique surveillance requests from law enforcement. But he said that a single surveillance order against a lone target could generate thousands of GPS “pings” to the cell phone, as the police track the subject’s movements over the course of days or weeks. That, Sprint claims, is the source of the 8 million figure: it’s the cumulative number of times Sprint cell phones covertly reported their location to law enforcement over the year.

The spokesman also said that law enforcement agents have to obtain a court order for the data, except in special emergency circumstances.
Despite the company's denial, in the audio posted on Christopher Soghoian's blog, Sprint Nextel's Electronic Surveillance Manager, Paul Taylor, refers very clearly to "8 million requests from law enforcement, just for GPS alone," and praises the company's web interface for making it possible to fulfill those requests.