Sprint Nextel provided law enforcement agencies with customer location data more than 8 million times between September 2008 and October 2009, according to a company manager who disclosed the statistic at a non-public interception and wiretapping conference in October.
The manager also revealed the existence of a previously undisclosed web portal that Sprint provides law enforcement to conduct automated “pings” to track users. Through the website, authorized agents can type in a mobile phone number and obtain global positioning system (GPS) coordinates of the phone.
The revelations, uncovered by blogger and privacy activist Christopher Soghoian, have spawned questions about the number of Sprint customers who have been under surveillance, as well as the legal process agents followed to obtain such data.
But a Sprint Nextel spokesman said that Soghoian, who recorded the Sprint manager’s statements at the closed conference, misunderstood what the figure represents. The number of customers whose GPS data was provided to local, state and federal law enforcement agencies was much less than 8 million, as was the total number of individual requests for data.
But Sprint spokesman John Taylor (who is not related to Paul Taylor) says Soghoian had “grossly misrepresented” the 8 million figure, which doesn’t refer to unique requests or to individual customers, but to the total number of “pings” made on every number for the duration of a law enforcement request.
“The figure represents the number of individual pings for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year,” said spokesman Taylor. “It’s critical to note that a single case or investigation may generate thousands of individual pings to the network as the law enforcement or public safety agency attempts to track or locate an individual.”
There are four circumstances under which law enforcement agents can use the Sprint website and obtain GPS data: 1) under the authority of a court order; 2) to track the location of a customer who has made a 911 call; 3) in an emergency situation, such as tracking someone lost in the wilderness or trying to locate an abducted child or hostage; 4) with a customer’s consent.
In the case of court orders, Taylor said agents are required to provide Sprint with the order, after which the company provisions the law enforcement account to allow an agency to track the targeted phone number. Court orders cover a 60-day period, and agents can do automated pings to obtain real-time GPS data every three minutes throughout that 60-day period. Taylor says this accounts for the 8 million figure.
“If you can access the info every three minutes over 60 days, that adds up pretty quickly,” he told Threat Level.
He added that the GPS data includes only latitude and longitude and the date and time of the ping.
The automated system was set up so that law enforcement agents wouldn’t have to contact Sprint’s electronic surveillance team each time they wanted to ping a phone number throughout the 60 days of a court order. Agents still have to obtain a subpoena to get historic call detail records, such as phone numbers called, the date, time and duration of calls and the cell site and sector from which the calls were made.