In the first audit of its kind, Cellphone carriers disclosed that U.S. law enforcement officials made over 1.3 million requests for customer information last year, and the frequency of cellphone surveillance is on the rise.
In June, Rep. Edward Markey (D-Mass.), co-chair of the Congressional Bi-Partisan Privacy Caucus, asked nine cellphone carriers serving millions of U.S. subscribers to share information on how frequently they were asked by law enforcement to share information about their customers, how these requests are processed, what fees they charge for complying and other details concerning the authorities' use of cellphones as data sources.
The responses from the carriers, who in several instances noted staffing large teams working 24 hours a day to process the flood of data requests, underscore the wealth of data that can be mined from cellphones that increasingly log their users' every move. They also highlight the privacy concerns associated with a lack of oversight governing the personal information that authorities can access.
So what data exactly were the cellphone companies sharing? And why? Any "Law & Order" aficionado should be able to guess: Text messages, location information, and lists of incoming and outgoing calls were all fair game for the authorities, the carriers explained in their letters replying to the congressional inquiry.
Sprint offered a detailed description of what legal hoops law enforcement agents must jump through to obtain different types of customer data:
Basic subscriber information, which is strictly limited to six specific categories of information (name, address, local/long distance records (or records of session times and duration), length/type of service, telephone/subscriber number and means and source of payment), is the only information that can be disclosed to law enforcement pursuant to an administrative, grand jury or trial subpoena.
In addition, Sprint's senior vice president of government affairs wrote that a wiretap and "the stored content of a customer's communications (e.g., text messages)" can "only be disclosed to law enforcement pursuant to a warrant or court order based on probable cause." A warrant is also required to access location information, which can include both both real-time location data collected from a subscriber's GPS and historical location data based on a user's proximity to cell towers, though exceptions may be made in emergency situations "involving danger of death or serious physical injury."
AT&T wrote that it would offer a user's location information to "a public safety entity when a call is made to 911" or if "an emergency involving immediate danger of death or serious physical injury to any person requires or justifies disclosure without delay."
According to Verizon's breakdown of the 260,000 data requests it received from law enforcement last year, authorities were frequently hunting down details that were more personal than an address:
About half of these requests were subpoenas; generally speaking, law enforcement can only seek subscriber or call detail records (the type of information on a phone bill) through a subpoena [...] The other half were warrants and orders (generally for phone bill information, wiretaps, pen registers [which track incoming calls], traps and traces [which track outgoing calls], text message information and location information) or emergency requests.
Verizon also shared its price list for complying with authorities' surveillance requests. Handing over up to five days of stored text messages costs $50, and a wiretap order costs at least $775. It also has a seventy-person team working twenty-four hours a day, seven days a week to handle incoming requests for user information.
All the data handed over to law enforcement is going to "a variety of matters including national security, drug activities, murders, thefts, kidnappings and terrorism, to name a few," according to T-Mobile.
Rep. Markey, however, expressed concern that law enforcement agents may be overstepping their bounds and plans to propose regulation that would impose limits on what subscriber information can be accessed.
"We cannot allow privacy protections to be swept aside with the sweeping nature of these information requests, especially for innocent consumers,” Markey said in a statement. He told The New York Times that when it comes to protecting people's privacy, "There's a real danger we’ve already crossed the line."
Sprint chided regulators for not doing more to specify in what cases location data could be shared -- and withheld -- from the government.
"Given the importance of this issue and the competing and at times contradictory legal standards, Sprint believes that Congress should clarify the legal requirements for disclosure of all types of location information to law enforcement personnel," the carrier wrote.