Back when telephones were devices that sat on the hallway table or hung on the kitchen wall, people who called you knew where you were; a phone number named a physical location. The phone company knew that the call had been answered, but it had no idea who took the call. That is no longer the case. With the ubiquitous use of cellphones, people calling you have no idea where you are. Instead it is the the phone companies that know who is answering and where it is you are. AT&T, Verizon, Sprint, T-Mobile know all about where you've been, where you're going, where you're likely to go -- and perhaps even who's going with you.
There are lots of reasons for the phone companies to have that information. Knowing where you are is necessary for getting calls through, while knowing where you're going helps cellular providers provide service. For example, if you're traveling on an Acela, the provider can reserve towers in advance, which prevents your call from being dropped. Knowing who's going with you is a side effect of tracking that person's travels alongside yours. But such transactional information is highly revealing of private information. What do the cellular carriers do with the data? Do you know?
A Freedom of Information Act (FOIA) request by ACLU of North Carolina has revealed a Department of Justice memo showing that Verizon keeps tracking data for "a rolling year," T-Mobile officially for 4-6 months, but "really a year or more," AT&T/Cingular since July 2008, Sprint for 18-24 months. That's not all. While T-Mobile, AT&T/Cingular, and Sprint do not retain the content of your text messages, Verizon does -- for 3-5 days. That's interesting, very interesting. After all, the content of text messages is content, not transactional data. Verizon is not the only provider to keep such content; Virgin Mobile stores text messages for ninety days. Logging onto to the Web while on your smart phone? Verizon stores your IP session information -- where you were browsing and for how long -- for ninety days, Sprint and Nextel for sixty.
Law enforcement finds this data immensely useful. The French police have long used the tracking data from cell phones -- both on and off -- to trace who is using stolen credit cards. U.S. law enforcement has used such information to solve murder cases, bank robberies, and drop the length of time it takes to catch fugitives from forty-two days to two. Law enforcement has also put the data to other uses, including tracking citizens engaged in political protest.
Location information is powerful information and it's no wonder that law enforcement would find the data from the cell phone providers so useful. A single order for transactional communications records can provide the same information as a surveillance team of five working for a month. That's part of the reason that requests for such transactional information have shot up to over twenty thousand "hybrid" orders annually per carrier (a hybrid order combines past and future location information in a single court request). That large number should give pause.
Currently such data is available as long as the information being sought is likely to be part of an "ongoing criminal investigation." That is a fairly minimal requirement, but even such minimal requirements are not always followed. Earlier documents released under FOIA requests include an FBI agent expressing concern that,
We deal mostly with the Fugitive Squad here and, like in many other offices, these guys have a reputation for cutting corners (I'm not bashing them; it's the way they do business). Getting a court order is absolutely the last step, if they have to. Before I had a blow-up with a particular Agent almost exactly one year ago, we were constantly asked to call our contacts at service providers to see if we could get various information without having to get a court order ... Doing this once or twice turns into SOP [Standard Operating Procedure] ... I also had a problem with the Fugitive guys calling the service providers and telling them it was I who was calling .... We also had an Agent try to knowingly pass a bad court order to us.
And a 2010 report by the FBI Inspector General on agents' use of exigent letters -- letters written by agents requesting immediate access to telephone records stating that appropriate subpoenas had already been submitted -- showed that "the FBI circumvented the requirements of the Electronic Communications Privacy Act, NSL statutes and violated the Attorney General's Guidelines for FBI National Security Investigations and Foreign Intelligence Collection." Many of the exigent letters never received the required legal follow-up; sometimes subscriber data was given by providers without a written request by FBI agents (meaning auditing requests was essentially impossible). In only 11% of the cases was the data appropriately specific as to what information was being requested, and date ranges were often missing. The result was that often telephone company personnel supplied far more data than the FBI was legally authorized to receive. This included information on the phone records of reporters from the New York Times and the Washington Post -- information that was likely to reveal reporters' sources.
The dangers are clear. The information that cell providers have is rich and highly revealing. The laws governing release of the data are weak, and law enforcement has abused access to this data. Across the pond, the News of the World hacking scandal showed that the police and service providers are not immune from sharing private customer information, including location data, with outsiders.
Yet cell phone use is no longer a choice, but essentially a necessity. Already there are more cell phones than wireline phones in the United States. Pay phones have virtually disappeared. In 2009 AT&T petitioned the FCC to determine a date for the end of POTS -- plain old telephone service. The days of the wireline phone are numbered. The time when your caller knew where you were -- and the phone company did not -- are almost over. Soon circumstances will force everyone to carry the phones that track you as you travel.
This societal change makes it imperative that there be strict controls on what data is being retained, and for how long. Users -- couples divorcing, businesspeople whose phones are paid for by the company, anyone with a cell phone -- should know what data is being kept, and what the policies are on release of that information. Such policies should be public as part of the service contract. Release of the information should be subject to the same stringent protections as a wiretap order. The fact that cell phone providers learn this information as a result of the technology doesn't mean that it should be easily accessible. The data of where you are, where you are going, who might be with you is highly private information. It is time that communications privacy law caught up with the twenty-first century.