

Nothing gets buzz flowing like a security scare. A tape recording suggesting that Sprint provided law enforcement agencies with customer location data over 8 million times in one year has been made public, Ars Technica and others reported yesterday. This is a sticky issue, but Sprint Nextel has a rebuttal.

The recording that started the controversy (found at the bottom of this post and posted to YouTube) captures Paul Taylor, manager of Sprint’s Electronic Surveillance Team, speaking at the ISS World Conference in Washington, D.C., on Oct. 13. Christopher Soghoian, an Indiana University graduate student, posted the recording. In it, Taylor does indeed refer to “8 million requests” for customer location data from law enforcement agencies in one year, and does so more than once.

However, I spoke with Sprint Nextel spokesman Matt Sullivan, who said that Soghoian’s post “didn’t attempt to clarify” a number of important issues. First, Sullivan noted, the 8 million number is actually for individual pings to customer handsets generated by any given law enforcement agency during ongoing attempts to locate those devices.

Sullivan didn’t dispute the fact that Sprint sometimes allows law enforcement agencies to track customer handsets. In fact, the company has a portal that lets them do so easily, if they have “a valid request,” which is typically generated by a court order or a subpoena.

The portal facilitates “automated requests to our network that provide latitude and longitude information” for a handset, according to Sullivan. However, a single law enforcement agency might generate thousands of pings when attempting to locate just one customer, which means, he said, that the actual number of consumers for whom there were location attempts would be in the thousands for a year — nowhere near 8 million.

“We have 47 million customers, and, given that, we don’t think thousands of annual location attempts is unreasonable,” Sullivan added. He didn’t clarify how many “thousands” there were, but said that Sprint will provide an exact number.

Soghoian is working on a dissertation focused on surveillance, and his post gathers lots of interesting data points about the growing trend toward ISPs and carriers sharing customer data. As often happens with widely reported stories on security, though, this latest report focused on what looks like a largely inflated number.

  1. I think I personally sent one thousand requests one weekend when I was keeping track of my teenage daughter…

  2. Yeah, right. And I’ve got a nice bridge to sell you too.

  3. Jerry Fleckhiemer Wednesday, December 2, 2009

    You have to know what he is talking about in the audio to comment on this article. First, what is a “ping”? Second, what does the 8 million consist of, pings or subscriber phone numbers? With this clarification, you can correctly qualify a response to that excerpt of a presentation.

    With that said, let’s take the worst case, 8 million subscriber, network-generated, location requests. First of all, it is impossible for law enforcement to generate 8 million subpoenas to back up every locate, so Sprint has admitted to some CPNI violations. This happens all the time and most wouldn’t care if it is their daughter that law enforcement is trying to locate, but that doesn’t make it legal or lawful. A good judge can ask the right questions, like the production of the subscriber list “pinged” and associated subpoenas or exigent forms.

  4. GigaOM, are you tech reporters/journalists, or propagandists for Sprint?

  5. What is the bet that not all of the ‘valid requests’ were court-ordered?

    Also, 8 million is not an inflated number. Even assuming that it was an average of 8000 ‘pings’ per person, that’s 8000 people! In reality, it was probably far less than 1000 pings per person and far more than 8000 people.

  6. I wonder how much Sprint was paid for each of these lookups? I’m thinking into the hundreds of dollars EACH going by what other phone companies were charging for similar deals.

  7. How many people is it ok to send private data on? I thought we were the customers here?

  8. Obviously the concern here is that the requests were for valid legal activities, and not being used to harass activists or the ex’s new boyfriend, for example.

