Nothing gets buzz flowing like a security scare. A tape recording suggesting that Sprint provided law enforcement agencies with customer location data over 8 million times in one year has been made public, Ars Technica and others reported yesterday. This is a sticky issue, but Sprint Nextel has a rebuttal.
The recording that started the controversy (found at the bottom of this post and posted to YouTube), captures Paul Taylor, manager of Sprint’s Electronic Surveillance Team, speaking at the ISS World Conference in Washington, D.C., on Oct. 13. Christopher Soghoian, an Indiana University graduate student, posted the recording. In it, Taylor does indeed make reference to “8 million requests” for customer location data from law enforcement agencies in one year, and makes it more than once.
However, I spoke with Sprint Nextel spokesman Matt Sullivan, who said that Soghoian’s post “didn’t attempt to clarify” a number of important issues. First, Sullivan noted, the 8 million number is actually for individual pings to customer handsets generated by any given law enforcement agency during ongoing attempts to locate those devices.
Sullivan didn’t dispute the fact that Sprint sometimes allows law enforcement agencies to track customer handsets. In fact, the company has a portal that lets them do so easily, if they have “a valid request,” which is typically generated by a court order or a subpoena.
The portal facilitates “automated requests to our network that provide latitude and longitude information” for a handset, according to Sullivan. However, a single law enforcement agency might generate thousands of pings when attempting to locate just one customer, which means, he said, that the actual number of consumers for whom there were location attempts would be in the thousands for a year — nowhere near 8 million.
“We have 47 million customers, and, given that, we don’t think thousands of annual location attempts is unreasonable,” Sullivan added. He didn’t clarify how many “thousands” there were, but said that Sprint will provide an exact number.
Soghoian is working on a dissertation focused on surveillance, and his post gathers lots of interesting data points about the growing trend toward ISPs and carriers sharing customer data. As often happens with widely reported stories on security, though, this latest report focused on what looks like a largely inflated number.