Simply Security - News, Views, and Opinions from Trend Micro

Posted on August 7th, 2012 in Data Privacy by Simply Security | 2 Comments | Tags: Data Privacy

Cellphone surveillance requests from law enforcement agents are raising some serious data privacy concerns.

U.S. wireless carriers are being placed in a decidedly difficult spot these days as they attempt to satisfy the seemingly divergent priorities of law enforcement officials and consumer protection advocates. In a first-of-its-kind report, the New York Times recently quantified the scope of government-requested cellphone surveillance practices courtesy of data sets gathered through a congressional probe.

In response to a March 2012 article from the Times detailing the prevalence of cellphone data tracking among law enforcement agencies, Massachusetts Representative Edward Markey recently launched an investigation that resulted in nine U.S. wireless carriers being asked to describe their roles in the proceedings.

"Law enforcement agencies are looking for a needle, but what are they doing with the haystack?" Markey explained in a prepared statement. "We need to know how law enforcement differentiates between records of innocent people and those that are subjects of investigation, as well as how it handles, administers and disposes of this information."

Now that wireless carriers have provided the requested information, even Markey admits that he is surprised by the findings.

Thousands of requests per day

According to the Times, the nine carriers collectively responded to 1.3 million requests for customer data in 2011 alone. In these scenarios, local, state and federal law enforcement agents requested everything from text messages to callers' physical locations. AT&T officials estimated that their company fields an average of more than 700 requests each day, for example, with approximately 230 classified as emergencies. T-Mobile led all carriers with a conservatively estimated average of 1,500 data requests per day, observing a 12 to 16 percent annual increase over the past five years.

The expanded scope of cellphone surveillance could also be seen in the reimbursement requests filed by carriers. Considering the technical complexity and man-hours required to locate and reproduce subscriber data on-demand, AT&T was able to bill law enforcement agencies for a subtotal of $8.3 million. Conversely, Cricket – one of the smaller carriers – noted that it is likely losing money on surveillance operations as government requests overwhelm internal resources.

Nevertheless, New York-based detective Peter Modafferi is one of many suggesting that the increase in cellphone monitoring is simply a product of the times. In an interview with the newspaper, he noted that nearly every crime scene he investigates now contains some type of mobile device. Information pulled from these gadgets can help uncover crucial details, such as a victim's recent whereabouts and communications.

Carriers as de facto attorneys

The Times explicitly highlighted the fact that all activities reported by the wireless carriers were aboveboard and completely legal. But a dangerous gray area is emerging.

With a flood of new requests coming in each day, several companies have had to recruit specialized teams. Verizon, for example, now has 70 employees dedicated to facilitating law enforcement requests and a legal team that works around the clock. Smaller carriers, however, have had to outsource some of these responsibilities, adding even more actors into the data security chain of command.

In any case, consumer protection advocates have suggested that the companies cannot and should not be expected to make complex legal interpretations. The fact that C Spire has rejected an estimated 15 percent of the more than 12,000 requests it has received in the past five years is making some wonder about the quality and legality of what might be slipping through the cracks.

Red flags have also been raised regarding the frequency with which requests are classified as emergencies and fast-tracked for processing with fewer legal hurdles. In fact, some are suggesting that last year's 14 percent decline in requests for federal wiretapping warrants is a product of agencies choosing the path of least resistance and strong-arming wireless carriers.

In an interview with the Times, American Civil Liberties Union attorney Chris Calabrese insisted that whatever the resolution may be, the inconsistent standards governing mobile data requests and processing can no longer be ignored.

"The standards really are all over the place," Calabrese told reporters. "Nobody is saying don't use these tools. What we're saying is do it with consistent standards and in a way that recognizes that these are tools that can really impact people's privacy."

One of the more concerning – and prevalent – practices that has drawn the ire of Calabrese and others is known as cell tower "dumping." According to the Times, this essentially involves police agencies pulling all data on subscribers who were accessing a cell tower during a certain period of time. While this can help informal temporal components of an investigation, it can also generate hundreds or even thousands of profiles on innocent citizens with no criminal involvement.

Whether it's ensuring law enforcement agents paint with a thinner brush or developing new data security safeguards during information processing, these new revelations should – at the very least – inspire a private sector pushback that forces officials to justify and hopefully evolve their surveillance activities.

Data Security News from SimplySecurity.com by Trend Micro