Who’s Watching?

Christopher Soghoian is a graduate student and PhD candidate in the School of Informatics and Computing at Indiana University.  He has also stirred up quite a bit of conversation in the last few days with a blog post he wrote this past Tuesday, “8 Million Reasons for Real Surveillance Oversight”.   Mr. Soghoian obtained an audio recording of a discussion, by the Manager of Electronic Surveillance for Sprint, in which it was revealed that, during the period between September 2008 and October 2009, Sprint had supplied its customers’ individual GPS location data to law enforcement agencies more than 8 million times.   The discussion took place at an “Intelligence Support Systems” conference held in Washington DC  in October, 2009.  The large number of completed requests was facilitated by a new Web-based inquiry tool Sprint provided:

Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

It is not clear what, if any, authorization law enforcement personnel need to access this data.  It is not at all clear that the accesses are even recorded or reported in any systematic way:

It is unclear if Federal law enforcement agencies’ extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics — since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

Although some statistics on communications surveillance are reported, they are not comprehensive, and it is not clear exactly what is and is not reported.

Mr. Soghoian also files a Freedom of Information Act [FOIA] request to obtain the service and pricing manuals to learn how much the service providers charge to intercept your communications for the government.  He says this was an attempt to get a handle on how much surveillance was occurring by “following the money”.  According to an article in Wired, Yahoo! and Verizon filed objection letters to the FOIA request.    Yahoo! is apparently afraid people will say mean things about them:

Yahoo writes in its 12-page objection letter (.pdf), that if its pricing information were disclosed to Soghoian, he would use it “to ’shame’ Yahoo! and other companies — and to ’shock’ their customers.”

Verizon is apparently worried that it will be besieged by an army of amateur intelligence operatives:

“Customers may see a listing of records, information or assistance that is available only to law enforcement,” Verizon writes in its letter, “but call in to Verizon and seek those same services. Such calls would stretch limited resources, especially those that are reserved only for law enforcement emergencies.”

Some providers, such as Comcast and Cox Communications, were more forthcoming.  Cox, for example, “charges $3,500 for the first 30 days of a wiretap, and $2,500 for each additional 30 days. Thirty days worth of a customer’s call detail records costs $40.”

It is worth reading all of Mr. Soghoian’s blog post; he provides a great deal of background information.  This is all disturbing on a few level:

• As Bruce Schneier has often said, setting up the surveillance apparatus of a police state is poor civic hygiene.  If it is there, it is likely to be used.
• Although there are well-established legal protocols for some kinds of communications surveillance (e.g., telephone wiretaps), it seems clear that the rules have not kept up with the technology.
• Putting together an easy-to-use Web interface to allow law enforcement people to access confidential customer data strikes me as an exceedingly stupid idea.  I rather doubt it will be the first Web interface in history with no security problems.

I can think of no good reason why the general legal protocol and aggregate statistics for surveillance activities should not be made public.  Unless we think all the Bad Guys are imbeciles, they already know people will try to monitor their communications (after all, they can watch CSI, too).  Is there something else we’re trying to hide?