A Sprint surveillance manager told a group of onlookers at a recent security conference that half of all police requests include the target’s text messages, according to a graduate student’s research into the spying policies of major U.S. telecommunications companies.
Half of millions — including some 8 million automated, web-based requests for GPS location, all in just over a year’s time.
The revelation was made by Indiana University grad Christopher Soghoian, as part of his PhD dissertation published Dec. 1, 2009.
He attributes the stunning number to Paul Taylor, an Electronic Surveillance Manager with Sprint Nextel, who was speaking recently at the Washington, D.C. International Securities Systems conference, otherwise known as ISS World.
“Looking around at the name badges pinned to the suits milling around the refreshment area, it really was a who’s who of the spies and those who enable their spying,” he wrote. “Household name telecom companies and equipment vendors, US government agencies (both law enforcement and intel). Also present were representatives from foreign governments — Colombia, Mexico, Algeria, and Nigeria, who, like many of the US government employees, spent quite a bit of time at the vendor booths, picking up free pens and coffee mugs while they learned about the latest and greatest surveillance products currently on the market.”
According to Soghoian, it was during the telecom service providers roundtable discussion that Taylor dropped the bombs.
“[M]y major concern is the volume of requests. We have a lot of things that are automated but that’s just scratching the surface,” he said in an audio recording that has since been removed due to alleged copyright violation. “One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement.”
“He’s talking about the wonderful automated backend Sprint runs for law enforcement, LSite, which allows investigators to rapidly retrieve information directly, without the burden of having to get a human being to respond to every specific request for data,” added Julian Sanchez at the Cato Institute. “Rather, says Sprint, each of those 8 million requests represents a time when an FBI computer or agent pulled up a target’s location data using their portal or API. (I don’t think you can Tweet subpoenas yet.) For an investigation whose targets are under ongoing realtime surveillance over a period of weeks or months, that could very well add up to hundreds or thousands of requests for a few individuals. So those 8 million data requests, according to a Sprint representative in the comments, actually ‘only’ represent ‘several thousand’ discrete cases.”
Taylor continued: “Two or three years ago, we probably had less than 10% of our requests including text messaging. Now, over half of all of our surveillance includes SMS messaging.”
He added that his team, which handles all of Sprint’s police requests, is 110 people strong.
“It’s useful to keep in mind that, as Sprint spokesman Matt Sullivan [said], ‘every wireless carrier has a team and a system’ through which police can access GPS data,” noted a follow-up report by Talking Points Memo. “Sprint is the company unlucky enough to find itself the focus of scrutiny, but it reportedly controls just 18% of the U.S. wireless market, making it the third largest carrier.”
GPS location “likely outnumber[s] all other forms of surveillance request,” Soghoian added.
Sprint has over 47 million customers in the U.S.