On Thursday, the New York Times published a blockbuster piece revealing how US law enforcement have access to a system that can geo-locate nearly any phone in the country without an officer necessarily having a court order. Now, Motherboard has obtained the letters that Senator Ron Wyden sent to the Federal Communications Commission (FCC) and telecommunications companies demanding answers on the controversial surveillance system.
“I am writing to insist that AT&T take proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data, including real-time location information, by at least one other company to the government,” a May 8 letter sent from Wyden to the President and Chief Executive Officer of AT&T reads.
According to the New York Times report, a former sheriff of Mississippi County, Mo., used an obscure service called Securus to surveill targets’ cell phones, including a judge and other law enforcement officials. That system is typically used by marketers to obtain location data from mobile carriers. As well as AT&T, the system can exploit data from Sprint, T-Mobile, and Verizon, and law enforcement can essentially self-certify that they have legal authorisation to use the service, the report suggests.
In his letter to AT&T, which has similar text to letters sent to other carriers, Wyden writes that this check amounts of “nothing more than the legal equivalent of a pinky promise.”
“The fact that Securus provides this service at all suggests that AT&T does not sufficiently control access to your customers’ private information,” the letter adds.
Wyden then lays out several steps for carriers to follow, such as undertaking an audit of each third party they sell customer data to, to determine how the company uses that data; notify customers whose location information was disclosed without their consent; terminate relationships with third parties that have misrepresented customer consent or abused their access to sensitive customer data; and provide a service for customers to view a list of third parties their data has been shared with.
“Americans should be able to obtain this information from wireless carriers, just as they can obtain from the consumer credit agencies a list of the private parties who have accessed their credit reports,” the letter reads.
Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on email@example.com, or email firstname.lastname@example.org.
In his additional letter to the FCC, Wyden asks the department to “promptly investigate Securus, the wireless carriers’ failure to maintain exclusive control over law enforcement access to their customers’ location data, and also conduct a broad investigation into what demonstration of customer consent, if any, each wireless carrier requires from other companies before the carries provide them with customer location information and other data.”
Tobias Engel, a security researcher and expert in mobile phone surveillance techniques, told Motherboard in an online chat “this is not about hacking at the core network level or mis-using technical services which were not designed to do this, but simply the US carriers selling out their subscribers.”
“LE [law enforcement] is piggybacking onto this ‘commercial’ option which seems to have a much lower entry barrier than if they requested this kind of access from the carriers themselves,” he added.
Nicholas Weaver, a senior researcher at the International Computer Science Institute at the University of California, Berkeley, told Motherboard in a Twitter message "This once again shows that data is like an oil spill: the contamination gets everywhere. The notion that a chain of 3+ companies, including one specifically intended for marketing, is able to resell access to everyone's real-time location with pretty high precision is disturbing but it shouldn't be surprising."
"In the US, we don't have legal protection against the misuse of our data outside limited categories. So for example, we do have good protection on social security and (depending on the state) DMV info. But our utilities or anybody else not explicitly regulated will sell, resell, rebundle, repackage, and redistribute for practically any purpose they can," he added.
Here are the full letters: