This total may well represent tens or hundreds of thousands more actual individuals due to the law enforcement practice of requesting so-called “cell phone tower dumps” in which carriers provide all the phone numbers of mobile phone users that connect with a tower during a specific period of time.
Senator Markey began his investigation last year, revealing 1.3 million requests in 2011 for wireless data by federal, state, and local law enforcement. In this year’s request for information, Senator Markey expanded his inquiry to include information about emergency requests for information, data retention policies, what legal standard - whether a warrant or a lower standard - is used for each type of information request, and the costs for fulfilling requests.
The responses received reveal surveillance startling in both volume and scope:
- There were approximately 1.1 million federal, state, and local law enforcement requests for cell phone records to wireless carriers in 2012. (The number is an underreporting of requests because Sprint did not provide complete information in its response.) There were 1.3 million requests in 2011.
- There were approximately 9,000 cell tower dumps reported in 2012 (with not all companies reporting).
- AT&T, Verizon and Sprint reported 56,400 emergency requests for information (non-911 calls). These requests are self-certified by police with no independent audit.
- There is a high cost for wireless surveillance. AT&T received $10 million; T-Mobile received $11 million; and Verizon less than $5 million in just 2012 alone.
- Some wireless companies do not require a warrant for some type of geolocation information. For example, AT&T requires a warrant for real-time but not for historical records and T-Mobile requires only a subpoena for historical records.
- There is no uniform data retention policy for location information derived from cell towers. Companies reported retaining information from between 6-18 months, while AT&T reported retaining information for up to five years.
- Some wireless companies are supplying the content of communications without a warrant. AT&T discloses stored texts or voicemails that are older than 180 days old with a subpoena. In contrast, Verizon has a warrant standard for texts (but not necessarily for voicemails). T-Mobile requires a warrant for texts and voicemails.
The proposed legislation would:
- Require regular disclosures from law enforcement on the nature and volume of requests.
- Curb bulk data information requests such as cell tower dumps that capture information on a large group of mobile phone users at a particular period of time, and require that any request be more narrowly tailored, when possible.
- Require, in the case of emergency circumstances, a signed, sworn statement from law enforcement authorities after receipt of information from a carrier that justifies the need for the emergency access.
- Mandate creation of rules by the Federal Communications Commission to limit how long wireless carriers can retain consumers’ personal information. Right now, no such standards exist.
- Require location tracking authorization only with a warrant when there is probable cause to believe it will uncover evidence of a crime. This is the traditional standard for police to search individual homes.
The senator sent letters to U.S. Cellular, Sprint Nextel, T-Mobile USA Inc., Leap Wireless Inc./ Cricket Communications, Inc., MetroPCS, Verizon Communications Inc., AT&T, and C Spire Wireless, and a copy of the responses from the wireless carriers can be found here.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.