In First U.S. Accounting of Wireless Phone Surveillance, Carriers Reveal 1.3 Million Requests For User Data

Cellphone Surveillance via Atlantic

So here's the scary number: the major wireless carriers (Verizon, AT&T, Sprint, T-Mobile, and a couple little guys like U.S. Cellular and Cricket) revealed that in total, in 2011, they received 1.3 million requests for user data from law enforcement agencies. They released this information only after an inquiry by Congressman Edward J. Markey. This is the first time we've had any overarching glimpse at how (and how often) the carriers work with law enforcement.

This is a major step forward towards transparency. It received a front-page New York Times story, and certainly a fair bit of coverage elsewhere. It provides much more information than we've ever had before, especially from AT&T, which lists a few categories of requests as well as the specific (very tiny) number of requests AT&T refused to honor. But! That 1.3 million number leaves out some legitimately important information. Most important: what information is revealed, exactly, and how often do the carriers comply?

WHAT HAVE WE LEARNED?

As much as these findings should and do freak us out a little, the carriers are no happier about them. These law enforcement agencies are not good to work with, it seems; they are supposed to pay the carriers for their time in digging up this information, and often don't. The carriers hire staffs of people just to handle the requests (AT&T has over 100 dedicated to this task full-time). Occasionally a request is denied. The smaller, less corporate-talk-y carriers like pre-paid outfit TracFone voiced their concerns about the surveillance, saying that TracFone "does not participate in or condone such unauthorized tracking." Rarely, but occasionally, a carrier will actually report a request to the FBI for being too insane. (None of the carriers provided examples of this.)

Of the four biggest carriers, only AT&T revealed how often these requests/demands were deemed acceptable and complied with. Of the 131,400 subpoenas and 49,700 warrants it received in 2011, only 965 were rejected. (For reference: AT&T had 103,200,000 customers that year. On average, that makes more than one subpoena for every thousand AT&T customers (although it's just possible that one very naughty customer got all the subpoenas.)) Verizon, the biggest national carrier, received 260,000 requests. The demands have risen in number by, the carriers agree, about 12-16 percent.

Interesting tidbit: MetroPCS, a small, mostly budget/pre-paid carrier with just over a million users 9.5 million users (compare that to AT&T's 100 million), said in its response that it fulfilled "fewer than 12,000 requests a month" between January 2006 and May 2012. Assuming, conservatively, a figure of 11,500 (it's likely more; "fewer than 12,000" implies a figure close to 12,000), that means an annual figure of 138,000, averaged between 2006 and 2012. AT&T, which is a hundred times bigger, received 260,400 in 2011 alone. MetroPCS's figure is likely low, since the number of requests raised significantly between 2006 and 2012 among all carriers and the company provided a mere monthly average. And yet AT&T had less than twice the requests of MetroPCS. Update: MetroPCS subscriber number updated to be less wrong.

MetroPCS, it should be noted, is a low-priced carrier. According to Quantcast, its site (likely representative of its customers) is heavily weighted towards young and less educated people, as well as African Americans and Latinos.

WHAT DO WE STILL NOT KNOW?

The carriers have access to everything. Phone calls, text messages, search histories, usage histories, locations, elevations, movements over time. As modern people we have mostly chosen to pretend like we aren't aware of how vulnerable we are. But what information have these law enforcement agencies been after?

The companies basically did not say anything about who is requesting what. It could be anything from a 911 operator needing to know the location of an incapacitated caller (scariness quotient: very low) to the FBI wanting to know the call history of a suspected terrorist (scariness quotient: pretty high) to a blanket request from a local police force seeking unwarranted wiretaps (scariness quotient: extremely high). Many of those calls, including the three I just named, can be called "emergency" requests which require no warrant or waiting period.

How many were emergencies? No idea.

Then there were "tower dumps," in which a law enforcement agency makes one request to access all the information from one entire tower. This could allow them access to hundreds or thousands of users. A tower dump, by the way, counts as one of those 1.3 million, even though it affects many, many more.

How many were tower dumps? We wonder.

Congressman Markey says: "We need to know how law enforcement differentiates between records of innocent people, and those that are subjects of investigation, as well as how it handles, administers, and disposes of this information."

Read the full story over at the New York Times.