July 9, 2012 11:25AM

Government Surveillance of Cell Users: 1.3 Million Annual Requests and Rising

Last week, I wrote that the annual report on government wiretaps has become increasingly misleading and irrelevant, as new technologies have granted investigators a wide array of powerful and intrusive electronic surveillance tools that don't meet the legal definition of a "wiretap"—or require police to meet the same strict standards of proof before they can be used. Today, The New York Times provides a dramatic and shocking illustration of the point, with a story revealing that cell phone companies report receiving a mind-boggling 1.3 million government requests for information about their customers in 2011, an estimate that almost certainly understates the true number. (Rep. Ed Markey has now posted these reports from the carriers online.) Here's the Times' Eric Lichtblau:

In the first public accounting of its kind, cellphone carriers reported that they responded to a startling 1.3 million demands for subscriber information last year from law enforcement agencies seeking text messages, caller locations and other information in the course of investigations.

The cellphone carriers’ reports, which come in response to a Congressional inquiry, document an explosion in cellphone surveillance in the last five years, with the companies turning over records thousands of times a day in response to police emergencies, court orders, law enforcement subpoenas and other requests. [...]

AT&T alone now responds to an average of more than 700 requests a day, with about 230 of them regarded as emergencies that do not require the normal court orders and subpoena. That is roughly triple the number it fielded in 2007, the company said. Law enforcement requests of all kinds have been rising among the other carriers as well, with annual increases of between 12 percent and 16 percent in the last five years. Sprint, which did not break down its figures in as much detail as other carriers, led all companies last year in reporting what amounted to at least 1,500 data requests on average a day.

Incredibly, Lichtblau notes, these are probably lowball numbers, because of incomplete record keeping: The government doesn't generally tabulate or report this sort of information, and but for a novel request from Congress a few months ago, the public would normally have no way of getting the numbers from the companies. Moreover, a single "request" may in some cases reveal information about hundreds or thousands of innocent customers, thanks to the growing popularity of so-called "tower dumps"—which police use to demand a list of every mobile user who was within range of a particular tower at a given date and time. Nor does it cover requests to Internet providers and online companies: Google alone, remember, reported fielding 12,271 law enforcement requests last year.

A big part of what's driving this explosive growth is the realization that cell phones can now be used as highly precise tracking devices—and even provide a substantial amount of historical information about a suspect's location. That's compounded by ever-falling data storage costs, which have made it common for cell providers to hang on to subscriber information for months, or even years. Phones have also been transformed over the past decade from simple voice calling devices to full-fledged computers. Many people—youths and ethnic minorities disproportionately—now primarily access the Internet via smartphone, which means mobile carriers will often be able to provide data necessary to track a user's Web or e-mail habits. A few carriers even retain the contents of text messages after they've been transmitted—though there's no obvious legitimate business reason to do so—which would make them available as "stored communications" and eliminate the need for a full-blown wiretap order.

There's also a potential feedback loop in play: As several carriers note, thousands of requests per day is a fair amount of paperwork to handle, which has motivated some carriers to look for more efficient and automated ways of handling law enforcement requests. We know that Sprint, for example, has developed an interface for law enforcement called "LSite," which allows requests to be submitted electronically and turned around extremely fast, as one executive explained at a closed-door 2009 surveillance conference:

We have actually our LSite [Application Programming Interface (API)] is, there is no agreement that you have to sign. We give it to every single law enforcement manufacturer, the vendors, the law enforcement collection system vendors, we also give it to our CALEA vendors, and we've given it to the FBI, we've given it to NYPD, to the Drug Enforcement Agency. We have a pilot program with them, where they have a subpoena generation system in-house where their agents actually sit down and enter case data, it gets approved by the head guy at the office, and then from there, it gets electronically sent to Sprint, and we get it ... So, the DEA is using this, they're sending a lot and the turn-around time is 12-24 hours. So we see a lot of uses there.

That may be one reason that Sprint—with only about half as many subscribers as Verizon or AT&T—leads the pack in number of requests handled. A glut of requests leads to more plug-and-play surveillance solutions, which leads to still more requests.

It's absurd that only now are we learning these astonishing figures for the first time—and there is no sane reason Congress should not provide for regular, annual reporting of aggregate data for the kinds of requests that we can now clearly see constitute the overwhelming majority of 21st century government surveillance. That first, common-sense step would be easy. Then we'd at least be in a position to start asking harder questions, like: How can we guarantee effective oversight over such an incredible quantity of government monitoring? Is the cost to privacy of such routine data collection justified by measurable improvements in law enforcement outcomes? With 1.3 million requests each year, isn't it high time we updated and clarified the Electronic Communications Privacy Act? With 1.3 million requests each year—and apparently growing fast—these are questions we can't afford to put off any longer.