How Shall I Wiretap Thee? Let Me Count the Ways

On Monday, I puzzled over a strange data point to come out of a series of newly-released reports from cell phone carriers revealing, for the first time, the incredible quantity of government surveillance of Americans through their mobile devices: One company, Sprint, had reported dealing with a staggering 52,029 "court orders for wiretaps" over a five year period, which was more than double the officially reported number of criminal and national security wiretaps over the same period. I think I've got a benign explanation for that puzzle—briefly, it all depends on how you're counting—but one that also underscores how impossible it is to get a meaningful grasp on the real scope of government surveillance without some kind of formal, standardized reporting mechanism.

First, the explanation. Forbes reporter Andy Greenberg—always an invaluable source on technology and privacy issues—shared my curiosity and reached out to Sprint, whose response he forwarded to me:

Sprint was counting the targets (i.e. phone numbers) and the work effort involved for Sprint.  For example, Sprint counted each target on an order, and each order often has multiple target numbers.  In addition, Sprint operates several technologies and platforms which increases the work effort associated with provisioning a wiretap. For example, if a wiretap order requests interception of both the voice calls and the direct connect calls, that is essentially the provisioning of two separate wiretaps and so Sprint counts them separately. Finally, Sprint also counts separately any extensions of the initial order (i.e. an additional request regarding the same phone numbers.)  We believe these accounting differences are the reason Sprints numbers appear to be greater than other carriers.

That makes a good deal of sense. The annual wiretap report tallies up the number of approved wiretap applications, but since criminal wiretaps are overwhelmingly used in large narcotics investigations, you'd expect a single application to cover many individuals, and probably multiple phone lines or accounts for each individual. The numbers bear out that intuition: The average approved application ran for 42 days and picked up 3,716 communications involving 113 different people—or 88 communications per day. Either those are some very chatty drug dealers, or the average wiretap order covers several individuals and phone lines. Given that Sprint is the third largest carrier, but leads the pack when it comes to prepaid phones—which cautious dealers sometimes cycle through in an effort to stymie surveillance—you might expect them to have an especially high number of different lines covered under the aegis of a single authorization.

The trouble is, if you look at all the carrier responses, it's clear that they're not reporting "requests" in any kind of standardized way. Verizon and AT&T just give an aggregate number of "requests" for last year, with no indication of how they're counting requests. Is a single piece of paper targeting voice, data, and text message records for each of a dozen individuals one request, a dozen requests, or 36 requests? Or maybe 24 because two of the three are lumped together? Sprint gives a five-year total broken down into wiretaps, pen registers, and location requests—though doesn't give a breakdown of the specific authorities implicated, and makes no separate mention of other kinds of records orders, which certainly exist. Sprint also gives a count of subpoenas, but suggests that here it's actually just counting pieces of paper, not individuals, with multiple accounts typically encompassed by each subpoena. The smaller U.S. Cellular breaks its information down into nine different types of authorities, but doesn't specify the type of information—such as location tracking—sought in each order.

The estimate of "1.3 million requests" each year is therefore a bit of a Frankenstein statistic, because it seems obvious there's no consistent way the different carriers are counting requests—and even within a single carrier, the method seems to vary by category of information. If everyone counted the way the wiretap report does—"applications approved" without regard to the number of persons or facilities targeted—odds are you'd get a substantially smaller number. If you count count targets and facilities, you probably get a much larger one—though even that may understate the situation. For example, Sprint notes that the Justice Department believes it can use tracking authority not only to geolocate the target for whom they have an order, but also any "associates" those people communicate with, at least during the course of the call—which you could probably make a case for counting as a separate "request" for information about another individual's account.

What we pretty clearly need is some kind of standardized, regular reporting of the full gamut of electronic surveillance government does, so that Congress and the public can make informed decisions about how well the system is working—and spot new technologies that might work to circumvent existing safeguards. The alternative is what we've seen happen with location tracking—a tool that has become incredibly pervasive behind our backs. Sprint alone reports nearly 200,000 location orders over the past five years. Extrapolate that out to the other carriers—and factor in the concentration of requests in more recent years, since everyone seems to report an upward trend—and we're likely talking about at least 100,000 annually.  Congress is only just now starting to consider clear, uniform standards for this intrusive surveillance, in part because nobody had any real sense of the incredible rate at which the practice had increased and spreed. Legislators like to talk about striking a reasonable balance between civil liberties and the needs of intelligence or law enforcement—but even accepting that  problematic metaphor, how can they possibly strike a balance when they can't even see the scales?