7/20/2012: This story has been updated.
In response to a congressional inquiry, mobile phone companies on Monday finally disclosed just how many times they’ve handed over users’ cellphone data to the FBI and other law enforcement agencies. By the New York Times’ count, cellphone companies responded to 1.3 million demands for subscribers’ information last year from law enforcement. Many of the records, such as location data, don’t require search warrants or much court oversight.
Both police and cell service providers had long resisted releasing details on the scope of cellphone surveillance. But the new disclosures from cellphone companies still leave a slew of unanswered questions. Here’s what we have yet to learn.
So more than a million people had their cellphone records picked up law enforcement surveillance?
Actually, it’s probably far more than that, but we can’t know for sure.
While the Times calculated the number of overall requests from law enforcement, each of those requests could cover more than one person.
For instance, when seeking location information, law enforcement agencies frequently ask for “tower dumps,” which list every phone in range of a cell tower at a particular time. In cities, where cell towers are located close together, it is possible that the locations of thousands of people might be swept up in a single request.
Even outside of urban areas, ubiquitous small boxes known as microcells, which help you get cell reception in crowded places like shopping malls, also record highly precise location data. Sprint noted in its letter to Congress that each subpoena it received “typically” asked for information on multiple subscribers.
The Times’ calculation also doesn’t include specifics from T-Mobile, one of the four largest carriers, because it did not initially provide them, saying “T-Mobile does not disclose the number of requests we receive from law enforcement annually.” Since then, T-Mobile has said it responded to 191,000 requests in 2011.
When do police have the right to snoop on your location data?
The law isn’t settled yet, but location information is generally far easier for police to get than a warrant for a wiretap.
A warrant is generally required for police to place a wiretap or track phones in real time, meaning police must have proof they have probable cause that the search will reveal evidence of a crime. But for police to get location data, many courts hold that police need only show that the data would contain “specific and articulable facts” related to a case.
Privacy activists have long held that requests for location data require a search warrant to be constitutional. They say police are essentially using cellphones as tracking devices. But the Supreme Court hasn’t ruled on the issue, and Congress has yet to pass a law addressing it.
Police obtain court orders for basic subscriber information so frequently that some mobile phone companies have established websites— here’s one— with forms that police can fill out in minutes.
The Obama Administration’s Department of Justice has said mobile phone users have “no reasonable expectation of privacy.”
For their part, cellphone companies have supported congressional efforts to make it tougher for police to get location records. An industry representative spoke at House hearing in favor of a bill that would require law enforcement agencies to obtain a warrant before demanding mobile phone users’ location information.
Exactly who are police tracking?
It’s unclear how connected to a criminal investigation you have to be for law enforcement agencies to request your cellphone information. Stephen Smith, a magistrate judge in southern Texas who has advocated for clearer standards for location data requests, said law enforcement authorities sometimes even request information for every mobile phone a suspect has called.
“If you call and order a pizza, they might request the delivery guy’s records,” Smith said. These court orders are usually kept secret— during an ongoing investigation, police don’t want to tip off a suspect— but as a result, the vast majority of cellphone subscribers being tracked have no idea police or the FBI have their historical location information, whether they were suspected of a crime or not.
What sorts of investigations do the requests serve?
It’s not clear.
Police departments have frequently argued that requiring a warrant to obtain cellphone location information would cripple investigations into violent crimes like kidnapping. But it’s unknown what proportion of law enforcement requests actually relate to these types of serious crimes.
“If 80 percent are for drug cases or robberies and two percent are for child sexual predators, it would help if you could put a number on those things,” Smith said. “We’d be in a better position to legislate.”
So what data did police request the most?
That’s also unclear.
Most of the companies didn’t release an exact breakdown of police requests. So we don’t know how many of the requests were for location data and how many were for call records, billing information or other data.
Some of the overall numbers leave questions too. Sprint has about half the subscriber base of Verizon and AT&T. But it reported that it received about 500,000 requests overall from law enforcement last year. That far outpaces its competitors.
We spoke to Sprint spokeswoman Stephanie Vinge Walsh who said that Sprint counted each person whose data is sucked up via a police request. It’s not clear exactly how the other companies totaled the requests they handled.
Which agencies have been requesting the data?
Once again, we don’t know.
The cellphone companies didn’t say what proportion of requests was made by federal authorities and what proportion came from state and local police departments.
The American Civil Liberties Union earlier this year culled data from dozens of police departments, showing wide discrepancies in the ease with which police could obtain cellphone location data. Some police departments routinely obtained warrants; others requested swathes of records with far less court oversight. In response to a question from Congress about whether police had misused phone tracking, T-Mobile said it had identified two cases, which it referred to the FBI.
What does law enforcement do with the data after it’s collected?
It depends on who is requesting it.
As Smith, the Texas magistrate judge, pointed out in a recent paper, any information that’s not used as evidence in court is unlikely to become public. Cellphone companies’ data retention policies vary widely, and the duration of time law enforcement hangs on to the data it obtains is unknown.
An earlier version of this story said that T-Mobile, in answer to a congressional query, had refused to provide a count of cellphone data requests it received from law enforcement. It has been updated to say that T-Mobile did not initially provide a count. T-Mobile did not include the figure in its May 23 letter answering Rep. Ed Markey’s request for the data. However, the company says it later told Markey’s staff privately that it had received 191,000 law enforcement data requests in 2011. Markey’s office agreed to keep the figure confidential.