Hot Topics
Application Security Cyberlaw Cybersecurity Data Security Featured Mobile Security Security Boulevard (Original) Spotlight 

Uvalde Shooting Investigation Reveals Major Privacy Violation

Avatar photo by Mark Rasch on June 20, 2022

In Carpenter v. United States, the Supreme Court noted that, in order for law enforcement officials to obtain location data for cell phones, they needed to have a warrant signed by a neutral and detached magistrate, establish probable cause to believe that the location data was relevant to a criminal case and ensure that the warrant was narrowly drawn to provide only the location data for which they had probable cause.

Or, the cops could have a blank check(book).

In the wake of the shootings in Uvalde, Texas, the FBI and others have been investigating the actions (and inactions) of law enforcement agents in the area. They focused on the actions of Deputy U.S. Marshal Adrian Pena, who was assigned to the Lone Star (Texas) Fugitive Task Force in the Uvalde County Sheriff’s office. In an indictment filed June 7, 2022, the Department of Justice alleged that Pena used his law enforcement credentials to unlawfully access a database of cell phone location data for personal purposes—to look up the location of friends and family members. While the charges are similar to those that were rejected by the U.S. Supreme Court under the computer hacking statute in Van Buren v. United States (a Georgia cop improperly used a law enforcement database for non-law enforcement purposes), the Texas federal prosecutors avoided this problem by charging Pena with fraud in connection with “confidential phone records” as well as with lying about his activities to investigators and falsifying records. More significant, however, is the fact that the database of cell phone location data exists at all. As the indictment explains, a company called Securus expanded from providing prison phone services to providing geolocation services.

The indictment explains:

Securus also offered a service called Location-Based Services (LBS) to its law enforcement clients. The on-demand feature of the LBS platform allowed registered users to obtain approximate latitude and longitude coordinates associated with a particular cellular telephone number (“location data”). Securus purchased the location data from 3Cinteractive Corporation, which was located in Boca Raton, Florida. 3Cinteractive Corporation, in turn, purchased such data from Technocom Corporation (doing business as LocationSmart), which was located in Carlsbad, California. Technocom Corporation (doing business as LocationSmart) purchased this data directly from telecommunications services providers. This capability enabled Securus’s registered users to obtain the location data entered in the LBS platform, or, in other words, to ascertain the approximate physical location of a particular cellular telephone on demand.

Let’s tease this out a bit. The telecommunications service providers (Verizon, T-Mobile, AT&T) sold location data to Technocom who sold it to 3Cinteractive who sold it to Securus who then sold it to Texas law enforcement agencies (and others). In fact, the sale of location data is a multibillion-dollar industry.

Federal law requires telecom carriers to protect the confidentiality of consumer proprietary network information (CPNI) which is defined as including “information that relates to the … location … of a telecommunications service subscribed to by any customer… .” The law does permit the disclosure of “aggregate customer information” defined as “collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed”; for example, cell location data was used to determine the location (and origin) of Black Lives Matter protesters. Even though this aggregate location data is theoretically stripped of identifiers, a bit of data analytics and reference to other databases can easily deanonymize this data.

But the indictment makes it clear that the database that Pena is alleged to have accessed improperly includes location data associated with specific phone numbers—not aggregated or anonymized records. In addition, federal regulations do permit telecom providers to use CPNI without customer approval in limited circumstances, such as to provide additional services or to protect themselves from fraud or abuse. But nothing in the law permits the wholesale sale of identifiable location data by telecoms—even to law enforcement agencies. The regulation also provides that call location information concerning the use of a commercial mobile service cannot be disclosed “without the express prior authorization of the customer.”

Telecoms and Cell Location Data

So where did this database that deputy Pena accessed illegally come from?

For years, telecoms were selling access to location data services to third-party marketers provided that the marketers themselves told the telecom that they—the marketers—had obtained the consent of the consumers to obtain and use the data. In this way, marketers could access the data (or sell access to that data) provided that the party to whom they sold the data similarly indicated that they had consent to use the data. It was turtles all the way down. Ultimately, access to the data was then provided to various law enforcement agencies.

In the case of Securus, it might seem unusual that a company that provides collect calls to prisoners would have a database filled with the location data of non-prisoners. There’s a story behind this practice.

Securus paid various prisons for the right to provide very expensive phone service to prisoners. They would split the exorbitant fees they charged with the prison officials by contract, so the prison had an incentive to keep the prices high. As a “security” measure, they offered a “service” whereby a family member or other communicant with a prisoner would have to, as a condition of making or receiving a call from an inmate, opt in to having their cell phone location collected—importantly, not just while they were on the phone with the prisoner, but forever. If you didn’t opt in, you couldn’t make or receive the call. The location data, however, did not come from the friend or relative’s cell phone—it came via API from the cell provider. And the API was not limited to just those persons. So Securus was given full access to the cell location data on everyone—not just those calling prisoners. To keep their lucrative contracts with prisons, Securus provided access to the database to law enforcement agencies for free—a “gratuity” if they kept Securus phones in the prisons. The law enforcement agencies were more than happy to oblige, and, as the Pena indictment showed, they were happy to access the location database freely.

Ultimately, the FCC cracked down on this practice. In February 2020, the FCC proposed a more than $200 million fine against wireless providers for disclosing their customers’ locations without consent. In fact, the case, formally called a Notice of Apparent Liability for Forfeiture and Admonishment, was initiated upon public reports that a sheriff in Missouri used a Securus database to track the cell phones of state troopers and a Mississippi County (Missouri) judge, often checking the location of deputies dozens of times a day. The FCC notice observed that “all four carriers [AT&T, Sprint, T-Mobile and Verizon] sold access to their customers’ location information to data “aggregators,” who then resold such information to third-party location-based service providers like Securus. In addition, the carriers and data brokers were selling access to the data to bounty hunters, automobile dealers for repossession as well as to marketers.

Presumably, all of this stopped with the FCC fines. But not necessarily.

Real-time cell phone location data is not just collected by carriers. Whenever you load an app, it has the ability to collect location data directly from the phone or from the phone’s GPS. That’s why you can use apps like Waze, Apple Maps, Google Maps, etc., which, because of their nature, require location data to operate. Other apps—like MLB At Bat, for example—use location data not just to direct you to the right baseball team, but also to enforce major league baseball’s blackout restrictions on the broadcast of games. In fact, virtually every app on your phone has the ability to collect your location data, provided that you either opt in or fail to opt out of the data collection. While different cell phone environments work differently, typically the phone will pop up a notice that says, in effect, “X app would like to use your location” and then might give you the options “No, never,” “OK, but only when I am using the app,” or “Sure, what the hell, track me all the time.” But these limitations govern when they can collect your location; the why and what they can do with the data is typically buried in the app’s terms of service or terms of use, and are written in a way that provides the maximum flexibility to the app developer to collect, store, sell, transmit or use the data (and data analytics) as much as possible.

Enriching Lives Through Technology?

Take, for example, a random app like that of Best Buy. The Best Buy privacy policy does not say anything about the collection or use of cell phone location data. They do state that they will only use data “to enrich lives through technology” but they don’t specify whose lives they are enriching—customers or shareholders? They also state that they won’t “sell” (as “sell” is traditionally defined) your data. As traditionally defined? You mean, sell as in transfer ownership to? As distinguished from “lease?” Or as distinguished from “provide access to?” I am a lawyer, and I can’t even tell you how “sell” is traditionally defined. So, I have no clue what Best Buy thinks it can and cannot do with my cell location data.

So, data aggregators are now buying cell location data not from cell carriers but from app developers. They then aggregate all that location data and sell access to the aggregated data. They also sell (or provide for free) access to that database to law enforcement agencies. So, the same cell location data is now available, but it’s no longer CPNI.

Effectively, this is an unregulated industry—and one that is lucrative to data brokers and useful to law enforcement agents seeking to avoid the necessity of having to obtain a warrant for data. But for people interested in protecting privacy, the lack of effective regulation means that their privacy is at risk.

Oh, and the $200 million FCC fine? It still hasn’t been collected.

Recent Articles By Author
Avatar photo More from Mark Rasch
Mark Rasch , , , ,
Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark

Secure Guardrails