Al Gidari – Mobile phones and surveillance

Is your cellphone watching your every move?

Almost certainly. But the interesting question is this: who can access that data?

Lawyer Al Gidari of Perkins Cole in Seattle has spent years litigating this question, and offers a provocative and nuanced talk at the Berkman Center on the complex questions of where the law – generally speaking, US law – is going with respect to location information.

Gidari represented McCaw Cellular in the early 1990s, as cell networks started to transform the nature of telecommunications. He explains that the old saying, “If you build it, they will come” is true… but “they” are criminals. The early adopters of cellphone networks were criminals who cloned analog cellphones and sold international phonecalls on street corners for $5 a minute. Gidari tells us that as many as 70% of traffic on early cellphone towers was this sort of fraud – the earliest work done on pinpointing the location of cellphone users was by cellphone companies, trying to catch the guys who were ripping them off.

As the wireless companies figured out how to locate people abusing their services, the “three letter agencies” followed along. Legendary hacker Kevin Mitnick was caught by law enforcement, using a cellular modem that was detected by “location-aware technologies” developed by the phone companies to fight fraud. Cases like this made law enforcement aware that they could use phone company technology to locate criminals. But the move from analog to digital technologies meant that most law enforcement officials didn’t have the ability to locate mobile phone users without using tools provided by the telcos.

In 1994, the Communications Assistance for Law Enforcement Act (CALEA) was signed into law and changed the playing field for telcos and law enforcement. Telcos took four years to build a standard that was widely adopted and allowed them to deliver information to law enforcement in a consistent fashion. As CALEA was written into law and surveillance-capable technology was baked into telco equipment, a conversation opened regarding location information. FBI director Louis Freeh told the press that his agency wasn’t seeking this sort of information, and that stories about location information were “a red herring being promoted by privacy zealots.”

CALEA separated subscriber information – the name on an account, the address, how long someone had a service – from network information – what cellular towers were involved with a phonecall. The subscriber information was accessible with an easily obtained subpoena, with no judicial review. It was as easy for law enforcement as obtaining a pen register, a log of what calls were made to and from a particular phone during a period of time. To obtain the network information, CALEA dictated a higher standard – an independent judge would need to review a request and determine that the information was neccesary towards an ongoing investigation. Judges have little discretion in evaluating requests for subscriber information, but significantly more regarding this sort of location information.

This information can be pretty detailed. When your phone is on, it’s registering on a tower, authenticating that you’re authorized to use the network and tracking what tower you’re near so it can route calls to you. That information is considered ephemeral – telcos clear their caches of this information quickly. But the information associated with calls you initiate lingers longer – for historical reasons, the tower you were closest to when you initiated a call is logged (that was for billing purposes, to share call costs with the network you were roaming on). That data is recorded and backed up daily, so it’s available historically.

There are other ways location information about your mobile phone can be collected. Third-party providers like Google Maps learn your location every time you use their application to map the area around your current location. It’s unclear how long they keep this data, or who might access it. Similarly, it’s unclear whether the companies that provide 911 services for telephone companies are storing location information or who might access it.

In considering the legality of accessing location information, Gidari recommends we think about three kinds of data:

Historical data – Who was using a specific tower at a specific moment in time, or where was a particular customer during a specific timeframe
Ping data – Network operators and some third-party providers are able to send a one-time ping to a phone to locate it at a specific time
Prospective data – By tracking phones over a long period of time, and mapping individuals traffic, or larger traffic flows, it’s possible to predict where people are likely to be

CALEA, Gidari tells us, only dealt with historical data, not with one-time pings or prospective data. Unsurprisingly, law enforcement has gotten very interested in all these forms of data and there are now profound debates about what data should be accessible. Gidari reports a meeting in a courtroom with law enforcement when his interlocutor unholstered a weapon, placed it on the table and said, “You’re aiding terrorists if you don’t give this data to us prospectively.”

Carriers have long maintained that location information shouldn’t be accessible just based on a request for a pen register. Law enforcement went to the DOJ, and the DOJ responded that there needed to be “additional authorizations.” A very complicated battle resulted, and the current state of the art appears to be in the hands of whatever magistrates are assessing requests on a given day. Most magistrates have sided with the telcos, and argue that this is a 4th ammendment issue – Gidari tells us that the government ends up “forum shopping” to find magistrates who believe location information should be released on laxer standards.

Because “everybody needs certainty”, he predicts we’ll see legislation clarifying this situation soon. The DOJ wants the lowest standard – the proof that this information is relavent to an investigation. Telcos and privacy groups want a higher standard, probably based on probable cause.

The implications are important. You can imagine law enforcement asking for information on everyone near a particular cell tower in a ten minute period, hoping to locate witnesses to a drug transaction. Since third-party providers are largely exempt from these rules, you can imagine situations where a provider might sell location information to a jealous spouse as a “family finder” service. What standards should apply?

In the meantime, Gidari worries that companies are being asked to take extraordinary steps. He tells us about a request for information on a missing child – the company was ordered to ping a phone every 15 minutes for 24 hours. “That’s a lot of pings and a lot of staff time.” The request turned out to be from a sherrif who’s daughter didn’t come home after a date. There’s no way to know if these requests are legitimate or not. And increasingly, they’re coming from creative lawyers as well as from law enforcement. An ambitious DA noticed that a mobile phone had been found in a container that contained counterfit condoms – he was able to order records of all the phone numbers that phone had contacted. Right now these requests all require magistrate’s discretion, and there’s no constant standard… and therefore no way of knowing who really has access to location data and under what conditions.

David Weinberger’s notes on the talk, with excellent coverage of the question and answer afterwards.