Stricter Wireless Data Collection Rules for Police Needed, Lawmakers Say

The new data was in response to an inquiry initiated by Rep. Ed Markey, D-Mass., to discover how often law enforcement agencies are collecting consumer information from the nation’s top wireless companies. Markey said the news was “startling in the volume and scope of requests” and urged his colleagues to ensure better privacy protections for wireless users. He said more transparency is needed to determine how law enforcement differentiates between records of innocent people, and those that are subjects of investigation, as well as how it handles, administers, and disposes of this information. The nine carriers who responded to Markey were U.S. Cellular, Sprint Nextel, T-Mobile, Leap Wireless/Cricket Communications, MetroPCS, Verizon Wireless, AT&T, C Spire and TracFone Wireless.

Senate Privacy Subcommittee Chairman Al Franken, D-Minn., said the magnitude of the requests is “very troubling, and it is especially troubling that law enforcement agencies aren’t themselves taking greater steps to monitor or control these requests. ... It’s clear we must do more to strike the right balance between the needs of law enforcement and privacy.” Franken is a sponsor of the Location Privacy Protection Act (S-1223), which would require companies to obtain express consent from consumers before collecting or sharing their location data with third parties. The bill also contains a provision that would require companies that track more than 5,000 mobile devices to protect the data from disclosure, tell inquisitive consumers what data they track, and delete the data if requested.

Lawmakers also touted the Geolocation Privacy and Surveillance (GPS) Act as a means to help resolve legal ambiguities over how geolocation data are treated. The bill, introduced last year in the House (HR-2168) and Senate (S-1212), would specifically limit police and government entities from warrantless tracking of individuals’ location data.

"The government should have probable cause and a warrant before it can track a citizen’s location using GPS devices,” said Rep. Bob Goodlatte, R-Va., in statement via email. “I strongly support the [GPS] Act because it corrects a lack of clarity and protects individual liberty by creating a legal framework for government agencies, commercial entities, and private citizens.” Goodlatte said he intends to continue working to advance the bill.

Rep. Dana Rohrabacher, R-Calif., told us: “If you believe in liberty, you have to believe if law enforcement at any level is paying special attention to an individual, they need to get a warrant. Period.” Rohrabacher is a co-sponsor of the House GPS bill, which will ensure that individual privacy is protected from “any over reach of law enforcement,” his spokeswoman said in an email.

Reforming the 26-year-old Electronic Communications Privacy Act (ECPA) is a “top priority” for Senate Judiciary Committee Chairman Pat Leahy, D-Vt., his spokeswoman told us via email. Leahy is the author of the ECPA Amendments Act (S-1011), which aims to offer new privacy protections for email, text messages, social networking messages and other electronic communications. The spokeswoman could not confirm whether the carriers’ reports would change Leahy’s approach to ECPA reform but said “these safeguards are important and have been a focus of the Chairman’s for quite a while.”

In 2011 AT&T received about 260,400 customer record requests from law enforcement agencies, a 37 percent increase from the year prior (http://xrl.us/bnf9qm). The company said it received $8.2 million from law enforcement agencies to compensate it for the cost of collecting customer phone usage information, saying such revenue is unlikely to cover the company’s actual costs. A spokesman for AT&T would not comment.

Verizon said in its letter to Markey it received about 260,000 requests for customer information in 2011, and the requests have grown 15 percent each year over the past five years (http://xrl.us/bnf9qu). The company does not seek reimbursement for responding to law enforcement requests “in the majority of instances,” the letter said. Specifically the company only seeks to recoup costs for retrieving text message content, or complying with wiretap orders, pen registers orders or trap and trace orders.

Verizon “scrupulously follows the law when releasing information in response to law enforcement requests,” said company spokesman Ed McFadden in an email. “Absent a life-threatening emergency or customer consent, Verizon Wireless always requires law enforcement agencies to provide appropriate legal process. Verizon Wireless also does not profit from complying with such requests; we do not charge for complying with subpoenas or emergency requests, and when we do charge, we do so as permitted by law and to recoup reasonable costs,” he said.

The number of law enforcement requests for customer information has “risen dramatically” in the last decade, said T-Mobile in its letter to Markey (http://xrl.us/bnf9v3). Though the company would not specifically disclose the number of requests it received, it said the number has increased by about 12 to 16 percent each year since 2002. T-Mobile said that on two occasions in the last three years the company identified “inappropriate requests” for cellphone tracking that it referred to the FBI. In addition, the company identified “several instances” where individuals posed as law enforcement officers to obtain cellphone information.

"Today’s new information makes it clear that law enforcement has carte blanche to follow the trail [wireless users] leave behind,” said Christopher Calabrese, ACLU legislative counsel. “The cell phone data of innocent Americans is almost certainly swept up in these requests. Without clear safeguards and standards for how law enforcement gathers and stores location information, there is a massive privacy gap that leaves all of us vulnerable. It’s time for Congress to get serious about protecting our cell phone data and pass the GPS Act."

"This is a significant development that should put wind in the sails of the ECPA reform effort,” said Gregory Nojeim, a senior counsel at the Center for Democracy and Technology. “Nobody knew the extent of law enforcement demands on mobile phone carriers. And now that the info is public consumers and members of Congress will want to know what is being done with all of this personal information law enforcement is demanding,” he said. “In addition members of Congress will ask if the standards that law enforcement agencies must meet to obtain sensitive information is adequate. These disclosures suggest that those standards may not be adequate.” Nojeim said legislation like the GPS Act would “bring clarity that the providers really need when faced with law enforcement requests for information for which no standard is specified particularly for location information.”

The numbers are significant because they “really highlight the need for legislation in this area,” said Alan Butler, an appellate advocacy counsel for the Electronic Privacy Information Center. “We need to revise the laws we currently have in place for law enforcement’s access to this data,” he said. “The GPS Act is thought to require a more robust legal process for the legal disclosure of this information. We need to reconsider how we define customer information.”