In Carpenter v. United States, the Supreme Court noted that, in order for law enforcement officials to obtain location data for cell phones, they needed to have a warrant signed by a neutral and detached magistrate, establish probable cause to believe that the location data was relevant to a criminal case and ensure that the warrant was narrowly drawn to provide only the location data for which they had probable cause.
Or, the cops could have a blank check(book).
In the wake of the shootings in Uvalde, Texas, the FBI and others have been investigating the actions (and inactions) of law enforcement agents in the area. They focused on the actions of Deputy U.S. Marshal Adrian Pena, who was assigned to the Lone Star (Texas) Fugitive Task Force in the Uvalde County Sheriff’s office. In an indictment filed June 7, 2022, the Department of Justice alleged that Pena used his law enforcement credentials to unlawfully access a database of cell phone location data for personal purposes—to look up the location of friends and family members. While the charges are similar to those that were rejected by the U.S. Supreme Court under the computer hacking statute in Van Buren v. United States (a Georgia cop improperly used a law enforcement database for non-law enforcement purposes), the Texas federal prosecutors avoided this problem by charging Pena with fraud in connection with “confidential phone records” as well as with lying about his activities to investigators and falsifying records. More significant, however, is the fact that the database of cell phone location data exists at all. As the indictment explains, a company called Securus expanded from providing prison phone services to providing geolocation services.
The indictment explains:
Securus also offered a service called Location-Based Services (LBS) to its law enforcement clients. The on-demand feature of the LBS platform allowed registered users to obtain approximate latitude and longitude coordinates associated with a particular cellular telephone number (“location data”). Securus purchased the location data from 3Cinteractive Corporation, which was located in Boca Raton, Florida. 3Cinteractive Corporation, in turn, purchased such data from Technocom Corporation (doing business as LocationSmart), which was located in Carlsbad, California. Technocom Corporation (doing business as LocationSmart) purchased this data directly from telecommunications services providers. This capability enabled Securus’s registered users to obtain the location data entered in the LBS platform, or, in other words, to ascertain the approximate physical location of a particular cellular telephone on demand.
Let’s tease this out a bit. The telecommunications service providers (Verizon, T-Mobile, AT&T) sold location data to Technocom who sold it to 3Cinteractive who sold it to Securus who then sold it to Texas law enforcement agencies (and others). In fact, the sale of location data is a multibillion-dollar industry.
Federal law requires telecom carriers to protect the confidentiality of consumer proprietary network information (CPNI) which is defined as including “information that relates to the … location … of a telecommunications service subscribed to by any customer… .” The law does permit the disclosure of “aggregate customer information” defined as “collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed”; for example, cell location data was used to determine the location (and origin) of Black Lives Matter protesters. Even though this aggregate location data is theoretically stripped of identifiers, a bit of data analytics and reference to other databases can easily deanonymize this data.
But the indictment makes it clear that the database that Pena is alleged to have accessed improperly includes location data associated with specific phone numbers—not aggregated or anonymized records. In addition, federal regulations do permit telecom providers to use CPNI without customer approval in limited circumstances, such as to provide additional services or to protect themselves from fraud or abuse. But nothing in the law permits the wholesale sale of identifiable location data by telecoms—even to law enforcement agencies. The regulation also provides that call location information concerning the use of a commercial mobile service cannot be disclosed “without the express prior authorization of the customer.”
Telecoms and Cell Location Data
So where did this database that Deputy Pena accessed illegally come from?
For years, telecoms were selling access to location data services to third-party marketers provided that the marketers themselves told the telecom that they—the marketers—had obtained the consent of the consumers to obtain and use the data. In this way, marketers could access the data (or sell access to that data) provided that the party to whom they sold the data similarly indicated that they had consent to use the data. It was turtles all the way down. Ultimately, access to the data was then provided to various law enforcement agencies.
In the case of Securus, it might seem unusual that a company that provides collect calls to prisoners would have a database filled with the location data of non-prisoners. There’s a story behind this practice.
Securus paid various prisons for the right to provide very expensive phone service to prisoners. They would split the exorbitant fees they charged with the prison officials by contract, so the prison had an incentive to keep the prices high. As a “security” measure, they offered a “service” whereby a family member or other communicant with a prisoner would have to, as a condition of making or receiving a call from an inmate, opt in to having their cell phone location collected—importantly, not just while they were on the phone with the prisoner, but forever. If you didn’t opt in, you couldn’t make or receive the call. The location data, however, did not come from the friend or relative’s cell phone—it came via API from the cell provider. And the API was not limited to just those persons. So Securus was given full access to the cell location data on everyone—not just those calling prisoners. To keep their lucrative contracts with prisons, Securus provided access to the database to law enforcement agencies for free—a “gratuity” if they kept Securus phones in the prisons. The law enforcement agencies were more than happy to oblige, and, as the Pena indictment showed, they were happy to access the location database freely.
Ultimately, the FCC cracked down on this practice. In February 2020, the FCC proposed a more than $200 million fine against wireless providers for disclosing their customers’ locations without consent. In fact, the case, formally called a Notice of Apparent Liability for Forfeiture and Admonishment, was initiated upon public reports that a sheriff in Missouri used a Securus database to track the cell phones of state troopers and a Mississippi County (Missouri) judge, often checking the location of deputies dozens of times a day. The FCC notice observed that “all four carriers [AT&T, Sprint, T-Mobile and Verizon] sold access to their customers’ location information to data ‘aggregators,’ who then resold such information to third-party location-based service providers like Securus.” In addition, the carriers and data brokers were selling access to the data to bounty hunters, to automobile dealers for repossession and to marketers.
Presumably, all of this stopped with the FCC fines. But not necessarily.
Enriching Lives Through Technology?
So, data aggregators are now buying cell location data not from cell carriers but from app developers. They then aggregate all that location data and sell access to the aggregated data. They also sell (or provide for free) access to that database to law enforcement agencies. So, the same cell location data is now available, but it’s no longer CPNI.
Effectively, this is an unregulated industry—and one that is lucrative to data brokers and useful to law enforcement agents seeking to avoid the necessity of having to obtain a warrant for data. But for people interested in protecting privacy, the lack of effective regulation means that their privacy is at risk.
Oh, and the $200 million FCC fine? It still hasn’t been collected.