Wednesday, May 16, 2018

Privacy? What privacy?


Yet again, we're reminded that we live in a de facto surveillance state.  It's just been privatized.

The digital privacy world was rocked late Thursday evening when The New York Times reported on Securus, a prison telecom company that has a service enabling law enforcement officers to locate most American cell phones within seconds. The company does this via a basic Web interface leveraging a location API—creating a way to effectively access a massive real-time database of cell-site records.

Securus’ location ability relies on other data brokers and location aggregators that obtain that information directly from mobile providers, usually for the purposes of providing some commercial service like an opt-in product discount triggered by being near a certain location. ("You’re near a Carl’s Jr.! Stop in now for a free order of fries with purchase!")

. . .

Currently, the Supreme Court is set to rule on the case of Carpenter v. United States, which asks whether police can obtain more than 120 days' worth of cell-site location information of a criminal suspect without a warrant. In that case, as is common in many investigations, law enforcement presented a cell provider with a court order to obtain such historical data. But the ability to obtain real-time location data that Securus reportedly offers skips that entire process, and it's potentially far more invasive.

Securus’ location service as used by law enforcement is also currently being scrutinized. The service is at the heart of an ongoing federal prosecution of a former Missouri sheriff’s deputy who allegedly used it at least 11 times against a judge and other law enforcement officers.

. . .

"Top officials at Securus confirmed to my office that Securus takes no steps to verify that uploaded documents in fact provide authorization for real-time surveillance, or conduct any review of surveillance requests," Wyden continued. "Securus claimed, incorrectly, that correctional facilities, not Securus, must ensure that correctional officers don’t misuse the Web portal."

There's more at the link.

Note that Securus does not get its data directly from the telecom companies, but from third-party aggregators.  What's more, anyone who can access it from a purported law enforcement account - whether real, or hacked - can request location information on any cellphone in the country, providing only an online assertion that the request is legal.  It's not checked or verified in any way.  Furthermore, the service doesn't depend on whether or not the phone's GPS is enabled.  It can track anything connected to the cellular network, anywhere.

Think of what this means for criminals.  For a major organization such as a Mexican drug cartel, or organized crime in the USA, it'll be child's play to set up or hack into a Securus account.  Once that's done, it can input the cellphone number of any individual it wants to follow or monitor, up to and including law enforcement personnel's private phones or tablets.  That done, it knows where they are on an almost real-time basis.  What better way to know whether they're following criminals, or meeting with suspected informers?  "That cop spent half an hour in Jaime's shop.  What was Jaime selling him?  Tortillas - or information?"  Too bad for Jaime if a cartel suspects him of being an informer.

On the personal level, too, this is frightening.  I can see this coming into play in divorces, civil court actions, and many other situations.  Parents may use it to track their kids, domineering spouses may use it to track their (in)significant others, private investigators may use it to track clients . . . the possibilities are endless.  At present, at least a nominal affirmation that the access is for law enforcement purposes is required;  but the time may not be far away that it can be done with no explanation or justification at all.  What if someone sets up a server in Canada, or Mexico, or the Caribbean, accessing the same third-party aggregation data and providing it to all comers, with no questions asked except the number of their credit card?

Once again, George Orwell is proved to have been prescient.

Peter
