Privacy SOS

Companies like AT&T and Verizon, as well as every other wireless provider in the United States, are required by law to retain information about their customers in case the government wants access to it. A recent study by security researchers in Germany depicts just how detailed a picture these companies can paint about the daily lives of ordinary people: they know where you've been and who you associate with.

Cell phones have truly changed the game for law enforcement investigations and surveillance. Whereas with land lines, investigators were once required to obtain court-issued warrants in order to “tap” and eavesdrop on private conversations, with mobile phones the content of conversations has become subordinated to what's called “transactional data,” including location information. Transactional data includes the time, date, and location of each call; the phone numbers called; and the length of calls in minutes.

Today, law enforcement is often more interested in transactional data than it is in the content, the actual spoken words, of those calls. And because the law hasn't caught up to mobile technology, the government regularly obtains this transactional information from telecommunications companies without a warrant. Sometimes the government uses what are called “administrative subpoenas”; sometimes they just ask and receive.

While we don't know exact numbers on how often law enforcement accesses this intimate, personal information without warrants, specific leaks demonstrate that the problem is massive and growing. As reported in December 2009:

Sprint Nextel provided law enforcement agencies with customer location data more than 8 million times between September 2008 and October 2009, according to a company manager who disclosed the statistic at a non-public interception and wiretapping conference in October.

In one particularly egregious case, a German telecom company was found to have tracked its own employees using the data from those employees' mobile phones. Besides the company's looking into historical data about the employees' whereabouts, allegations have surfaced accusing it of spying on its employees' locations in real time. This kind of spying has a serious chilling effect on free speech. Perhaps it's no surprise to find out that this same German telecom also hired a private spy agency founded by a man who once worked for the notorious East German secret police, the Stasi.

The problems discussed above stem from telecommunications companies retaining and sharing your private data with the government. But there's another problem with our mobile phones and our privacy: in many cases, our phones themselves are storing location information about us, creating a very dangerous and easily exploitable security hazard open to theft and hacking.

Do you feel comfortable knowing that all of your location information is stored in a file on your phone? 

According to this April 2011 Guardian article, the iPhone automatically stores location information on the device itself, creating a database of GPS, time, and date markers showing everywhere the phone has ever traveled. Given that most people travel everywhere with their phones, iPhone users should now be aware that their phones are keeping detailed tabs on their travel histories. The map below was constructed using data from one iPhone, showing where and how often the user traveled in Southern England:

The security researchers who found this file on the iPhone have set up a website explaining in detail how it works, and what you can do. The researchers, Pete Warden and Alasdair Allan, have also created a program that allows people to see these files on their computers. That's because every time you connect your iPhone to your computer, this file is transmitted to your computer. Warden says he hasn't figured out a way to delete the file.

As of today, Apple hasn't responded to questions about why it would put this kind of tracking software in the phone. Google's Android system allegedly keeps the same data. Both companies reportedly send this location data back to their own databases more than once per day.

Unfortunately, because our electronic privacy laws haven't been updated since 1986, they don't provide strong, clear protections for this kind of location data. Therefore, it's likely that law enforcement is getting access to this data without a warrant from a judge.

So the police can get your location data from AT&T, Apple, Google, Verizon and Sprint, but they can also now swipe all of your phone's data directly off the phone. The Michigan ACLU is charging that police officers in that state are using a new technology called “Cellebrite UFED” to copy all kinds of personal data from people's cell phones, even during regular traffic stops. The Cellebrite snatches up your:

recently dialled numbers, SMSes, Facebook/Twitter posts, emails, bookmarks, Web history, cookies, notes, MMS, IMs, lists of recent Bluetooth devices, journeys, GPS fixes, call logs, and a list of your contacts.

All of that information is taken from people without a court order, without any probable cause or reasonable suspicion that someone has committed or will commit a crime.

So, be careful how you use your phone. Until we force Congress to update our woefully obsolete electronic communications privacy laws, you should assume that your mobile data is not private. Want to fight for your privacy? Take action now.

© 2021 ACLU of Massachusetts.