Those smartphones we're always carrying with us? The police have a simple way to turn them into a tracking device without our knowledge.
On Thursday, The New York Times revealed that Securus Technologies, a service that monitors calls to prison inmates, has been used by a former Missouri sheriff to monitor people's phones and track their location. The sheriff, who was charged for the tracking in state and federal courts, allegedly used the program to track a judge and five other police officers.
He was able to do this because Securus quietly offers another service that can find almost any phone in the US within seconds. The company has that data because it buys real-time location information from major wireless carriers, which is typically meant for marketers who want to target advertising based on where you are.
Police officers tracking cell phones through wireless carriers has become a more prominent legal issue as technology has made the process much easier over the last few years. The Supreme Court is reviewing a case on whether the government needs a warrant to demand your phone's location history. The legal issues surrounding this topic are why Securus' simple method strikes such a nerve -- it's often expected that the Fourth Amendment protects innocent people from digital surveillance.
The revelation throws into question the boundaries of law enforcement and once again raises concerns about just how much privacy we have, an issue that remains in the spotlight following Facebook's Cambridge Analytica flap and breaches that have led to companies like Yahoo and Equifax losing our information.
It's also spurred Sen. Ron Wyden, a Democrat from Oregon, to start taking a serious look at Securus, whose service is used by more than 3,450 law enforcement agencies, according to the company's marketing material. Securus told Wyden that its web portal allows surveillance of customers of "every major US wireless carrier."
In a letter to AT&T CEO Randall Stephenson, Wyden said all police officers needed to do to get access to a location was enter a cell phone number on Securus' website, then upload a file they say is an official document that gives them permission to get the info.
"Senior officials from Securus have confirmed to my office that it never checks the legitimacy of those uploaded documents to determine whether they are in fact court orders and has dismissed suggestions that it is obligated to do so," Wyden wrote in his letter, which he sent Tuesday. The senator called this process the "legal equivalent of a pinky promise," and demanded an investigation from AT&T.
In a separate letter Tuesday, Wyden wrote to Ajit Pai, chairman of the Federal Communications Commission, asking that the FCC look into Securus and how wireless carriers fail to protect people's location data.
AT&T said it's "aware of the letter and will provide a response."
"We're still trying to verify, but if this company is, in fact, doing this with our customers' data, we will take steps to stop it," a Verizon spokesman said.
A Sprint spokeswoman said the company shares phone locations only with customer consent or in response to law enforcement orders. She added that Sprint has received Wyden's letter and is responding.
T-Mobile didn't respond to a request for comment.
The FCC said it's received the letter and is reviewing it.
Demanding answers about phone tracking
The program is detailed in a publicly available document from the state of Georgia, with Securus bragging that it can track any number "within seconds."
Wyden listed steps wireless carriers should take to ensure privacy, starting with an audit of every outside party they share personal data with.
The senator also wants carriers to ensure that customers must consent to their data being available, and to immediately end any data-sharing with companies that abuse that data. In his letter, Wyden asked that carriers allow customers to see all the third parties that have access to their data.
He demanded answers from AT&T, asking the company to send details on all third parties the carrier has shared location data with in the last five years.
In a blog post, the ACLU said Securus may have violated a federal law that prohibits lying to phone companies to obtain confidential records.
"Major telecommunications carriers who ultimately facilitate these abuses also deserve blame," the ACLU said in its post. "In cases where phone companies provide location information, they have a responsibility to ensure that it is only disclosed in appropriate circumstances."
Securus, in a statement emailed late Friday, said Wyden's letter to Pai contained "multiple inaccuracies and misleading statements" and it outlined some of the "safeguards in place today to help ensure that LBS is used appropriately."
It said, for example, that the service is only available to law enforcement customers who are authorized users within those organizations. "Our customer contracts and LBS user agreements require that LBS only be used for lawful purposes. And we provide training to customers on the need to provide proper documentation when conducting searches."
And at LBS enabled facilities, Securus says it obtains location data for inmate calls to wireless phones "and follows the best-practices guidelines of the CTIA by obtaining consent from the called party prior to provident law enforcement with the telephone's approximate geographic location."
The company maintains that its verifications "are entirely reasonable."
"Securus requires documentation and reasonably relies on the professionalism and integrity of our law enforcement customers and their counsel," its statement read. "Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel."
Here's where you can read Sen. Wyden's letter to AT&T and Wyden's letter to the FCC.
First published May 11, 9:33 a.m. PT
Updates, 10:13 a.m.: Includes comment from Sprint; 12:37 p.m.: Adds comment from Verizon; 4:08 p.m. PT: Adds statement from Securus; May 14, 9:51 a.m. : adds statement from AT&T.
'Hello, humans': Google's Duplex could make Assistant the most lifelike AI yet.
Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.