According to media reports, American officials know of 20 suspected cases of swine flu in the United States. At least 8 of those involve students at a private high school in New York, some of whom had recently returned from a trip to Mexico.
As government officials (in both the public health and national security fields) scramble to contain this outbreak, they are likely to turn to mobile phones and the records of customers' physical location history in order to identify other individuals who might have come into contact with the infected persons.
I think it is probably fair to assume that any student with enough money to both attend a private high school in New York and go on a spring break trip to Mexico likely has enough money for a cell phone.
Given how many people have already been infected in Mexico, it is unlikely that US government officials would feel the need to obtain physical location information from the roaming records of those teens while they were abroad. However, from the moment that they stepped foot in a US airport, the identities of the persons they came into contact with are likely going to be sought after.
The increasing use of location information
Those in the privacy community have long sounded the alarm about the increasing use of location information by law enforcement agencies. For example, the Washington Post wrote back in 2007 that:
Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers.
In some cases, judges have granted the requests without requiring the government to demonstrate that there is probable cause to believe that a crime is taking place or that the inquiry will yield evidence of a crime.
At a recent Berkman Center event, telecom lawyer Al Gidari revealed that each of the major wireless phone companies receives 100 requests per week for location information (4 companies * 100 requests per week = 20,000 requests per year). Furthermore, one request doesn't necessarily mean one person, but can mean "tell us the names of everyone near the corner of 1st and Main St at midnight on Saturday."
When phone records are sought in terrorism investigations, the FBI commonly asks for a "community of interest" -- that is, the names of everyone that a suspect has called, and then the names of the people that those persons have called. There is no reason to believe that similar techniques would not be used by public health officials looking to get information on the spread of the swine flu. For example, they could ask the wireless phone companies for the names and addresses of every person known to have been within 100 ft of someone known to have been infected.
Given that most historical cellular location records lack street level accuracy, such investigation methods would likely result in huge numbers of false positives -- that is, people who had been in the same neighborhood as infected persons, but who never came into close contact with them.
No warrant, no problem
Law enforcement agents routinely seek and gain location information without a warrant or any form of court order. In exigent circumstances such as kidnappings and terrorist threats, the information can usually be gained with a single phone call -- since telecom companies are loathe to say no to an emergency. It is equally likely that now, with bodies piling up in Mexico, and headlines across the world with news of the swine flu, that telecom company lawyers will likely not wish to second guess the requests of US government officials.
However, in the process, huge swaths of detailed location information detailing the movements of millions of Americans could be turned over to public health, law enforcement and intelligence agencies without any assurances that the data will only be used to prevent a swine flu epidemic. Once that data is given to the Government, there is little that can be done afterwards to stop it from being used for other purposes -- such as the war on drugs or investigations of "right wing extremists."
I want to be clear -- I am not taking a moral position here on the sharing and use of this data. The goal of this blog post is merely to try and draw attention to the fact that this information is going to be shared with government agencies, if it hasn't happened already. Furthermore, those of us in the privacy community need to make sure that if this information is handed over for public health purposes, that this is the only permitted use of the data -- and that it is not allowed to find its way into long term storage on government servers in Quantico, Virginia or Ft. Meade, Maryland.