Monday, April 27, 2009

Governmental response to Swine Flu and the threat to privacy

While much of the media attention over the past day or two on the swine flu threat has focused on the very real public health issues, there are some rather troubling potential privacy issues that also deserve a bit of attention.

According to media reports, American officials know of 20 suspected cases of swine flu in the United States. At least 8 of those involve students at a private high school in New York, some of whom had recently returned from a trip to Mexico.

As government officials (in both the public health and national security fields) scramble to contain this outbreak, they are likely to turn to mobile phones and the records of customers' physical location history in order to identify other individuals who might have come into contact with the infected persons.

I think it is probably fair to assume that any student with enough money to both attend a private high school in New York and go on a spring break trip to Mexico likely has enough money for a cell phone.

Given how many people have already been infected in Mexico, it is unlikely that US government officials would feel the need to obtain physical location information from the roaming records of those teens while they were abroad. However, from the moment they set foot in a US airport, the identities of the persons they came into contact with are likely going to be sought after.

The increasing use of location information

Those in the privacy community have long sounded the alarm about the increasing use of location information by law enforcement agencies. For example, the Washington Post wrote back in 2007 that:
Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers.

In some cases, judges have granted the requests without requiring the government to demonstrate that there is probable cause to believe that a crime is taking place or that the inquiry will yield evidence of a crime.

At a recent Berkman Center event, telecom lawyer Al Gidari revealed that each of the major wireless phone companies receives 100 requests per week for location information (4 companies * 100 requests per week = 20,000 requests per year). Furthermore, one request doesn't necessarily mean one person, but can mean "tell us the names of everyone near the corner of 1st and Main St at midnight on Saturday."

When phone records are sought in terrorism investigations, the FBI commonly asks for a "community of interest" -- that is, the names of everyone that a suspect has called, and then the names of the people that those persons have called. There is no reason to believe that similar techniques would not be used by public health officials looking to get information on the spread of the swine flu. For example, they could ask the wireless phone companies for the names and addresses of every person known to have been within 100 ft of someone known to have been infected.

Given that most historical cellular location records lack street level accuracy, such investigation methods would likely result in huge numbers of false positives -- that is, people who had been in the same neighborhood as infected persons, but who never came into close contact with them.
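To make the false-positive problem concrete, here is an added Python model (not from the original post) in which tower-level records are assumed to resolve only to 1.5 km cells, and every position is constructed for the example:

```python
import math

FEET_100_M = 30.48      # the "within 100 ft" threshold quoted above
TOWER_CELL_M = 1500.0   # assumption: tower coverage modelled as 1.5 km squares


def tower_id(x, y, cell=TOWER_CELL_M):
    """All a tower-level record stores: which cell the handset used."""
    return (int(x // cell), int(y // cell))


def build_records():
    """Constructed sample: one hour of positions (metres) in a 3 km x 3 km area.
    225 bystanders on a 200 m grid, one infected person, one true close contact."""
    recs = {"infected": (750.0, 750.0), "close_contact": (760.0, 765.0)}
    for i, x in enumerate(range(100, 3000, 200)):
        for j, y in enumerate(range(100, 3000, 200)):
            recs[f"bystander_{i}_{j}"] = (float(x), float(y))
    return recs


def tower_level_query(records, subject):
    """What a carrier can actually answer: everyone logged on the same tower."""
    cell = tower_id(*records[subject])
    return {p for p, pos in records.items()
            if p != subject and tower_id(*pos) == cell}


def true_contacts(records, subject, radius_m=FEET_100_M):
    """The ground truth investigators want, which tower records cannot give."""
    sx, sy = records[subject]
    return {p for p, (x, y) in records.items()
            if p != subject and math.hypot(x - sx, y - sy) <= radius_m}


def false_positive_report(records, subject):
    """Compare the answerable query with the intended one."""
    hits = tower_level_query(records, subject)
    truth = true_contacts(records, subject)
    return {"returned": len(hits), "true": len(truth),
            "false_positives": len(hits - truth), "missed": len(truth - hits)}


if __name__ == "__main__":
    print(false_positive_report(build_records(), "infected"))
```

With these constructed positions the tower-level query names 50 people, of whom exactly one was actually within 100 ft of the infected person.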

No warrant, no problem

Law enforcement agents routinely seek and gain location information without a warrant or any form of court order. In exigent circumstances such as kidnappings and terrorist threats, the information can usually be obtained with a single phone call, since telecom companies are loath to say no to an emergency. It is equally likely that now, with bodies piling up in Mexico and headlines across the world carrying news of the swine flu, telecom company lawyers will not wish to second-guess the requests of US government officials.

However, in the process, huge swaths of detailed location information on the movements of millions of Americans could be turned over to public health, law enforcement and intelligence agencies without any assurances that the data will only be used to prevent a swine flu epidemic. Once that data is given to the Government, there is little that can be done afterwards to stop it from being used for other purposes -- such as the war on drugs or investigations of "right wing extremists."

I want to be clear -- I am not taking a moral position here on the sharing and use of this data. The goal of this blog post is merely to try to draw attention to the fact that this information is going to be shared with government agencies, if it hasn't happened already. Furthermore, those of us in the privacy community need to make sure that if this information is handed over for public health purposes, this is the only permitted use of the data -- and that it is not allowed to find its way into long-term storage on government servers in Quantico, Virginia or Ft. Meade, Maryland.

1 comment:

the-pathogen said...

I would like to share with you some of my experience in this field, in case any of it is new information for you.

First, I was a technician for Sprint for 3 years, and the capability to track customers has been in the consumer market for 2.5 years (it's called Family Tracker). CDMA networks intrinsically have the ability to monitor locations, and new phones use their "Assisted-GPS" chip to update the location to the network every minute or so. I was once approached by a local police department to see if we could retrieve such data, and I could only view the most recent month's locations (only by tower used for phone calls). It appeared that after a new bill generates, the excess information is purged from the system. To implement such a tracking system (if one is not already in place) would simply be a matter of software - and if Sprint objected, then the feds could subversively install such software.

Theoretically the federal government could retrieve the locations the NY students made calls - but nothing else unless another system has been put into place.

My mother worked for the DEA for around 3 years, and she would often complain to me about Sprint's ability to retrieve customer data on a whim. Apparently all the major carriers voluntarily and immediately disclose any and all information about their customers to the government, whereas Sprint would charge $150 and it would take two weeks. The Federal Government became so upset with Sprint's practice that in 2007 the FBI in several cities canceled their Nextel service after failed negotiations with Sprint in Kansas City over the $150 charge. The DEA followed suit in several cities.

After talking to my mother about the type of information cellular companies send to the federal government (and with my inside knowledge of Sprint's consumer data system), it became obvious that telecom companies are sending a stripped-down version of the "call history" from consumer bills and text messages in PDF format through an email. In Sprint's case, it was the entire phone bill with call history (for $75) and text messages for the last 18 months (for $75). I doubt Sprint will change this practice of charging the federal government; my mother told me that in a single month she spent $5,000 on customer information. She left the DEA in late 2008.

The cooperation of these telecom giants has paid off huge: opening the island of Cuba up for a cell phone network, retroactive immunity for routinely violating the privacy of their customers, and less regulation than the Financial Sector.

I know you can't verify any of this (and neither can I really), but I hope you found it interesting or useful. Shoot me a message if you want to know more.