Sprint denies 'massive' disclosure of customer information
Sprint has denied making a massive disclosure of sensitive information to law enforcement agencies.
Indiana University doctoral student and privacy researcher Christopher Soghoian has alleged that Sprint Nextel provided agencies with customer GPS location data over eight million times between September 2008 and October 2009.
"This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers," he says. "It is unclear if federal law enforcement agencies' extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics - since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004."
In his blog post, he publishes an audio recording of Paul Taylor, Sprint's Manager of Electronic Surveillance, discussing the company's activities at an industry conference in October.
He says: "With our GPS tool, we've just turned it on - the web interface for law enforcement - about one year ago last month, and we just passed eight million requests. So there's no way on earth my team could have handled eight million requests from law enforcement just for GPS alone, so the tool has just really caught on fire with law enforcement."
But Sprint claims that Soghoian has got the wrong end of the stick, and says the figure of eight million has been taken out of context.
"The figure does not represent the number of customers whose location information was provided to law enforcement, as this blogger suggests," says the company in a statement.
"Instead, the figure represents the number of individual “pings” for specific location information, made to the Sprint network as part of a series of law enforcement investigations and public safety assistance requests during the past year. It’s critical to note that a single case or investigation may generate thousands of individual pings to the network as the law enforcement or public safety agency attempts to track or locate an individual.
So if, say, the average number of pings is 1,000 per person - which seems like quite a lot - the company only provided data on eight thousand people. So that's all right.