An American telco that provides costly phone services to prisoners has been accused of harvesting location data on American phone users – and selling it to the police with no oversight.
Senator Ron Wyden (D-OR) has asked America's comms watchdog – the Federal Communications Commission – and wireless carriers to investigate how Securus Technologies had been allowed to buy records on people's whereabouts and share them with law enforcement agencies.
That's all citizens, by the way, not just prisoners. Securus sold details of where you have been in the States, based on your phone's location, to the cops.
Wyden in his letter to FCC chairman Ajit Pai said he recently learned that Securus Technologies buys real-time location data from major wireless carriers, and makes that data available to authorities through an online portal.
"This practice skirts wireless carriers’ legal obligation to be the sole conduit by which the government conducts surveillance of Americans’ phone records, and needlessly exposes millions of Americans to potential abuse and surveillance by the government," Wyden wrote.
As described by Wyden, Securus nominally complies with the required presentation of lawful process by allowing correctional officers to get data on any US phone number by submitting a document purporting to be official permission.
But he says the company told him it doesn't verify that the documents are valid court orders.
To illustrate the potential problem with what Securus has been doing, Wyden pointed to a report in the New York Times about how the former sheriff of Mississippi County, Missouri, recently was charged for allegedly conducting illegal surveillance through information gained from Securus' portal. Prosecutors claim he tracked the cellphones of a judge and State Highway Patrol officers, among others.
It's not the first time Securus has run into trouble for its lax attitude to privacy. In 2015 it was revealed that the company had been recording conversations between inmates and their lawyers, although the company claims nothing improper went on.
The telco is also currently being sued for the high prices it charges its literally captive audience. In one of the jails in which it operates, inmates are charged $3.16 for the first minute of call time, and service fees are also levied.
The Register asked Securus for comment but we've not heard back.
Telcos also under the spotlight
Wyden also wrote to major US wireless carriers, asking them to take steps to protect customer privacy. In his letter to AT&T CEO Randall Stephenson, he wrote, "The fact that Securus provides this service at all suggests AT&T does not sufficiently control access to your customers' private information."
Wyden wants AT&T, Sprint, T-Mobile and Verizon to conduct an audit of third-party companies that receive customer personal information, to inform customers about the arrangement and obtain their consent, to end relationships where customer privacy has been abused, and to create a web portal that allows customers to see their data.
A spokesperson for AT&T did not immediately respond to a request for comment.
According to the New York Times, Securus said its service relies on cell tower data rather than GPS data originating from an individual's phone. The report suggests there may be a distinction under the law between these two data sets, even though they both boil down to map coordinates.
Later this year, the US Supreme Court is expected to decide whether a warrant is necessary to obtain phone location data when it issues a ruling in United States v. Carpenter.
Updated to add
After this story was filed, an AT&T spokesperson in an email to The Register said: "We have a best practices approach to handling our customers’ data. We are aware of the letter and will provide a response."
And in a two-page statement, Securus defended its Location-Based Services application, alleging that Wyden’s claims are inaccurate.
The statement insisted that Securus location data improves public safety, citing its role in the peaceful recovery of an abducted three-year-old and in foiling a planned prison break. With reference to concerns that the company fails to verify the legality of documents claiming data access authorization, the biz contends that’s not its job.
“These verification requirements are entirely reasonable,” the company’s statement reads.
“Securus requires documentation and reasonably relies on the professionalism and integrity of our law enforcement customers and their counsel. Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel.”