Privacy and Security

Security and Systematic Flaws Allowed Anyone to Track Any Cell Phone in Real Time

Local law enforcement agencies may have been able to access cell phone location data without a warrant, according to stories exploding across the media. At the heart of the controversy is a company called LocationSmart. The company aggregated, in real time, mobile phone data including location information and made the data available to law enforcement, providers of other services, or anyone who understood how to use its website.

The vulnerabilities, and the misuse of the technology, emphasize the need for state and local law enforcement officials to comply with all state and federal laws regarding cell phone data collection. They also illustrate the need for policymakers to exercise their oversight functions, ensuring that law enforcement entities are properly employing available technologies and following existing laws.

While attention is now on LocationSmart, when the story first broke, it focused on another company, Securus Technologies. Securus provides a number of services, including prison calls and monitoring services to determine the location of cell phone calls in an effort to identify and eliminate contraband phones in prisons.

According to the original story, a sheriff in Missouri misused the Securus cell phone tracking service to obtain location information for several different officials. He did so at least eleven times, each time without a warrant.

As researchers dug further into the service, they found that Securus obtained location information from LocationSmart. Data aggregators, such as LocationSmart, help mobile phone companies comply with legitimate requests from law enforcement. These requests include accessing phone location, call records, and so on. Aggregators also help mobile phone companies comply with other requests where the phone user may have acquiesced to the request.

Two different vulnerabilities were discovered, one with LocationSmart and one with Securus. A security researcher from Carnegie Mellon University in Pittsburgh found a bug in LocationSmart’s website. The bug allowed anyone with basic computer knowledge to access LocationSmart’s database and query the location of a mobile phone. The service returned a location often within a few hundred yards of where the phone was located.

LocationSmart has access to cell carrier networks and typically sells access to its data to companies like Securus. LocationSmart requires express consent from cell phone consumers prior to location data usage. The bug in LocationSmart’s system allowed anyone to bypass the need to obtain consent by using a demo tool—a bug the company has reportedly patched since the story broke.

While the company is in the process of confirming no one was able to exploit the vulnerability, the Federal Communications Commission has confirmed that “the matter has been referred to the enforcement bureau.”

The vulnerability with Securus relates to supporting legal documentation. When law enforcement uses the company’s technology to track cell phones, officials are supposed to upload warrants, subpoenas, or any other legal document evidencing the appropriate authorization to conduct the search. Unfortunately, it appears that Securus never confirmed whether documents were, in fact, uploaded or whether those documents were authentic. This allowed the sheriff to obtain location information, without warrants, on individuals he wanted to track rather than suspects or those subject to lawful tracking orders.

In both cases, the vulnerabilities provide individuals, including law enforcement officials, the opportunity to track cell phone location information with little more than a few clicks of a mouse. In the case of Securus, such an opportunity is available only to those entities with the necessary subscription to the service, but the technology can be improperly exploited.

A number of states have laws requiring law enforcement officials to obtain warrants, or in some cases subpoenas, for cell phone records. The American Legislative Exchange Council also has a model policy protecting geolocation information. If law enforcement agencies find ways to track cell phone locations without warrants, or other necessary documents, by using services such as those highlighted in the stories, any evidence gathered could be suppressed by a court prior to a trial.

Law enforcement officials should always ensure they comply with state and federal law regarding the collection of cell phone location information. Policymakers should take whatever steps are necessary to ensure their law enforcement agencies respect cell phone users’ privacy and that the agencies properly use the technologies and opportunities available.

In Depth: Privacy and Security

A market environment is essential for future success of the Internet. A consumer and private-sector-driven approach to privacy via self-regulation avoids undue regulatory burden that would threaten a thriving electronic marketplace. The Internet has flourished due in large part to the unregulated environment in which it has developed and grown.
