Prison phone service can expose the location of anyone with a phone

In late April, somebody sent a letter containing meth to an inmate at an Arizona jail.

Tracking down the correspondent was no problem. Police looked at phone calls between the meth sender’s address and the inmate and then made an arrest, according to what Matthew Thomas, chief deputy of the Pinal County Sheriff’s Office, told the New York Times.

It was push-button easy thanks to the police having access to a location data lookup service from a company called Securus Technologies that provides and monitors calls to inmates. According to the Times, marketing documents show that the service, which is typically used by marketers and other businesses, gets the location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon.

It’s far too easy to get that data, some say. Privacy experts, at least one legislator, and inmates’ families say the service, which is fed by data from a mobile marketing company called 3Cinteractive, enables users to look up the whereabouts of nearly any mobile phone in the country, within seconds, without verifying the warrants or affidavits that Securus requires users to upload.

The system is typically used by marketers who offer deals to people based on their location.

It brings back memories of a Google scheme, revealed last year, that aims to track users in real life. As Google announced at its annual Marketing Next conference in May 2017, it wants to go beyond just serving ads to consumers. Using an artificial intelligence (AI) tool called Attribution, it said it would follow us around to see where we go, tracking us across devices and channels – mobile, desktop and in physical stores – to see what we’re buying, to match purchases up with what ads we’ve seen, and to then automatically tell marketers what we’re up to and what ads have paid off.

The Electronic Privacy Information Center (EPIC) was none too happy about the idea. In short order, EPIC filed a complaint with the Federal Trade Commission (FTC) to stop Google from tracking in-store purchases.

Likewise, people whose locations have been allegedly tracked without legal authorization via Securus’s service aren’t happy about it either. In an ongoing federal prosecution, a Grand Jury has alleged that Cory Hutcheson, a former Missouri sheriff’s deputy, used Securus at least 11 times to look up people’s information without legal authority. He’s facing 11 counts of alleged forgery against targets that include a judge and members of the State Highway Patrol. Hutcheson was dismissed last year for a separate, unrelated matter, and he’s pleaded not guilty to surveillance and forgery charges.

Securus is one of the largest prison phone providers in the country. Its marketing material is, naturally, on the warm and fuzzy side: its phone service keeps inmates in touch with their families, it says, while location data helps to track down people afflicted with Alzheimer’s.

But as the ACLU notes, the company is also known for the steep costs of inmates’ calls, for limiting families to video-only visits, and for violating attorney-client privilege by recording phone calls between prisoners and their attorneys.

Last week, the company was in the limelight for what the ACLU calls “even more troubling practices.” Namely, as Senator Ron Wyden charged in letters made public on Friday, Securus is “[undermining] the privacy and civil liberties of millions upon millions of Americans.”

In those letters, Wyden demanded action from the Federal Communications Commission (FCC) and several major telecommunications companies, describing Securus’s ability to obtain and share the phone location data of virtually anyone who uses a phone.

Wyden says that Securus is buying real-time location from the wireless carriers and providing it to the government through a self-service web portal “for nothing more than the legal equivalent of a pinky promise.”

All correctional officers have to do is go to the portal, enter any phone number, and then upload a document that purports to be an “official document giving permission” to get at the data.

A spokesman for Securus told the Times that the company requires customers to upload a legal document, such as a warrant or affidavit, and certify that the activity was authorized:

Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel.

The spokesman also said that Securus restricts its services only to law enforcement and corrections facilities, and that not all officials at a given location have access to the system.

Wyden said in his letters that Securus officials told him that the company does nothing to verify that uploaded documents provide judicial authorization for real-time location surveillance. Nor do they conduct any review of surveillance requests. He also said that Securus was wrong when it said that it’s up to correctional facilities to make sure employees don’t misuse the web portal.

As pointed out by Ars Technica, the Supreme Court is now set to rule on the case of Carpenter v. United States: a case that aims, after years of confusion, to iron out what kind of privacy – if any – Americans can expect with regards to their phones’ location data.

Law enforcement in that case relied on vast amounts of data collected from cellphone companies that showed the movements of Timothy Ivory Carpenter, who police said was the ringleader of a robbery spree.

As of May 2015, a US court had ruled that police could access phone location data without a warrant. But that decision didn’t resolve the issue, given that it ran counter to lower courts in several states having ruled that phone records are constitutionally protected, including Montana, Maine, Minnesota, Massachusetts, and New Jersey.

With all these contradictory laws, the question of what authorization, if any, law enforcement needs to get at our location data is legally complicated.

But why bother with the process at all? Securus’s service entirely cuts through the red tape, Wyden says:

It is incredibly troubling that Securus provides location data to the government at all – let alone that it does so without a verified court order or other legal process.

As you can see in a publicly available screenshot (PDF: page 30) of Securus’s online portal, the company simply requires an investigator to check a box to “certify the attached document is an official document giving permission to look up the location on this phone number requested.”

The investigator “then inputs the cellular number that is to be tracked and within seconds, the approximate location of the cell phone will be displayed on a graphical map of the area.”

In other words, just check a box.

So much easier than dealing with the Fourth Amendment.