Researchers expose vulnerabilities in 4G/LTE enabled devices
Researchers expose vulnerabilities in 4G/LTE enabled devices

After a former Missouri  was indicted for, among other things, tracking the cell phones of numerous persons, including some state troopers, without the benefit of a court order, Sen. Ron Wyden, D-Ore., has asked the Federal Communications Commission (FCC) to investigate the wireless carriers that allow law enforcement to have “unrestricted access to the location data” of their customers.

"I recently learned that Securus Technologies, a major provider of correctional-facility telephone services, purchases real-time location information from major wireless carriers and provides the information, via a self-service web portal, for nothing more than the legal equivalent of a pinky promise,” Wyden wrote to FCC Chairman Ajit Pai of the carrier used by the Missouri sheriff. “This practice skirts wires carriers' legal obligation to be the sole conduit by which the government conducts surveillance of Americans' phone records, and needlessly exposes millions of Americans to potential abuse and surveillance by the government.”

Wyden told Pai that accessing private data was as easy as visiting the carrier's web portal, entering a wireless number an uploading “an ‘official document giving permission” to get real-time location data.

“It is incredibly troubling that Securus provides location data to the government at all, let alone that it does so without a verified court order or other legal process,” wrote Wyden.

Calling the Securus set-up “ripe for abuse,” the American Civil Liberties Union (ACLU) said it was “bad enough that Securus, with the assistance of major telecommunications carriers, has established this backdoor to private data held by telecommunications companies.” A look at the company's own documentation shows that they apparently  “offer additional ‘location-based services' that exploit incarcerated individuals and their families.”  

Wyden asked the FCC to investigate the carriers and their “failure to maintain exclusive control over law enforcement access to their customers' location data” as well as a broader probe into the type of consent each carrier requires from other companies before sharing the data with them.

“The phone carriers must take full responsibility for their role in facilitating — and profiting from — Securus' exploitative services. They should immediately terminate any contracts that allow Securus or companies that provide similar services to access location information,” according to an ACLU blog post. “The phone carriers should also get to the bottom of how Securus was allowed to obtain this data in the first place. They should ensure that all law enforcement requests for location data are submitted to and vetted by them directly and information is only disclosed in other circumstances when appropriate.”  

The rights organization said customers have the “right to know if their information was improperly disclosed” and called for phone companies to immediately notify them if it was then “develop transparency mechanisms that allow individuals to easily see who else may have been given access to their data.”

In addition to an FCC investigation of Securus and other companies like it, the ACLU called for the commission to take additional steps to compel telecommunications providers to “adequately safeguard data from this type of abuse.” 

State attorneys general, too, should conduct probes of their own to see if Securus and providers violate their state privacy laws. “While these inquiries are ongoing, facilities should halt their Securus contracts, and ensure that individuals contacting incarcerated loves ones are provided a realistic way to opt out of location surveillance,” the ACLU said.

Wyden told Pai Securus officials “claimed, incorrectly,” to his office “that correctional facilities, not Securus, must ensure that correctional officers don't misuse the web portal.” The senator also wrote similar letters to U.S. wireless carriers asking them to take proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data.”