Cory Hutcheson, a young sheriff elected in 2016 to lead deputies in rural Mississippi County, Missouri, faces a host of state and federal charges for, among other things, inappropriately using cell phone tracking technology to keep tabs on a judge and members of the state highway patrol.
He was suspended from office a year ago (following the violent death of a jail inmate) as the various cases weave through the courts. On Thursday, The New York Times reported some details on how exactly Hutcheson was able to track people's locations. The implications are both concerning and terribly predictable for those who follow tech surveillance.
Hutcheson apparently used a service provided by a private contractor, Securus Technologies, to keep tabs on phones. According to the Times, the service is provided only to law enforcement agencies, and there is a process that users are supposed to follow to make sure the person requesting the data is authorized to do so. That did not seem to happen here:
Asked about Securus's vetting of surveillance requests, a company spokesman said that it required customers to upload a legal document, such as a warrant or affidavit, and certify that the activity was authorized.
"Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel," the spokesman said in a statement. Securus offers services only to law enforcement and corrections facilities, and not all officials at a given location have access to the system, the spokesman said.
From here the reporting takes a bit of an odd turn. Hutcheson is accused of a wide range of misconduct, including forging documents to give him the authorization to engage in tech surveillance back when he was a deputy. Yet there's a suggestion in the story that Securus is in some way responsible for Hutcheson's behavior:
Senator Ron Wyden, Democrat of Oregon, wrote in a letter this week to the Federal Communications Commission that Securus confirmed that it did not "conduct any review of surveillance requests." The senator said relying on customers to provide documentation was inadequate. "Wireless carriers have an obligation to take affirmative steps to verify law enforcement requests," he wrote, adding that Securus did not follow those procedures.
But Securus isn't a "carrier" in this instance, so it's not clear whether it's mandatory for the company to require court orders or user permission to share location data. In fact, the Times story has two experts disagreeing on whether this data can be shared voluntarily and secretly under the federal Telecommunications Act.
Yet Wyden seems to think that it should fall under the role of these businesses to make sure law enforcement officials are not violating people's privacy. Oversight of police conduct is not something that's supposed to be outsourced to private tech companies.
This complaint from Wyden is part of a trend of attempting to hold tech companies somehow responsible when government has been either unable or unwilling to prevent people like Hutcheson from abusing their access to private data.
If Hutcheson used forgery to fake his clearance to engage in secret surveillance, the problem isn't with Securus, is it? It's a much different issue: public officials abusing their power. That's not something private companies are responsible for. The problem is insufficient government oversight of police behavior.