Surveillance

Where Have You Been? Your Cellphone Knows and Is Willing to Tell

Your cellphone is tracking your movements and, despite legal protections, federal, state, and local officials are finding new and disturbing ways to use that information.

|


If you've ever walked through a shopping center and received a text-messaged coupon for the store you've just passed, you have a hint that your location isn't exactly a secret. Somebody out there knows where you are and is putting that information to use.

That sort of proximity marketing might be super-creepy or really helpful, depending on your tastes. But location-tracking can be dangerous if you're up against a government agency, which are more prone to shackles than to special offers. Your cellphone is tracking your movements and, despite legal protections, federal, state, and local officials are finding new and disturbing ways to use that information.

Some cops saw the potential for tracking people through their phones long before the law formally caught up.

Cory Hutcheson, the former sheriff of Mississippi County, Missouri, was sentenced last April to six months in federal prison and four on house arrest for illegally tracking people's phones without a warrant. Among the people he tracked without legal cause were his predecessor in office, state troopers, and a county judge.

"For a three year period, including after being elected Sheriff of Mississippi County, Hutcheson uploaded false and fraudulent documents to a law enforcement database to obtain the location of over 200 mobile phone users," according to the U.S. Attorney's Office for the Eastern District of Missouri. "Hutcheson submitted thousands of requests and obtained the location data of hundreds individual phone subscribers without valid legal authorization, and without the consent or knowledge of the targeted individual."

Hutcheson did his tracking through Securus, a prison phone provider that offered law enforcement officials location services on communications devices.* According to a 2018 ZDNet investigation into the relationship, Securus got its cellphone location data from LocationSmart, which partners with major mobile communications providers. The arrangement bypassed restrictions on government agencies acquiring such data directly from telecoms.

Fourth Amendment protections for cellphone location records gained a boost from Carpenter v United States in 2018, which found that "historical cell-site records present even greater privacy concerns" than GPS tagging of vehicles. But it's not yet clear how far the new protections go. Besides, Securus already required legal documentation for location requests—Hutcheson just dummied-up the paperwork.

But bad cops gonna bad cop, and they're going to do their worst with whatever tools you give them. That should be taken as a cautionary tale about the inevitable abuse of everything provided to government agencies.

Good cops—or at least, those playing by the rules—like to know where your cellphone is, too, and their actions aren't necessarily much more reassuring.

"U.S. Immigration and Customs Enforcement … has used [cellphone location] data to help identify immigrants who were later arrested," The Wall Street Journal reported last week. "U.S. Customs and Border Protection, another agency under DHS, uses the information to look for cellphone activity in unusual places, such as remote stretches of desert that straddle the Mexican border."

Homeland Security draws its location data from Venntel, an aggregator which itself acquires information not from telecoms, but from app companies. Think about your mapping apps, or the weather app that adjusts its forecast as you move around, or the food-ordering app that tells you which vendors are nearby. Those handy capabilities require tracking your movements, and those movements are valuable to end-users that include the Department of Homeland Security.

That said, most apps obscure individual identities in their shared data. The information purchased by the Department of Homeland Security should reveal where phones are and their movements to and from places, but unlike the LocationSmart/Securus tracking, it shouldn't connect to actual identities. That pseudonymized data, available from commercial vendors and escaping (officials believe) the restrictions of the Carpenter ruling, is still useful to government officials.

"The data was used to detect cellphones moving through what was later discovered to be a tunnel created by drug smugglers between the U.S. and Mexico that terminated in a closed Kentucky Fried Chicken outlet on the U.S. side near San Luis, Ariz., said people with knowledge of the operation," the Journal notes.

But if you correlate the data from several apps, or put together a pattern of life, you can reconnect a moving dot on a map with a human identity. "Several people in the location business said that it would be relatively simple to figure out individual identities in this kind of data," according to a New York Times report on the industry.

Most of the safeguards, it should be noted, are intended to protect people from hackers and private sector misuse of personal information. Even the Carpenter decision doesn't make specific location data on people's movements, linked to their names, unavailable—it just says that government officials need to get a warrant to track individuals. The sort of individual cellphone tracking that Sheriff Hutcheson applied to his political enemies remains available to government agencies who are willing and able to secure a search warrant.

The phones in our pockets act as location beacons, signaling generic movements of people to agencies who might want to know where groups are gathering, and broadcasting our personal locations to officials who are willing to jump through the legal hoops (or pretend to do so) to map out our travels.

Just remember that, no matter what safeguards are in place, your super-helpful cellphone is a terrible tattletale. When you carry it, your phone creates a continuous trail of where you've been, and it will tell anybody who asks in the right way.

*CORRECTION: An earlier version of this article suggested that Securus was still in operation and may be available for general use. Before its discontinuation in 2018, the service was offered only to law enforcement officials who provided documentation.