Securus Technologies markets a product to law enforcement that taps into realtime cell-tower data from mobile carriers to produce fine-grained location tracking of anyone carrying a phone; it is nominally marketed to find parolees and wandering Alzheimer's patients, but because it has no checks or balances, cops can query it willy-nilly to find anyone's location.
That's what Cory Hutcheson, ex-Sheriff of Mississippi County, MO, is accused of doing; prosecutors say that for three years, Hutcheson abused Securus's system to track all kinds of people -- even a local judge -- without a warrant.
Securus claims that it restricts the use of its system to legally permitted surveillance, requiring users to upload warrants or court orders prior to use; but it does not vet or review those orders before granting access. Securus also does not make the alleged court orders visible to carriers before it queries their databases, meaning that the phone companies have to take Securus's word for it.
The carriers, meanwhile, are exploiting a loophole in privacy laws that nominally prohibit selling this kind of data: by burying "consent" to the sale of your location data in their lengthy, never-read agreements, the carriers are able to circumvent the law, primarily to sell your data to marketers, but also to surveillance companies like Securus.
Hutcheson is a great object lesson in the problems with "extraordinary access" or "lawful interception" rules that weaken digital security to help law enforcement. The US has about 18,000 police agencies, and Hutcheson presided over a sparsely populated, rural district. Before the latest indictments, he was already under indictment for forgery and for illegal surveillance; he lost his job following the death of an inmate in his custody (though of course, no one was held accountable for that death).
He is a crooked, corrupt cop, in other words. Whether you think he's typical or atypical, if he represents even one percent of law enforcement agents who have access to tools that allow their wielders to attack the public in far-reaching, frightening ways, that means that criminals and spies and griefers have a wide pool of corrupt officials to choose from if they want to abuse the system.
We're all familiar with the detective movies where someone writes down a license plate and the PI casually remarks that he'll get a friend on the force to run the plate and find the driver's identity. It's just not surprising that a cop might allow a friend to "harmlessly" abuse a police database. When we discuss backdooring phone crypto or other far-reaching attacks on the security of the digital world, we're really saying, "Cops and dirty cops and friends of dirty cops and their friends will all have access to all your digital life."
Privacy concerns about Securus and location services were raised to the F.C.C. last year before the company’s sale to Platinum Equity, a private equity firm, for about $1.5 billion. Lee Petro, a lawyer representing a group of inmate family members, wrote letters urging the commission to reject the deal, based in part on concerns about locating people who spoke with inmates over the phone.
Securus, founded in Dallas in 1986, has marketed its location service as a way for officials to monitor where inmates placed calls. Securus has said this would block escape attempts and the smuggling of contraband into jails and prisons, and help track calls to areas “known for generating illegal activity.”
In an email, Securus said the service was based on cell tower information, not on phone GPS.
Securus received the data from a mobile marketing company called 3Cinteractive, according to 2013 documents from the Florida Department of Corrections. Securus said that for confidentiality reasons it could not confirm whether that deal was still in place, but a spokesman for Mr. Wyden said the company told the senator’s office it was. In turn, 3Cinteractive got its data from LocationSmart, a firm known as a location aggregator, according to documents from those companies. LocationSmart buys access to the data from all the major American carriers, it says.
Service Meant to Monitor Inmates’ Calls Could Track You, Too [Jennifer Valentino-DeVries/New York Times]