The digital privacy world was rocked late Thursday evening when The New York Times reported on Securus, a prison telecom company that has a service enabling law enforcement officers to locate most American cell phones within seconds. The company does this via a basic Web interface leveraging a location API—creating a way to effectively access a massive real-time database of cell-site records.The API - Applications Program Interface - is the key. It's what appears to be Securus' contribution to the tracking. The API makes it possible for any programmer to write applications that use this data. The data itself is not from Securus. They rely on data brokers and location aggregators that obtain that information directly from mobile providers.
The Texas-based Securus reportedly gets its data from 3CInteractive, which in turn buys data from LocationSmart. Ars reached 3CInteractive's general counsel, Scott Elk, who referred us to a spokesperson. The spokesperson did not immediately respond to our query. But currently, anyone can get a sense of the power of a location API by trying out a demo from LocationSmart itself.If you want to see where the fight over the end of the Fourth Amendment is currently taking place, this may not be it exactly, but I bet you can see it from here.
Securus’ location service as used by law enforcement is also currently being scrutinized. The service is at the heart of an ongoing federal prosecution of a former Missouri sheriff’s deputy who allegedly used it at least 11 times against a judge and other law enforcement officers.The reason the data is available is because cell phones need to "talk" with the towers and the towers triangulate on a given number to aid in handling the call. If several towers receive the handset, as is usually the case, they can tell by signal strength changes the likely direction the phone is moving, so that they can hand off to the next cell more easily.
"To access this private data, correctional officers simply visit Securus’ Web portal, enter any US wireless phone number, and then upload a document purporting to be an official document giving permission to obtain real-time location data," Wyden wrote.
With the Securus system, the phone's location isn't obtained from the phone's GPS; the provider's knowing the location has nothing to do with a phone being a Smart phone or a dumb old flip phone, and it has nothing to do with turning "location services" off. The location awareness comes simply from being a phone on the cellular network.
Similarly, while the location provided by triangulating between cell towers is low resolution - they might know that the phone is somewhere in a quarter or half mile diameter circle - this was adequate for a lot of criminal prosecutions. If someone's argument was "I wasn't even there", and the phone records verified they weren't within that quarter mile circle but in another cell some distance away, the story checked. GPS enhances that measurement. You can envision someone being falsely accused of something by a third party but being in the same cell as the third party. Perhaps they're within a few hundred yards of the accuser; two or three houses or apartments away. They're really "not even there", but the location being accurate only to within a quarter or half mile circle is incapable of proving or disproving that.
In the old days, people used to wonder if the FBI had a file on them and we used to say the easiest way to get an FBI file started on you was to request a copy of your FBI file under the Freedom of Information Act. I just can't help but wonder if checking to see if your phone (or browser, landline, and so on) can be tracked is a way to ensure that it gets tracked. But then I tell myself it's already tracked anyway.