Photo: Getty

A case in which a Missouri sheriff is accused of illegally tracking citizen’s cellphone location for personal reasons is putting the spotlight on a little-known service that allows police to gain people’s location data with little oversight. The complex scheme involves the practices of telemarketers, inmate call services, and major telecoms like AT&T slipping through the cracks of regulation.

Corey Hutcheson was elected sheriff of Mississippi County, Missouri, in 2016, but the FBI was reportedly investigating him as far back as 2014 when he was just a deputy. He was indicted last year on 11 counts of identity theft and he has many other potential offenses hanging over his head, including first-degree robbery, seven counts of forgery, another seven counts of tampering with computer data, and one count of notary misconduct. The indictments stem from Hutcheson’s access to an obscure location tracking system offered by Securus Technologies, a major provider of inmate call services to jails and prisons in the U.S.

Advertisement

In addition to selling phone service for inmate calls at exorbitant rates that have become an industry standard, Securus has another service that allows customers to ping a cellphone and gather location information based on its proximity to wireless towers. The company advertises this feature as a way to track down missing persons or hunt down murderers, but it’s ripe for abuse. Hutcheson is accused of using the system to locate his predecessor, a county judge, several state troopers, and a local journalist covering his alleged corrupt actions.

The New York Times reports:

The service provided by Securus reveals a potential weakness in a system that is supposed to protect the private information of millions of cellphone users. With customers’ consent, carriers sell the ability to acquire location data for marketing purposes like providing coupons when someone is near a business, or services like roadside assistance or bank fraud protection. Companies that use the data generally sign contracts pledging to get people’s approval — through a response to a text message, for example, or the push of a button on a menu — or to otherwise use the data legally...

Courts are split on whether investigators need a warrant based on probable cause to acquire location data. In some states, a warrant is required for any sort of cellphone tracking. In other states, it is needed only if an investigator wants the data in real time. And in others no warrant is needed at all.

Advertisement

Earlier this week, Senator Ron Wyden sent a letter to the Federal Communications Commission asking for an investigation into wireless carriers working with companies like Securus. Wyden’s office provided the letter to Gizmodo in which he characterizes the practice as “abusive and potentially unlawful.” He claims that the self-service portal used by the system fails to provide proper verification of legal orders and the privacy agreement between companies like Securus and wireless carriers amounts to “the legal equivalent of a pinky promise.” Wyden also wrote that top officials at Securus informed his office the company doesn’t take steps to verify documents uploaded by law enforcement for authorization of the surveillance.

In an email to Gizmodo, FCC Senior Communications Advisor Neil Grace confirmed the receipt of Wyden’s letter. “We have received the letter and are reviewing it,” Grace said.

In a demonstration of the complex web that this industry uses to get around privacy protections, the Times reports that all the major wireless carriers in the U.S. provide data to a location aggregator called LocationSmart. That information is sold to 3Cinteractive, a telemarketing company. Based on documents from Florida Department of Corrections, the Times determined that Securus then purchases the data from 3Cinteractive, but Securus declined to confirm that information for “confidentiality reasons.”

Advertisement

Wyden’s office also wrote letters to the CEOs of AT&T, Sprint, T-Mobile, and Verizon. He outlined steps that need to be taken to protect customers’ privacy and demanded answers on which third-parties each company is working with. They were given a June 15 deadline to respond.

It should provide no comfort that Sheriff Hutcheson was indicted for allegedly abusing the system. If the long list of accusation against him proves to be true, it’s safe to say that he was recklessly and blatantly corrupt. Hutcheson’s case shows a man who believed that his badge allowed him to do anything he wanted, and it took three years of investigation to bring charges. It took a man dying in one of his cells to get him removed from office. There’s no reason to believe officers that are less brazen in their corruption aren’t getting away with abusing this system every day.

[The New York Times]

Advertisement