Thousands of jails and prisons across the United States use a company called Securus Technologies to provide and monitor calls to inmates.
But the former sheriff of Mississippi County, Missouri, used a lesser-known Securus service to track people’s cellphones, including those of other officers, without court orders, according to charges filed against him in state and federal court.
The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon, documents show.
Between 2014 and 2017, the sheriff used the service at least 11 times, prosecutors said. His alleged targets included a judge and members of the State Highway Patrol. The sheriff, Cory Hutcheson, who was dismissed last year in an unrelated matter, has pleaded not guilty in the surveillance cases.
As location tracking has become more accurate, and as more people carry their phones at every waking moment, the ability of law enforcement officers and companies like Securus to get that data has become an ever greater privacy concern.
Securus offers the location-finding service as an additional feature for law enforcement and corrections officials, part of an effort to entice customers in a lucrative but competitive industry. In promotional packets, the company, one of the largest prison phone providers in the country, recounts several instances in which the service was used.
In one, a woman sentenced to drug rehab left the center but was eventually located by an official using the service. Other examples include an official who found a missing Alzheimer’s patient and detectives who used “precise location information positioning” to get “within 42 feet of the suspect’s location” in a murder case.
Asked about Securus’ vetting of surveillance requests, a company spokesman said that it required customers to upload a legal document, such as a warrant or affidavit, and certify that the activity was authorized.
“Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel,” the spokesman said in a statement. Securus offers services only to law enforcement and corrections facilities, and not all officials at a given location have access to the system, the spokesman said.
Sen. Ron Wyden, D-Ore., wrote in a letter this week to the Federal Communications Commission that Securus confirmed that it did not “conduct any review of surveillance requests.” The senator said relying on customers to provide documentation was inadequate. “Wireless carriers have an obligation to take affirmative steps to verify law enforcement requests,” he wrote, adding that Securus did not follow those procedures.
The service provided by Securus reveals a potential weakness in a system that is supposed to protect the private information of millions of cellphone users. With customers’ consent, carriers sell the ability to acquire location data for marketing purposes like providing coupons when someone is near a business, or services like roadside assistance or bank fraud protection. Companies that use the data generally sign contracts pledging to get people’s approval – through a response to a text message, for example, or the push of a button on a menu – or to otherwise use the data legally.
But the contracts between the companies, including Securus, are “the legal equivalent of a pinkie promise,” Wyden wrote. The FCC said it was reviewing the letter.
Courts are split on whether investigators need a warrant based on probable cause to acquire location data. In some states, a warrant is required for any sort of cellphone tracking. In other states, it is needed only if an investigator wants the data in real time. And in others no warrant is needed at all.
The Justice Department has said its policy is to get warrants for real-time location tracking. The Supreme Court has ruled that putting a GPS tracker on a car counts as a search under the Fourth Amendment, but this was because installing the device involved touching a person’s property – something that does not happen when a cellphone is pinged.
Phone companies have a legal responsibility under the Telecommunications Act to protect consumer data, including call location, and can provide it in response to a legal order or sell it for use with customer consent. But lawyers interviewed by The New York Times disagreed on whether location information that was not gathered during the course of a call had the same protections under the law.
As long as they are following their own privacy policies, cellphone carriers “are largely free to do what they want with the information they obtain, including location information, as long as it’s unrelated to a phone call,” said Albert Gidari, the consulting director of privacy at the Stanford Center for Internet and Society and a former technology and telecommunications lawyer. Even when the phone is not making a call, the system receives location data, accurate within a few hundred feet, by communicating with the device and asking it which cellphone towers it is near.
Other experts said the law should apply for any communications on the network, not just phone calls. “If the phone companies are giving someone a direct portal into the real-time location data on all of their customers, they should be policing it,” said Laura Moy, the deputy director of the Georgetown Law Center on Privacy & Technology.
Wyden, in his letter to the FCC, also said that carriers had an obligation to verify whether law enforcement requests were legal. But Securus cuts the carriers out of the review process, because the carriers do not receive the legal documents.
The letter called for an FCC investigation into Securus, as well as the phone companies and their protections of user data. Wyden also sent letters to the major carriers, seeking audits of their relationships with companies that buy consumer data. Representatives for AT&T, Sprint, T-Mobile and Verizon said the companies had received the letters and were investigating.
“If this company is, in fact, doing this with our customers’ data, we will take steps to stop it,” said Rich Young, a Verizon spokesman. T-Mobile said it “would take appropriate action” if it found any misuse of data.
AT&T also said it followed industry “best practices” in handling data, and Sprint said it shared location information only with customer consent or in response to lawful requests.
Privacy concerns about Securus and location services were raised to the FCC last year before the company’s sale to Platinum Equity, a private equity firm, for about $1.5 billion. Lee Petro, a lawyer representing a group of inmate family members, wrote letters urging the commission to reject the deal, based in part on concerns about locating people who spoke with inmates over the phone.
Securus, founded in Dallas in 1986, has marketed its location service as a way for officials to monitor where inmates placed calls. Securus has said this would block escape attempts and the smuggling of contraband into jails and prisons, and help track calls to areas “known for generating illegal activity.”
In an email, Securus said the service was based on cell tower information, not on phone GPS.
Securus received the data from a mobile marketing company called 3Cinteractive, according to 2013 documents from the Florida Department of Corrections. Securus said that for confidentiality reasons it could not confirm whether that deal was still in place, but a spokesman for Wyden said the company told the senator’s office it was. In turn, 3Cinteractive got its data from LocationSmart, a firm known as a location aggregator, according to documents from those companies. LocationSmart buys access to the data from all the major American carriers, it says.
LocationSmart and 3Cinteractive did not respond to requests for comment.
Securus said it got consent before tracking phone calls made from prisons, requiring those on the receiving end to press a button agreeing to the collection of location data.
The location service has proved to be a selling point. Matthew Thomas, chief deputy of the Pinal County Sheriff’s Office in Arizona, said that the department had been using Securus’ location tool for about a month, and that it had already come in handy. “We use it for search-and-rescue operations, and at the jail they use it to maintain security and to put cases together,” he said.
Thomas said that only three people in the office could log in to the system, and that the office did monthly audits to ensure its proper use.
About three weeks ago, Thomas said, someone mailed a letter containing methamphetamine to an inmate. By using the location tool, Thomas said, investigators were able to link phone calls between the address and the inmate and make an arrest.
For search-and-rescue cases, Thomas said, the Securus tool was more efficient than requesting data through the phone companies. “It makes it a lot faster response for our crew,” he said.
In such instances, the people being located cannot give consent, so the official is supposed to upload a warrant, affidavit or court order to justify the surveillance.
Securus said that it had cooperated with officials investigating the case in Missouri.
Hutcheson, the defendant in the surveillance case, was charged with forgery in state court last year and also by a federal grand jury in March over similar offenses related to the phone pinging. He was removed from his duties as sheriff in 2017 after an inmate’s death, though he was not charged with a crime in that matter. The Highway Patrol officers who were allegedly tracked filed suit in federal court. Hutcheson’s lawyer declined to comment on the litigation.