88 COMMUNI CATI ONS OF THE ACM | JULY 2011 | VOL. 54 | NO.

7
review articles
Justice Brandeis wrote this warning
when all telephones were wired and
dedicated solely to speech communi-
cation. Since then we have witnessed
the development of cellular technology
and the convergence of a wide variety
of functions onto the cellular platform.
The combination of mobility and data
services has led cellular technology to
play an increasingly important role in
economic and social networks, from
forming the basis for new markets to
facilitating political action across the
globe. It is thus critical to recognize
that cellular telephony is a surveillance
technology that generates a vast store
of personal information, information
that has become a focus for law en-
forcement and marketing. The subse-
quent use of the collected data, both
overt and covert, affects the use of cel-
lular technology, as well as the individ-
uals who use it and the society in which
it has become ubiquitous.
In this article, I review how the
courts have attempted to balance the
needs of law enforcement and market-
ers against the privacy rights of indi-
viduals. The social science literature
on the impact of surveillance on the
individual and on society is surveyed
and then applied to the specic case
of cellular telephony. I conclude with
a closer look at the mechanics of cel-
lular data collection and a demonstra-
THE EVIL INCIDENT to invasion of the privacy of the
telephone is far greater than that involved in tampering
with the mails. Whenever a telephone line is tapped, the
privacy of the persons at both ends of the line is invaded,
and all conversations between them upon any subject,
and although proper, condential, and privileged,
may be overheard. Moreover, the tapping of one mans
telephone line involves the tapping of the telephone of
every other person whom he may call, or who may call
him. As a means of espionage, writs of assistance and
general warrants are but puny instruments of tyranny
and oppression when compared with wiretapping.
Justice Louis Brandeis, Dissenting Opinion
Olmstead v. United States, 277 U.S. 438 (1928)
key insights
The consolidation of all major forms of
modern electronic communication onto
the cellular platform and the ubiquity
and power of the cellular platform have
led to major changes in personal and
social dynamics, political action, and
economics. It is thus vitally important
to recognize that cellular telephony is a
surveillance technology.
Professionals interested in the design and
deployment of cellular technology will
receive an overview of the current legal
status of cellular databases, as well as
the impact of the use of this data on the
individual and society.
A private overlay will allow cellular
subscribers to enjoy the same user
experience without providing private
information.
Cellular
Telephony
and the
Question
of Privacy
DOI : 10. 1145/1965724. 1965745
A private overlay may ease concerns
over surveillance tools supported by
cellular networks.
BY STEPHEN B. WICKER
JULY 2011 | VOL. 54 | NO. 7 | COMMUNI CATI ONS OF THE ACM 89
I
L
L
U
S
T
R
A
T
I
O
N

B
Y

A
L
E
X

W
I
L
L
I
A
M
S
O
N
tion that a cellular network need not
be a surveillance network; relatively
simple public-key technology can be
used to create a private overlay, allow-
ing subscribers to make the most of
cellular technology without the fear of
creating a data record that can be ex-
ploited by others.
Telephony and the Bill of Rights
During the U.S.s colonial period, Brit-
ish troops used writs of assistance as
the basis for general searches for con-
traband in the homes of the colonists.
8

In an effort to prevent such searches in
the new republic, the Fourth Amend-
ment was included in the Bill of Rights.
The Fourth Amendment protects
against unreasonable searches and
seizures, and states that no warrant
shall issue but upon probable cause.
The amendments language says noth-
ing, however, about telephones or elec-
tronic communication. The means
by which legal protection against tel-
ephonic surveillance evolved through
judicial interpretation of the Fourth
Amendment is summarized here.
Content. The rst signicant Su-
preme Court case to address wiretap-
ping was Olmstead v. The United States
(1928). In a 5-4 decision, the Court de-
termined that the police use of a wire-
tap was not search and seizure. Writing
for the majority, Chief Justice Taft ex-
pressed an extremely literal interpreta-
tion of search and seizure:
The [Fourth] Amendment does not
forbid what was done here. There was
no searching. There was no seizure. The
evidence was secured by the use of the
sense of hearing and that only. There
was no entry of the houses or ofces of
the defendants.
Chief Justice William Howard Taft
Olmstead v. United States,
277 U.S. 438 (1928)
The rst of the two holdings of the
Olmstead decisionthe interception
of a conversation is not seizurewas
reversed in Berger v. New York (1967).
Acting under a New York law of the
time, police planted listening devic-
es in the ofce of an attorney named
Ralph Berger. Berger was subsequent-
ly indicted, tried, and convicted for
conspiracy to bribe a public ofcial.
In its opinion, the Supreme Court fo-
cused on the extremely broad author-
ity granted by the statute: Law enforce-
ment authorities were only required
to identify the individual and the
phone number to be tapped in order
to obtain authorization for a wiretap.
Likening this type of warrant to the
general warrants used by the British in
the American colonies, the Court over-
turned the New York statute. In doing
so, the Court held that conversations
were indeed protected by the Fourth
Amendment, and that the intercep-
90 COMMUNI CATI ONS OF THE ACM | JULY 2011 | VOL. 54 | NO. 7
review articles
The surveillance
architecture
adopted for cellular
networks generates
a pool of data that
feeds into law
enforcements
and marketers
desire for personal
information.
tion of a conversation was a seizure.
The second of the Olmstead hold-
ingswhere there is no physical tres-
pass, there can be no searchfell
that same year. In Katz v. United States
(1967), the Court considered the case
of Charles Katz, who had used a pay
phone in Los Angeles to place illegal
bets in Miami and Boston. Without
obtaining a warrant, FBI agents placed
listening devices outside of the phone
booth and recorded Katz end of sev-
eral conversations. The transcripts of
these conversations were introduced
during Katz trial, and presumably
played a role in his conviction. In re-
sponse to his appeal, the Supreme
Court ruled that tapping phone calls
placed from a phone booth required a
warrant. The majority opinion explic-
itly overturned Olmstead, holding that
the Fourth Amendment protects peo-
ple, not places; trespass was no longer
necessary for the Fourth Amendment
to be implicated.
Justice Harlans concurring opin-
ion introduced a two-part test for de-
termining whether the Fourth Amend-
ment should be applied in a given
situation:

The person must have exhibited
an actual (subjective) expectation of
privacy;

This expectation is one that society
is prepared to recognize as reasonable.
Thus by 1967 Olmstead was com-
pletely reversed, and the Court was ap-
plying Fourth Amendment protection
to the content of telephone calls. How-
ever, the context of telephone and oth-
er electronic communication did not
receive the same level of protection.
Context. The distinction between
the content and context of electronic
communication is best understood
through the analogy of postal mail.
The content information is the letter it-
selfthe written or typed communica-
tion generated by one party for the pur-
pose of communicating with another
party. As with the content of a tele-
phone call, letters are protected by a
series of rather strict regulations.
a
The
context information consists of the
information on the outside of the en-
velope, information used by the com-
a See Ex Parte Jackson, 96 U.S. (6 Otto) 727, 733
(1877); Walter v. United States, 447 U.S. 649,
651 (1980).
munication system to establish com-
munication between the two parties.
In the case of the postal system, this
consists primarily of the mailing and
return addresses, but may also include
postmarks or other information that
accumulates in transit. In the case of
a cellular telephone call, context data
includes the number the caller dials,
the number from which the caller di-
als, the location of the caller, the time
of the call, and its duration.
Courts and legislatures have been
far less protective of context informa-
tion than content. The basic rationale
is that the user understands context
information is needed to complete
the communication process, and
that in using the technology, context
information is freely given to the net-
work. It follows that, according to the
courts, there is no reasonable expec-
tation of privacy in this information,
and the Fourth Amendment is not im-
plicated.
The key precedent is United States
v. Miller (1976), a case with far reach-
ing implications for the public use of
a wide variety of communication net-
works. The case involved a modern-
day bootlegger named Mitch Miller;
prohibition was not the issue, the fo-
cus was instead on the more mundane
matter of taxation. While putting out a
re at Millers warehouse, reghters
and police discovered 175 gallons of
whiskey that did not have the requisite
tax stamps. Investigators obtained,
without a warrant, copies of Millers
deposit slips and checks. The can-
celled checks showed that Miller had
purchased material for the construc-
tion of a still. Miller was subsequently
convicted of possessing an unregis-
tered still.
Miller appealed, claiming that his
Fourth Amendment rights had been
violated; the investigators should have
obtained a warrant before acquiring
his bank records. The Supreme Court
disagreed. Writing for the Court, Jus-
tice Powell stated that:
There is no legitimate expectation of
privacy in the contents of the original
checks and deposit slips, since the checks
are not condential communications,
but negotiable instruments to be used
in commercial transactions, and all the
documents obtained contain only in-
review articles
JULY 2011 | VOL. 54 | NO. 7 | COMMUNI CATI ONS OF THE ACM 91
formation voluntarily conveyed to the
banks and exposed to their employees
in the ordinary course of business (em-
phasis added).
Justice Lewis Powell
United States v. Miller,
425 U.S. 435 (1976)
The Miller ruling was applied to elec-
tronic communication a few years later
in the case of Smith v. Maryland (1979). In
this case, Michael Lee Smith burglarized
a womans home and then made harass-
ing telephone calls to her after the fact. In
response to a request from investigators,
the telephone company installed a pen
register at the central ofce that served
Smiths home telephone line. A pen
register is a device that records all of the
numbers dialed from a given telephone
line. In this particular case, the pen reg-
ister captured the victims phone num-
ber being dialed on Smiths telephone
line; as a result, a warrant for a search of
Smiths home was obtained, evidence
was found, and Smith was subsequently
convicted of robbery. Smith appealed,
claiming that the use of the pen register
violated his Fourth Amendment rights.
The Supreme Court disagreed. On the
basis of the Katz reasonable expectation
test and the results of the Miller case, Jus-
tice Blackmun wrote that:
First, it is doubtful that telephone us-
ers in general have any expectation of pri-
vacy regarding the numbers they dial, since
they typically know that they must con-
vey phone numbers to the telephone com-
pany and that the company has facilities
for recording this information and does
in fact record it for various legitimate busi-
ness purposes (emphasis added).
Justice Harry Blackmun
Smith v. Maryland,
442 U.S. 735 (1979)
By 1979, the Court had clearly distin-
guished privacy rights regarding the con-
tent of telephone calls from the rights ac-
corded to their context. This distinction
was embedded in the Electronic Com-
munication Privacy Act of 1986 (ECPA
12
),
which includes three titles that provide
varying levels of protection for various
types of electronic communication:

Title I: Electronic Communications
in Transit;

Title II: Stored Electronic Communi-
cation; and

Title III: Pen Register/Trap and
ment is made. According to Title II,
law enforcement agencies can obtain
this information by providing specic
and articulable facts showing that the
information is relevant and material
to an ongoing investigation, a proce-
dural hurdle that is substantially lower
than the probable cause require-
ment for a warrant.
d
Prospective or real-time cell site
data is forward looking. A request for
prospective data is a request that the
service provider provide a continuous
update of the cell sites with which the
subscriber has made contact. The legal
status of prospective data depends in
part on whether or not a cellular tele-
phone is considered a tracking device.
e

Several courts
f
have ruled that a cell-
phone is not a tracking device and that
Title III of the ECPA is the ruling au-
thority. In these cases the registration
messages emitted have been likened
to the numbers dialed by the user. The
legal protection under Title III is mini-
mal, requiring only that an attorney for
the government certify that the infor-
mation to be obtained is relevant to an
ongoing criminal investigation.
12
Other courts,
g
however, have come
to the opposite conclusion. In 2005
Judge Orenstein of the Eastern District
of New York denied a law enforcement
request for prospective cell site data.
d The details of the requirements for a warrant
can be found in Rule 41 of the Federal Rules of
Criminal Procedure.
e See In re Application for Pen Register and
Trap/Trace Device with Cell Site Location Au-
thority, H-05-557M S.D. Tex., Oct. 14, 2005: [a]
Rule 41 probable cause warrant was (and is)
the standard procedure for authorizing the in-
stallation and use of mobile tracking devices.
See United States v. Karo, (1984).
f See, for example, In re Application for an Or-
der Authorizing the Extension and Use of a
Pen Register Device, 2007 WL 397129 (E.D.
Cal. Feb. 1, 2007); In re Application of the Unit-
ed States, 411 F. Supp. 2d 678 (W.D. La. 2006);
In re Application of the United States for an
Order for Prospective Cell Site Location Info.,
460 F. Supp. 2d 448 (S.D.N.Y. 2006) (S.D.N.Y.
II); In re Application of the United States of
America, 433 F.Supp.2d 804 (S.D. Tex. 2006)
g See, for example, re Application of United
States of America for an Order Authorizing
the Disclosure of Prospective Cell Site Info.,
2006 WL 2871743 (E.D. Wis. Oct. 6, 2006); In
re Application of the United States of America,
441 F. Supp. 2d 816 (S.D. Tex. 2006); In re Ap-
plication for an Order Authorizing the Instal-
lation and Use of a Pen Register and Directing
the Disclosure of Telecomm. Records, 439 F.
Supp. 2d 456 (D. Md. 2006).
Trace Devices.
b
Title I covers the content of elec-
tronic communication, and generally
requires a warrant for the disclosure of
the content. Title II, sometimes referred
to as the Stored Communications Act
(SCA), covers stored wire and electronic
communications, as well as transac-
tional records. Title III, sometimes re-
ferred to as the Pen Register Act, covers
pen registers and related devices.
There has been a great deal of court
time spent debating which of the three
titles applies to the information col-
lected by a cellular network. This is
an important issue, as it determines
the legal burdens that law enforce-
ment must overcome to obtain the
data. Title II has been found to cover
historical cell site data.
c
Historical cell
site data is a list of the cell sites visited
by a subscriber up until the point in
time that the request by law enforce-
b A trap and trace device is similar to a pen reg-
ister, but instead of capturing numbers dialed
from a given number, it captures the numbers
of parties that dial to a given number.
c See In re Applications, 509 F. Supp. 2d 76
(D. Mass. 2007); In re Application, 2007 WL
3036849 (S.D. Tex. Oct. 17, 2007). I
L
L
U
S
T
R
A
T
I
O
N

B
Y

A
L
E
X

W
I
L
L
I
A
M
S
O
N
92 COMMUNI CATI ONS OF THE ACM | JULY 2011 | VOL. 54 | NO. 7
review articles
communications service.
j

Perhaps the most signicant im-
pact of CALEA on cellular systems will
be through its amended provisions
affecting voice-over-IP (VoIP). Under
CALEA, VoIP service providers cannot
release IP calls to travel freely between
subscriber terminal adapters; instead,
the service provider must anchor most
calls, creating a xed point that must
be traversed by call packets in both di-
rections.
k
Upon the presentation of an
appropriate warrant, a duplicate call
stream is generated at this xed point
and passed to a law enforcement agen-
cy. Such restrictions will almost cer-
tainly apply to 4G cellular platforms,
which will implement all-IP solutions
for voice and data.
l
Several of the provisions of the USA
PATRIOT Act
m
also have current and fu-
ture implications for cellular systems.
The PATRIOT Act amended much of
the legislation discussed earlier,
n
the
following provides a brief summary of
a few key elements.

Section 204 amended Title II of the
ECPA so that stored voicemail can be
obtained by the government through a
search warrant rather than through the
more stringent process of obtaining a
wiretap order.
o

Section 216 expanded the pen reg-
ister and trap and trace provisions of
the ECPA to explicitly cover the context
j 47 U.S.C. Section 1002(a)
k The xed point often takes the form of a Ses-
sion Border Controller (SBC). See, for exam-
ple, The Benets of Router-Integrated Session
Border Control, White paper, Juniper Net-
works, http://www.juniper.net/us/en/local/pdf/
whitepapers/2000311-en.pdf and http://tools.
ietf.org/html/draft-ietf-sipping-sbc-funcs-00.
l For a discussion of potential vulnerabilities of
CALEA monitoring systems, see Ptzmann et
al.
35
and Sherr et al.
41
m Uniting and Strengthening America by Provid-
ing Appropriate Tools Required to Intercept
and Obstruct Terrorism Act of 2001, signed
into law Oct. 26, 2001.
n A detailed discussion can be found at http://
epic.org/privacy/terrorism/usapatriot/#history.
Many of the provisions discussed here had as-
sociated sunset clauses, but as recently as Mar.
1, 2010, Congress has continued to provide ex-
tensions to these clauses.
o For a comparison of the two procedures, see,
for example, Susan Friewald:
19
Because of
the particular dangers of abusing electronic
surveillance, the Court required that agents
who wanted to conduct it had to surmount
several procedural hurdles signicantly more
demanding than the probable cause warrant
needed to search a home.
Judge Orenstein found
h
that a cell-
phone was in fact a tracking device,
and that a showing of probable cause
was necessary to obtain prospective
cell site data. On Sept. 7, 2010 the Unit-
ed States Court of Appeals for the Third
Circuit upheld a lower courts opinion
that a cellular telephone was in fact a
tracking device, and further ruled that
it is within a magistrate judges discre-
tion to require a showing of probable
cause before granting a request for his-
torical cell site data.
i
CALEA and the USA PATRIOT Act.
Clearly the information made avail-
able by the cellular architecture has
motivated law enforcement to pursue
it. And having gotten used to this mas-
sive source of personal information,
law enforcement would like to keep the
data conduits open. The development
and commercialization of new tele-
phone technologies in the 1980s and
1990s caused concern that less sur-
veillance-friendly architectures were
becoming the norm. This prompted
law enforcement to ask Congress for
legislation that would require service
providers to provide a common means
for surveillance regardless of the tech-
nology in use. The Director of the FBI
made the point quite clearly in testi-
mony before Congress:
The purpose of this legislation, quite
simply, is to maintain technological ca-
pabilities commensurate with existing
statutory authority; that is, to prevent
advanced telecommunications technol-
ogy from repealing, de facto, statutory
authority now existing and conferred to
us by the Congress.
Former FBI Director Louis Freeh
18
The result of this effortthe Com-
munications Assistance for Law En-
forcement Act (CALEA
4
)was passed
on the last night of the 1994 congressio-
nal session. CALEA requires that ser-
vice providers facilitat[e] authorized
communications interceptions and
access to call-identifying information
unobtrusively and with a minimum of
interference with any subscribers tele-
h 384 F. Supp.2d 562 (E.D.N.Y. 2005)
i See The Matter Of The Application Of The Unit-
ed States Of America For An Order Directing A
Provider Of Electronic Communication Service
To Disclose Records To The Government, 3d.
Cir., 08-4227.
of Internet trafc. The URLs visited
from a cellular platform, for example,
thus receive the low level of protection
provided by Title III of the ECPA.

Section 217 permits government
interception of the communications
of a computer trespasser if the owner
or operator of a protected computer
authorizes the interception.
The last of the provisions, common-
ly referred to as the computer trespass-
er provision, has caused concern as it
appears to allow interception of all traf-
c through intermediate routers and
switches if the owners of the equipment
authorize the interception. This could,
for example, include all trafc through
a gateway GPRS support nodethe in-
terface between 3G cellular networks
and the Internet. Given that the service
providers have been granted immunity
from lawsuits led in response to their
cooperation with intelligence agen-
cies,
27
this provision was particularly
troubling to some privacy advocates.
p
It should be noted that some re-
searchers have argued that the PATRI-
OT Act has simply claried existing
policy. Orin Kerr, for example, has pro-
vided a detailed argument that none
of the changes altered the basic statu-
tory structure of the Electronic Com-
munications Privacy Act of 1986.
26
The Right to Market. Thus far, I have
focused on the laws and regulations
that limit law enforcements access
to the data collected by cellular ser-
vice providers. But what of the service
providers themselves? A quick tour
through some recent case law is inter-
esting in that it shows how the carriers
view their right to use this informa-
tion, and the commercial value that
they place on it. In what follows there
will be two basic questions: Are the car-
riers limited in how they may use the
data for their own marketing? Are they
limited in their ability to sell the data to
third parties?
On January 3, 1996 Congress
passed the Telecommunications Act
of 1996, the rst major restructuring
of telecom law since 1934. Section
222 of the Act states that [e]very tele-
communications carrier has a duty
to protect the condentiality of pro-
prietary information of, and relating
p See, for example, http://epic.org/privacy/ter-
rorism/usapatriot/.
review articles
JULY 2011 | VOL. 54 | NO. 7 | COMMUNI CATI ONS OF THE ACM 93
In dynamic political
situations, many
users will be aware
of the potential for
surveillance, and
will thus put self-
imposed limitations
on their use of
cellular technology.
to, other telecommunication carri-
ers, equipment manufacturers, and
customers.
44
With regard to custom-
ers, section 222 dened customer
proprietary network information
(CPNI) to be information that relates
to the quantity, technical congura-
tion, type, destination, location, and
amount of use of a telecommunica-
tions service subscribed to by any cus-
tomer of a telecommunications car-
rier, and that is made available to the
carrier by the customer solely by virtue
of the carrier-customer relationship.
Note that Congress was somewhat pre-
scient in its inclusion of location.
In the 1998 order passed by the FCC
to implement section 222, the FCC im-
posed an opt-in requirement on any
carrier that wanted to use a customers
data to market additional services to
that customer. The carriers had to ob-
tain a customers afrmative, explicit
consent before using or sharing that
customers information outside of the
existing relationship with the carrier.
14

The carriers sued the FCC in the 10th
Circuit Court of Appeals (U.S. West, Inc.
v. FCC), claiming that the opt-in rule
violated their First and Fifth Amend-
ment rights. With regard to the First
Amendment, the carriers argued that
the FCCs rules were an unconsti-
tutional restriction on the carriers
rights to speak with their customers.
The carriers Fifth Amendment argu-
ment relied on the Takings Clause; the
last phrase in the Fifth Amendment,
the Takings Clause states that private
property [shall not] be taken for public
use, without just compensation. The
carriers argued that CPNI represents
valuable property that belongs to the
carriers and the regulations greatly di-
minish its value.
47
In a 2-1 decision, the Circuit Court
agreed with the carriers First Amend-
ment argument. While acknowledging
that the speech involved was commer-
cial and that such speech receives less
protection than, for example, political
speech, the Court held the FCCs rule
was more extensive than is necessary
to serve the governments interest.
Writing for the Court, Judge Tacha
stated that Even assuming that tele-
communications customers value the
privacy of CPNI, the FCC record does
not adequately show that an opt-out
strategy would not sufciently protect
customer privacy.
Judge Tacha did not address the
Fifth Amendment argument, but
Judge Briscoe, writing in dissent, made
his opinion clear, stating that I view
U.S. Wests petition for review as little
more than a run-of-the-mill attack on
an agency order clothed by ingenious
argument in the garb of First and Fifth
Amendment issues.
In response to the Tenth Circuits
decision, the FCC modied its rules
in 2002, allowing for an opt-out rule
for sharing of customer information
between a carrier and its afliates for
marketing purposes.
15
The 2002 rule
also addressed the sharing of infor-
mation with independent contrac-
tors for marketing communications-
related services. An opt-out rule was
deemed acceptable here as well, but
recognizing the additional privacy
risk, the FCC required that the carriers
establish condentiality agreements
with the contractors to further protect
consumer privacy.
In 2005, the Electronic Privacy Infor-
mation Center (EPIC) requested that
these third-party rules be modied.
Pointing to the use of pretextinga
practice in which third parties pretend
to have the authority to receive the data
and then use it for their own market-
ing, tracking, or other purposesEPIC
called for stricter rules that would pro-
tect the safety of the subscriber.
q
In
2007, the FCC passed yet another set
of rules, this time requiring that the
carriers obtain opt-in consent from
a customer before disclosing that cus-
tomers [information] to a carriers
joint venture partner or independent
contractor for the purpose of market-
ing communications-related services
to that customer.
16
The carriers sued, once again as-
serting their First Amendment rights.
In National Cable & Telecommunication
Assoc. v. F.C.C. (2009), the U.S. Court
of Appeals for the District of Colum-
bia Circuit conducted a meticulous
analysis in which the judges consid-
ered whether the government had met
its constitutional burden in regulat-
ing what all agreed was commercial
speech. In the end, the Court upheld
q In 2006 Congress passed the Telephone Re-
cords and Privacy Protection Act of 2006, mak-
ing pretexting illegal.
94 COMMUNI CATI ONS OF THE ACM | JULY 2011 | VOL. 54 | NO. 7
review articles
the FCCs rules, asserting that they
were proportionate to the interests
sought to be advanced.
Which brings us up to date: an opt-
out rule governs the carriers use of
CPNI in their own marketing, while an
opt-in rule covers the transfer of this
data to third parties for their own mar-
keting purposes.
Concluding thoughts on the law. In
summary, the surveillance architec-
ture adopted for cellular networks gen-
erates a pool of data that feeds into law
enforcements and marketers desire
for personal information. The result
has been a long-running legal battle in
which the privacy rights of individuals
are continuously traded off against le-
gal and economic imperatives.
The Impact of Cellular Surveillance
The social science literature on sur-
veillance and privacy covers a great
deal of ground, so I will begin with a
few basic assumptions that will nar-
row the eld a bit. We rst assume
that the primary impact of surveil-
lance is a reduction in privacy. The
next stepa denition for privacy
has proven in the past to be a notori-
ously difcult problem. Attempts at
denitions are usually followed by
a urry of articles pointing out why
the denition doesnt work in one or
more contexts.
r
An all-encompassing
denition is not necessary for our pur-
poses, however, as we are focusing on
the impact of surveillance on the use
of the cellular platform. We need only
note that a common element of most
privacy theories is the metaphor of
a zone of seclusion, a zone in which
the agent can control access to vari-
ous types of personal information.
33

The value of such a zone lies in part in
the agents perception of solitude and
safety. The agent feels free to exercise
various thoughts and behaviors with-
out threat of censure, and is thus able
to develop a sense of self-realization.
Self-realization is a core personal and
social valueit has been cited as the
basis for valuing free speech,
37
thus
enmeshing privacy in a web of values
that animate democratic systems of
r A sense of the back and forth can be obtained
by starting at the beginning of Schoemans
excellent anthology
38
and reading straight
through.
protest against Philippine President
Joseph Estrada and the Ukranian Or-
ange Revolution of 2004.
A Kenyan example typies both the
use of the platform as a political tool
and the potential consequences of
surveillance. In January 2008, it was
reported that incumbent presidential
candidate Mwai Kibaki had rigged the
Kenyan presidential election. A texting
campaign to promote demonstrations
began almost immediately, with the
discourse quickly devolving into racial
hatred.
21
Instead of shutting down the
SMS system, the Kenyan authorities
sent messages of peace and calm to the
nine million Safaricom subscribers.
After the violence subsided, cellular
service providers gave the Kenyan gov-
ernment a list of some 1,700 individu-
als who had allegedly used texting to
promote mob violence.
36
The Kenyan
Parliament is debating a law that places
limits on the contents of text messages.
Cellular networks have thus be-
come a key platform for political
speech. The impact of surveillance on
such use can be developed through
analogy to Jeremy Benthams Panopti-
con.
2
The Panopticon was a proposed
prison in which the cells were arranged
radially about a central tower. The cells
were backlit so that a guard in the tower
could always see the prisoners, but the
prisoners could never see the guards.
Bentham characterized the Panopti-
con as providing a new mode of ob-
taining power of mind over mind, in a
quantity hitherto without example.
The analogy is obviouswe know
that wiretapping or location data col-
lection through use of the cellular
platform is possible, we just do not
know whether or when it is happen-
ing. It follows that in dynamic political
situations, many users will be aware of
the potential for surveillance, and will
thus put self-imposed limitations on
their use of cellular technology. Cel-
lular networks are thus a distributed
form of Panopticon.
45
The self-imposition of discipline is
a key element in this analysis. In Dis-
cipline and Punish, Michel Foucault
characterized the impact of the Panop-
ticons pervasive and undetectable sur-
veillance as assuring the automatic
functioning of power.
17
Foucault ar-
gued that this led to an internalization
of discipline that resulted in docile
government. Privacy is thus connect-
ed to personal as well as societal de-
velopment and well-being.
An overlapping yet distinct issue re-
lated to the cellular platform is the po-
tential for manipulation through the
use of personal information. As we will
see, the availability of personal infor-
mation increases the efcacy of adver-
tising and other attempts to drive the
agent to particular thoughts or actions.
The agents autonomy is thus at risk,
implicating another of the values im-
portant to democratic government.
6,11
From the standpoint of the cellular
platform, then, there are two issues to
be addressed: the relatively passive in-
fringement on the zone of seclusion
through eavesdropping and data col-
lection, and the more active infringe-
ment through manipulation based on
collected data. The passive infringers
generally consist of service providers
and law enforcement agencies, while
the more active take the form of mar-
keters, a group including service pro-
viders as well as third parties that have
purchased the collected data.
Passive surveillance. Passive privacy
infringement has its impact through
the cellular user communitys aware-
ness of the potential for surveillance.
The omnipresent potential for sur-
veillance affects several aspects of the
use of the cellular platform, including
social networking, family interaction,
and political expression. We will con-
sider the latter as an exemplary case,
but it should be borne in mind that this
is but one dimension of a multidimen-
sional problem.
The cellular platform has become
increasingly important as a means for
conveying political speech and orga-
nizing political behavior. The copiers
and FAX machines that enabled the
movements that brought down the
Soviet empire
s
have been replaced by
the cellphone and its immediately
available, highly portable texting and
video capabilities. Some of the more
salient examples of the political use of
the cellular platform have involved the
coordination of mass action against
political corruption, such as the 2001
s See, for example, Endre Dnyis Xerox Project:
Photocopy Machines as a Metaphor for an
Open Society. The Information Society 22, 2
(Apr. 2006), 111115.
review articles
JULY 2011 | VOL. 54 | NO. 7 | COMMUNI CATI ONS OF THE ACM 95
bodies, bodies that were ideal for the
regimented classrooms, factories, and
military of the modern state. Docility
can take many forms: Dawn Schrader,
for example, has noted the impact of
surveillance/observation on knowl-
edge acquisition patterns; the indi-
vidual under surveillance is intellectu-
ally docile, less likely to experiment or
to engage in what she calls epistemic
stretch.
39
Surveillance can literally
make us dumber over time. The impact
of the perception of surveillance on cel-
lular users is thus to limit experimen-
tation by the users, who subsequently
channel speech into safe and innoc-
uous pathways. It follows that given
the growing importance of the cellu-
lar platform as a means for political
speech, the surveillance capabilities
inherent in the design of cellular net-
works are a problem with deep politi-
cal ramications.
Active surveillance creates another,
overlapping, set of problems for the in-
dividual and society. The rst lies in the
use of the data to sort individuals into
categories that may limit their options
in various ways. In the second, the in-
formation ows themselves are manip-
ulative. We begin with the problem of
sorting, and then move on to the latter
form of manipulation.
In The Panoptic Sort, Oscar Gandy in-
vestigated the means by which panoptic
data is used to classify and sort individ-
uals.
20
Law enforcement, for example,
uses data to prole and thereby sort
people into those who are suspicious
and those who appear relatively harm-
less. Credit agencies use personal data
to perform a ner sort, allocating indi-
viduals into varying levels of credit wor-
thiness. Direct marketers use a similar
approach to determine who is most
likely to buy a given range of products.
Gandy notes that the latter creates an in-
sidious form of discrimination, as indi-
viduals are relegated to different infor-
mation streams based on the likelihood
they will buy a given item or service, and
individual perspectives and life oppor-
tunities are correspondingly limited.
In the cellular context, such sort-
ing is performed by both the service
providers and third-party marketers.
As we have seen, exemplars from both
groups have fought against FCC re-
strictions on the use of CPNI for selec-
tive marketing of communication and
evant information has been presented.
Framing plays an important role
in advertising. In Decoding Advertise-
ments,
48
Williamson uses the psycho-
analytic methodologies of Lacan and
Althusser to describe how targeted ad-
vertisements invite the individual into
a conceptual framework, creating a
sense of identity in which the individu-
al will naturally buy the proffered prod-
uct or service. Personal information is
used in this process to ne-tune the
frame, enhancing the sense in which
the advertisement names the indi-
vidual reader or viewer and thus draws
the consumer in and drives him or her
to the desired behavior.
The ability of the marketer to ne-
tune efforts is greatly enhanced when
the customers response to advertis-
ing can be directly observed, as is the
case with the cellular platform. This is
made possible through real-time inter-
active technologies that are embedded
in cellphones, such as Web browsers
with Internet connectivity. A simple ex-
ample (an example to which the author
is highly susceptible) involves an email
message describing a newly released
book that is available at a notable Web
retailer. The advertiser will know when
the email went out, when the link was
followed to the Web site, and whether
or not a purchase was made. Cell-based
social networking applications such as
Foursquare and Loopt take the process
a step further by using subscriber loca-
tion information as the basis for deliv-
ering location-based advertising. For
example, a user may be informed that
she is close to a restaurant that hap-
pens to serve her favorite food. She may
even be offered a discount, further add-
ing to the attraction. The efcacy of the
advertising can then be measured by
determining whether the user actually
enters the restaurant.
28
The problematic nature of such ex-
amples is not always clear, as some
would argue that they are pleased to
receive the advertisements and to be
informed, for example, of the availabil-
ity of their favorite food. So what is the
problem? Primarily, it lies in transpar-
encythe user may not understand the
nature of location data collection, or the
process that led to one restaurant or ser-
vice being proffered instead of another.
There has been a pre-selection process
that has taken place outside of the cellu-
other services.
There is an extensive literature on
how individual information ows can
be manipulative. For example, in his
Postscript on the Societies of Con-
trol, Gilles Deleuze introduces the
concept of modulation as an adap-
tive control mechanism in which an in-
formation stream from the individual
is used to ne-tune the information
provided to the individual, driving the
individual to the desired state of behav-
ior or belief.
9
The general idea here is that infor-
mation about an individual is used to
frame a decision problem in such a
manner that the individual is guided to
make the choice desired by the framer.
This has become an important concept
in economics and game theory; Tver-
sky and Kahneman, for example, have
shown that the rational actors percep-
tion of a decision problem is substan-
tially dependent on the how the prob-
lem is presentedwhat Tversky and
Kahneman refer to as the framing of
the problem.
46
Framing is so important
to decision making that individuals
have been shown to come to differing
conclusions depending on how the rel- I
L
L
U
S
T
R
A
T
I
O
N

B
Y

A
L
E
X

W
I
L
L
I
A
M
S
O
N
96 COMMUNI CATI ONS OF THE ACM | JULY 2011 | VOL. 54 | NO. 7
review articles
lar users eld of vision and cognizance.
The opportunity to explore and learn
on ones own has been correspondingly
limited and channeled, affecting both
self-realization and autonomy.
11
The
tightness of this Deleuzean feedback
loopits bandwidth and precisionis
particularly troubling.
Cellular Architecture,
Cellular Databases
What it is about the cellular network
that makes it so surveillance friendly,
and a potential threat to the individual
user and to society? The answer lies
in a series of design choices, choices
made in an attempt to solve the prob-
lem of establishing and maintaining
contact with a mobile user. The details
have lled many books (see, for exam-
ple, Etemad,
13
Holma and Toskala,
22

Kaarenenetal et al.,
24
and Mouly and
Pautet.
30
), but we need only trace the
path of a call that is incoming to a cel-
lular user to see how personal data is be-
ing collected and put to use.
The coverage area of a cellular net-
work is partitioned into relatively small
areas called cells, with each cell receiv-
ing a subset of the radio resources of
the overall network. Two cells may be
assigned identical spectral resources
a process called frequency reuseif
the cells are far enough apart to prevent
their radio transmissions from interfer-
ing with each other. A cell tower sits at
the center of each cell, establishing con-
nections between mobile users and the
wired cellular infrastructure. Location
areas are dened to consist of one or a
small number of cells. As we will see, the
location area is the nest level of granu-
larity used by the network in trying to
complete a call to a cellular platform.
We now consider an incoming call.
To complete an incoming call to a cellu-
lar phone, the network routes the call to
a mobile switching center (MSC
t
) that
is near the phone. Through a process
called paging, the MSC then causes the
called cellular phone to ring. When the
cellular user answers his or her phone,
the MSC completes the call and com-
munication can commence.
t As space is limited and such details are not im-
portant to the theme of this article, I will not
attempt to track vocabulary distinctions be-
tween second-, third-, and fourth-generation
cellular systems.
In order to perform this routing and
paging process, the network must keep
track of the location of the cellular tele-
phone. This is done through the regis-
tration process. All cellular telephones
that are powered on periodically trans-
mit registration messages that are re-
ceived by one or more nearby cell tow-
ers and then processed by the network.
The resulting location information
thus acquired is stored with varying lev-
els of granularity in several databases.
The databases of interest to us here
are the Home Location Register (HLR)
and the Visitor Location Register (VLR).
The HLR is a centralized database that
contains a variety of subscriber infor-
mation, including a relatively coarse
estimate of the subscribers current lo-
cation. HLRs are generally quite large;
there need be only one per cellular net-
work. VLRs, generally associated with
local switches, contain local registra-
tion data, including the identity of the
cell site through which registration
messages are received. There is typical-
ly one VLR per mobile switching center
(MSC) or equivalent.
The VLR stores the identication
number for the cell site through which
the registration message was received.
The identity of the MSC associated with
the VLR is forwarded to the Home Loca-
tion Register (HLR) that maintains the
records for the registering platform.
We can now track the progress of
an incoming call in more detail. Calls
from outside the cellular network will
generally enter the network through a
gateway MSC. The gateway MSC will use
the called number to identify and query
the appropriate HLR to determine how
to route the call. The call is then for-
warded to the MSC associated with the
last registration message, which in turn
queries the VLR to determine in which
location area to attempt to contact the
subscriber. The base station controller
associated with the location area then
causes a paging message to be sent to
the called cellular telephone, causing
it to ring. If the subscriber answers the
call, the MSC connects a pair of voice
channels (to and from the cellular plat-
form), and completes call setup.
The HLR and VLRs (or equivalents)
are thus the sources of the historic
and prospective cell site data dis-
cussed earlier in the survey of tele-
phone privacy law.
It remains possible,
however, to
secure cellular
networks against
surveillance.
review articles
JULY 2011 | VOL. 54 | NO. 7 | COMMUNI CATI ONS OF THE ACM 97
The question of whether a cellular
telephone is a tracking device has often
hinged on the resolution of the cell site
data. If the data consists solely of the
cell site ID, then the precision of the lo-
cation information is clearly a function
of the size of the cell. Cell sizes vary sig-
nicantly, but the following can be used
as a rough rule of thumb:
u
Urban: 1 mile radius
Suburban: 2 mile radius
Rural: >4 mile radius
It follows that through registration
messages alone, a subscribers location
is recorded to the level of a metropolitan
area at a minimum, and sometimes to
the level of a neighborhood.
So far I have focused on voice calls.
With regard to data calls, it should
be noted that 3G cellular separates the
core network into circuit-switched and
packet-switched domains, while 4G
is purely packet-switched. Data calls
are set up in packet-switched domains
through the support of a serving and a
gateway General Packet Radio Service
(GPRS) support node. The HLR and VLR
play registration, roaming, and mobil-
ity management roles for data calls that
are similar to those provided in voice
calls, so I will not go into further details
here except to note that location data is
accumulated in a similar manner.
In summary, the functionality of a
cellular network is based on the net-
works ability to track the cellular sub-
scriber. It was designed to collect and
store location information, inadver-
tently creating an attractive informa-
tion source for law enforcement and
marketing professionals, as described
previously. Next, we will see this need
not be the case.
A Private Overlay
So long as the cellular concept requires
that a piece of equipment be located
within a particular cell, there will be a
requirement in cellular systems that an
MSC be able to locate user equipment
at the level of one or a small number
of cell sites. It is important to note,
however, that it is the equipment that
needs to be located and not a specic,
u Jeff Pool, Innopath, private correspondence.
These areas are further reduced if the cell has
multiple sectors.
as before, with the difference that the
HLR and VLR location information is
associated with the RET, as opposed to
a phone number. Data calls can be kept
private by associating the RET with a
temporary IP address.
v
Incoming calls require that calling
parties know the RET. In order for the
RET to be associated with the correct
HLR, it will also be necessary that the
calling party identify the service pro-
vider that serves the called party. The
user in private cellular mode must thus
distribute, using public key encryp-
tion, his or her RET and the identity
of the service provider to those parties
from whom he or she would be willing
to receive a call.
Calls can be placed from the cellu-
lar platform in private mode using the
private context developed for incoming
calls, or it may prove desirable to reg-
ister outgoing calls on a call-by-call ba-
sis using distinct random strings. This
would reduce the amount of informa-
tion associated with a single random
string, thus reducing the ability of the
service provider to associate the private
context with a specic user.
We now must confront the prob-
lems of cloning and billing. Both can
be addressed by building a Trusted
Platform Module (TPM)
1
into the cel-
lular platform. The TPM (or an equiv-
alent device) can be programmed to
keep the certication message in a
cryptographically secure vault, and
thus unavailable to anyone wishing to
transfer it to another platform. When
the network receives a PER message, it
can thus be assured that the transmit-
ting phone actually received the certi-
cation message from the network. Re-
mote attestation can be used to ensure
that the software controlling the TPM
has not been altered.
The problem of billing has to be
clearly addressed, for the service pro-
vider faces the uncomfortable task
of providing service to an unknown
party. The solution lies, once again, in
v One version of the GPRS standard allowed for
an anonymous Packet Data Protocol (PDP)
context. This context associated a PDP address
at the SGSN with a temporary logical link iden-
tierthe IMSI was not associated with the
PDP address, and the context was thus anony-
mous. The details were described in early ver-
sions of section 9.2.2.3 of ETSI GSM 03.60, but
were later removed from the standard.
named subscriber. In this section we
will consider the possibility of creating
a private overlay for cellular systems
that protects user privacy by strictly
separating equipment identity from
user identity. The proposed overlay re-
quires the addition of a Public Key In-
frastructure (PKI).
10
The PKI provides
the network and all subscribers with
a public encryption key and a private
decryption key. With this addition, a
private overlay to the existing cellular
infrastructure can be established as
described below.
The scenario assumed here is that
of a cellular telephone with standard
capabilities to which has been add-
ed the ability to operate in a private
mode, a private mode in which the
service provider is unable to associ-
ate location data for the phone with
a specic user. The private mode is
predicated on a private registration
process, which is enabled by having
the network transmit once a day (or
at some suitable interval) an identi-
cal certication message to each au-
thorized subscriber. The certication
message that is sent to each subscrib-
er is encrypted using that subscribers
public encryption key.
When the user enables the private
cellular mode, the cellular platform
sends a Privacy Enabling Registration
(PER) message to the network. The
PER, consisting of the certication
message and a Random Equipment Tag
(RET), is encrypted using the networks
public encryption key. The certica-
tion message acts as a zero-knowledge
proof, showing the network that the
PER was sent by a valid user, but with-
out actually identifying the user (we
will address the problem of cloning in
a moment). The RET is a random num-
ber that will be entered into the VLR
and the HLR and treated as if it were a
phone number. The VLR and the HLR
will thus collect all of the informa-
tion needed to establish and maintain
phone calls to the cellular platform,
but will not associate this information
with a particular individual or phone
number. So long as the user chooses to
remain in private cellular mode, sub-
sequent registration messages will in-
clude the RET as opposed to the users
telephone number.
Call setup, mobility management,
and roaming will all be handled exactly
98 COMMUNI CATI ONS OF THE ACM | JULY 2011 | VOL. 54 | NO. 7
review articles
cial, economic, and political contexts.
It remains possible, however, to secure
cellular networks against surveillance.
The private cellular overlay proposed
here would serve this purpose while
potentially putting the subscriber in
control of his or her personal informa-
tion. Legal issues remain and legisla-
tion may be necessary before a private
cellular system can be made available
to the public, but a public discussion
as to whether we want a technology as
important as cellular to be open to co-
vert surveillance would be a good and
highly democratic idea.
Acknowledgments
This work was funded in part by the Na-
tional Science Foundation TRUST Sci-
ence and Technology Center and the
NSF Trustworthy Computing Program.
The author gratefully acknowledges
the technical and editorial assistance
of Sarah Hale, Lee Humphries, and
Jeff Pool. He also extends thanks to the
anonymous reviewers for their exten-
sive and insightful comments.
References
1. TPM Main, Part 1 Design Principles, Specication
Version 1.2, Level 2 Revision 103. Tech. rep., Trusted
Computing Group (July 9 2007).
2. Bentham, J. The Panopticon; or The Inspection House.
London, 1787. Miran Boovi (Ed.). Verso, London, UK,
1995.
3. Berger v. New York, 388 U.S. 41 (1967).
4. Communications Assistance for Law Enforcement Act
(CALEA, 47 U.S.C. xx10011010).
5. Clarke, R.A. Information technology and dataveillance.
Commun. ACM 31, 5 (May 1988), 498512.
6. Cohen, J. E. Examined lives: Informational privacy and
the subject as object. Stanford Law Review (2000).
7. Cortes, C., Pregibon, D., and Volinsky, C. Communities
of interest. In Proceedings of the 4
th
International
Conference on Advances in Intelligent Data Analysis
(2001), 105-114.
8. Cuddihy, W.J. The Fourth Amendment: Origins and
Original Meaning, 6021791. Oxford University Press,
2009. (See also the Ph.D. thesis with the same title,
Claremont Graduate School, 1990).
9. Deleuze, G. Postscript on the societies of control.
October 59 (1992), 37. (Winter).
10. Dife, W., and Hellman, M. New directions in
cryptography. IEEE Transactions on Information
Theory 22, 6 (1976), 644654.
11. Dworkin, G. The Theory and Practice of Autonomy.
University Press, Cambridge, 1988.
12. Electronic Communications Privacy Act.
13. Etemad, K. CDMA 2000 Evolution: System Concepts
and Design Principles. Wiley, NY, 2004.
14. Implementation of the Telecommunications Act of
1996: Telecommunications Carriers Use of Customer
Proprietary Network Information and Other Customer
Information (1998).
15. Implementation of the Telecommunications Act of
1996: Telecommunications Carriers Use of Customer
Proprietary Network Information and Other Customer
Information, 17 F.C.C.R. 14860 (2002).
16. Implementation of the Telecommunications Act of
1996: Telecommunications Carriers Use of Customer
Proprietary Network Information and Other Customer
Information.
17. Foucault, M. Discipline and Punish. Vintage, 1995,
(Surveiller et punir: Naissance de la Prison, 1975).
18. Freeh, L.J. Digital telephony and law enforcement
access to advanced telecommunications technologies
the TPM. The number of private call
minutes available to the platform can
be controlled through software in the
platform, with the software certied by
remote attestation. If need be, the pri-
vate call minutes can be prepaid.
The potential for considering the
private mode as a prepaid service may
have a signicant advantage with re-
spect to CALEA, as CALEA does not
currently cover prepaid cellular tele-
phones. In the U.S. and many other
countries, one may buy and use a pre-
paid cellular telephone without associ-
ating ones name with the phone.
w
The
proposed privacy overlay would thus
provide postpaid cellular telephone
users with the privacy benets of pre-
paid cellular.
x
Other problems remain to be ad-
dressed, of course. For example,
Cortes, Pregibon, and Volinsky have
shown that it is possible to identify
fraudulent users of a cellular system
by using call data to construct dy-
namic graphs, and then performing
a comparative analysis of subgraphs
that form communities of interest.
7

A similar comparative analysis can be
used for deanonymizing users of the
proposed system unless the random
tag is changed fairly frequently.
Conclusion
We have seen that cellular telephony
is a surveillance technology. Cellular
networks were designed, however un-
intentionally, to collect personal data,
thus creating an extremely attractive
source of information for law enforce-
ment agencies and marketers. The im-
pact of this surveillance on the users
and uses of the cellular platform is be-
coming increasingly important as the
platform plays a prominent role in so-
w According to the UPI, many of the cell phones
used to coordinate action in the Philippine up-
risings against former President Estrada were
unregistered, prepaid phones. See http://www.
upiasia.com/Politics/2008/01/21/texting_as_
an_activist_tool/6075/.
x On May 26, 2010, Senators Charles Schumer
(D-NY) and John Cornyn (R-TX) introduced
a billS.3427: The Pre-Paid Mobile Device
Identication Actthat would require that a
consumer provide his or her name, address,
and date of birth prior to the purchase of a
pre-paid mobile device or SIM card. As of May
2010, the bill had been read twice and referred
to the Committee on Commerce, Science, and
Transportation.
and services. Joint Hearings on H.R. 4922 and S. 2375,
103d Cong. 7, 1994.
19. Freiwald, S. First principles of communication privacy.
Stanford Technology Law Review 3 (2007).
20. Gandy, O.H. The Panoptic Sort: A Political Economy of
Personal Information. Westview Publishers, 1993.
21. Goldstein, J., and Rotich, J. Digitally networked
technology in kenyas 20072008 post-election crisis.
Tech. Rep. 200809, Harvard University, Berkman
Center for Internet & Society, Sept. 2008.
22. Holma, H., and Toskala, A. WCDMA for UMTS: Radio
Access for Third Generation Mobile Communications,
3rd Ed. Wiley, NY, 2004.
23. IMT-2000. International mobile
telecommunications-2000 standard.
24. Kaaranen, H., Ahtiainen, A., Laitinen, L., Naghian, S.
and Niemi, V. UMTS Networks, 2
nd
Ed. Wiley and Sons,
Hoboken, NJ 2005.
25. Katz v. United States, 389 U.S. 347 (1967).
26. Kerr, O.S. Internet surveillance law after the USA
Patriot Act: The big brother that isnt. Northwestern
University Law Review 97, 2 (20022003), 607611.
27. Lichtblau, E. Telecoms win dismissal of wiretap suits.
New York Times (June 3 2009).
28. Loopt2010. Loopt strengthens its location-based
advertising offerings, sets sights on hyperlocal
marketing. Mobile Marketing Watch (Feb. 17, 2010).
29. United States v. Miller, 425 U.S. 435 (1976).
30. Mouly, M., and Pautet, M.-B. The GSM System for
Mobile Communications. Self-published, 1992.
31. Nardone v. United States, 302 U.S. 379 (1937).
32. Networks, J. The benets of router-integrated session
border control. Tech. rep., Juniper Networks, 2009.
33. Nissenbaum, H. Privacy in Context: Technology, Policy,
and the Integrity of Social Life. Stanford University
Press, Palo Alto, CA, 2010.
34. Olmstead v. United States, 277 U.S. 438 (1928).
35. Ptzmann, A., Ptzmann, B., and Waidner, M. ISDN-
MIXes: Untraceable communication with very small
bandwidth overhead. In Proceedings of the GI/ITG
Conference on Communication in Distributed Systems
(1991). Springer-Verlag, 451463.
36. Querengesser, T. Kenya: Hate speech SMS offenders
already tracked (Mar. 2008).
37. Redish, M. Freedom of Expression: A Critical Analysis.
Michie Co, Charlottesville, NC, 984.
38. Schoeman, F.D., Ed. Philosophical Dimensions of
Privacy: An Anthology. Cambridge University Press,
1984.
39. Schrader, D.E. Intellectual safety, moral atmosphere,
and epistemology in college classrooms. Journal of
Adult Development 11, 2 (Apr. 2004).
40. Semaynes Case. Cokes Rep. 91a, 77 Eng. Rep. 194
(K.B. 1604).
41. Sherr, M., Cronin, E., Clark, S., and Blaze, M. Signaling
vulnerabilities in wiretapping systems. IEEE Security
& Privacy 3, 6 (2005), 13-25.
42. Smith v. Maryland, 442 U.S. 735 (1979).
43. Solove, D.J., and Schwartz, P.M. Privacy, Information,
and Technology; 2
nd
Ed. Aspen Publishers, Inc., 2008.
44. Telecommunications Act of 1996.
45. Toeniskoetter, S.B. Preventing a modern panopticon:
Law enforcement acquisition of real-time cellular
tracking data. Rich. J.L. & Tech. 13, 4 (2007), 149.
46. Tversky, A., and Kahneman, D. The framing of
decisions and the psychology of choice. Science 211,
4481 (Jan. 30 1981), 453-458.
47. U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999).
48. Williamson, J. Decoding Advertisements: Ideology and
Meaning in Advertising. Marion Boyars Publishers Ltd,
1978.
Stephen B. Wicker (wicker@ece.cornell.edu) is a
professor in the School of Electrical and Computer
Engineering, Cornell University, Ithaca, NY.
2011 ACM 0001-0782/11/07 $10.00