A newly publicized document shows that five local police departments in southeastern Virginia have been secretly and automatically sharing criminal suspects’ telephone metadata and compiling it into a large database for nearly two years.

According to a 2012 memorandum of understanding (MOU) published for the first time Monday by the Center for Investigative Reporting, the police departments from Hampton, Newport News, Norfolk, Chesapeake, and Suffolk all participate in something called the "Hampton Roads Telephone Analysis Sharing Network," or HRTASN.

The Peninsula Narcotics Enforcement Task Force, or PNETF, "will provide administrative and technical assistance to participating agencies in conducting pen register intercepts as described below."

According to that MOU, those agencies "agree to share telephone intelligence information derived from any source with the PNETF including: subpoenaed telephone call detail records, subpoenaed telephone subscriber information, and seized mobile devices. The telephone intelligence information will be stored in the master Pen-Link telephone database at the PNETF, and participating agencies can make inquiries of the database by either telephone or e-mail contact with a PNETF member."

Such data transfers, the document goes on to explain, can happen automatically if the agency agrees to have certain software installed on its computer, or via e-mail or DVD.

The eight-page document doesn’t precisely make clear what type of analysis is done on this dataset, nor how many records are kept. But based on the above description, it seems clear that this would include all made and received calls, their duration, their provider, possible geo-location information, and probably any other data seized from a particular handset.

The fear is that by amassing such a large quantity of metadata, an inordinate amount of information can be gleaned from it. As Ars demonstrated in March 2014, metadata can be incredibly revelatory and can expose all kinds of information about a subject.

Ars has filed Freedom of Information Act and state public records requests with various agencies to learn more.

Feds are totally cool with it

Ars contacted all five of the police departments, only two of which responded with prepared statements on Tuesday—none responded to direct questions.

According to Sgt. Jason Price, the spokesman for the Hampton Police Division, the system is overseen not only by its five local police department members; the PNETF also includes the Peninsula Association of Commonwealth Attorneys and the Virginia State Police.

"Meetings regularly include the US Attorney’s Office," Price said in a statement.

"The system is very commonly used in policing throughout the US for criminal intelligence, which is subject to federal guidelines contained in 28 CFR Part 23," he added. "The Hampton Police Division gathers, shares and retains information after obtaining a search warrant or court order in accordance with local, state, and federal law. The Government Data Collection and Dissemination Practices Act contains an exemption for personal information systems maintained by law enforcement that pertain to investigations and intelligence gathering related to criminal activity (VA Code §2.2-3802.7). The Network is covered by this exemption and is not contrary to the Attorney General’s opinion."

Corporal Melinda Wray, a spokeswoman for the Norfolk Police Department, said in a statement that her agency had participated in the HRTASN since 2013.

"Any phone records in the possession of the Norfolk Police Department are obtained pursuant to a court order or search warrant issued after a finding of probable cause by competent authority (judge or magistrate)," she said. "Any finding or probable cause requires a link to a specific criminal incident or investigation and is compliant with Virginia code. Therefore, all telephone information is gathered, stored and retained in accordance with local, state and federal law."

Michael Kelly, the spokesman for the office of the Virginia Attorney General, said, "this is not something our office has been involved in" and referred Ars to the individual municipalities instead.

He did not respond to an e-mail or text message asking whether such a data exchange would be explicitly in line with Virginia law.

The American Civil Liberties Union of Virginia believes that such data aggregation could be in violation of Virginia's Government Data Collection and Dissemination Practices Act.

At least one Virginia lawmaker agrees.

On Tuesday, Chap Petersen, a Democratic state senator from Fairfax, concurred in a post on his website:

Again, Virginia law (Section 2.2-3800) is very clear: government cannot hold personal information in covert databases, which are inaccessible to ordinary citizens. Nor can it collect this personal data “except as explicitly or implicitly authorized by law.” Phone records which reveal your cell or home phone numbers are, by definition, records which contain personal information. While an agency can gather this information by subpoena or warrant for a criminal investigation, it cannot simply hold the data ad nauseam in a regional database until it is deemed relevant. This is exactly what 2.2-3800 was designed to prevent. We need some sort of ombudsman (the AG’s office?) to bring everyone into compliance. The law is already on the books and it’s clear.

A low standard

Privacy-minded legal experts were not surprised that such a system exists, but nonetheless lambasted its creation and use.

"My thought all along has been that any time the government gets information of a third-party through a cell tower dump or a stingray that it would keep it," Brian Owsley, a former federal magistrate judge in Texas and current law professor at Indiana Tech, said in an e-mail. "This indirectly supports my concern and bolsters my argument that there should be a protocol to protect third-party data and information that is swept during electronic surveillance."

For many years, local and federal authorities have had judges authorize the installation and/or use of a "pen register" and/or "trap and trace device" in order to determine call history and other data from a phone. In some cases, law enforcement has gone to judges asking for such a device or has falsely claimed a confidential informant, but in fact has deployed a stingray, a particularly sweeping and invasive surveillance tool.

As Owsley points out, "anything obtained through a pen register is obtained at a very low standard: ‘the court shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device anywhere within the United States, if the court finds that the attorney for the Government has certified to the court that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.’"

To be clear, getting a judge to sign off on a pen register is a far lower standard than being forced to show probable cause for a search warrant or wiretap order. Such a wiretap order requires law enforcement to not only specifically describe the alleged crimes, but also to demonstrate that all other means of investigation had been exhausted or would fail if they were attempted.

"Thus, the gathering and collection of information based on pen registers is very easy," Owsley added. "This can be compiled into a database for subsequent use by law enforcement, but only after it has been sought in a prior criminal investigation. If, however, the compilation is done for a stingray, then the amount of information can be exponentially much greater than a pen register. More important, the compiled data and information can be searched and used even though a third party may not have originally been a target of any criminal investigation or any court order specifically authorizing the third party to be the subject of an investigation."

Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation and former federal public defender, had no reason to believe that the practice was illegal but said it was worrisome.

"I can’t think of any laws that restrict what the agencies can do with this sort of phone record data once they have it (that’s different than the restrictions put in place for National Security Agency-collected data or some of the new surveillance technologies like [license plate readers] or DNA where there are statutory restrictions)," he said by e-mail.

"And if there are no restrictions, then I suppose officers could use it and mine that data. But of course that shows the whole problem with this data collection, this collection and analysis of your phone patterns over extended periods of time with no oversight."

Owsley concurred with this line of reasoning.

"I do not think that law enforcement should be allowed to just transfer information in this manner," he said. "To allow [law enforcement] to do so would thwart even the low standards of a pen register. Moreover, it would allow them to transfer third-party data of people who courts have never authorized to be the basis of an electronic surveillance request. Nothing in the statutory language regarding pen registers that I am aware of contemplates the massive collection and compilation of such data."