9 January 1998: Update 2:
3 January 1998: Update
1 January 1998
Date: Tue, 30 Dec 1997 18:11:45 +0000
To: ukcrypto@maillist.ox.ac.uk
From: T Bruce Tober <octobersdad@reporters.net>
Subject: Mobile Phone Cell Location Surveillance Acknowledged
If they can track our movements via our mobile phones, what are the
privacy and other implications when they start playing with our crypto
as jack (the junkie's dad, allegedly) s***w starts playing with our
rights to use crypto?
------- Forwarded message follows -------
BTW: this technique is reputed to be used in North America as well.
Tracking of Swiss mobile phone users starts row
ZURICH, Dec 28 (Reuters) - Swiss police have secretly
tracked the whereabouts of mobile phone users via a telephone
company computer that records billions of movements going back
more than half a year, a Sunday newspaper reported.
The revelation in the SonntagsZeitung newspaper triggered
objections from politicians and the country's privacy ombudsman
about high-tech snooping on citizens who like the convenience of
a mobile phone.
Officials from state telephone company Swisscom confirmed
the practice, but insisted information about mobile customers
was only handed out on court orders.
``Swisscom has stored data on the movements of more than a
million mobile phone users. It can call up the location of all
its mobile subscribers down to a few hundred meters and going
back at least half a year,'' the paper reported.
snip
But it quoted Toni Stadelmann, head of Swisscom's mobile
phone division, as saying: ``We release the movement profile of
mobile telephone customers on a judge's order.''
SonntagsZeitung said there was no legal basis for storing
such information.
``I am unaware of any law that would allow the preventative
collection of data for investigative purposes,'' it quoted Odilo
Guntern, the federal ombudsman for protecting individuals'
privacy, as saying.
``Secretly collecting data is highly problematic,'' added
Alexander Tschaeppat, a judge and member of the lower house of
parliament.
<snip>
tbt --
--
|Bruce Tober, octobersdad@reporters.net, Birmingham, England +44-121-242-3832|
| Freelance PhotoJournalist - IT, Business, The Arts and lots more |
|pgp key ID 0x94F48255. Website - http://www.homeusers.prestel.co.uk/crecon/ |
To: cryptography@c2.net
Date: Tue, 30 Dec 1997 19:08:09 +0000
From: David M Walker <davidw@datamgmt.com>
Subject: Mobile phones used as trackers
The following article appeared on 29th December 1997 in the Times
(http://www.sunday-times.co.uk). I am the Technical Architect for
the Swisscom Mobile Data Warehouse project and comment below ...
-----------------------------------------------------------------
Mobile phones used as trackers
BY MICHAEL EVANS AND NIGEL HAWKES
MOBILE PHONES can be used as tracking devices to
pinpoint users within a few hundred yards, according to a
report yesterday.
Sonntags Zeitung, published in Zurich, said Swiss police
had been secretly tracking mobile phone users through a
telephone company computer.
"Swisscom [the state-owned telephone company] has
stored data on the movements of more than a million
mobile phone users and can call up the location of all its
mobile subscribers down to a few hundred metres and
going back at least half a year," the paper reports, adding:
"When it has to, it can exactly reconstruct, down to the
minute, who met whom, where and for how long for a
confidential tte--tte."
Swisscom officials confirmed the practice but said
information about mobile phone customers was handed
over only on production of a court order. The newspaper
claimed that about 3,000 base stations in Switzerland
tracked the location of mobile phones as soon as they
were switched on.
Renato Walti, an investigating magistrate in Zurich who
specialises in organised crime, told the paper: "This is a
very efficient investigation tool."
Toni Stadelmann, head of Swisscom's mobile phone
division, is quoted as saying: "We release the movement
profile of mobile telephone customers on a judge's order."
In Britain, six mobile phone companies are understood to
have arrangements with law enforcement agencies to
provide coding information on individual phones used by
suspected terrorists or serious criminals, but there are
legal and procedural restrictions. As in all intelligence and
police work, according to one intelligence source,
technical surveillance is carried out only for what the
source described as "focused" operations on key
individuals.
"Some people might think the law enforcement authorities
are tracking every mobile phone user, but that is complete
nonsense. We have to have our antennae out to get the
critical leads, but once we've got a lead we focus on that
individual and a lot of effort goes into filtering out
extraneous information."
Earlier this year there was a row in Australia when police
admitted that they were using the mobile phone network
to keep track of known criminals. Signals emitted by the
criminals' phones and picked up by local base stations
were being used to pinpoint people, providing "a very
valuable investigative tool", according to Sergeant Frank
Helsen of the New South Wales Police Service Crime
Data Centre.
The method worked even if the phones were not in use,
since they emit signals automatically every half hour. Data
collected by the phone companies whose base stations
pick up these calls was being reconstructed to pinpoint the
whereabouts of the phone users.
Chris Puplick, the chairman of the New South Wales
Council for Civil Liberties, protested that walking around
with a mobile phone was "like walking around with a
beeper or an implanted transmitter".
In the Australian case, the mobile phone companies said
that they did not routinely keep the data from phones but
would do so if a warrant were issued in advance. The
police service declined to say how often this happened.
In the Swiss case, it appears that the data is automatically
recorded.
------------------------------------------------------------------
It is true that while a call is in progress the person can be
tracked with standard radio tracking techniques. It is also true
that Phone Companies store the Call Data Record (CDR) for billing
and marketing purposes. Most Telcos now try to store 18 months of
this data (Swisscom will be about 2Tb of info after 18 months). The
CDR contains the base station or cell that was being used (remember
that a user in a car is likely to pass through many cells. Cells
overlap depending on location and may be small (a square kilometer
in a town) or large (fifty square kilometers in open flat
countryside).
But the statement:
"Swisscom [the state-owned telephone company] has
stored data on the movements of more than a million
mobile phone users and can call up the location of all its
mobile subscribers down to a few hundred metres and
going back at least half a year," the paper reports, adding:
"When it has to, it can exactly reconstruct, down to the
minute, who met whom, where and for how long for a
confidential tte--tte."
is totally implausable, we have enough problems with the volume
of CDR data as it is without storing the radio direction info
as well.
It is well known that subscribers may also not be the user, e.g.
a man may be a subscriber twice, but may give one phone to his
wife - so who is using the phone and how do you know that ?
Furthermore Swisscom have a service called 'Natel Easy-Go' where
you can pay cash for a pre-paid mobile phone. Unless the person
pays by credit card to re-charge the prepayment element you
don't even know who the subscriber is !
Finally the Police in most countries do use the CDR information
from Telcos both mobile and fixed line, and in most countries it
is controlled by court order. Even the limited information that
I have described as being available helps catch criminals, who
like all of us are creatures of habit and normally just pick up
the nearest phone !
davidw
To: cryptography@c2.net
Date: Tue, 30 Dec 1997 15:54:29 -0500
From: Lenny Foner <foner@media.mit.edu>
Subject: Mobile phones used as trackers
It is not completely unreasonable that the Swiss might be tracking
phones to tens or hundreds of meters; there are US companies whose
business it is to make such solutions available for celphone 911
response and "law enforcement purposes" (as they put it). As to
whether they really -are- doing so, that's for someone else to say.
See http://www.trueposition.com/tdoa.htm .
To: cryptography@c2.net
Date: Tue, 30 Dec 1997 14:36:22 -0800 (PST)
From: Phil Karn <karn@qualcomm.com>
Subject: Re: Mobile phones used as trackers
The article almost certainly refers to what the industry calls
"registration messages". These let the cellular network know which
cell you're in so incoming calls can be delivered directly to your
cell.
Cellular registration works much like bridging in an Ethernet network.
If the mobile has been heard from recently, the network can direct
that mobile's pages (incoming call notifications) to the cell in which
the mobile was last heard. Otherwise, the network can "flood page" the
mobile in all cells in the system.
Registration usually occurs when a cell site invites the mobiles in
its area to register themselves. This is an "explicit" registration.
This can occur automatically and completely without warning at any
time the phone is turned on. (Some phones, such as my Motorola Micro
TAC Lite, emit a soft click from the receiver when they register due
to mild RF interference from the transmitter to the audio circuits,
but this is clearly not a design feature.)
Implicit registration occurs when you make a call, much as it happens
when you send a packet in a bridged Ethernet network.
Registration is technically a carrier option. And it's a tradeoff
between decreased paging traffic and the overhead of the registration
traffic itself. But as cellular networks get larger, individual cells
get smaller and call traffic increases, the improved efficiency
becomes quite compelling. Intrasystem registration now seems pretty
much universal, at least in the US. My AMPS carrier here in SD, GTE,
requires a registration before it will even try to deliver a call --
i.e., there seems to be no flood paging at all.
Registration is *mandatory* when intER-carrier roaming is involved.
Some comments on the privacy implications of registration:
1. In my opinion, cellular registration is one of the most
problematical privacy issues in modern telecommunications. Unlike the
actual contents of a call, which can at least in theory (if not in
practice) be end-to-end encrypted against interception in the network,
registration information is user-to-network. The network needs that
information to do its job efficiently. I don't see how cryptography
can help here.
2. There is, however, no justification for *logging* registration
information. When the network wants to deliver a call to you, it needs
to know where you are *now* -- not where you were an hour or a day
ago. This seems like a good point on which to make policy.
3. Registration does actually provide one minor privacy enhancement
over flood paging. With flood paging, an RF eavesdropper anywhere in
the system can build a complete log of your incoming calls. With
registration, he has to be in the same cell with you.
The only countermeasure I can think of against registration tracking
is to keep your cell phone turned off anywhere you don't want the
world to know you've visited. One alternate way to receive your calls
is to carry a (one way!) pager. When you get a page, you then have the
option of turning on your cell phone (and revealing your location), or
returning the call on a pay or conventional telephone. Even the latter
technique runs the risk of having telephone call detail records
cross-correlated against a log of your pager messages, since the
latter are invariably in the clear.
Phil
To: cryptography@c2.net
Subject: Re: Mobile phones used as trackers
Date: Tue, 30 Dec 1997 17:55:50 -0500
From: "Perry E. Metzger" <perry@piermont.com>
Phil Karn writes:
> 1. In my opinion, cellular registration is one of the most
> problematical privacy issues in modern telecommunications. Unlike the
> actual contents of a call, which can at least in theory (if not in
> practice) be end-to-end encrypted against interception in the network,
> registration information is user-to-network. The network needs that
> information to do its job efficiently. I don't see how cryptography
> can help here.
Well, perhaps it could. In theory, Chaumian anonymous digital
credentials could make it possible for one to design a protocol that
permitted calls to be made anonymously and yet without fraud. On the
other hand, such a protocol would not permit users to *receive* calls
without being traced. However, perhaps some sort of cryptographic
protocols could be used to reduce exposure here, too.
The real problem, however, is not the possibility of using such
protocols to increase privacy, but the lack of respect for privacy
among the providers and, more importantly, in the government. As you
point out, simply not logging location information would be sufficient
to assure privacy, but we lack the will as a society to demand that.
Perry
To: cryptography@c2.net
Date: Tue, 30 Dec 1997 23:26:20 +0000
From: Ben Laurie <ben@algroup.co.uk>
Subject: Re: Mobile phones used as trackers
Phil Karn wrote:
> The only countermeasure I can think of against registration tracking
> is to keep your cell phone turned off anywhere you don't want the
> world to know you've visited.
Actually, you need to take the batteries out. My previous mobile (a
Nokia 2100) audibly interfered with land lines (or perhaps my headset),
and I have caught it registering itself when it is nominally off. I
haven't noticed my current phone (a StarTAC [which I would happily
exchange for a very light 2100]) doing it, but I haven't checked...
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd, |http://www.algroup.co.uk/Apache-SSL
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
To: cryptography@c2.net
Date: Tue, 30 Dec 1997 18:06:43 -0800 (PST)
From: Phil Karn <karn@qualcomm.com>
Subject: Re: Mobile phones used as trackers
>It is not completely unreasonable that the Swiss might be tracking
>phones to tens or hundreds of meters; there are US companies whose
>business it is to make such solutions available for celphone 911
>response and "law enforcement purposes" (as they put it). As to
>whether they really -are- doing so, that's for someone else to say.
As someone who has looked at how to do positioning for the FCC's
upcoming cellular 911 requirements, I can say that while several
workable approaches exist, it's just not all that easy to do
*reliably*. Even CDMA, which has a waveform not unlike GPS, has
problems with multipath reflections in urban environments.
So I suspect the article refers to being able to locate a user to a
cell, or to a sector of a multi-sectored cell. After all, that's
precisely the resolution the network needs to deliver your calls, and
to hand you off during calls.
Depending on the size of the cell or sector, you end up knowing the
user's location to anything from hundreds of meters in densely
populated areas to many km in rural or mountainous areas.
See the various books on the hunt for Kevin Mitnick for insights into
how cellular users can be located. They started with a cell/sector ID
(and a channel number) from the switch. This gave the approximate area
to begin using conventional RF direction finding techniques that many
hams will recognize from "fox hunting" contests.
Phil
JYA Note: Two of the Kevin Mitnick books are:
"Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted
Computer Outlaw -- By the Man Who Did It," by Tsutomu Shimomura, with
John Markoff, Hyperion, New York, 1996, 324 pp. ISBN 0-7868-6210-6.
"The Fugitive Game: Online With Kevin Mitnick, the Inside Story of the
Great Cyberchase," by Jonathan Littman, Little Brown, New York, 1996,
383 pp. ISBN 0-316-52858-7.
To: cryptography@c2.net
Date: Fri, 2 Jan 98 02:55 GMT+0100
From: 3umoelle@informatik.uni-hamburg.de (Ulf Möller)
Subject: Re: Mobile phones used as trackers
>Well, perhaps it could. In theory, Chaumian anonymous digital
>credentials could make it possible for one to design a protocol that
>permitted calls to be made anonymously and yet without fraud. On the
>other hand, such a protocol would not permit users to *receive* calls
>without being traced. However, perhaps some sort of cryptographic
>protocols could be used to reduce exposure here, too.
One approach is to use a decentralized trusted database for location
management. The confidential information (the location information or
an ephemeral pseudonym) might be stored in a computer at the user's
home. This technique can be combined with the usual protocols for
untraceable communication.
This is discussed in a number of papers by H. Federrath and others:
D. Kesdogan, H. Federrath, A. Jerichow, A. Pfitzmann: Location
Management Strategies increasing Privacy in Mobile Communication
Systems; IFIP SEC '96, Proceedings of the IFIP TC11, 39-48.
http://www.semper.org/sirene/lit/abstr96.html#FeJP1_96
H. Federrath, A. Jerichow, A. Pfitzmann: MIXes in Mobile Communication
Systems: Location Management with Privacy; Information Hiding 1996,
121-135.
http://www.semper.org/sirene/lit/abstr96.html#KFJP_96
H. Federrath, A. Jerichow, D. Kesdogan, A. Pfitzmann, O. Spaniol:
Mobilkommunikation ohne Bewegungsprofile; it+ti 38 (1996) 4, 24-29.
http://www.semper.org/sirene/lit/abstr96.html#FJKP_96
The issue of anonymity with mobile phones is also discussed in:
A. Herzberg, H. Krawczyk, G. Tsudik: On Travelling Incognito.
http://www.isi.edu/~gts/paps/hkt94.ps.gz
To: cryptography@c2.net,
Subject: Re: Mobile phones used as trackers
From: Andreas Bogk <andreas@artcom.de>
Date: 01 Jan 1998 23:17:13 +0100
>>>>> "Phil" == Phil Karn <karn@qualcomm.com> writes:
Phil> So I suspect the article refers to being able to locate a
Phil> user to a cell, or to a sector of a multi-sectored cell.
Phil> After all, that's precisely the resolution the network needs
Phil> to deliver your calls, and to hand you off during calls.
Well, in the case of GSM, the propagation delay between the terminal
and the cell is measured and compensated in order to have tighter
timeslot boundaries. The resolution of this measurement is about 500
meters.
Andreas
--
This story whether grounded in fact or not has been sanctioned
by the print mass media. It therefore is the truth.
To: cryptography@c2.net
Date: Fri, 2 Jan 1998 15:50:09 -0800 (PST)
From: Phil Karn <karn@qualcomm.com>
Subject: Re: Mobile phones used as trackers
>Well, in the case of GSM, the propagation delay between the terminal
>and the cell is measured and compensated in order to have tighter
>timeslot boundaries. The resolution of this measurement is about 500
>meters.
IS-95 CDMA uses a chipping rate of 1.2288 Mc/s, which is roughly
comparable to the GPS C/A code (1.023 Mc/s). So one would think it
could do as well as GPS in locating users, but there are problems.
As a passive (receive-only) system, GPS requires that you see 4
satellites to determine the four unknown values (latitude, longitude,
altitude and clock offset -- the latter being required even if you're
only interested in the first three).
Active closed-loop ranging systems (e.g., Qualcomm Omnitracs and some
proposed cellular ranging schemes) can use fewer measurements because
any clock offset cancels back at the sending station. But you are
often plagued by multipath propagation problems in urban environments.
Spread spectrum is good at dealing with the adverse effects of
multipath when you're communicating. But when you're also ranging, you
need that direct (unreflected) component so you can get an accurate
time delay measurement. And most of the time in urban canyons you
simply don't have a direct component to work with; it's all multipath.
Phil
Date: Tue, 6 Jan 1998 04:07:24 -0600
From: "Loren J. Rittle" <rittle@supra.rsch.comm.mot.com>
To: cypherpunks@cyberpass.net
Subject: Re: Mobile phones used as trackers
In article <199801012054.PAA25297@users.invweb.net>,
"William H. Geiger III" <whgiii@invweb.net> writes:
> It is my understanding that they can still track you with the cell phone
> turned off so long as there is power going to the box (most auto cell
> phones are hardwired into the cars electrical system).
This is the funniest thing I have read in some time. Assuming you
watch the show, I think you may have watched too many episodes of the
X-Files (TM).
When the subscriber unit (SU a.k.a. the cellular phone) is turned off,
"they" can't track you. Now, it is possible that some cars have
built-in SUs that automatically power-on whenever the car is started.
In this case, the SU is clearly turned on and the user knows it.
Analog cellular phone systems in the U.S. only force the SU to
transmit when they need too. As someone else already mentioned, from
the perspective of cellular system operators, bandwidth is in short
supply. The cellular system operators wouldn't stand for a bunch of
unneeded transmissions "just to track location".
Based upon my own personal informal study [1] and some past knowledge
of cellular-type systems [2], in general, I believe the following
about analog cellular systems fielded in the U.S.:
1) "They" might be able to get a location reading at power-on time.
The SU will check to see if it is being powered on within a
different cell than it was last registered. If the cell is
different, then the SU transmits a message on the cell's control
channel to reregister. If the SU believes it is in the same cell,
then it doesn't transmit anything at power-on time. If the SU
transmits, it will be a very short burst. This would allow an
attacker to see your location at power-on time.
2) When your SU is on, "they" can track your cell-to-cell movements.
Cells are on the order of 1-10 miles in diameter. The more
populated the area (actually, the more likely the system is to be
used in an area), the smaller the cell size. "They" will only get
a reading when you move between cells. The system uses a form of
hysteresis so your SU doesn't flip back and forth between two cells
while you are on the "edge" between cell. Actually, there are no
real edges to the cells in an RF cellular system. There is a bit
of overlap between cells and the cell boundaries actually move over
time due to environmental factors. I.e. your SU might be
stationary and yet decide to move to a different cell due to a
stronger signal being seen from a different cell at a particular
point in time.
3) "They" can track your fine-grain movement while you are engaged in
a call or call setup. This is because an SU transmits the entire
time these activities take place. Note that call setup can be for
either incoming or outgoing calls.
The above appear to be the only times an SU will transmit in a
properly functioning analog cellular system.
Now, if we change the rules to allow an active "spoof" attack or
participation by the service provider, I speculate that specific
attacks against one or a few people (well, actually against their SUs)
could be waged to track their fine-grain movement:
4) Continuously inform the SU that an incoming call is waiting. The
user would get an indication of this attack since the phone would
"ring" to signal an incoming call. OTOH, perhaps, there is a way
to inform the SU that an incoming call is waiting without allowing
the phone to enter the final state where it begins to "ring". A
detailed study of the air interface and SU implementations would be
required to understand if the silent attack is possible. This
attack could target one SU. Even if direct indications were not
seen by the user, battery life would be shortened somewhat.
5) Continuously force the SU to "see" a different cell code, thus
forcing it to continuously reregister. The user would get no
direct indication during the attack. However, battery life would
be shortened somewhat. There may be protection in the SU to ensure
a minimum time period between reregistrations. However, this would
just limit the fineness of the tracking. Again, detailed study
would be required. This attack would appear to target multiple SUs
in a given area.
If you assume your attacker is capable of (4), (5) and similar tricks
and you have something to hide, then I suppose turning your SU off and
on is a wise course of action.
However, the coarse-grain (pin-point location but only at widely
dispersed points in time) tracking afforded by (1) and (2) seem like
minimal threats. If you are concerned by (3), then please remind me
why you are using the analog cellular phone system.
Regards,
Loren
[1] My informal study was conducted with a Motorola Micro TAC Lite SU
and an HP 2.9 GHz Spectrum Analyzer on 1/5/98 and 1/6/98. My
analog cellular service provider is Ameritech in the Chicagoland
area.
[2] Disclaimer: I personally work on research related to the iDEN
system (which is an advanced form of digital cellular with
dispatch services and packet data) being rolled out nationwide in
the U.S. by Nextel along with other local and international
operators. Motorola recently shipped the millionth SU for iDEN.
I am only speaking for myself. I have never worked on analog
cellular systems nor read its specification.
--
Loren J. Rittle (rittle@comm.mot.com) PGP KeyIDs: 1024/B98B3249 2048/ADCE34A5
Systems Technology Research (IL02/2240) FP1024:6810D8AB3029874DD7065BC52067EAFD
Motorola, Inc. FP2048:FDC0292446937F2A240BC07D42763672
(847) 576-7794 Call for verification of fingerprints.