9 January 1998: Update 2:
3 January 1998: Update
1 January 1998
Date: Tue, 30 Dec 1997 18:11:45 +0000 To: ukcrypto@maillist.ox.ac.uk From: T Bruce Tober <octobersdad@reporters.net> Subject: Mobile Phone Cell Location Surveillance Acknowledged If they can track our movements via our mobile phones, what are the privacy and other implications when they start playing with our crypto as jack (the junkie's dad, allegedly) s***w starts playing with our rights to use crypto? ------- Forwarded message follows ------- BTW: this technique is reputed to be used in North America as well. Tracking of Swiss mobile phone users starts row ZURICH, Dec 28 (Reuters) - Swiss police have secretly tracked the whereabouts of mobile phone users via a telephone company computer that records billions of movements going back more than half a year, a Sunday newspaper reported. The revelation in the SonntagsZeitung newspaper triggered objections from politicians and the country's privacy ombudsman about high-tech snooping on citizens who like the convenience of a mobile phone. Officials from state telephone company Swisscom confirmed the practice, but insisted information about mobile customers was only handed out on court orders. ``Swisscom has stored data on the movements of more than a million mobile phone users. It can call up the location of all its mobile subscribers down to a few hundred meters and going back at least half a year,'' the paper reported. snip But it quoted Toni Stadelmann, head of Swisscom's mobile phone division, as saying: ``We release the movement profile of mobile telephone customers on a judge's order.'' SonntagsZeitung said there was no legal basis for storing such information. ``I am unaware of any law that would allow the preventative collection of data for investigative purposes,'' it quoted Odilo Guntern, the federal ombudsman for protecting individuals' privacy, as saying. ``Secretly collecting data is highly problematic,'' added Alexander Tschaeppat, a judge and member of the lower house of parliament. <snip> tbt -- -- |Bruce Tober, octobersdad@reporters.net, Birmingham, England +44-121-242-3832| | Freelance PhotoJournalist - IT, Business, The Arts and lots more | |pgp key ID 0x94F48255. Website - http://www.homeusers.prestel.co.uk/crecon/ |
To: cryptography@c2.net Date: Tue, 30 Dec 1997 19:08:09 +0000 From: David M Walker <davidw@datamgmt.com> Subject: Mobile phones used as trackers The following article appeared on 29th December 1997 in the Times (http://www.sunday-times.co.uk). I am the Technical Architect for the Swisscom Mobile Data Warehouse project and comment below ... ----------------------------------------------------------------- Mobile phones used as trackers BY MICHAEL EVANS AND NIGEL HAWKES MOBILE PHONES can be used as tracking devices to pinpoint users within a few hundred yards, according to a report yesterday. Sonntags Zeitung, published in Zurich, said Swiss police had been secretly tracking mobile phone users through a telephone company computer. "Swisscom [the state-owned telephone company] has stored data on the movements of more than a million mobile phone users and can call up the location of all its mobile subscribers down to a few hundred metres and going back at least half a year," the paper reports, adding: "When it has to, it can exactly reconstruct, down to the minute, who met whom, where and for how long for a confidential tte--tte." Swisscom officials confirmed the practice but said information about mobile phone customers was handed over only on production of a court order. The newspaper claimed that about 3,000 base stations in Switzerland tracked the location of mobile phones as soon as they were switched on. Renato Walti, an investigating magistrate in Zurich who specialises in organised crime, told the paper: "This is a very efficient investigation tool." Toni Stadelmann, head of Swisscom's mobile phone division, is quoted as saying: "We release the movement profile of mobile telephone customers on a judge's order." In Britain, six mobile phone companies are understood to have arrangements with law enforcement agencies to provide coding information on individual phones used by suspected terrorists or serious criminals, but there are legal and procedural restrictions. As in all intelligence and police work, according to one intelligence source, technical surveillance is carried out only for what the source described as "focused" operations on key individuals. "Some people might think the law enforcement authorities are tracking every mobile phone user, but that is complete nonsense. We have to have our antennae out to get the critical leads, but once we've got a lead we focus on that individual and a lot of effort goes into filtering out extraneous information." Earlier this year there was a row in Australia when police admitted that they were using the mobile phone network to keep track of known criminals. Signals emitted by the criminals' phones and picked up by local base stations were being used to pinpoint people, providing "a very valuable investigative tool", according to Sergeant Frank Helsen of the New South Wales Police Service Crime Data Centre. The method worked even if the phones were not in use, since they emit signals automatically every half hour. Data collected by the phone companies whose base stations pick up these calls was being reconstructed to pinpoint the whereabouts of the phone users. Chris Puplick, the chairman of the New South Wales Council for Civil Liberties, protested that walking around with a mobile phone was "like walking around with a beeper or an implanted transmitter". In the Australian case, the mobile phone companies said that they did not routinely keep the data from phones but would do so if a warrant were issued in advance. The police service declined to say how often this happened. In the Swiss case, it appears that the data is automatically recorded. ------------------------------------------------------------------ It is true that while a call is in progress the person can be tracked with standard radio tracking techniques. It is also true that Phone Companies store the Call Data Record (CDR) for billing and marketing purposes. Most Telcos now try to store 18 months of this data (Swisscom will be about 2Tb of info after 18 months). The CDR contains the base station or cell that was being used (remember that a user in a car is likely to pass through many cells. Cells overlap depending on location and may be small (a square kilometer in a town) or large (fifty square kilometers in open flat countryside). But the statement: "Swisscom [the state-owned telephone company] has stored data on the movements of more than a million mobile phone users and can call up the location of all its mobile subscribers down to a few hundred metres and going back at least half a year," the paper reports, adding: "When it has to, it can exactly reconstruct, down to the minute, who met whom, where and for how long for a confidential tte--tte." is totally implausable, we have enough problems with the volume of CDR data as it is without storing the radio direction info as well. It is well known that subscribers may also not be the user, e.g. a man may be a subscriber twice, but may give one phone to his wife - so who is using the phone and how do you know that ? Furthermore Swisscom have a service called 'Natel Easy-Go' where you can pay cash for a pre-paid mobile phone. Unless the person pays by credit card to re-charge the prepayment element you don't even know who the subscriber is ! Finally the Police in most countries do use the CDR information from Telcos both mobile and fixed line, and in most countries it is controlled by court order. Even the limited information that I have described as being available helps catch criminals, who like all of us are creatures of habit and normally just pick up the nearest phone ! davidw
To: cryptography@c2.net Date: Tue, 30 Dec 1997 15:54:29 -0500 From: Lenny Foner <foner@media.mit.edu> Subject: Mobile phones used as trackers It is not completely unreasonable that the Swiss might be tracking phones to tens or hundreds of meters; there are US companies whose business it is to make such solutions available for celphone 911 response and "law enforcement purposes" (as they put it). As to whether they really -are- doing so, that's for someone else to say. See http://www.trueposition.com/tdoa.htm .
To: cryptography@c2.net Date: Tue, 30 Dec 1997 14:36:22 -0800 (PST) From: Phil Karn <karn@qualcomm.com> Subject: Re: Mobile phones used as trackers The article almost certainly refers to what the industry calls "registration messages". These let the cellular network know which cell you're in so incoming calls can be delivered directly to your cell. Cellular registration works much like bridging in an Ethernet network. If the mobile has been heard from recently, the network can direct that mobile's pages (incoming call notifications) to the cell in which the mobile was last heard. Otherwise, the network can "flood page" the mobile in all cells in the system. Registration usually occurs when a cell site invites the mobiles in its area to register themselves. This is an "explicit" registration. This can occur automatically and completely without warning at any time the phone is turned on. (Some phones, such as my Motorola Micro TAC Lite, emit a soft click from the receiver when they register due to mild RF interference from the transmitter to the audio circuits, but this is clearly not a design feature.) Implicit registration occurs when you make a call, much as it happens when you send a packet in a bridged Ethernet network. Registration is technically a carrier option. And it's a tradeoff between decreased paging traffic and the overhead of the registration traffic itself. But as cellular networks get larger, individual cells get smaller and call traffic increases, the improved efficiency becomes quite compelling. Intrasystem registration now seems pretty much universal, at least in the US. My AMPS carrier here in SD, GTE, requires a registration before it will even try to deliver a call -- i.e., there seems to be no flood paging at all. Registration is *mandatory* when intER-carrier roaming is involved. Some comments on the privacy implications of registration: 1. In my opinion, cellular registration is one of the most problematical privacy issues in modern telecommunications. Unlike the actual contents of a call, which can at least in theory (if not in practice) be end-to-end encrypted against interception in the network, registration information is user-to-network. The network needs that information to do its job efficiently. I don't see how cryptography can help here. 2. There is, however, no justification for *logging* registration information. When the network wants to deliver a call to you, it needs to know where you are *now* -- not where you were an hour or a day ago. This seems like a good point on which to make policy. 3. Registration does actually provide one minor privacy enhancement over flood paging. With flood paging, an RF eavesdropper anywhere in the system can build a complete log of your incoming calls. With registration, he has to be in the same cell with you. The only countermeasure I can think of against registration tracking is to keep your cell phone turned off anywhere you don't want the world to know you've visited. One alternate way to receive your calls is to carry a (one way!) pager. When you get a page, you then have the option of turning on your cell phone (and revealing your location), or returning the call on a pay or conventional telephone. Even the latter technique runs the risk of having telephone call detail records cross-correlated against a log of your pager messages, since the latter are invariably in the clear. Phil
To: cryptography@c2.net Subject: Re: Mobile phones used as trackers Date: Tue, 30 Dec 1997 17:55:50 -0500 From: "Perry E. Metzger" <perry@piermont.com> Phil Karn writes: > 1. In my opinion, cellular registration is one of the most > problematical privacy issues in modern telecommunications. Unlike the > actual contents of a call, which can at least in theory (if not in > practice) be end-to-end encrypted against interception in the network, > registration information is user-to-network. The network needs that > information to do its job efficiently. I don't see how cryptography > can help here. Well, perhaps it could. In theory, Chaumian anonymous digital credentials could make it possible for one to design a protocol that permitted calls to be made anonymously and yet without fraud. On the other hand, such a protocol would not permit users to *receive* calls without being traced. However, perhaps some sort of cryptographic protocols could be used to reduce exposure here, too. The real problem, however, is not the possibility of using such protocols to increase privacy, but the lack of respect for privacy among the providers and, more importantly, in the government. As you point out, simply not logging location information would be sufficient to assure privacy, but we lack the will as a society to demand that. Perry
To: cryptography@c2.net Date: Tue, 30 Dec 1997 23:26:20 +0000 From: Ben Laurie <ben@algroup.co.uk> Subject: Re: Mobile phones used as trackers Phil Karn wrote: > The only countermeasure I can think of against registration tracking > is to keep your cell phone turned off anywhere you don't want the > world to know you've visited. Actually, you need to take the batteries out. My previous mobile (a Nokia 2100) audibly interfered with land lines (or perhaps my headset), and I have caught it registering itself when it is nominally off. I haven't noticed my current phone (a StarTAC [which I would happily exchange for a very light 2100]) doing it, but I haven't checked... Cheers, Ben. -- Ben Laurie |Phone: +44 (181) 735 0686|Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author A.L. Digital Ltd, |http://www.algroup.co.uk/Apache-SSL London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
To: cryptography@c2.net Date: Tue, 30 Dec 1997 18:06:43 -0800 (PST) From: Phil Karn <karn@qualcomm.com> Subject: Re: Mobile phones used as trackers >It is not completely unreasonable that the Swiss might be tracking >phones to tens or hundreds of meters; there are US companies whose >business it is to make such solutions available for celphone 911 >response and "law enforcement purposes" (as they put it). As to >whether they really -are- doing so, that's for someone else to say. As someone who has looked at how to do positioning for the FCC's upcoming cellular 911 requirements, I can say that while several workable approaches exist, it's just not all that easy to do *reliably*. Even CDMA, which has a waveform not unlike GPS, has problems with multipath reflections in urban environments. So I suspect the article refers to being able to locate a user to a cell, or to a sector of a multi-sectored cell. After all, that's precisely the resolution the network needs to deliver your calls, and to hand you off during calls. Depending on the size of the cell or sector, you end up knowing the user's location to anything from hundreds of meters in densely populated areas to many km in rural or mountainous areas. See the various books on the hunt for Kevin Mitnick for insights into how cellular users can be located. They started with a cell/sector ID (and a channel number) from the switch. This gave the approximate area to begin using conventional RF direction finding techniques that many hams will recognize from "fox hunting" contests. Phil
JYA Note: Two of the Kevin Mitnick books are: "Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw -- By the Man Who Did It," by Tsutomu Shimomura, with John Markoff, Hyperion, New York, 1996, 324 pp. ISBN 0-7868-6210-6. "The Fugitive Game: Online With Kevin Mitnick, the Inside Story of the Great Cyberchase," by Jonathan Littman, Little Brown, New York, 1996, 383 pp. ISBN 0-316-52858-7.
To: cryptography@c2.net Date: Fri, 2 Jan 98 02:55 GMT+0100 From: 3umoelle@informatik.uni-hamburg.de (Ulf Möller) Subject: Re: Mobile phones used as trackers >Well, perhaps it could. In theory, Chaumian anonymous digital >credentials could make it possible for one to design a protocol that >permitted calls to be made anonymously and yet without fraud. On the >other hand, such a protocol would not permit users to *receive* calls >without being traced. However, perhaps some sort of cryptographic >protocols could be used to reduce exposure here, too. One approach is to use a decentralized trusted database for location management. The confidential information (the location information or an ephemeral pseudonym) might be stored in a computer at the user's home. This technique can be combined with the usual protocols for untraceable communication. This is discussed in a number of papers by H. Federrath and others: D. Kesdogan, H. Federrath, A. Jerichow, A. Pfitzmann: Location Management Strategies increasing Privacy in Mobile Communication Systems; IFIP SEC '96, Proceedings of the IFIP TC11, 39-48. http://www.semper.org/sirene/lit/abstr96.html#FeJP1_96 H. Federrath, A. Jerichow, A. Pfitzmann: MIXes in Mobile Communication Systems: Location Management with Privacy; Information Hiding 1996, 121-135. http://www.semper.org/sirene/lit/abstr96.html#KFJP_96 H. Federrath, A. Jerichow, D. Kesdogan, A. Pfitzmann, O. Spaniol: Mobilkommunikation ohne Bewegungsprofile; it+ti 38 (1996) 4, 24-29. http://www.semper.org/sirene/lit/abstr96.html#FJKP_96 The issue of anonymity with mobile phones is also discussed in: A. Herzberg, H. Krawczyk, G. Tsudik: On Travelling Incognito. http://www.isi.edu/~gts/paps/hkt94.ps.gz
To: cryptography@c2.net, Subject: Re: Mobile phones used as trackers From: Andreas Bogk <andreas@artcom.de> Date: 01 Jan 1998 23:17:13 +0100 >>>>> "Phil" == Phil Karn <karn@qualcomm.com> writes: Phil> So I suspect the article refers to being able to locate a Phil> user to a cell, or to a sector of a multi-sectored cell. Phil> After all, that's precisely the resolution the network needs Phil> to deliver your calls, and to hand you off during calls. Well, in the case of GSM, the propagation delay between the terminal and the cell is measured and compensated in order to have tighter timeslot boundaries. The resolution of this measurement is about 500 meters. Andreas -- This story whether grounded in fact or not has been sanctioned by the print mass media. It therefore is the truth.
To: cryptography@c2.net Date: Fri, 2 Jan 1998 15:50:09 -0800 (PST) From: Phil Karn <karn@qualcomm.com> Subject: Re: Mobile phones used as trackers >Well, in the case of GSM, the propagation delay between the terminal >and the cell is measured and compensated in order to have tighter >timeslot boundaries. The resolution of this measurement is about 500 >meters. IS-95 CDMA uses a chipping rate of 1.2288 Mc/s, which is roughly comparable to the GPS C/A code (1.023 Mc/s). So one would think it could do as well as GPS in locating users, but there are problems. As a passive (receive-only) system, GPS requires that you see 4 satellites to determine the four unknown values (latitude, longitude, altitude and clock offset -- the latter being required even if you're only interested in the first three). Active closed-loop ranging systems (e.g., Qualcomm Omnitracs and some proposed cellular ranging schemes) can use fewer measurements because any clock offset cancels back at the sending station. But you are often plagued by multipath propagation problems in urban environments. Spread spectrum is good at dealing with the adverse effects of multipath when you're communicating. But when you're also ranging, you need that direct (unreflected) component so you can get an accurate time delay measurement. And most of the time in urban canyons you simply don't have a direct component to work with; it's all multipath. Phil
Date: Tue, 6 Jan 1998 04:07:24 -0600 From: "Loren J. Rittle" <rittle@supra.rsch.comm.mot.com> To: cypherpunks@cyberpass.net Subject: Re: Mobile phones used as trackers In article <199801012054.PAA25297@users.invweb.net>, "William H. Geiger III" <whgiii@invweb.net> writes: > It is my understanding that they can still track you with the cell phone > turned off so long as there is power going to the box (most auto cell > phones are hardwired into the cars electrical system). This is the funniest thing I have read in some time. Assuming you watch the show, I think you may have watched too many episodes of the X-Files (TM). When the subscriber unit (SU a.k.a. the cellular phone) is turned off, "they" can't track you. Now, it is possible that some cars have built-in SUs that automatically power-on whenever the car is started. In this case, the SU is clearly turned on and the user knows it. Analog cellular phone systems in the U.S. only force the SU to transmit when they need too. As someone else already mentioned, from the perspective of cellular system operators, bandwidth is in short supply. The cellular system operators wouldn't stand for a bunch of unneeded transmissions "just to track location". Based upon my own personal informal study [1] and some past knowledge of cellular-type systems [2], in general, I believe the following about analog cellular systems fielded in the U.S.: 1) "They" might be able to get a location reading at power-on time. The SU will check to see if it is being powered on within a different cell than it was last registered. If the cell is different, then the SU transmits a message on the cell's control channel to reregister. If the SU believes it is in the same cell, then it doesn't transmit anything at power-on time. If the SU transmits, it will be a very short burst. This would allow an attacker to see your location at power-on time. 2) When your SU is on, "they" can track your cell-to-cell movements. Cells are on the order of 1-10 miles in diameter. The more populated the area (actually, the more likely the system is to be used in an area), the smaller the cell size. "They" will only get a reading when you move between cells. The system uses a form of hysteresis so your SU doesn't flip back and forth between two cells while you are on the "edge" between cell. Actually, there are no real edges to the cells in an RF cellular system. There is a bit of overlap between cells and the cell boundaries actually move over time due to environmental factors. I.e. your SU might be stationary and yet decide to move to a different cell due to a stronger signal being seen from a different cell at a particular point in time. 3) "They" can track your fine-grain movement while you are engaged in a call or call setup. This is because an SU transmits the entire time these activities take place. Note that call setup can be for either incoming or outgoing calls. The above appear to be the only times an SU will transmit in a properly functioning analog cellular system. Now, if we change the rules to allow an active "spoof" attack or participation by the service provider, I speculate that specific attacks against one or a few people (well, actually against their SUs) could be waged to track their fine-grain movement: 4) Continuously inform the SU that an incoming call is waiting. The user would get an indication of this attack since the phone would "ring" to signal an incoming call. OTOH, perhaps, there is a way to inform the SU that an incoming call is waiting without allowing the phone to enter the final state where it begins to "ring". A detailed study of the air interface and SU implementations would be required to understand if the silent attack is possible. This attack could target one SU. Even if direct indications were not seen by the user, battery life would be shortened somewhat. 5) Continuously force the SU to "see" a different cell code, thus forcing it to continuously reregister. The user would get no direct indication during the attack. However, battery life would be shortened somewhat. There may be protection in the SU to ensure a minimum time period between reregistrations. However, this would just limit the fineness of the tracking. Again, detailed study would be required. This attack would appear to target multiple SUs in a given area. If you assume your attacker is capable of (4), (5) and similar tricks and you have something to hide, then I suppose turning your SU off and on is a wise course of action. However, the coarse-grain (pin-point location but only at widely dispersed points in time) tracking afforded by (1) and (2) seem like minimal threats. If you are concerned by (3), then please remind me why you are using the analog cellular phone system. Regards, Loren [1] My informal study was conducted with a Motorola Micro TAC Lite SU and an HP 2.9 GHz Spectrum Analyzer on 1/5/98 and 1/6/98. My analog cellular service provider is Ameritech in the Chicagoland area. [2] Disclaimer: I personally work on research related to the iDEN system (which is an advanced form of digital cellular with dispatch services and packet data) being rolled out nationwide in the U.S. by Nextel along with other local and international operators. Motorola recently shipped the millionth SU for iDEN. I am only speaking for myself. I have never worked on analog cellular systems nor read its specification. -- Loren J. Rittle (rittle@comm.mot.com) PGP KeyIDs: 1024/B98B3249 2048/ADCE34A5 Systems Technology Research (IL02/2240) FP1024:6810D8AB3029874DD7065BC52067EAFD Motorola, Inc. FP2048:FDC0292446937F2A240BC07D42763672 (847) 576-7794 Call for verification of fingerprints.