Schneier on Security
A blog covering security and security technology.
« Jamming Aircraft Navigation Near Nuclear Power Plants |
| Watches a Security Threat »
September 29, 2005
Surveillance Via Cell Phones
It captures criminals:
Today, even murderers carry cell phones.
They may have left no witnesses, fingerprints or DNA. But if a murderer makes calls on a cell phone around the time of the crime (and they often do), they leave behind a trail of records that show not only who they called and at what time, but where they were when the call was made.
The cell phone records, which document what tower a caller was nearest when he dialed, can put a suspect at the scene of the crime with as much accuracy as an eyewitness. In urban areas crowded with cell towers, the records can pinpoint someone's location within a few blocks.
Should a suspect tell detectives he was in another part of town the night of the murder, records from cell phone towers can smash his alibi, giving detectives leverage in an interview.
I am fine with the police using this tool, as long as the warrant process is there to ensure that they don't abuse the tool.
Posted on September 29, 2005 at 11:36 AM
• 48 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Hmm...seems easy to game though. Professionals will realize this and just loan their mobile to an accomplice to make calls from another location, thereby setting up relatively strong alibi.
Note: You wouldn't even have to place a call. While your phone is turned on it maintains connectivity to the network even if no calls are placed or received.
Personally, I would just think of this as one more piece of telemetry, to be weighed in light of the sohpistication of the criminal behavior in question.
This is not "new". In San Diego a few years ago a trial for the murder of Danielle van Dam used records from Verizon to track the location of David Westerfield for the weekend when Danielle was first missing.
I listened to the trial on the radio and I believe it was helpful in the conviction of David Westerfield since it showed the freeways and highways he drove and the correlation to where witnesses claimed to have seen him and his RV. His odd travels from the beach to the dessert that weekend strenghten the idea that he was nevious and was trying to find a place where he could abuse and dump the body.
"Greg Sheets, a Verizon Wireless employee, details calls made to and from Westerfield's cell phone from Feb. 1 to Feb. 6"
"Westerfield told police he returned to the Silver Strand between 7:10 and 7:30 p.m. Sunday night. Sheets read jurors records showing that a call from his phone at 7:33 p.m. traveled through a cell tower in Mira Mesa, 22 miles from the beach. According to Sheets, calls are routed through the tower closest to the caller's location. If there is congestion, the calls are bounced to the next closest tower."
"I am fine with the police using this tool, as long as the warrant process is there to ensure that they don't abuse the tool."
I don't believe they are currently required to since the records are property of the phone company and the phone company can choose whether it wishes to cooperate with police.
"I don't believe they are currently required to since the records are property of the phone company and the phone company can choose whether it wishes to cooperate with police."
How would this be different from attaching a GPS unit to a persons car for surveilence? That is an activity which, I believe, does require a warrant.
The point is in a democratic society for the reasonable collection, use and disclosure of personal private information to follow an identified, legislated lawfully recognized purpose and no other. Well we just happened be recording your every move because your suspicious...you have nothing to hide, do you?
No warrant is currently required. All they need is a subpoena. (Actually, they don't even need that. They can just ask nicely, and if the phone company wants to they can turn over the records. And why wouldn't the phone company want to? Working nicely with the police is a goodness.)
"How would this be different from attaching a GPS unit to a persons car for surveilence?"
In Germany, the GPS unit wouldn't work if the suspect drove near a nuclear power plant :-)
Seems to work both ways. Wanted CIA agents were easily trailed by the Italians because of careless cell-phone habits:
"It wasn't their lavish spending in luxury hotels, their use of credit cards or even frequent-flier miles that drew attention. Instead it was a trail of casual cellphone use that tripped up the 19 purported CIA operatives wanted by Italian authorities in the alleged kidnapping of a radical Muslim cleric."
When in Rome...
Wait a minute! All of a sudden we ignore that as with digital signatures not being equal to signatures, cell phones are not equal to their owners? It is easy enough to "borrow" the phone, or given physical access for a short amount of time even to copy the SIM card. Furthermore, it is more than easy to register a phone in someone else´s name.
If we start to rely on such shaky evidence, we better start to be very afraid.
Will this give rise to Alibis-R-Us? FedEx them your cell phone with a timeframe you need an alibi for, and they will ensure that your phone gets used at Disneyland throughout that span. They'll mail your phone back afterward. But send cash, don't bill this to your credit card.
I am more and more frightened by the religious trust juries seem to have in technology.
How long before people get set up using these techinques?
It's not because my DNA is on the scene crime that I am the one who let it there! It's not because my cell phone (or should I say sim card?) was used that I was the one holding it!
Yeah, but there are _LOTS_ of ways to find out!
I have nothing to hide. Do you?
"It's not because my DNA is on the scene crime..."
And just how difficult is it to get a piece of your DNA? I believe you need look no further than the desk your sitting at for a strand of your hair.
The cell phone and the DNA together could surely hang you! At that point, you better hope you have a strong alibi. Even then, you have some 'splainin to do. :)
"I am fine with the police using this tool, as long as the warrant process is there to ensure that they don't abuse the tool."
I am fine with the police using this "tool", as long as they don't act like the rest of society and secretely record for porn. I don't care about warrants. Come and observe me all day long. Just protect me at an instant's notice.
"I have nothing to hide."
Tethered is a family name, then?
The UK Financial Times of the 2nd August 2005 [page 4 of the UK edition] reported that the UK police can ask mobile phone operators to download special software to a mobile telephone without the user’s knowledge or permission.
When this has been done the authorities can turn on the microphone of a mobile telephone and listen to any conversations in its vicinity. This capability only exists for mobile telephones which can accept downloaded software.
The telephone must be turned on for the microphone to be activated, but the user does not have to be making a call.
"The cell phone records, which document what tower a caller was nearest when he dialed, can put a suspect at the scene of the crime with as much accuracy as an eyewitness"
I hope the cellphone company engineers are pointing out to police the fact that a phone doesn't necessarily register with the nearest tower! It registers with the one with the strongest signal, which in a crowded urban environment can be a very different thing.
My phone is set up to display the name of the tower it is registering with, which can sometimes be quite interesting (well, it is if you're as geeky as I am). I used to work in an office that was high up a fairly tall skyscraper, and at my desk there my phone regularly registered with a cell that was nearly ten kilometres away. If stayed on the same floor but walked around to the other side of the building, it would register with another cell which was about five kilometres away, in the opposite direction.
Time of flight triangulation between multiple towers is a different story. THAT technique can give a very accurate record of the location of the device (although, as others have noted, not necessarily its owner), but needs to be set up specially because it is not part of normal operations. But merely looking at cell registrations will give only a very approximate idea of the location of the device.
"Tethered is a family name, then?"
Oh no, not at all. But Rose is.
And Bruce has my legitimate email address. :-P
What makes anyone confident that the phone companies will hold the records securely, so they cannot be tampered with?
Note: if your objective is to get your client acquitted, the falsification doesn't even have to be consistent - merely create enough doubt to damage the prosecution case. But if you want to get an innocent person framed, you'll have to work a little harder.
"Will this give rise to Alibis-R-Us? FedEx them your cell phone with a timeframe you need an alibi for, and they will ensure that your phone gets used at Disneyland throughout that span. They'll mail your phone back afterward. But send cash, don't bill this to your credit card."
Well, you've got some great points. Around 1998 or 1999 or so, some jackass with an Anger Management Problem sitting in traffic decided to get out of his car, reach into another persons car, grab the persons little dog, and throw it out into oncoming traffic.
I thought then would be a good time to put cameras in cars of those who wanted them, ship the video feeds up to our super cool satellite rings, and store that crap until someone needed it again.
The people who didn't want the cameras, should have the super cool satellites pointed SPECIFICALLY at their cars.
End of discussion.
cell phones automatically accepting and downloading software?! isn't this the ultimate way to build worm viruses for cell phones? some people have already cracked into computers and then used the built-in (laptop) or connected (desktop) microphone to spy on the individuals using that computer. this has also been done with webcams (camera phone anyone?)
So next time before someone commits a crime they'll just leave their phone far from the crime scene and then claim afterwards they were elsewhere.
Could you use this to create a good alibi?
How about if you setup your computer and mobile phone to call the victim around the time of the murder - from your home?
(Why would you use your mobile if you were at home? you can say you had just left your home to get a take-out when you felt the need to call your victim.)
You could leave a pre-recorded message if you wanted, but just having dialed the number would be enough.
After reading the article I have to say, I'm not very afraid of would-be murderers who are dumb enough to take a cell phone with them to the murder. How difficult is it to simply plan things ahead, and just leave the phones behind?
That's why the European Union is now pushing so hard into making data retention compulsory. It would allow police to access tracking information for everybody habing a cellphone. Of course, terrorism prevention is the excuse. In fact, the Madrid bombers were captured because one of their phones did not work, and that gave a trail leading to the gang' s hideout. BUT they didn't use any kind of tracking, just usual police routine (going after the phone seller, then his friends, buyers, etc).
But criminals are not stupid. You convict one criminal thanks to his phone, and the next one will be most careful to turn it off, leave it home or just dump it. This will only work as long as the criminals are unaware of this vulnerability. Is like cell phone surveillance: first the criminals thought it was untappable, now they know better.
Here in Norway this is basically part of every high profile case that is reported in the media. Several murder cases have substantial evidence based on the suspects movements with the cell phone, not just when calling but GSM phones register with the towers at regular intervals. In one case the location of the phone was pinpointed to the suspects bicycle after many expert reports and analysis about tower coverage under different conditions.
Even anonymous phones have been used as a call trail is followed to link the suspect to a given phone and then this phone is tracked using the towers.
In one case a 12 person team pulled of a robbery in one town where the local criminals were not believed to have the capacity for that kind of heist. I suspect that the police used analysis on multiple tower logs to identify suspicious phones as the travel pattern was pretty predictable.
The possibilities are endless, and clever criminals will probably come up with the patterns needed to work around all this in time.
Next weeks episode of "Spooks", (6th Oct, 21:00, BBC) gives us a brief and fictionalised look at this type of tracking and data correlation.
My take on this, is that this particular window of opportunity for the enforcement agencies is beginning to close as knowledge of its use becomes more widely known. As many have already commented here, professional criminals will be adapting their approach accordingly. Legal counsel will be working to discredit this type of evidence as unreliable.
I'm not sure it's even required that the suspect makes a call. At least on the GSM system, just having the phone switched on is enough, because it regularly "checks in" with the base station.
In the UK recently, Ian Huntley was convicted of the murder of two schoolgirls, partially on the evidence of mobile phone logs that placed him at the scene of the crime. He did not make or receive any calls.
I'm waiting for the day some terrorist uses a scarf or a t-shirt, threatening to strangle a passenger. We will all have to fly naked from that day on.
The cell phone provider I work for can use signal strength analysis from multiple towers at once to triangulate a position on a given handset. This requires handset activity, which can be generated by the network operator. This technique is more accurate when there is a higher density of stations around the handset. This occurs in higher population density areas.
This is worrying; another worrying cellphone-related technology is this:
Find the location of a mobile phone, anywhere in the UK; 21st century surveillance tech for the home market. Of course, this provider restricts the service; there are other providers however.
Belarusian police is using mobile phones tracking in their investigations since ~1996-98. But they are most advanced in this field in Eastern Europe, IMHO. Currently, they are able to build list of phones that were around place of crime in 30-40 mins, list of phones that where switched on/off around time of crime with locations and so on.
To rik: AFAIK, triangulating is the only method to find a location of a mobile phone. If i'm wrong, it would be very interesting to hear about other methods.
Regrettably, it doesn't take much intelligence to crush someone's skull with a blunt object. Additionally, the majority of murders (at least in my country) are committed in a "moment of passion" and hence it is not surprising that the perpetrator doesn't think ahead. Arguably you should fear this type _more_, since they are less likely to rationally evaluate either the nonviolent alternatives or the consequences....
Anecdotal evidence, at least, supports the view that popular entertainment about investigative techniques does indeed result in criminals attempting to circumvent those methods. Maybe we should ban CSI. Or require them to insert a certain a certain proportion of disinformation. 8^)
Oh, is this CDMA? In normal operations CDMA towers "diversify" signal delivery to the phone from multiple towers according to signal strength, but do so in a way which enables a record of time of flight from each tower to be easily recorded (to an accuracy of 0.8 microseconds, or 244 metres, for IS-95 CDMA). To the best of my knowledge, this is not true of GSM which requires special additional equipment to do this -- but I stand to be corrected.
"Currently, they are able to build list of phones that ... where switched on/off around time of crime..."
This is an interesting point. Most people rarely switch off their phones unless the battery is nearly flat, or if going into a theatre or restaurant. But otherwise it stays on all the time "in case I miss a call". In that case, people who switch off just before a crime occurs, and a little outside the area it occurs, are considerably more likely than average to be criminals who are a little bit smarter than average. Very clever, those Belarusian police. But now you've given the game away 8^(
According to this article on the BBC website, the microphone in any mobile phone can be remotely activated so it starts silently transmitting nearby conversation to the network:
"But today's spies are also able to convert conventional phones into
bugs without the owners' knowledge.
So provided it is switched on, a mobile sitting on the desk of a
politician or businessman can act as a powerful, undetectable bug. The technology also exists to convert land line telephones into covert
This is from the BBC, not a nutty conspiracy website...
Yes, it's possible! In Italy, where i live, police just use tracking cells ops to monitoring suspects. Consider that we have 1 cell x person, and...bye privacy!
The whole 'cell phone bug' thing is blown out of proportion. You can't just turn on the microphone of any cellphone using a special magic code; what the BBC article is actually talking about is that most mobile phones can have their ringers turned off and be set to automatically answer an incoming call, which makes bugging very easy. Just place the cellphone in the room you want to listen in to and call it. It will silently answer and allow you to listen in. Also, if you buy a 'pay as you go' phone with cash, it can't be traced to you, especially if you call it from another pay as you go phone.
I know you are trying to start a flame war. So do I: If you have nothing to hide, please never lock your house. Nor your car. And please, never ever wear clothes. (If you find these arguments silly, then look again at your single-sided Anger Management message).
I seem to recall at least one "alibis R us" service being marketed to relationship "cheaters", but it involved actually pairing up "newfound friends" to send cover messages or somesuch.
DNA evidence can certainly be abused, but it can also be challenged in court just as any other evidence can. Remember, "DNA evidence" is just shorthand for "forensic evidence whose attribution involves DNA-matching". AFAIK, even photographic "evidence" was never admissible in US courts "on its own merits"; It needs to be attested to, under oath, by a human witness. (I.e., "This image is a faithful representation of what I saw...") DNA evidence should be held to at least as much scrutiny.
Also, abuse-of-evidence issues have at least as much to do with the local regime's policies as they do with the nature of the evidence. Consider how long, and how badly, US cops have been corrupted by the so-called "War on Drugs".
Although no warramt m,ay be required, making the request to the telephone company requires authority from about 2 steps higher than god. There is oversight.
Don't forget enhanced 911 enabled handsets with GPS.
My LG VX6000 has as GPS receiver in it. It gives me the option to leave it on all the time (the factory configuration) or have it on only when 911 calls are made. Do I beleive that it is really off when I'm not calling 911... Not really.
You are sort of wrong, but not completely. GPS can be built in to a phone, but mostly isn't. More likely is "triangulation" based on the need of the network to know your exact distance for syncronisation reasons. This is better than signal strength based triangulation. Even better is a combined system, especially one which uses measurements sent by the mobile.
The other thing to add is that in any mobile network there needs to be information about where the subscriber is so that they can be paged. Your phone will actively contact the network whenever it moves from area to area.
Finally, due to the needs of "location based services", it's possible to actively contact the mobile to get it to send appropriate information. This may well be invisible to the user.
I know of a publishing house around here which uses these functions to track their sales staff (with their "written consent" (or else)). They require staff to keep their phone on at all times.
Some basic general coverage of the background is in Wikipedia:
Almost full details for GSM and WCDMA systems are online at
In general American systems will have at least as advanced systems since user location for "emergency services" has long been a much higher priority there.
Actually the manual is quite clear that the phone uses GPS...
"Menu for GPS (Global Positioning System: Satellite
assisted location information system)mode."
"NOTE: GPS satellite signals are not always
transmitted, especially under bad atmospheric
and environmental conditions, indoors or
The government has always limited the amount of encryption allowed on over the air transmissions.
We are contacting you with the aim of making some purchase from your company.
Send a return email to us with the following details:
If you can ship out of your country Shipping destination Abidjan, Ivory Coast with Fedex, UPS, Chronopost and DHL Do you have a minimum order.
Do you accepts credit card as a method of payment ( Visa, Master & Amex)
We are looking forward to hearing from you with regards to our request.
Mr. Sam Jombo
Abidjan, Ivory Coast.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.