Schneier on Security
A blog covering security and security technology.
May 27, 2008
Tracking People with their Mobile Phones
Not that we didn't think it was possible:
The surveillance mechanism works by monitoring the signals produced by mobile handsets and then locating the phone by triangulation, measuring the phone's distance from three receivers.
The Information Commissioner's Office (ICO) expressed cautious approval of the technology, which does not identify the owner of the phone but rather the handset's IMEI code -- a unique number given to every device so that the network can recognise it.
But an ICO spokesman said, "we would be very worried if this technology was used in connection with other systems that contain personal information, if the intention was to provide more detailed profiles about identifiable individuals and their shopping habits."
Only the phone network can match a handset's IMEI number to the personal details of a customer.
Path Intelligence, the Portsmouth-based company which developed the technology, said its equipment was just a tool for market research. "There's absolutely no way we can link the information we gather back to the individual," a spokeswoman said. "There's nothing personal in the data."
Liberty, the campaign group, said that although the data do not meet the legal definition of 'personal information', it "had the potential" to identify particular individuals' shopping habits by referencing information held by the phone networks.
Seems to me that the point of sale is a pretty obvious place to match the location of an anonymous person with an identity.
EDITED TO ADD (6/13): More info.
Posted on May 27, 2008 at 12:57 PM
Seems to me where people sleep is another pretty obvious place.
If there's no personal information included, how valid is your market research?
Cell phones don't go shopping, their owners do. A faceless data set would then only be of use in determining through-the-door numbers at a given store or location, and not actual demographics. Then again, if you can track me from a neighborhood to a mall, you *do* have some rather personal information.
On a side note, "Don't worry, it doesn't do x," is the kind of response that encourages worry.
As a non-security related example, we were set to switch to a new tape format here at the station for our evening newscast. The engineer in charge was walking about looking really chuffed with himself.
"Did you check the audio?" I asked.
"Don't worry, everything's fine," I was told.
I collared the audio board operator and loaded a tape. "Can you hear both channels?"
He couldn't hear a damned thing. Zero. Zilch. Nothing. Much panic ensues.
The problem got fixed before airtime, but if everyone had gone with the 'don't worry' line, we'd have crashed and burned.
(No one said, 'hey, thanks for catching that, Nick,' either.)
"Only the phone network can match a handset's IMEI number to the personal details of a customer."
How long before the phone companies see the profit potential in selling access to an IMEI indexed database? Will the information become personal then?
This doesn't surprise me in the least. I was on a research team working on multiple ways of tracking wireless (802.11) users. The basic same techniques we used for tracking wireless users are used here. These techniques have been around for quite awhile.
I can say from personal experience that replacement phones aren't automatically added to a user's credentials, as I had trouble getting BS&S to acknowledge my replacement handset as my own, even with it in my hand calling them.
So, the company would have to be responsible for maintaining records of changed handsets for the above to be of any real issue.
What a case of bulls*it: They only need another receiver at the cashier's desk and can match the data with the credit card information.
I think users will soon be given the opportunity to register their cellular devices as part of consumer loyalty programs. Sort of a replacement for the cards they now issue at grocery stores, shoe stores, etc. They will make it easy to sign up, and most people will do so as it would be so convenient.
"A shopping mall could, for example, find out that 10,000 people were still in the store at 6pm ...."
That's a big store!
Whatever happened to digital cash, anyway? Did we as a society decide that that's a level of anonymity/security we don't need? Or was it one of those things like DRM that just can't work?
Looks like a job for the iRobot "Jamba" - when you enter the mall you put your cellphone in here and it makes a random path thru the mall til you hit your remote button and it brings it back to you.
Parking lots (license plate cameras, tpms, blah blah blah) are also a good place to do those matches.
The article points out that the cost for simply gathering the location data is roughly $500K a year. Double or quadruple that for the hardware, software and personnel to actually look at the data and start figuring out what it means; that is not the kind of money a mall spends simply to estimate how many customers are where at closing time, or which language the most common group of tourists speaks.
How accurate is this? My Blackberry, with Google maps on it, claims to tell me where I am by (I think) this method, to within 1700 meters. Sometimes my real location is within the 1700m circle, sometimes not. Usually it is close to the perimeter, and usually the claimed location is closer to the nearest tower than the real location.
I am in upstate NY, probably not within range of 3 towers most of the time.
It bothers me that the company claims there's no way they can tie the information to a specific person. I can think of several ways.
Like Bruce said, you can track IMEI proximity to the register at the time a purchase is made.
You could also correlate the time and order purchases are placed with the time each IMEI leaves the store.
Or someone investigating you after the fact could find your face on a security camera and check the IMEI tracking records to see which number was in that spot at that time.
It's like advertising cookies on the internet, it's just an "anonymous" number until someone correlates the data and ties that information together.
The US government has decided there is not going to be anonymous (real anonymity; pseudo-anonymity is OK) digital cash. If anyone tried it they'd be shut down for enabling money laundering.
It bugs me when people assure people that they are completely anonymous, when it is clear that they aren't.
The latest example was where I work we were sent a survey and were told submissions were anonymous for a number of unverifiable technical reasons. I recommended that next time they just have a statement promising to not try to match people up with the surveys instead of trying to include technical statements about things that were unverifiable by the people filling out the surveys. (And in fact didn't take all of the ways you might track a survey back to the submitter.)
@David Mery: the second of those Spy Blog posts highlights some important extra information. It turns out the Times article was inaccurate in at least one respect: the system uses "Temporary Mobile Subscriber Identity" (TMSI) not IMEI numbers. This makes it more anonymous, though not enough to make me change my mind about its general creepiness! (My thoughts on the matter are here: http://www.richardskingdom.net/... ).
Strangely, what annoys me the most about these pitches is that now that we've acknowledged the existence of the IMEI information, the telcos still won't help track a stolen phone.
The large mobile carrier I used to work for routinely screwed up and sent way more data than was needed to third parties. I would not be surprised if lots of IMEI/ESN/MEID values are tied to, if not account holders or subscriber names, at least phone numbers.
OTOH, you don't have to worry totally, as very often the phone company is too stupid to know who the subscribers are. The sub id field is null, or populated with the account holder name. Might be your wife, the company you work for, or anything not /quite/ accurate.
IIRC, the GNU software radio project was doing something similar with a $500 piece of equipment...
At that price level, almost every store could afford a scanner. Given enough data points it would be fairly trivial to state that x set of people were in y store at z time and then keep on looking for overlaps in subsequent data. (Set theory I'd guess)
Also, given a known set of locations for a certain individual I'm sure you could do certain extrapolations to guess where they were heading based on their vectors. (Think predicting future locations based on their previous GPS track if you know the possible routes they may take.)
I'm sure we all can guess how accurate you could make these devices if you start using stuff like overlapping directional antennas. While you wouldn't be able to get a distance, you should be able to get bearings from known locations.
Personally, I think it's a potentially frightening technology and it's just going to make more people change their phones more often, since any data collected can potentially be acquired by LEOs.
Question: How can a phone service comply with legal requirements to provide "911" localizability without including identifying information within the process?
Personally, I think this is more bellyaching about "technological intrusions on privacy". I think it just comes with the territory of cell phones and if you don't want to be subject to it, don't use a cell phone. If that's too inconvenient, sorry.
From what I know, most people are two-headed about this. Yes, they'll bemoan loss of privacy in the abstract, but if the hand over of information is accompanied by tangible payback, they'll give it up then.
If it's not cell phones, it'll be the little devices that'll be in everything with you soon, and you'll not know these are even there, let alone what they are doing.
Also, while collecting information for location of droves of people might seem pointless without ties to identifying information and shopping habits, there's lots of sociology that can be done using these trajectories, some of which informs marketing, some of which is just useful, some of which is ancillary. (Like being able to monitor vehicle traffic flow cheaply.)
There are other contexts where intrusive monitoring is done yet people don't balk, like casinos.
The phone OS has to know the IMEI number of the device and there are methods available on almost all devices for software to retrieve the IMEI number [ e.g. http://mobilepit.com/10/... ] and in some cases the built in web browser on the device _advertises_ the IMEI as part of the user agent string of the native browser [ http://blog.trasatti.it/2005/07/... ] so if you can get someone to either run an app of your choice or access a website of your choice then you can probably tag the IMEI number to other identifying information with ease.
I've built systems that used the relationship between IMEI numbers and a known user identity to provide a layer of access control for mobile services and as far as I'm concerned connecting the two is child's play. Anyone who claims otherwise is either too stupid to be making the claim or lying.
Yeah, it's pretty obvious that if you can track them at all, then you can track them to a place where they live. Even if you can't identify the exact house, it's still IMMENSELY useful to know what street, because that pretty much identifies their demographic.
As for this being useless without identifying information, I completely disagree. It's immensely valuable to know how people wander through the mall -- what displays they stop at, and what stores they go into, (what they stores they avoid), and how long they spend at each location.
"Question: How can a phone service comply with legal requirements to provide "911" localizability without including identifying information within the process?"
It can't. There's a difference, though, between the phone company providing identifying information about me when I ask them to, like when I dial 911, and doing so without my knowledge or consent.
To the extent that this system is simply tracking the movements of the phones without linking the phone to its owner, it's possibly useful information that violates no one's privacy. The problem is the possibility of going beyond that, simply because it can be profitable. (Isn't capitalism inherently good?)
I'm reminded of a certain scene in the movie "Minority Report", where the shopping mall is tracking Tom Cruise and offering him personal advertisements based on some magical remote scanning of his irises.
Well, as we spend most of our time at home, it is not difficult to match a cellphone owner with an address... Just check the position of the cellphone at night, around 4-5 AM.
Way back when, when the evil Republicans took control of Congress during the Clinton administration, didn't some anarchist hacker record and publish one of Newt Gingrich's mobile phone calls? Didn't Congress respond by passing a law prohibiting monitoring of mobile phone calls? Would that law stretch to prohibit something like this in the U.S.?
It seems like you could uniquely identify the person much more easily by figuring out where they live. That really shouldn't be that hard. You can also get a rough approximation of their age if they go to school, or a rough approximation of their income by where they work (in addition to where they live). Their hobbies should be easy to determine based on where they spend their time as well.
They seem to be saying that there's no personally identifying information there, but I'm going to have to disagree with them.
@ joe Mansfield,
"... so if you can get someone to either run an app of your choice or access a website of your choice then you can probably tag the IMEI"
Would you believe there are a number of companies proposing to use "mobile phone apps" to turn the phone into a "security token" for the likes of "online banking".
For some strange reason people who should know better think that tying up a phone user to an online bank system is not going to be a realistic possibility for fraudsters...
Personally I give it about 4 years before "phone malware" is as prevalent as "PC malware". Then if a "mobile phone security token app" has achieved a sufficient user base I fully expect to see fraudsters exploit it.
"What street" is no problem, even with 2 cells, as is "what block".
"What house" is difficult with 2 cells only.
Direction and strength of signal are evaluated for performance tweaking anyway.
I don't know anything about using timing information to locate a phone. (Not like in "hey, that'd be cool to do!", but like in "read the values from the screen, calculate, done.")
@Amos Newcombe, Path Intelligence is installing receivers inside the mall, so they are probably quite accurate (i.e. wrong by a few inches/centimeters most of the time). Much more than the information that your telco provides.
As they are having those receivers inside the mall, they most likely can not track the phones back to peoples homes (except people living next to the mall).
Nevertheless, if somebody wants to track phones on a wider area, it is just a question of money and choosing the right places for the receivers.
Note that this tech is being pitched at shopping malls, not individual small shops, because "within a couple of metres" is enough to say what shop a particular number is in; it's not accurate enough to say "This IMEI belongs to the person at the counter", which would allow a shop to correlate the IMEI with the credit card number, and hence an identity.
Mobile phones are quite difficult to triangulate based on passive techniques, because
a) They constantly vary their signal strength, and
b) They only transmit at irregular intervals
@Leo: No they did not. It was unlawful to listen to (other peoples') cellphone calls since the Communications Privacy Act of 1986, way before the Newt Gingrich event.
In fact, it is against the law to ATTEMPT to listen to cellphone conversations even if you fail to successfully do so.
The cellphone industry spent $$$$$$$$ lobbying to get that law passed so they would not have to spend $$$ on technology encrypting cellphones. At the time it was being discussed the justice department said it was an unworkable law and they would make no attempt at enforcing it (similar to anti-marijuana laws in Holland).
Bob: while it may be illegal for civilians to monitor others' cell phone conversations, a 'National Security Letter' is all that is needed by the US government to coerce cell phone providers to cough up all the goods on anyone they're interested in, including real-time data on which cell they're currently connected to, and the triangulation data, and the call records of the phone's account.
And the cell phone provider, once coerced with a 'National Security Letter' cannot even disclose the fact that such a letter has been received, at penalty of law.
Remember the 'Patriot' Act?
I had thought that the FCC already required all mobile operators in the US to provide location tracking for emergency calls? Similar plans are being made by the EU for european based operators.
"There's absolutely no way we can link the information we gather back to the individual," a spokeswoman said. "There's nothing personal in the data."
Every IMEI number is 100% unique to each phone. That means when I carry my phone, I'm the only one in the universe with that particular IMEI number... that sounds pretty personal to me. Even if it isn't directly attached to my name, address, and social security number, it COULD be, and that's only slightly less worrying.
"If there's no personal information included, how valid is your market research?"
I think a lot of times they can live without the detailed demographics. They like to know who you are with those store loyalty cards, but even knowing that people who buy X also buy Y is valuable.
In the tracking case, they're interested in what paths people take through the store. Do people who buy produce start there? Do people who linger in the wine section also buy cheese? Is that loss leader at the end of aisle 5 working?
I'm sure they'd love to know exactly who everyone is, including their income and education level and favorite color. But anything less than that is still 'useful'.
Wal-Mart has terabytes or petabytes of data that tell them what color of jello to stock when a hurricane is coming. And they don't have a customer loyalty system.
Why are 3 receivers required for triangulation? Surely 2 would be sufficient - maybe the third is as a double check?
Maybe 3 receivers are required because only the distance, and not the direction, is known when using 2 receivers, as using 2 receivers could give 2 points of intersection, requiring a third receiver to identify the correct location?
My understanding is that the IMEI/IMSI is only sent by the phone when first turned on as part of authentication and creation of the encryption.
Once the encryption channel has been established the network assigns a temporary ID to the mobile, called the TMSI. The next time the user accesses the network, it uses the TMSI instead of the IMEI/IMSI. Because this is known only to the user and the GSM authentication centre, 3rd parties shouldn't be able to identify the mobile or associated user from this data.
Once that TMSI has been used the network creates a new one so that the user never uses the same TMSI twice. In theory that means it's not possible to track the user without collusion of the network operator, the ability to break the encryption or the ability to spoof a base station and request the IMEI.
In 3G that will be much more difficult, because encryption for control messages and mutual authentication of phone to network and vice-versa is mandatory. The encryption is also much stronger at 128 bits (often using MILENAGE, which is based on Rijndael).
In theory the tracking mechanism mentioned in Bruce's post shouldn't be possible unless the network operator co-operates, which they do for an appropriate law enforcement warrant.
"Only the phone network can match a handset's IMEI number to the personal details of a customer."
If you buy a handset at a retail store (bricks & mortar or online), the seller knows the IMEI, since it is printed (and barcoded for easy recording) on the outside of the box. They probably have your name, address, and credit card number too.
I can see large chains realizing that this is saleable information.
Just yesterday, I did a search for certain businesses on my Blackberry only to realize that the result set included distances to the returned records. Apparently, the local browser has provided Google access to my location from the onboard GPS. Argghhh!
It's not just possible to do this, it's been used in Japan for years to track down criminals. I know of at least one event in 2005 in which a kidnapper was tracked by where he placed his calls from his phone.
"If you buy a handset at a retail store (bricks & mortar or online), the seller knows the IMEI, since it is printed (and barcoded for easy recording) on the outside of the box. They probably have your name, address, and credit card number too. I can see large chains realizing that this is saleable information."
In the European Union this would count as 'personal data' and the stores could not use it without your permission. You would have to opt in. I can understand that this is wide open to abuse in countries that don't have good data protection laws.
> Apparently, the local browser has provided Google access to my location from the onboard GPS.
I don't know about the BB's browser, but the first time you run Google Maps on the Blackberry, it will ask for permission to access the onboard GPS and transmit the information to Google. Is there any chance you did that and gave them permission already?
(I've never seen it give location in the regular browser, FYI, but I don't use it that much so it's possible I just missed it.)
@okcharlie: "Why are 3 receivers required for triangulation?"
Imagine you're drawing the triangulation lines on a map: if you have 2 then they'll intersect at a point. If you have three, then due to the inaccuracy of the measurements they'll probably not pass through a single point. You get a "triangle of error" which gives you some idea of the accuracy of measurement.
So yes, it's a double-check: if the triangle is small then your measurement is looking good. If it's large then something is awry.
Of course, repeated measurements will also give you an idea of error, especially if your target isn't moving.
I've heard an apocryphal story of an artillery unit which only used two measurements for triangulation. When asked why said that it's because it was "more accurate" -- if they used three then they got a triangle of error: with two they didn't...
@TES: '"within a couple of metres" is enough to say what shop a particular number is in, it's not accurate enough to say "This IMEI belongs to the person at the counter"'
It would be if you correlate multiple purchases. There may be several people "in range" of a given purchase, but if you're the only person within 2 metres of every transaction on a card, then either you're the card-holder, or at least you're shopping with them.
At that point all past tracking data could be connected to you personally. Furthermore, even if the system is using TMSI rather than IMEI, different visits to the mall (with different TMSIs) could be connected provided you buy something on each visit.
I guess it might go wrong if you're handcuffed to the card-holder, who doesn't have their own phone, so my proposed system would mistake you for the cardholder. But most of the time it would work, and is certainly accurate enough for market research.
As often happens, the representative of the company behind the system has said "we can't connect this data" when what they mean is "we don't currently connect the data". It's not impossible given all the information available, although it does of course require co-operation between the store (which has the credit card data) and the mall (which has the tracking data).
Not only do you need a minimum of three, the receivers need to be equidistant to each other to get a suitable degree of accuracy, and the number really needs to be odd.
Why three? Well, with only two receivers, if you draw a line between the two, the closer the target transmitter is to this line the more inaccurate your results. Also a large number of antennas have a poor "back to front ratio", that is they have almost as much gain from behind as they do in front. This gives rise to a 180 degree ambiguity that can be difficult to resolve reliably, which the odd antenna resolves.
The three vs two argument misses a point.
These aren't directional. It's all time of arrival.
Three are needed when there's no information on azimuth. Accuracy is limited by SNR, and more than three is better. If the antennas were directional and steerable, they'd be pointed the wrong way most of the time...
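The two-versus-three receiver question above comes down to geometry. As an added illustration (not code from the post or from Path Intelligence), this script takes constructed receiver positions and range measurements, shows that two range circles leave a mirror-image ambiguity about the baseline, and uses the third range to pick the right candidate and to report a residual, the "triangle of error" a practitioner would watch as a measurement-quality check.

```python
import math
from itertools import combinations

def circle_intersections(c1, r1, c2, r2):
    """Return the 0, 1 or 2 points where two range circles meet."""
    (x1, y1), (x2, y2) = c1, c2
    d = math.hypot(x2 - x1, y2 - y1)
    # No solution if circles are coincident, too far apart, or nested.
    if d == 0 or d > r1 + r2 or d < abs(r1 - r2):
        return []
    a = (r1**2 - r2**2 + d**2) / (2 * d)   # distance from c1 to chord midpoint
    h = math.sqrt(max(r1**2 - a**2, 0.0))  # half-length of the chord
    xm = x1 + a * (x2 - x1) / d
    ym = y1 + a * (y2 - y1) / d
    if h == 0:
        return [(xm, ym)]                  # tangent circles: one point
    rx = -(y2 - y1) * h / d
    ry = (x2 - x1) * h / d
    return [(xm + rx, ym + ry), (xm - rx, ym - ry)]

def candidates_from_two(receivers, ranges):
    """With only two receivers every consistent fix has a mirror image."""
    return circle_intersections(receivers[0], ranges[0], receivers[1], ranges[1])

def range_residual(point, receivers, ranges):
    """Worst disagreement between a candidate point and all measured ranges."""
    px, py = point
    return max(abs(math.hypot(px - rx, py - ry) - r)
               for (rx, ry), r in zip(receivers, ranges))

def locate(receivers, ranges):
    """Try every pair of receivers, keep the candidate that best agrees with
    all ranges; return (point, residual). With three or more receivers the
    mirror-image candidate gets a large residual and is rejected; the residual
    of the winner is the size of the 'triangle of error'."""
    best = None
    for i, j in combinations(range(len(receivers)), 2):
        for p in circle_intersections(receivers[i], ranges[i],
                                      receivers[j], ranges[j]):
            res = range_residual(p, receivers, ranges)
            if best is None or res < best[1]:
                best = (p, res)
    return best

# Constructed layout: three receivers in a mall, distances in metres,
# with the handset actually at (3, 4).
RECEIVERS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
TRUE_POS = (3.0, 4.0)
RANGES = [math.hypot(TRUE_POS[0] - rx, TRUE_POS[1] - ry) for rx, ry in RECEIVERS]

if __name__ == "__main__":
    print("two receivers ->", candidates_from_two(RECEIVERS, RANGES))
    print("three receivers ->", locate(RECEIVERS, RANGES))
    # Add a constructed 0.5 m error to one range: the fix is still chosen
    # correctly, but the residual now reports that something is off.
    noisy = [RANGES[0] + 0.5, RANGES[1], RANGES[2]]
    print("noisy ranges ->", locate(RECEIVERS, noisy))
```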
// OT warning
On a more humorous note, there was a slashdot article some months ago when the first GPS tracking phones came out, where someone (presumably the bill payer) could see where the phone was. A reporter thought out loud about buying one and putting it in his wife's trunk for the obvious reasons.
Man, you're so busted for saying that in the paper.
"She doesn't read what I write"
Why hide it in the trunk, just give it to her -- she'll carry it everywhere like they all do, in constant use, even when out of the car, you'll get better data!
No, I don't subscribe to the sexist opinion that women are all addicted to their cell phones, or at least not more than men are addicted to their crackberries. Seen too much of both... I got rid of mine (all of the above), as I prefer to have ownership of myself and my time.
Now, I have an excellent new pickup line with these big screen phones "Wow, how can you see with your ears through all that beautiful hair?"
"How long before the phone companies see the profit potential in selling access to an IMEI indexed database? Will the information become personal then?"
Forget that - it's not needed. Personal identity can be cross-referenced easily by pinpointing your home address, or by stores adding timestamps to the lists they sell, or by a (trivially easy) security breach at a major cell provider, or by a (poorly-screened) employee selling info out the back door. Cellular security is and always has been a joke.
Or perhaps you weren't there when Sprint's extreme security vulnerabilities were demonstrated, including unauthorized activation of their GPS tracking systems?
Every privacy invading device ever installed started off with innocent purposes. Who doesn't see this as just another spy tool for law enforcement to track the location of all citizens? Nobody would spend this kind of money for the limited purpose stated here. Some investigative reporter needs to follow the money trail here.
It would require the assistance of a phone company to match it up with the identity of a person? Wow! I guess they've never illegally provided information and access to anybody before. They appear likely to get away with it this time, so why wouldn't they do it again?
To mess with the tracking: a number of people purchase a pool of identical phones, keeping contact information in a separate notebook (a nuisance, yes). Phones are occasionally swapped and taken for "rides" to random places - of course, when going somewhere potentially "interesting", one either powers off the phone they're carrying or gives it to somebody else for misdirection. Inbound calls have to be managed somehow.
@David Alexander: my understanding is that TMSIs change relatively slowly in practice - perhaps once every couple of hours - so they exist for long enough to provide meaningful tracking data around a shopping centre, but can't be used to recognise the same person over multiple days (for example).
My mobile is a lost Samsung Galaxy. How do I find it? Plz.