Tracking People Without GPS

Interesting research:

The trick in accurately tracking a person with this method is finding out what kind of activity they’re performing. Whether they’re walking, driving a car, or riding in a train or airplane, it’s pretty easy to figure out when you know what you’re looking for.

The sensors can determine how fast a person is traveling and what kind of movements they make. Moving at a slow pace in one direction indicates walking. Going a little bit quicker but turning at 90-degree angles means driving. Faster yet, we’re in train or airplane territory. Those are easy to figure out based on speed and air pressure.

After the app determines what you’re doing, it uses the information it collects from the sensors. The accelerometer relays your speed, the magnetometer tells your relation to true north, and the barometer offers up the air pressure around you and compares it to publicly available information. It checks in with The Weather Channel to compare air pressure data from the barometer to determine how far above sea level you are. Google Maps and data offered by the US Geological Survey Maps provide incredibly detailed elevation readings.

Once it has gathered all of this information and determined the mode of transportation you’re currently taking, it can then begin to narrow down where you are. For flights, four algorithms begin to estimate the target’s location and narrow down the possibilities until its error rate hits zero.

If you’re driving, it can be even easier. The app knows the time zone you’re in based on the information your phone has provided to it. It then accesses information from your barometer and magnetometer and compares it to information from publicly available maps and weather reports. After that, it keeps track of the turns you make. With each turn, the possible locations whittle down until it pinpoints exactly where you are.

To demonstrate how accurate it is, researchers did a test run in Philadelphia. It only took 12 turns before the app knew exactly where the car was.

This is a good example of how powerful synthesizing information from disparate data sources can be. We spend too much time worried about individual data collection systems, and not enough about analysis techniques of those systems.

Research paper.
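The turn-by-turn narrowing described in the quoted passage, as an added example that is not from the post or the research paper: a toy map-matcher that keeps every intersection consistent with a sequence of (heading, distance) readings. The street grid, block lengths, closed streets, trip trace and both tolerance values are constructed assumptions; the looser tolerance stands in for noisier or deliberately coarsened sensor data.

```python
"""Toy turn-sequence map matching on a constructed street grid (illustrative only)."""
from typing import List, Optional, Set, Tuple

Node = Tuple[int, int]        # (column, row) index of an intersection
Segment = Tuple[str, float]   # (compass heading, metres driven before the next turn)

# Constructed map: uneven block sizes are what make a trace distinctive.
XS = [0, 100, 250, 330, 500]  # east-west position of each column, metres
YS = [0, 80, 200, 350, 420]   # north-south position of each row, metres
CLOSED = {                    # constructed: street sections that do not exist
    frozenset({(1, 1), (2, 1)}),
    frozenset({(3, 2), (3, 3)}),
    frozenset({(0, 3), (0, 4)}),
}
STEP = {"N": (0, 1), "E": (1, 0), "S": (0, -1), "W": (-1, 0)}

# Constructed sensor trace with a few metres of noise. The true route is
# (0,0) -> (2,0) -> (2,2) -> (4,2) -> (4,3) -> (3,3); the matcher never sees it.
TRACE: List[Segment] = [
    ("E", 246.0), ("N", 203.0), ("E", 255.0), ("N", 143.0), ("W", 176.0),
]


def neighbour(node: Node, heading: str) -> Optional[Node]:
    """Next intersection in the given heading, or None if no street leads there."""
    dx, dy = STEP[heading]
    nxt = (node[0] + dx, node[1] + dy)
    if not (0 <= nxt[0] < len(XS) and 0 <= nxt[1] < len(YS)):
        return None
    if frozenset({node, nxt}) in CLOSED:
        return None
    return nxt


def block_length(a: Node, b: Node) -> float:
    """Length in metres of the street section between two adjacent intersections."""
    return float(abs(XS[a[0]] - XS[b[0]]) + abs(YS[a[1]] - YS[b[1]]))


def advance(node: Node, heading: str, distance: float, tol: float) -> Set[Node]:
    """All intersections reachable by driving straight from `node` for
    `distance` metres, give or take `tol`."""
    ends: Set[Node] = set()
    travelled, cur = 0.0, node
    while True:
        nxt = neighbour(cur, heading)
        if nxt is None:
            break                      # street ends before the distance is covered
        travelled += block_length(cur, nxt)
        cur = nxt
        if travelled > distance + tol:
            break                      # overshot: no further match on this street
        if travelled >= distance - tol:
            ends.add(cur)
    return ends


def localize(segments: List[Segment], tol: float) -> Tuple[Set[Node], List[int]]:
    """Start with every intersection as a possible position and discard those
    that cannot explain each observed segment. Returns the final candidate set
    and the candidate count after each segment (index 0 = before any data)."""
    candidates: Set[Node] = {(c, r) for c in range(len(XS)) for r in range(len(YS))}
    history = [len(candidates)]
    for heading, distance in segments:
        moved: Set[Node] = set()
        for node in candidates:
            moved |= advance(node, heading, distance, tol)
        candidates = moved
        history.append(len(candidates))
    return candidates, history


if __name__ == "__main__":
    for label, tol in (("precise readings (tol 15 m)", 15.0),
                       ("coarse readings (tol 100 m)", 100.0)):
        final, history = localize(TRACE, tol)
        print(f"{label}: candidates per step {history}, final {sorted(final)}")
```

With the tighter tolerance the candidate set collapses to a single intersection after three segments; with the looser one the same trace stays ambiguous, which is the lever a platform has when it limits sensor precision.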

Posted on December 15, 2017 at 6:18 AM • 58 Comments


Terence December 15, 2017 6:55 AM

I think I’m missing something about this hypothetical scenario. So, the attacker can receive streams of data from weather apps and a whole host of sensors from the phone’s hardware, but not a GPS signal? Plus, with Trump’s congressional resolution allowing ISPs to sell personal data as they wish, is this really worth the hassle (and error margins) when you can just open a corporate account with, say, AT&T and have the data nicely packaged and delivered straight to your marketing department with a pretty “thank you for your business” card?

me December 15, 2017 7:04 AM

i think speed is not needed. you just count how many times you turn left and right

yes, is possible: i block the “position” permission for every app except the gps navigator. but from what i know EVERY app has free access to accelerometer data.
there is no such permission.
i have read people that were worried about browser access to that data.

btw my CAR has a privacy policy (at the end of instruction manual) it say “car has accelerometers and other sensors that gather all sort of data but don’t worry! is not possible to reconstruct where you go.
and… what if i care not only about my location but also all other data that you gather?

me December 15, 2017 7:08 AM

and i was forgetting the most important one:
wifi networks!
i have coded an anti theft windows application that just mail me the list of available wifi (i have a notebook so it has wifi card).
from there i can find its location (google maps: show “my” location)

Piper December 15, 2017 7:37 AM

The way they’re pinpointing the location of your car based on the turns you’ve made reminds me of the pre-GPS in-car navigation system made by Etak in the 1980s.

It had map data on cassette tapes, and was able to find your location based on readings from a compass and wheel speed sensors. But it was just using that data to correct accumulated errors from dead-reckoning; just a “snap to the nearest actual road” kind of thing. It wasn’t able to find your position starting from nothing at all. You had to initialize the system with a known starting point.

Mc Doraemon December 15, 2017 7:48 AM


“btw my CAR has a privacy policy”

You might be interested in reading these old reports:

…and what you can do about it:

Notice that simply canceling your service is unlikely to solve the problem. You need to physically unplug the fuse to stop them from gathering data about you.

M December 15, 2017 9:04 AM

@Daily B,@me To get the list of wifi networks on Android (for the mozilla location services) you would still need the location services permission. Access to accelerometers don’t need any permissions

me December 15, 2017 9:38 AM

To get the list of wifi networks on Android you would still need the location services permission.
i’m not 100% sure, i know that there is a thing called “A-GPS” and in the location setting there is in fact, “AGPS” / “GPS ONLY” and yes, need a permission.
but if i check my apps and click “view all permissions” (that menu where you can see among others “internet access” normally not visible in the main permissions menu)
i see “view network connections” and “view wifi network connections”. i think that the AGPS needs permission and gives you directly a position using a third party service provider.
while this one doesn’t need a permission, and gives you wifi info. but with that info plus internet access you can contact the third party location provider yourself.
(not sure, android permissions are not clear)

“Access to accelerometers don’t need any permissions” correct, from what i have read.

Petre Peter December 15, 2017 9:41 AM

Remember! It’s metadata that machines need. Breakdown and correlate is the how for those who want me to protect my privacy by giving it away. If i am not equal in the means of analysis, i am not equal in front of the law.

me December 15, 2017 9:41 AM

@Mc Doraemon
thanks for your interest but i don’t have “onstar” or more in general some kind of box that log things. it’s the car itself, not something third party i bought/installed.

and i don’t think i can optout it because it’s the car itself.

mb December 15, 2017 9:43 AM

a wiseman once said “please take taxes from us and spend it on surveillance, please”.

I am trying to imagine how much great result we would come up with if this money spent on surveillance was invested on healthcare. This piece of hardware or call it a sensor, would have been used further in serving the human good, but instead, it’s abused to collect info.


With no GPS how does it determine your speed?
A slight tilt might confuse the accelerometer.

Think of activity trackers. You don’t need GPS to track your activity or tell apps what you’re doing. Simply, the motion sensor and accelerometer will tell.

Clive Robinson December 15, 2017 9:51 AM

@ All who think so what,

Because Mozilla or other apps do it easier. Many of those apps have ways to be fooled / defeated.

What this provides is a “double check” for those who think you are not giving them the truth…

Even data thieves don’t trust those they steal from…

ShavedMyWhiskers December 15, 2017 10:01 AM

This is a lot like the early positional tricks used by submarines to know their location. Recall the iconic image of a sub surfacing at the North Pole. Then taking a star shot (yes, includes the sun) to verify the location.
The difference is phones have a collection of better sensors than subs in 1960 sometimes had.
Add WiFi, Cell tower and Bluetooth data that was fixed by a different device with GPS on another device and Bob’s yer Uncle.

Grumpy Fahnenschwinger December 15, 2017 10:15 AM

Very interesting post, thank you very much.

Here in Swaziland (or: Sweden, if you want), it is even easier to track people (by courtesy of the government). If you got a half fare travel card, you can purchase all railway tickets for half the price. Obviously, most people got a half fare travel card, since it pays off with about three return journeys Zurich – Geneva. About three years ago, the Swiss Railways have replaced the physical half fare travel card (that was a separate piece of plastic, just like a credit card) with the Swisspass. So, most people now got a Swisspass in their wallet. The Swisspass incorporates two RFID transponders. Now, in Zurich, there are numerous vending machines located for purchase of tramway or railway tickets. In other cities it is similar. Most of those ticket vending machines incorporate an RFID reader. This means that if I walk past such a vending machine, Swiss Railways – and by extension the government – knows my location. The distance is o.k. for the reception. Sometimes, when they are lazy, the train attendants walk through the carriage without even holding the Swisspass to their device (which, they say, is necessary to read the Swisspass data), indicating again that distance for reception is long enough. It can be disputed but it happened in the past when people were in an M&S in the queue and their RFID / NFC enabled debit card got erroneously charged. I got an RFID / NFC shield but still, it shows that tracking is – to use our pet word – ubiquitous. SwissPass – Neue Technologie mit Risiken

Mike Barno December 15, 2017 10:17 AM

@ me :

but i don’t have “onstar” or more in general some kind of box that log things. it’s the car itself, not something third party i bought/installed.

If your car was made by General Motors (such as a Chevrolet, Cadillac, or GMC truck), then it has the OnStar system built in from the factory, hardwired into not just a navigation system but the whole vehicle’s processors handling engine and transmission controls, diagnostics, collision avoidance, etc. This isn’t some third-party installed box.

Doigen December 15, 2017 10:22 AM

Stop being so paranoic. So they know where you are. So what? If you are not a criminal, and don’t do something you should be ashamed of, why should you care? What do you have to hide?
Do you walk in the street in disguise with your face covered?
You know they can also pinpoint you by face analysis on street cameras, right?

Iggy December 15, 2017 10:29 AM

Further to @Clive’s comment, people who have less than wholesome motives will be highly interested in this methodology. Those who think this is about the “good guys” just trying to help us from being lost, or to find a restaurant nearby in a strange town, are being naive.

Excuse me, I must go change the home time zone in my phone, make sure wifi is off and check if any auto-updates have countermanded my Off settings. Of course, I never put my actual name and address in my phone, nor do I use it to do my banking.

It’s not a Terminator bot that’s going to enslave us, it’s our own damn phones.

Grumpy Fahnenschwinger December 15, 2017 10:31 AM

@Doigen: Absolutely agree with you. If you are not a criminal you have nothing to hide, nothing to fear. Or, to quote my old friend Lavrenti Beria, Stalin’s notorious secret police chief: “Show me the man and I’ll find you the crime.”

bob December 15, 2017 10:42 AM


I’m impressed by the total faith you have in your government and police and security agencies. And the level of faith you have in your future governments, police and security agencies. And 3rd party contractors. And their cleaning staff. And the cleaning staff’s SOs.

Anyway, as you have nothing to hide, please can you respond with the following information:
. salary bracket
. address
. date of upcoming trips away from home

. Have you ever had an affair?
. Are you currently having an affair?
. Are any of your sexuality, gender, income, religion and/or politics non-mainstream for your location?
. What are your bank details?

And while we’re at it, please provide log in details to your social media.

Iggy December 15, 2017 10:45 AM

@Doigen • December 15, 2017 10:22 AM, said:

Stop being so paranoic. So they know where you are. So what? If you are not a criminal, and don’t do something you should be ashamed of, why should you care? What do you have to hide?

How much do you earn? Do you sleep naked? Do you own a gun? How much did you donate to a political candidate? Do you drink alcohol?

Perhaps you can’t think of how to use the answers to those questions against you and those near you, but I assure you, there are many who can and have and they are eager to keep on doing so without giving you a cut of what they make off of you without your opt-in.

Do you walk in the street in disguise with your face covered? You know they can also pinpoint you by face analysis on street cameras, right?

Depends on the city.

The glasses are the least bizarre while easy to use.

Jimbo December 15, 2017 1:01 PM

I may be missing something, but I don’t see how this is tracking a person. It’s just getting information from the smart phone, nothing from a human. It’s just tracking the cell phone (which is easy to defeat).

There are and have been numerous tracking devices for decades that don’t use GPS. Inertial navigation was in place in the 1950’s and didn’t need external sources.

CallMeLateForSupper December 15, 2017 1:05 PM

“We spend too much time worried about individual data collection systems, and not enough about analysis techniques of those systems.”

Devil’s advocate says, eliminating/mitigating sensors starves data collection systems, rendering their analytics useless.

“Just say no” to accelerometer, barometer magnetometer.

Clive Robinson December 15, 2017 2:12 PM

@ CallMeLateForSupper,

“Just say no” to accelerometer, barometer magnetometer.

It’s not that easy these days, in fact it’s a “Hobson’s Choice”…

One of the problems with an electronic buffet, you don’t get to choose what gets shoved down your throat…

oh really December 15, 2017 2:34 PM

Finding apps that don’t allow access to unnecessary features (flashlight app with mic, for example)
is fast becoming the exception, not the rule. Some large, fat % of apps do this stuff.

If you’re running Android and counting on the device/app access permissions to save you, just lol.

oh really December 15, 2017 3:14 PM

Well those are FOSS, which is good, but how thoroughly are they vetting individual apps?

If you read their forums they’ve moved a ton of older, unmaintained apps to their archive in one big swoop.
That implies to me that there’s stuff in there that nobody is really paying close attention to,
in kind of an ongoing vet-and-revet-new-version modality. It’s a tall order, there are a lot of apps!

So by limiting the # of apps overall you’re improving your security cross section measurably.
The average user? Will install and run any damn thing from anywhere.

CallMeLateForSupper December 15, 2017 4:48 PM

“One of the problems with an electronic buffet, you don’t get to choose what gets shoved down your throat…”

“Shoved”. By phone manufacturers? (I love the X-phone; really wish accelerometer wasn’t standard.) By employers? (Here’s your company uPhone, through which you must be reachable 24/7/365, as a condition of employment.)

I understand that both situations abound in the wild. Some of my family are locked in one or the other. All of them had options; all of them made a choice.

The remaining three of us who don’t own a cellphone chose to be free of them. Two of us have turned down work that came with a cellphone mandate.

There are always options but never a guarantee that any are painless. (Can you hear me now, U.S. Congress?)

Winston Smith December 15, 2017 5:39 PM

This is one of the more interesting articles to make the point about:

“We spend too much time worried about individual data collection systems, and not enough about analysis techniques of those systems.”

Well done. I will use this in my conversations with the ‘Shiny Bauble’ Zombies I encounter daily. Thank you!

four72 December 15, 2017 10:00 PM

@bcs scotland yard rocks, glad to see another fan

and yeah, this story reminded me of that game, too

Wael December 15, 2017 10:12 PM

If you don’t wish to be tracked, then leave all electronic devices behind. Otherwise some schmuck will find ya. It could be cell towers, sensors, gps, IP address, silent SMS, email, etc…

justina colmena December 15, 2017 10:23 PM

@oh really

Well those are FOSS, which is good, but how thoroughly are they vetting individual apps?

I know. It’s difficult to charge excessive fees for FOSS… Free as in liberty, not as in beer? Sure, but when you overcharge for beer, people start brewing it at home, because the raw materials cost a lot less than that stein of “microbrew” served at the pub, depending on how much you drink. It’s just that when certain fellows start drinking too much beer, they tend to forget that I do not drink alcohol, because personally I do not care for alcoholic beverages.

If beer, wine, and all manner of hard liquor are legal for everyone of age, why do we have to speak so easy?

So by limiting the # of apps overall you’re improving your security cross section measurably.

No. You are just crippling end-user functionality. The dash clock doesn’t come on the base model. That’s a $150 option from the dealer.

The average user? Will install and run any damn thing from anywhere.

And why shouldn’t she? If the “permissions” are effectively enforced, and the app(lication) is duly cleaned up when it is uninstalled, no harm, right?

justina colmena December 15, 2017 10:33 PM

@oh really

More on this:

Well those are FOSS, which is good, but how thoroughly are they vetting individual apps?

Let’s ask ourselves this, instead: How thoroughly is the base O/S being vetted? If the apps are doing something malicious, then how are the permissions being overridden?

Methinks that SELinux “dontaudit” is coming back to bite us … the taxman cometh.

hmm December 15, 2017 11:17 PM

“No. You are just crippling end-user functionality. ”

Not all functions are necessary nor are all provided by a reliable and trustworthy vendor.

I draw a bright line before you do, that’s true.

The flashlight app does not need to record the camera/mic – and that’s the devil we know. Others?

“and the app(lication) is duly cleaned up when it is uninstalled”

The data lives on, for one. Second, why are they uninstalling if they’re oblivious of the threat model?
As long as the widget/screensaver/browser plugin/search helper does the shiny job, why remove it?

All the while it exists it is doing what it is actually meant to do – everything else.
Sure you can uninstall it, or harden your phone, or compile your own android FWIW.

The average user is the fat low lying fruit. What kills their privacy kills yours, with few exceptions.

tyr December 16, 2017 2:19 AM

Thoughtmaybe has a nice documentary titled
Stare Into The Lights My Pretties with a
nice cameo by Bruce.

The most hilarious part was the videoing
of random strangers who reacted badly since
the surveillance was obtrusive instead of
the ubiquitous cameras that follow them all
day. Once you accept that strangers with no
connection to you are entitled to follow you
everywhere and watch everything you do is
normal you have become clinically insane.

Jim Bob December 16, 2017 10:43 AM

I owned a dumb phone, went to a smart phone for about five years, went back to a dumb phone and never looked back. Don’t need all those apps anyway.

It seems to me that we give up too much of our privacy for a perceived need, not a real need.

Joshua Bowman December 16, 2017 12:22 PM

Don’t accelerometers reset to zero very quickly in planes, since they’re not actually accelerating for the vast majority of their trip? Maybe if you could measure the multiple-Gs at the beginning and end, that would indicate either a plane or a supercar.

Joshua Bowman December 16, 2017 12:28 PM


I know. It’s difficult to charge excessive fees for FOSS… Free as in liberty, not as in beer? Sure, but when you overcharge for beer, people start brewing it at home, because the raw materials cost a lot less than that stein of “microbrew” served at the pub, depending on how much you drink. It’s just that when certain fellows start drinking too much beer, they tend to forget that I do not drink alcohol, because personally I do not care for alcoholic beverages.

If beer, wine, and all manner of hard liquor are legal for everyone of age, why do we have to speak so easy?

I expect Bruce’s comments to be full of paranoid anti-authoritarian ramblings, not complete non-sequiturs. But maybe I speak too easy.

Henrique S December 16, 2017 12:51 PM

To be able to perform a wifi scan and get the readings, you would need to declare a permission access location (at least on android), this is why they are using all other types of sensors.
Another interesting one I saw a few days ago was the old school location tracking based on cell tower ids (almost obsolete since most people grant all permissions anyway)

Gordon December 16, 2017 12:52 PM

@Wael @Jim Bob

What about pagers? Should be pretty safe. Can relay phone calls via voicemail to a pager (notifications only, of course). I talk about the classical one-way POCSAG pagers and not the modern ones with GSM for dead man feature.

Wael December 16, 2017 2:18 PM

@Gordon, Jim Bob,

Certainly POCSAG pagers have an advantage at the cost of reduced usability. They suffer from two main weaknesses, though: The source and destination are traceable, and the message isn’t confidential unless other encoding is layered on top. If I were to use something that’s difficult to track, I would use a portable shortwave radio with burst transmissions (separate receiver and transmitter.) Or one could use line of sight light or laser communications. Just make sure there are provisions for duress situations, where a code is sent to take evading actions, for example: Once a transmission / reception is concluded, the transmitter and receiver may change their pointing directions. Other things can be done too.

Gordon December 16, 2017 2:40 PM


That the message – typically – would not be encrypted is correct.

However, whilst the destination, i.e. the “receiver” (by default, since he has subscribed a pager plan) is traceable (or rather: his particulars are known [traceable is a different word]), the receiver’s location at any time – even when getting a message – is not traceable. A pager works like a radio and it gets the message with the RIC number. So, my suggestion: Get a feature “dumb” cell, keep it in a cell blocker pouch (switched off obviously or there will be a severe battery drain) and only – if at all – take it out of the pouch to make phone calls. The pouch costs some $2. I think about 10 years or more that was discussed on this blog.

The key advantage is that if I carry a pager with me my location – at any given time – cannot be traced (again: except if you got an ultra-modern pager terminal that combines paging, GPS and cellular technology in one device). In the States, they are used by the various fire brigades only.

Gordon December 16, 2017 4:52 PM


Q: But what would one do with such a limited setup?

A: Privacy, obviously.

Limited: Why?

You will reach a person faster by paging him as opposed to making a phone call. Many paging networks have built-in redundancies, e.g. a page may be repeated twice if the pager is out of range momentarily. If a cell network in a certain area is congested, e.g. because of an accident, a pager message still will get through whereas the cell towers won’t transmit anymore. Happened in the past & will happen again.

And above all: You decide when to call back. You are in charge. Or, as Warren Buffett’s Chief of Staff Devon Spurgeon’s business card read: “Telephone: You don’t call me. I call you.”

Wael December 16, 2017 8:11 PM


A: Privacy, obviously.

So you are at large, at some unknown location and don’t want anyone to know where you are. then this happens:

t1: You receive a page, perhaps with a message or a phone number to call back. The number to call back could be a predetermined number that’s not shown in the text you got.

t2: You, being the important person you are ‘don’t get called’: you call them!’ and decide that you want to call back. Or there was no need to call back. The text was just an instruction or an update to some event you were interested in.

t3: You don’t do any thing — the message isn’t worth your while.

When you say privacy, which step are you referring to? Maybe it’s obvious, but I like it when people prove it to me 😉

Clive Robinson December 16, 2017 11:22 PM

@ Wael, Gordon, Jim Bob,

Certainly POCSAG pagers have an advantage at the cost of reduced usability.

Yes their use as a “cut out” or covert “control channel” has been discussed on this blog before between @Nick P and myself initially if my brain remembers correctly in regards remotely turning on a WiFi or Bluetooth node concealed in a public place in a similar way to the “Fake Rock” in a Moscow Park that supposedly was put there by British Secret Service Operatives.

So to go through it again,

The UK “Post Office Code Standardization Advisory Group” code 1, is a “one way broadcast system” often with transmitters using “Simul-Cast” across entire geographic regions of several hundred square miles. With individual VHF transmitters having a 20-50mile radius depending on terrain. VHF POCSAG has around a 10-15db advantage over the 6400bps/3200baud UHF FLEX system which is often used in smaller coverage areas with much increased traffic such as towns or business districts and in smaller areas still including private organisations like hospitals, university campuses and factories etc. The general idea is that pagers act as a control channel for other communications such as the POTS / landline telephones.

Thus whilst slower at 1200bps/baud POCSAG has significant covert advantages over the faster FLEX system in terms of “area covered” at up to 64times, which a Find Fix and Finish (FFF) team would have to cover to find a receiver. Further as the number of receivers that can be on at any one time is large and EMC radiation small these days old / traditional HufDuf direction finding on the IF frequency is going to be largely ineffective except over the last few yards.

As for “traceability” via the subscription there are various ways this can be avoided with pagers. There is the administrative and technical ways.

The Administrative way is via “shell financing” etc for a “subscription” and honestly it is not recommended for use except by experts as it’s easy for even the likes of Mossad, CIA and NSA to make mistakes with, that become “Red Flag” issues down the line as we have seen. Primarily because financial records are really “collect it all” and very actively monitored in many ways for many reasons. The other way used to be to buy with cash a “life time” system, you used to find them in the likes of Radio Shack, but they appear to have died out from retail outlets now. Further they have become “dodgy technology” much like new “Burner phones” became. Unlike used mobiles there never was a “street corner” used sales market for pagers.

On the technical side, the first thing to realise is that as both POCSAG and Flex are “open protocol broadcasts” on known frequencies you can use a cheap SDR dongle and PC/Computer “test” decoder software to view any and all messages sent. Importantly there are versions for cheap RTL dongles and small Single Board Computers like the Raspberry Pi and Arduino for instance.

Importantly for covert usage most pager systems do not do message sender authentication, only valid recipient subscription checking. In effect security wise they are wide open… Thus hijacking one or more valid subscriptions is not at all difficult, in fact it’s in effect trivial if you can get an account to service ID mapping. Which tends to be easy to do for quite a few services. Further users who get an occasional “false bleep” tend to treat it like a “wrong number” so the user report back of false bleeps are next to non existent if kept both sparse and during normal “office hours”. Which is a “social engineering” point to remember.

I’ve also mentioned that the pager message can be processed by the Single Board Computer the SDR dongle is connected to, and this can be used as a remote switching device. To turn on/off the likes of a “Mobile Phone Shield” that are less than 50USD if you shop around. Likewise WiFi or Bluetooth shields and even good old POTS modem dialup via old serial modems and the Hayes AT command set.

Thus setting up a “digital cut out” for very low bandwidth use is technically quite simple, and often practically so as well. If you want to go down the HF Covert or LPI route as @Figureitout has mentioned in the past the likes of PSK31 exist as do other more interesting Amateur Radio Protocols designed to help produce HF Propagation information. The only problems generally being transmitter frequency stability and setting up a covert antenna. For the antenna can I suggest having a look at the “Directional Discontinuity Ring Radiator” (DDRR) described in CQ Magazine back in June 1964, or in ARRL/RSGB HF and VHF antenna books and similar[1] or a modification of the idea given in a now long expired US Patent[2]. In effect it’s a combination of a bottom fed high Q transmission line used as a form of slot radiator, therefore even though low down ~1/10th of a wavelength and horizontal it radiates vertically polarised and omnidirectionally. Because the DDRR is effectively a quarter-wave or longer loop a very short distance above a ground plane it’s very inconspicuous and to most including many electronics and radio engineers does not look like an HF antenna. Thus it can be made easily with wooden fence posts and two inch scaffolding pipe to look just like a lot of low cost but robust fences found in public parking areas as such it works well in the top half of the HF band ~15-40MHz (it also works surprisingly to many on the roofs of tower blocks and high rise carparks). However iron scaff poles do have a high radiation resistance which may be a bit problematical thus if out of the way 22mm copper water pipe drops the radiation resistance but the decrease in conductor diameter ups the Q making it more narrow band.

Whilst HF 10meter QRP transmitter designs are ten a penny on the internet, few have the sort of long term frequency stability you need for systems with a bandwidth of less than 100hz. There are various ways around this but they are quite technically involved such as home designed frequency standards or TCXOs (real or computer compensated). Another way around it is to use a quite complex PC based SDR at the RX end that listens in to all transmissions in a 10-100KHz bandwidth and finds your specific transmission by call sign etc. This keeps the high cost equipment at the covert receiver end of the cut out where it is far less likely to get burned if you have appropriate alarm systems at the TX end of the cut out.

Getting back to the pager transmission as for “secrecy” it has none built in at all, and getting “five letter code groups” of random text sent not at all practical and would raise alarm bells. However as I’ve mentioned before the use of One Time Phrases that are plain english goes back to at least WWII[3] and provided they are used correctly raise no alarm with operators or automated systems and give no information to an observer other than that a “broadcast communication” has been made, which can not be told apart from “circuit keep alives / padding” and “action messages”, thus rendering traffic analysis moot as well.

Thus you have the control channel using the One Time Phrase and a controlled communications channel.

The most important thing about using such One Time Phrase systems is to decouple the control channel from the communications channel as much as possible. That is not just “content from action in time” but also from the controlled communication channel to prevent or reduce traffic analysis.

That is you do not do anything immediately on receiving a phrase, you wait until the next scheduled “time slot” for the controlled communications channel, or if you miss it the one after that. Further you also randomly use time slots independently of the One Time Phrase System channel for “Call mother” or “routine admin” messages.

Thus the only “Flash Traffic” / “immediate action” sent is a “close down” / “bug out” / “Final action” message after which that particular message system is considered “burned” (as is the operative often).

This is all fairly standard “Tradecraft” adapted from ages old “fieldcraft” using “route flags” and “dead letter boxes”.



[3] During WWII the BBC used to transmit “And now some messages for our friends” in its overseas broadcasts followed by random sentences. Most were “padding / keep alive” some were “action messages” to SOE and others for administration or other “time delayed actions”. Similar messages were also sent more covertly via the “Black Propaganda” broadcasts sent from the Aspidistra transmitter in Crowborough in SE England that popped up on main German broadcast frequencies that got cleared when allied bombers were detected heading for Germany etc (to stop them being used as DF beacons by the allied bombers).

Wael December 17, 2017 2:15 AM


traceable is a different word…

Traceable is synonymous with attributable. Unless you follow some of the suggestions that you or @Clive Robinson listed, traceability will be achievable.

But perhaps ‘attributable’ is a less overloaded word in this context.

VinnyG December 17, 2017 2:26 PM

@iggy – Survivopedia article noted and duly archived – thanks! Other similar and potentially useful resources (YMWV):
These 22¢ Glasses Will Help You Fool Facial Recognition Software

Camouflage from face detection

Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition

How to Hide from Machines

My, agents, or more likely, fanboi wannabes, of the deep state security apparatus seem to be proliferating on this blog. I wonder about the attraction.


Dan H December 18, 2017 6:54 AM

How much do you earn? $105,000
Do you sleep naked? No.
Do you own a gun? No.
How much did you donate to a political candidate? $0
Do you drink alcohol? No.

Clive Robinson December 18, 2017 7:14 AM

@ Gordon,

Hmm “F9” financial reporting from within Lotus “add on” that takes me back a long way. I liked 1-2-3 when I used to use it, because it did things in sensible ways. Then it got replaced with a Microsoft product that did things “The Micro$haft way” which every one just hated…

As for the P8GR it’s like one of those old jokes “When’s a pager not a pager?” … “When it’s a TETRA data terminal”… And that’s the most fun you will get out of it.

There is some kind of perversion to put “all the eggs in one basket” which in the case of TETRA is “an old and rotten basket that could not hold its own weight when new”. In order to sell TETRA you need the “War on Terror” marketing of Fear, Uncertainty and Down right lies, and the vague promises of it working when all the other networks have been shut down because mad bombers are using cellphones/pagers/etc as remote detonators…

Oh and there’s those other vague promises of “inter operability with security” and the saving of spectrum and base stations etc… The TETRA sales people make the Software industry marketers look honest and truthful by comparison.

In the UK “First line responders” like TETRA so much they carry two sometimes three mobile phones. Because not only are mobile phones light, small and have a better battery life, they also work where they are supposed to oh and don’t break if you drop them, unlike the TETRA gear… The only good comment any one had to say about one after hefting it a few times was “you could derail a train with this”.

As for the supposed “security” of TETRA, the sage piece of advice is said in a voice like the “Don’t go into the water” line in a bad B movie horror film, and it’s “Don’t what ever you do turn it on” with the rider of “Unless you need a world filled with pain”.

The clue that P8GR is not so GR8 is the docking station with the integral quarter wave whip, which not only will have somebody’s eye out, it also tells you the P8GR is deafer than the proverbial door post like TETRA in general won’t work in buildings… Oh then there is the price of 700euros each –might be cheaper now– said with a straight face at a PMR show. All without mentioning the billion dollar infrastructure you have to put in three times over to get it to work only half as well as the old analog systems. Then there is the fact that an idiot could hack it or screw it up by plugging in a USB lead connected to a computer with a little bit of software…

The thing about TETRA was it was a “Paramilitary for Civilians” idea. The military had their “Soldier 2000” idea in the 1980’s to replace their old Battlefield Comms with something better that would integrate digital comms that could be encrypted. To sell it it had to be grandiose and it was promising all sorts of “integrated services” GPS, IR cameras digital maps with colo troops etc. Thus other Guard Labour was given its “Me Too Moment” with the likes of TETRA… Well the Mil have kind of given up on S2K as it was two decades late. Thus TETRA did not get the expected “spin offs” whilst the GSM mobile phone got everything with bells whistles and extra knobs on apart from encryption. So even soldiers go to war with their iPhones in pocket. Thus the Mil are looking at troop level stuff being mobile phone based as “COTS is now King”. TETRA however is now “Cinders after the ball”, without the glass footwear…

Anyone who buys into TETRA anew these days probably needs some serious help as it won’t just be their sanity that gets called into question…

Gordon December 18, 2017 11:40 AM

@Clive Robinson

I have never seen a Tetra-Pager with my eyes. The Airbus one looks a bit chunky. Terrifying, really. A nasty piece of work but then again, it is from mainland Europe.

Nothing beat the good old Hutchison Paging pagers. We all carried them. I remember when I sat in a seminar and kept my Hutchison pager in my shirt pocket. It was on silent and I fell asleep. When I got a page, it started vibrating and I almost got a heart attack. Their Euromessage service covered the U.K. and if you choose the overseas option, it covered about seven countries on the mainland.

Unfortunately, 456 MHz is used in two European countries on a countrywide basis only (France and Germany). In those two countries, they are also available for private individuals.

Also, quite often, local fire brigades set up their own paging networks. It seems to be very popular in Germany and also in the States. The eMessage website is quite interesting.

Re Lotus 1-2-3: Version 9.8 (SmartSuite 9.8) works on Win 10, just like the unbeatable Lotus Organizer 6.1! Alternatively, Quattro Pro X6 allows you to switch the layout so you get Lotus 1-2-3 commands. It even reads the new 1-2-3 extension which is “.123” (as opposed to the old “.wk4”). Helps, if you want to avoid Excel.

Maybe Bruce could tell us why IBM killed Lotus 1-2-3 and Lotus Organizer. Still so many users around, just like Win XP.

Sarah January 11, 2018 3:46 AM

Is this what you mean by tracking people’s meta-data?

It seems like it would be difficult to really protect against it. Unless one never went outside, or used burner phones. And that in itself has its own tells.

Rene Wijaya July 15, 2019 8:12 PM

Do you guys know that we can use the SIM card in every mobile phone to track the owner’s location?

I have read about this on reverse phone lookup: Cocospy site, and it goes beyond my expectation. I could not get a very accurate location for some phone numbers. But specifically for some I really want to spy on, this is a great tool.
