How the FBI Gets Location Information

Vice has a detailed article about how the FBI gets data from cell phone providers like AT&T, T-Mobile, and Verizon, based on a leaked (I think) 2019 139-page presentation.

EDITED TO ADD (11/12): My mistake. It was not a leak:

Ryan Shapiro, executive director of nonprofit organization Property of the People, shared the document with Motherboard after obtaining it through a public record act request. Property of the People focuses on obtaining and publishing government records.

Posted on October 27, 2021 at 9:01 AM26 Comments


Randy October 27, 2021 9:44 AM

That 139-page presentation is interesting. Esp. on page 15 where it shows “examples of cell towers disguised to blend into landscape”.

Also it says that it takes 500 hours of training to become CAST certified. So apparently it is not very straight-forward to get a users location if that much stuff is involved?

echo October 27, 2021 9:49 AM

Thanks to GCHQ poking its nose in the UK didn’t push forward with a policy to make network sharing mandatory so we’re still stuck with less than optimal coverage and blackspots in some areas. Why? No idea because “national security” mutter mutter.

It may sound frivolous but I’m on the watch for pen pusher security and law enforcement types with bad tailoring. It’s completely unscientific and mockingly snarky but a way in my mind for putting these types of people in their place. Now there will be those with impeccable tailoring but then they would be accused of slick careerism so I have them covered that way too.

One thing I would like to see though is UK media do better analysis and be much more firmly objective. This secret squirrel and nonsense with personalities and who is on with who and such like is a load of flannel. It’s constantly shifting churnalism where public policy discussion is always in a state of flux and nobody is held accountable because wriggly reasons. Even on just one single area like court reporting you have to hold their feet to the fire to provide a link to the court judgment so you can make your own mind up and seperate good critical analysis from careerist waffle.

There is some good independent media in the UK but it’s small and completely drowned out by the US. Blink and you wouldn’t know it’s there.

Sofa October 27, 2021 9:56 AM


Not a leak, from the article:

Ryan Shapiro, executive director of nonprofit organization Property of the People, shared the document with Motherboard after obtaining it through a public record act request. Property of the People focuses on obtaining and publishing government records.

  • Sofa

Peter October 27, 2021 10:30 AM


The 500 hours was to be allowed to testify in court (ie. how to explain the system without making it look blatantly unconstitutional).

They didn’t specify how much training was needed to use the system.

Hellios October 27, 2021 11:01 AM


Seems like a complete waste of time. 500 hours of training to learn how to wave hands in mysterious and mystical manner? The problem isn’t the language. The problem is a judicial system that is a third branch in name only and caves into the executive at the mere batting of an eyelash or a twinkle in the eye.

Our system has evolved into one where our freedoms have come to depend on the actions of armed gangs with only a high school education (LEO) overseen by a cabal of lawyers.

65535sec October 27, 2021 11:12 AM

If you look at the entry, the FBI c-a-n find out anything about anybody. What this means is they could target any politician, high or low, without necessarily answering for it.

But are they using this to help Citizens who face the compromises brought on by adversaries who have access to the same data?

The democratic system depends on a lack of self censorship, free exchange of information, and privacy. Diplomacy may not be possible without spies, but discretion is not possible if the compromise is too complete.

Ted October 27, 2021 1:02 PM

@SpaceLifeForm, All

Did you see the cell tower drive testing details on page 27 of this report? In regards to our “lost” hiker in Colorado, do you think that the “Lake County Search and Rescue” outfit has previously worked with the FBI to map out a radio frequency footprint of the area?

I wonder how quickly they will contact the FBI when a person cannot be located.

Jon October 27, 2021 2:36 PM

Seems to me that 139 pages is an awful lot to ask nicely for that information, and then if they say no, ask “Are you sure all your permits are in order?”. Done…? J.

Clive Robinson October 27, 2021 4:56 PM

@ ALL,

A look at page 16 of the PDF shows some important information…

The celular system “assumes” signal strength is the way to decide which cell you are in or should be “handed off to”.

That model assumes that the mobile radiates more or less omnidirectionaly. To prevent base station receiver “de-sense” in that cell and other adjacent cells the base the mobile is connected to, tells the mobile to turn it’s power down if the signal strength is high.

If you disable GPS in your phone then location data is based on,

1, Assumed cell you are in (signal strength).
2, Which sector you appear in (which base antenna you are strongest on).
3, What your time delay is as a crude measure of distance.

Because the above can be crappy they take several readings including those from adjacent cells to get an aproximate location the accuracy of which is inversely proportional to the distance from the mobile to the base (assuming omnidirectional radiation).

Ask yourself the question,

“What happens when the mobile does not radiate omnidirectionaly?”

That is you take the phone appart, identify where the internal antenna is, remove it and replace it with an external high gain directional antenna… Especially one with few or no effective side lobes (corner reflector or trough / dish).

Your location uncertainty becomes rather dependent on which way your high gain antenna is pointing, and at what…

I’ve talked about “back to back” antennas to be used as passive relays in the past. Such things can be usefull if you live in a basment. One antenna is just outside your main room window which feeds low loss coax to another antenna up on the side of the building ten or more feet above ground level.

You can use “back-fire” antennas that have good back to front ratio with five to ten directors back to back and cross polarised both mounted on a pole on a high building. If you use a similar antenna to point into one of the antennas on the roof your signal in effect “dog legs” which means your path length measured by time delay is off and you can point the other roof based antenna at a more distant cell site…

You also get issues with buildings acting as reflectors, if you can get the maps, of cars driving down a main road, they can all appear to jump a distance off of the road.

It’s why the cell site surveys are so very very important, because such anomalies although they don’t effect your ability to use the service, do effect your location sometimes significantly.

Oh whilst I see they have to get a “warrant” to get at “voicemails” I have not seen anything about getting the “call records” of what numbers were used to “call the voicemail service”.

So a question arises, if you just leave a dirt cheap burner phone on in a box, that triggers a Raspberry Pi or some such when it rings, and the Pi then “pages you”[1], you can go to a phone box landline or borrow somebody elses mobile to call the VoiceMail and pick up a message. The question then is do the FBI get the information about which number called the VM service and thus be able to get it’s location?…

Also there are “emergancy button phones” you can get really dirt cheap (less than $20 for GSM 2G service) as they have real “keyboards” it’s not to difficult to program it to call the voice mail service, as “single key dialing” and get the audio messages into a computer then squirt them off via Tor as audio files to a “drop box” server, where having been “paged” you can then pick them up via Tor from an Internet Cafe etc.

Not impossible to be traced but requires sufficiently technically competent staff. Which is certainly way beyond what this ~1/4year training will get them…

But then if you are technically competent there are all sorts of other tricks you can pull with just a Raspberry Pi and a network socket including having a little VoIP PABX… Tucked away by WiFi under a floor or in a loft, all you need is to get power to it… Go to a flat via Airbnb / Gumtree / etc that is over looking a coffee shop or travel interchange or backs onto a large store car park and install $100 of kit under the floor and there you go…

These things are not difficult if you can think laterally in technical ways. Or know that whilst “chains” do monitor WiFi little independent cafes, coffee shops, etc don’t and mostly they do not change their WiFi passwords if they even have them…

[1] The thing about “national paging” services is you don’t need a “pager” a Software Defined Radio (SDR) and a little software and you can receive everybodies pager signalls and by writting a bit of software get the data off of it. There are Ham Radio Projects that do exactly this, to control systems remotely…

SpaceLifeForm October 28, 2021 3:02 AM


Connect dots.

Call Records are SS7 data mostly. Exceptions are PBX, and some DID.

Why should you have to get a warrant for Call Records when you can just set up an ongoing business deal with Syniverse and Sinch where they just dump that info to you?

The Metadata. Calling number, called number, timestamp, duration.

Actual content is where a warrant comes in.

But, the Metadata is pretty rich without the content.

SpaceLifeForm October 28, 2021 3:28 AM


Location, location, location

If you read closely, you may discern something.

Stealth calls, stealth SMS.

You, as a ‘Smart Cell Phone User’ (parse that carefully) may or may not notice that a Stealth call or text has occurred. Maybe you notice something, but when you look, there is no new text or no new missed call.

Why would that happen, you may wonder.

Because it is a cell tower communication. It is a way to geolocate your phone, at random hours.

Winter October 28, 2021 3:49 AM

“Because it is a cell tower communication. It is a way to geolocate your phone, at random hours.”

Is knowing where you are not a prerequisite of being able to use a mobile phone? If you are called, the Telco has to know which tower should send you the call signal, and if you are moving to which tower to hand over the call.

Given the profit-maximizing nature of telco’s, I cannot imagine they would invest in all this gear to follow you if it was not absolutely necessary.

Clive Robinson October 28, 2021 6:14 AM

@ SpaceLifeForm, Winter,

Because it is a cell tower communication. It is a way to geolocate your phone, at random hours.

Sometimes called SMS Type Zero, I’ve mentioned them before. They are used as part of the mechanism for “Over The Air Updates”. AND they came in as a legacy “health&Safety” from various people “finessing” on various “national” standards bodies…

In theory, they are “to the SIM, not the Phone”. That is the phone gets a notification but it ignores the SMS content.

People tend to forget the “privileged nature” of the SIM.

SpaceLifeForm October 28, 2021 8:11 PM

@ Winter, Clive

Standby. Handover.

the Telco has to know which tower should send you the call signal

True. SS7 only has to track which cell your phone is in, but does not have to track exact location constantly.

Imagine the overload of data that constant geotracking would require if you took a walk with your Handy. Imagine your battery life quickly disappearing due to the radio traffic.

Then multiply that dataload by orders of magnitude because your phone is not the only one in the cell area.

Cell towers do not geotrack every phone visible in it’s sector.

But, when a tower connection is made (out of Standby), that is when more fine grained location information can be dumped. Which is where a Stingray can be handy.

Clive Robinson October 28, 2021 9:34 PM

@ Winter, SpaceLifeForm,

Is knowing where you are not a prerequisite of being able to use a mobile phone? If you are called, the Telco has to know which tower should send you the call signal, and if you are moving to which tower to hand over the call.

Err not exactly… I’m going to use IT networking names to describe how it worked, and over simplify the process of tree walking used.

To keep undesirable traffic down on the “back hauls” a hierarchy is used. With a central node at the top and several layers untill you get to the leaf nodes that are the actual cells. Each node has a historical database of mobiles registered.

So simplisticaly the hierarchy is, from the central node you have a regional node layer, then below that a local node layer and then below that an actuall cell.

So it is not a prerequisite for the central node of the network to know where a mobile is. All that it needs to know is that the phone was “registered” as connected with the network at some point in the recent past and that it has not been wilfully turned off in some way since. If you turn off or battery goes too low your mobile tells the network it is disconnecting, if the base station carrier signal goes below ~70db then the mobile goes into “hand-off mode” which is unknesseceraly complicated for an over view description.

When a call comes into the network for a given mobile the central node looks in the main database there to see if the mobile is in theory connected to the neywork. If not the call gets diverted to VM or some other service to convert it to a profitable call connected. If the DB shows the phone registered as connected it quearies the last reported leaf node (the reported node may well be out of date, as you move only the lowest layers know where you’ve moved to, as you move through from one layer to the next the DBs in involved higher layers get updated, not the layers above or central DB.

If the mobile is in the leaf nodes DB –the most likely case– the leaf attempts to move the mobile from the control channel to an available call channel. If it succeeds the call is connected.

If not the leaf node passes it up back up a layer and a search is made of adjacent local leaf nodes. The search pattern is generally not a round robin but statistically weighted based on handover statistics (as mobiles follow roads etc thus have “normal traversal patterns”). If the mobile is found in another adjacent leaf then that leaf attempts to move it from the control channel to a call channel. If it’s not found in any of the adjacent leafs it goes up a layer and so on.

It is why you get a pause of several seconds… Interestingly it is the mobile that dictates the ring tone the person trying to make the call hears not the network. So it is possible to have a customized ring tone on some networks (many don’t as this enables the user to change the tone so that the inbound caller can receive information without the call being connected for charging happening).

Anyway whilst one of many historical network databases knows where you were most have quite old information and searching has to be done if you have moved.

The fun stuff is when you go out of range without handing off as the signal drops below the threshold. This can happen with vehicals in built up areas or with tunnels etc. It’s why statistical searching is used because the chances are you follow a normal pattern.

Then there is “ping pong” you can be in a position where you are marginal in two cells and you do not switch cleanly but go back and forth (quite normal behaviour when actually moving). Obviously this creates a heck of a load of traffic unless algorithms are used to suppress it (which there are).

It’s why in reality the location signalling is hellishly complicated and should always be challenged in court because it is far from accurate most of the time…

Mr Clueless October 29, 2021 10:10 AM

Hi all!

On the subject of cell phones, does anyone of you geniuses know if GSM cards can run a form of Java code, if that Java code can interface with the rest of the phone, and if such code can be sent to the phone “over the air”..?

1&1~=Umm October 29, 2021 12:42 PM



Motorola made a GSM module called the G24. One varient of it alows you to write a significant amount of Java in the J2E environment. It was devrloped in Israel and became part of Motorola “Machine to Machine or M2M division.

It has been mentioned on the site in the past and a quick web search on “Motorola G24 Java” brings up several links including,

However back in 2011 Motorola M2M was sold of to Telit Wireless,

Not sure what has happened since. Try looking at,

anon October 29, 2021 3:52 PM

The best part of that presenation is the actual crime scenes that you can find by googling the lattitude/longitudes from their examples… dummies.

SpaceLifeForm October 29, 2021 4:28 PM

@ Bruce

Probably not leak, but FOIA.


SpaceLifeForm October 29, 2021 5:43 PM

@ Mr Clueless

Silicon Turtles

The answers to your questions are Yes, Yes, and Yes.

Your Cell Radio and SIM are cpus that run at high privilege. Java is just a feature.


someone October 31, 2021 11:33 AM

@Clive re: shoeboxing phone & Rasberry & checking VM from borrowed phone. That seems complicated to me, ntm creates the need for implicit trust in the owner of the borrowed phone. I can still buy a cheap prepaid TracFone for cash at Walmart and register it using phony id info and an anonymous email account. Does your solution have important advantages over using that phone to call into VM for a phone registered to my real identity?
Also, thanks for the reminder about signal manipulation via antenna configurations. I was just about to ask what phone mods might mess with location info without killing the sending and receiving calls when I saw your post.

Clive Robinson October 31, 2021 1:27 PM

@ someone,

Think a little bit further beyond the tech.

What I suggest if done in your own property does not actually break any US laws currently.

When you say,

and register it using phony id info and an anonymous email account.

Breaks atleast three US federal laws that I am aware of and probably more… So could have you locked up for quite some time, even though to most people you have done nothing criminal.

But onto your question,

Does your solution have important advantages over using that phone to call into VM for a phone registered to my real identity?

There is an unknown in the documentation so all I can say is that,

“If the phone company logs the inbound number then it will be kept for anything upto seven years by the looks of it. Which means that potentially it is available and as it’s registered to you would be covered ubder any existing warrants or paperwork anyway so no advantage. But if not registered to you, then the FBI would have to go further legaly to get location data”.

The point is not to stop the FBI dead, but just make their journy down the road have more pot holes, thus maybe deter them from driving down that particular road.

If I wanted to have my location hidden from LEO’s and many National agencies then I could I know of ways it can be done. But we know that even the more well funded and intrusive agencies have limitations, that when they try to reach past certain points they will unavoidably trip alarms and that can cause several cut outs to drop out. Could they get beyond those now open cut outs, well that’s an open question, but I suspect that it would be easier to find me other ways.

One such way is to “create an emergancy” that in effect forces you to nolonger use comms you control but they control or have advantage in…

It’s one of a number of “flush the game out” tactics. The solution is in effect “not to play”. That is by preprepared mitigation or drop comms altogether.

Why do they do this? Well by and large they are creatures of habit… That is history shows inexperienced or incautious kidnappers, blackmailers and ransomers can be strung out and thus get lured into a trap which is generally what they authorities try to do.

However if the criminals just cease comms etc at the first sign leaving a dead end then the authorities get stymied their preprepared stratagem has failed.

Whilst they might eventually pick up a thread other ways, by then the clock has stopped. Also any half way sensible criminal is going to mitigate those other avenues anyway. Ultimately black swans exist, so the criminas might not be successful because of later changes in technology etc. Like when DNA analysis came to the fore and old cases got re-examined with it, but a lot of cases especially lower profile ones go unsolved indefinately as resources are limited.

It’s this last point that some criminals realised the internt had advantages in. Whilst say a $5000 crime clears a bar fifty $100 crimes do not get close as many will not get reported or recorded anyway.

Whilst in some what questionable theory all physical crimes can be solved by “forensics”, reality is somewhat different. That is the longer a physical crime remains uninvestgated the lower the probability will be that there is anything to investigate.

The same is unfortunately not true for non physical information crimes. It’s one of the reasons for “collect it all” you can in effect build a virtual time machine and go back as far as the data goes and rerun history over and over till you spot something.

For example back untill the 1990’s field craft worked because those following a suspect did not see the world through the suspects eyes. Thus covert signals by a handler to an agent would not get remembered by those following. These days with CCTV and video cameras 1/10th the size of a matchbox and with high resolution images they can be automatically searched, and if the handler uses the signal more than a couple of times then it can be surfaced by correlation and the handler then watched for and apprehended.

We don’t know what the phone companies actually log, likewise we don’t know what the authorities will put resources into now or in the future. We can however realise what is currently recordable and make assumptions and mitigate them as best we can.

Speaking of which, how to break correlation attacks… Lets say you the agent go to the same bus stop every work day. So your handler aranges for some sort of signal like a used soft drinks can on the ground next to the rubbish/trash bin. If it always means the same thing then correlarion will pull it up. If however it means different things on different days then the correlation becomes hard if not impossible to establish. In essence that is the proof of security behind the “One Time Pad”(OTP), the message could mean any and all messages including no message. Thus if you the agent know that if you see a can, and you check it against your secret “bit stream” you will know if it means “go to the dead drop” or not, or maybe check for second signal at lunch time etc.

To the agent and handler it is both deternanistic and purposefull as they share the secret. However to an observer it is at best random and probably not noticable.

There is a lot of degrees of freedom between what the first and second parties in an arrangement know, and what a third party observer of one of them can only guess at…

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.