Identifying People Using Cell Phone Location Data

The two people who shut down four Washington power stations in December were arrested. This is the interesting part:

Investigators identified Greenwood and Crahan almost immediately after the attacks took place by using cell phone data that allegedly showed both men in the vicinity of all four substations, according to court documents.

Nowadays, it seems like an obvious thing to do—although the search is probably unconstitutional. But way back in 2012, the Canadian CSEC—that’s their NSA—did some top-secret work on this kind of thing. The document is part of the Snowden archive, and I wrote about it:

The second application suggested is to identify a particular person whom you know visited a particular geographical area on a series of dates/times. The example in the presentation is a kidnapper. He is based in a rural area, so he can’t risk making his ransom calls from that area. Instead, he drives to an urban area to make those calls. He either uses a burner phone or a pay phone, so he can’t be identified that way. But if you assume that he has some sort of smart phone in his pocket that identifies itself over the Internet, you might be able to find him in that dataset. That is, he might be the only ID that appears in that geographical location around the same time as the ransom calls and at no other times.

There’s a whole lot of surveillance you can do if you can follow everyone, everywhere, all the time. I don’t even think turning your cell phone off would help in this instance. How many people in the Washington area turned their phones off during exactly the times of the Washington power station attacks? Probably a small enough number to investigate them all.

Posted on January 9, 2023 at 7:14 AM • 76 Comments
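The correlation described in the post, as an added example that is not part of the original post or of any investigator's tooling: it matches per-site device sightings against event times, then counts how often each matching device shows up at those sites outside the event windows (the "at no other times" test from the CSEC presentation). Site names, device IDs, timestamps and the 15-minute window are all constructed assumptions; dev-D is included to show a device that matches every event yet has a routine presence at the same sites.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed events: (site, time). Not the real attack locations or times.
EVENTS = [
    ("S1", "2022-12-25 02:40"),
    ("S2", "2022-12-25 03:20"),
    ("S3", "2022-12-25 05:10"),
    ("S4", "2022-12-25 19:20"),
]

# Constructed sightings: (device_id, site, time), as if taken from per-site records.
SIGHTINGS = [
    # Two devices that move together and are near every site at each event time.
    ("dev-A", "S1", "2022-12-25 02:35"), ("dev-B", "S1", "2022-12-25 02:36"),
    ("dev-A", "S2", "2022-12-25 03:18"), ("dev-B", "S2", "2022-12-25 03:25"),
    ("dev-A", "S3", "2022-12-25 05:05"), ("dev-B", "S3", "2022-12-25 05:12"),
    ("dev-A", "S4", "2022-12-25 19:15"), ("dev-B", "S4", "2022-12-25 19:22"),
    # A resident near S1: present at the event time, but also on other days.
    ("dev-R", "S1", "2022-12-25 02:41"),
    ("dev-R", "S1", "2022-12-24 09:00"), ("dev-R", "S1", "2022-12-23 21:30"),
    # A driver whose regular route passes all four sites, on this day and others.
    ("dev-D", "S1", "2022-12-25 02:50"), ("dev-D", "S2", "2022-12-25 03:30"),
    ("dev-D", "S3", "2022-12-25 05:00"), ("dev-D", "S4", "2022-12-25 19:30"),
    ("dev-D", "S1", "2022-12-24 02:50"), ("dev-D", "S2", "2022-12-24 03:30"),
    ("dev-D", "S3", "2022-12-23 05:00"), ("dev-D", "S4", "2022-12-23 19:30"),
    # A passer-by seen once near one site.
    ("dev-P", "S3", "2022-12-25 05:20"),
]


def profile(events, sightings, window_min=15):
    """Map each device to (events it was near, sightings outside every event window)."""
    window = timedelta(minutes=window_min)
    parsed = [(site, datetime.strptime(ts, FMT)) for site, ts in events]
    near = defaultdict(set)      # device -> indexes of events it was near
    baseline = defaultdict(int)  # device -> sightings that match no event
    for dev, site, ts in sightings:
        seen_at = datetime.strptime(ts, FMT)
        matched = [i for i, (ev_site, ev_time) in enumerate(parsed)
                   if ev_site == site and abs(seen_at - ev_time) <= window]
        near[dev].update(matched)
        if not matched:
            baseline[dev] += 1
    return {dev: (len(hits), baseline[dev]) for dev, hits in near.items()}


def shortlist(events, sightings, window_min=15):
    """Devices near every event, those with the fewest baseline sightings first."""
    stats = profile(events, sightings, window_min)
    full = [(dev, base) for dev, (hits, base) in stats.items()
            if hits == len(events)]
    return sorted(full, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    for dev, base in shortlist(EVENTS, SIGHTINGS):
        print(f"{dev}: near all {len(EVENTS)} events, {base} baseline sightings")
```

A match on every event is a lead rather than an identification: dev-D passes the intersection test too, and only its baseline count separates a routine presence from a one-off one.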


Peter A. January 9, 2023 7:50 AM

The trick is not to bring any phone or transmission device to your chosen crime scene, leaving whatever devices you own at home, turned on. Also do not bring your car etc. Before you start going out committing crime, go out frequently for long walks or jogs without any device – it will both normalize leaving your phone at home and make you fit to run from justice.

Untitled January 9, 2023 7:52 AM

I don’t see where the cops in this case were “following everyone, everywhere, all the time”. They didn’t follow anyone. They just did some correlation: get the numbers of all phones that were at any of those four locations at the times of the attacks, and see if any of them appear more than once. Aha! Some of them do. Check out those phones, find the bad guys, delete all the rest of the data because it’s of no further interest. Seems a smart piece of detective work to me, though I’m not qualified to comment on the constitutionality.

Q January 9, 2023 8:42 AM

I doubt it needs to be a smart phone, tracking doesn’t need Internet IDs. Any mobile phone will suffice. Dumb phones ping the cell towers also.

Turning the phone off is a signal also. Stands out just fine in the data of everyone else leaving theirs on.

Leaving the phone turned on at home seems like a good option. Or perhaps travel to a woodland area with no coverage and turn it off there, do your dastardly deeds, then return there before turning it on again.

Wear a disguise and take public transport, or ride a bike, or something, but whatever you do don’t drive a motorised vehicle with a license plate. Automated license plate readers are a thing.

Firefly January 9, 2023 8:49 AM


No one said that they were “following everyone, everywhere, all the time”.
But they have the capability to do so. Of course not personally. But from all the data they get they still know where your phone (and hence most likely you) was and they theoretically can follow you in real time.
Difference to 50 years ago is they can “follow” you and everyone else from their desk.

“delete all the rest of the data because it’s of no further interest”

Why? Maybe something else is of interest.
No one in advance knew there would be a murder. They still had the data. Just in case.

Bjorn J. January 9, 2023 9:05 AM

The prerequisite for a correlation is that everything and everyone is permanently stored in a database. Data will not be deleted since it is needed to create correlation.
If you consider this to be smart detective work, then a librarian who can look up where a book is, is also doing smart detective work…

John Tillotson January 9, 2023 9:12 AM

On one hand, I’m sure that anyone who got their stolen property back because the popo had access to the IMEI locations or license plate data is quite happy that data was available and usable to the cops.

On the other hand, I’m also sure that that same data can be abused in many ways by shady elements within law enforcement to do malevolent acts.

On the gripping hand, I’m sure that all kinds of “other entities” have access to the SAME data including the vendors of the systems, the cell companies and ISPs, and whichever hackers and nation-state spying agencies have an interest in that data for profit, espionage, crime or whatever.

Privacy laws and controls may limit the access to this information by the “overt” law enforcement agencies, but those same laws and controls will have NO effect on “other entities” and what they do.

The fact is that the “expectation of privacy” touted by laws and regulation is far out of sync with the technological reality.

Stand Out Criminals January 9, 2023 9:18 AM

These criminals didn’t do their homework; why bother going out to commit a crime with a cellphone or in an area you are not normally associated with: that made them stick out like a sore thumb.

The Idaho murder suspect, despite being a PhD student in criminology, was also identified through cellphone metadata. What a bunch of losers. Crime is not worth the bother.

Steve January 9, 2023 9:53 AM

Bruce: As we know cops can use license plate data from cams too. But now all recently produced cars harvest GPS data and store it on chips, which the cops can then access with or without a search warrant under various pretenses. Not sure, but I believe my 2007 Nissan does not have such chips in it. Likely though US Gov’t will start requiring automakers to insert chips in manufacturing of cars which “give up” data anywhere there is internet access or Wi-Fi.

When you see guys wearing ponchos and ski masks riding bicycles carrying large golf bags to hide their long guns, then you will know it’s been implemented.

Phillip January 9, 2023 10:07 AM

I do like this forum, and… getting this “PHP Markdown.. ” interrupt wasting my original answer. I might go otherwise silly posting with another forum. Because I’ve experienced it multiple times here, Joe Schmo. Sorry, Schneier. Every little difference is wasting me.

Phillip January 9, 2023 10:23 AM

Maybe “PHP Markdown Extra” is my healthy pedophile problem with spoken participating here. I have a right to remain objectionable when a stupid web problem is hounding me with a brand new Pixel 6A. Reasonably, this is category your problem with the azm.

Ted January 9, 2023 10:40 AM

Disrupting four electrical substations on Dec 25 wouldn’t draw attention, would it? Oh my.

For a cash register burglary?

And $3m in damages.

Phone numbers xxx-xxx-7608 and xxx-xxx-9660 were in proximity of all these substations at all the times of the attacks. Probabilistically, this could indicate some connection.

Court records show that investigators also pulled the phones’ subscriber info and their associated Google (gmail) accounts.

Clive Robinson January 9, 2023 10:55 AM

@ Bruce, ALL,

” I don’t even think turning your cell phone off would help in this instance.”

It could and no doubt would be used as a sign of “pre-meditation”.

Oh and do not think that “turning the phone off” actually works, it does not, the phone remains powered up but supposadly in some quiescent mode.

The fact is your phone can be turned on again remotely by the network as long as it has both power and is in range.

It’s why as I’ve said in the past you need to develop “habits” long long before you commit or even intend to commit a crime.

Putting your phone “on charge” or “turning it off for the subway” are a couple of reasonable reasons for not having your mobile on or in your pocket.

Likewise locking it in your desk drawer during work hours is a reasonable reason. As is turning it off when getting to work. Then not turning it on again when leaving work or leaving it in the desk drawer over night are not unreasonable things to do.

The thing is to generate anti-patterns or inverse-patterns months if not years before you do something criminal.

But remember whilst “a crime” might be a reason to change “phone habits” so are a number of other reasons, like “hunting for a new job”, trying to organise a family or social event. Joining a club, or getting a new love interest.

Prosecutors will use anything they can to make you look guilty, the best defence to that is do anything you can to refute it preferably by making them look stupid / reaching so that it looks to a jury like their case has no merit.

As I’ve mentioned a few times, most criminal cases were solved because the criminals “flapped their gums” and effectively boasted their way into jail.

The use of anything that is traceable like a car, mobile phone, fitness band, even CCTV will be used against you one way or another.

The trick is realising you can not avoid it 100% so you have to make it work for you instead[1].

Something “street teenagers” in London have been doing for some years now.

The thing to remember is that at the end of the day, law enforcement are human beings, with all the failings of human beings, laziness being just one. So if you know they use a certain method, the chances are they don’t use other methods, so poisoning their methods of choice has certain advantages.

[1] I’ve yet to try using a drone to carry a mobile into/onto the back of a truck… Or similar ideas 😉

burt January 9, 2023 11:33 AM

… cops likely asked the cellfone companies for a full list of all active cellfones
near the targeted power station at the period of attack

that’s an illegal blanket search under 4th Amendment, but cops routinely do it.

Andy January 9, 2023 11:45 AM

@ Clive Robinson,

I’ve yet to try using a drone to carry a mobile into/onto the back of a truck…

Interesting, but overly complicated. And who knows what logs are being kept by the drone or its manufacturer? Better to just do what the cops do, and use a strong magnet to attach your electronic device to the patsy’s vehicle while parked. Or stick it in a padded “go bag” and drop it into the cargo bed from a bridge.

AL January 9, 2023 12:00 PM

So far, we’ve heard nothing about a car’s telematics, but those contact the cell network as well. So, for radio silence, the car’s telematics, if it has one needs to be shut down as well.

echo January 9, 2023 12:26 PM

It’s all about the “survivability onion”.

Step 1: Don’t be there.

“Joooonesie. What yer up to this weekend?”

Step 2: Don’t be detected…

“Dunno mate. Could ‘ave been anyone.”

Step 3: Don’t be targeted.

“Not me guv.”

Step 4: Don’t be arrested.

“Oi. Mind the cloth”.

Step 4: Don’t go to court.

“No comment. Where’s my lawyer?”

Step 5: Don’t go to jail.

“Ere, I have ooman rights too! Psst. Oi, mate. It was a right gas it was. Stupid plod did me for that job and eff me if they didn’t spot the wagon full of gear right next to ’em. lol”

PaulN January 9, 2023 2:16 PM

It’s very interesting looking at the Affidavit for the Idaho4 case from a privacy perspective. Here’s a link to the court filing. Much of the affidavit is a cell phone analysis combined with a surveillance camera analysis.

Note that there are many opsec fails with this specific suspect: used his own car, did stakeouts with his cell phone turned on, turned his phone off at the specific time of crime… it shows how serious opsec has to be a lifecycle. Anyway.

I don’t know the burdens of a proof that permit getting warrants for this information; certainly it’s stemming from a legitimate investigation.

higgs boson January 9, 2023 3:10 PM

@ Clive Robinson,

Oh and do not think that “turning the phone off” actually works, it does not, the phone remains powered up but supposadly [sic] in some quiescent mode.

The fact is your phone can be turned on again remotely by the network as long as it has both power and is in range.

Would you have any sources to back these statements up? Genuine question. I’ve heard these sorts of things asserted but have found no independent verification.

SpaceLifeForm January 9, 2023 3:39 PM

@ Ted

The burglary story is cover for DomTerr.

There would be only one substation to target, not four.

Ted January 9, 2023 3:57 PM


The burglary story is cover for DomTerr.

Hmm, I was researching a little more (see below). Yes, one substation is almost plausible for a burglary. But four, with a fifth scouted? It’s sus.

@SLF, All

“Just desperate”

As a father to be, Matthew Greenwood made a perplexing choice to commit an act of domestic terrorism.

Both he and his pregnant girlfriend face substance abuse issues. She says that she recently started treatment. Officials have recommended inpatient treatment for Matthew’s meth use.

Greenwood is also coming off a felony car theft charge from last year. To add to his woes, he is recently unemployed and without stable housing.

Greenwood reported that he and Crahan were inspired by TV news coverage of recent attacks on electrical infrastructure.

Officials believe that poverty and drug use were greater contributors to his actions than an alignment with domestic extremist groups.

Still… “The federal prosecutor said he expects upcoming searches of the defendants’ cell phones to be “illuminating.””

echo January 9, 2023 4:43 PM

Step 1 of the survivability onion. “Don’t be there”.

You won’t find the likes of Murdoch and his ilk anywhere near the scene. All the data exists to prove a link between a rabid journalist or rabid politician mouthing off and a hothead gunning down people in nightclubs, or attacking power infrastructure. I’ve seen the data. Read none legacy media reporting on the data. In the UK I’ve seen the official statistics on the rise of crime and hate crime.

Yet their phones will show nothing other than calls to various job titles, their accountant, golf club, and manner of mundane stuff. Their location history may include sailing off the coast in their yacht. Maybe even dinner with the local police chief.

The police even refuse to call it terrorism but for strict liability statute and even then there are backflips and twisting.

I’m sure they’re all feeling “as cool as der cucumber”.

Key words:

Stochastic terrorism.



Tony January 9, 2023 4:59 PM

Even better than turning your phone off, or leaving it at home, would be to have a co-conspirator take it with them to somewhere far from the crime scene to help establish your alibi.

echo January 9, 2023 5:35 PM

Georgia Republican Representative Marjorie Taylor Greene was widely mocked online after she claimed the internet is to blame for why she had gotten “sucked into” QAnon conspiracy theories.

The survivability onion.

Step 2: Don’t be detected.

Step 3: Don’t be targeted.

Brazil’s former president Jair Bolsonaro admitted to hospital in Florida with abdominal pain, reports say

Step 4: Don’t be arrested.

Bolsonaro has a 30 day limit on a diplomatic or head of state visa, or his immigration status changes. Brazil is asking for extradition.

Clive Robinson January 9, 2023 5:54 PM

@ ALL,

Apparently shooting up local infrastructure is something that happens in the US rather more than we might expect (and no it’s not terrorism).

Apparently shooting holes in “water towers”, “railroad switches” and traffic signs is quite common.

Whilst not quite as common as people playing “drive by baseball” with people’s post boxes it tends not to make the news unless the “T-Word” gets used then everyone paid from the public purse gets their five minutes on TV. Not of course the accused who maybe get to court and tell their side, probably not though… as they are looking at spending what time they have left in solitary confinement.

After all who wants the public finding out these people are not terrorists but people who are in need of health care / support for conditions that are effectively dealt with in most other countries so they can lead near normal lives…

echo January 9, 2023 7:21 PM

Step 5: “Don’t go to jail”.

The new House rules would:

  • Enable the GOP to defund a criminal investigation into you know who.
  • Defund Office of Congressional Ethics.
  • Enable a Republican being investigated by the FBI to investigate the investigators investigating him.

MarkH January 9, 2023 8:03 PM


The view from here in the U.S. is rather different.

The other kinds of vandalism you listed have been going on for generations … multiple synchronized attacks on substations are a recent development.

Far-right white supremacist movements — the kind associated with the destruction of a Federal office building in Oklahoma City — have long been preparing for a “war” they imagine will dispose of their imaginary enemies.

For decades, U.S. domestic terror groups have circulated “handbooks” with information to facilitate attacks. The newer versions of some of these explain how to attack electrical substations.

There are other indications that more than one of these attacks are politically motivated.

lurker January 9, 2023 8:33 PM

@higgs boson, Clive Robinson

My phone is dual SIM. It has software switches to dis/enable one or both SIMs. I don’t have the equipment or enthusiasm to prove it …

Clive Robinson January 9, 2023 11:03 PM

@ MarkH,

“For decades, U.S. domestic terror groups have circulated “handbooks” with information to facilitate attacks. The newer versions of some of these explain how to attack electrical substations.”

Those same “handbooks” have been “made available” in quite a few places in Europe, and I assume from comments made by others in other forum in other parts of the world as well.

But there is a palatable difference in the way it’s playing out in the USA compared to other places.

It is somewhat trite to say that in the US “paranoia has been politicized” but it is certainly clear that there are more “far edge” beyond “fringe” people gathering together and forming groups via social media and similar. Worse they are attracting those considered “down right crazies” from Europe and apparently not just “normalizing” them but “lording them up” as well.

Their groupthink behaviour is such that to hold rank they have to be more extreme or say things that excuse extremism. Such “truths” are never questioned in the group, and any who do question are not just attacked they are met by phoney arguments or claims of superior knowledge by those attacking.

The classic example was in “Pizza Gate” or whatever it now gets named of secret passages and chambers beneath a single story pizza emporium. The fact it could be shown that no such underground works existed was not accepted by the groupthinkers…

To say that such people were deluded is kind of missing the point. These people believed because they wanted it to be true. The question is why?

Looking at the socioeconomic profiles and emotional development of those involved reveals quite a bit about them as well as a clear distinction between the group leaders, the group celebrities, and the followers. They are effectively “cults” using rituals, secret knowledge holders, proficiency levels and similar basic mind control techniques.

Whilst this is also true in other places it is rather more starkly polarized in the US.

Thus the question of “Why?” comes up. Is it simply a “leading edge effect” where the US is just first and others will follow in time, or is it something else.

If it’s a case of “leading edge effect” then we only need look back nearly a century to see where this is likely to go, and that’s not somewhere that most of us want to go.

JonKnowsNothing January 10, 2023 12:19 AM

@Clive, @MarkH, All

re: DIY handbooks, pamphlets, documents, images containing Topics of LEA Interest

In the USA, all of these sorts of handbooks contain tracking watermarks. They are all known by every LEA in the country. They are all trackable, traceable and can land you in jail PDQ.

While in theory, a USA citizen has the right to look at all sorts of things without crossing illegal thresholds, there are carve outs to the rules. LEAs make a point to monitor and collect information on anyone even doing a “google” on these types of documents. Bells go off, and you end up On The List.

While, curiosity might be enough to wonder “What’s in the Beef?”, the adage about curiosity killing the cat should be in the forefront before typing anything in or pressing the Q.

Those documents now are Honey Pots, looking for a Sting.

MarkH January 10, 2023 1:38 AM

@Clive, all:

Domestic terrorism — or as the Justice Department prefers to say, Domestic Violent Extremism — has appeared at the extremes of both right and left.

But the great majority of U.S. killings attributed to DVE are by individuals or groups associated with white supremacy and the extreme right.

Sadly, this goes back at least 150 years.

Attributed to federal law enforcement:

“Power companies in Oregon and Washington have reported physical attacks on substations using hand tools, arson, firearms and metal chains possibly in response to an online call for attacks on critical infrastructure … In recent attacks, criminal actors bypassed security by cutting the fence links, lighting nearby fires, shooting equipment from a distance or throwing objects over the fence and onto equipment.”

MarkH January 10, 2023 1:41 AM


The chains are, of course, intended to cause short circuits.

The U.S. recorded attacks on electric power distribution infrastructure at twelve distinct sites in four or five weeks (from late November to late December of 2022).

These caused several large-scale outages.

John January 10, 2023 6:04 AM

Very important to recognise the possibility of a false positive.

This is very close to taking a correlation, namely a particular pattern of locations for some John Doe matching some assumed activity and then concluding an actual connection, namely that John Doe was in fact the person sought.

iAPX January 10, 2023 7:09 AM


Many devices, smartphone and computers, support Bluetooth and this one might not get entirely disabled when “deactivated” from the interface, nor when the device is put in the “off” mode (that is no more a full shutdown), and still communicate with other nearby devices.

This is how Apple’s “Find My” is able to follow some devices, and there’s no way to fully disable the Bluetooth except a Faraday cage or device destruction.
And the “off” mode is only shutting down parts of the device, no more the full device.

As the behaviour in the “off” mode is software-controlled, it could not be trusted anymore to protect our privacy, thus you’d better keep your smartphone at home if you engage in legal activities that might get identified and sold.
For example buying cigarettes, or alcohol…

Eve January 10, 2023 9:07 AM

@lurker; A swap of SIM cards won’t help much as cellphone service providers also track cellphone IMEI number.

This would be like the suspect murderer of the Idaho 4 who changed his car’s number plates.

There is a tonne of metadata being broadcasted that in the hands of skilled investigator escaping identification of potential suspects is getting easier and easier over time and evading detection by culprits is getting harder and harder over time.

Winter January 10, 2023 9:24 AM


Sadly, this goes back at least 150 years.

It can be argued quite convincingly that this behavior associated with white supremacy has been active since the discovery of the Americas.

Violent and bloody terror against non-white people by white supremacists has been widespread in the Americas since 1500. The difference is that it was just legal until 150 years ago.

Modern day white supremacists are the rightful heirs of slavers, slave owners, and scalp hunters of previous centuries.

lurker January 10, 2023 12:07 PM


While a phone with SIM removed can still broadcast IMEI, can we rely on a software switch that “disables” the SIM to do the same?

echo January 10, 2023 1:18 PM

I’m glad someone picked up on Clive trivialising everything then he recovers and casts himself as the all seeing expert again. The thing is he is not the one affected nor has he ever posted critical information on the subject area or shown any interest in taking it seriously.

It’s not always about bombs or shooting up nightclubs. It’s sometimes about policy, or captured institutions, or executive decisions. It can be about race but isn’t all about race. It can be about misogyny too, or attacking LGBT people, or attacking disabled people, or anyone who doesn’t support the will to power narrative.

I was sexually harassed and threatened with violence around a month ago. The perp is now in jail for his sins. There’s a lot more I could discuss about tardy police and their attitudes but that would fill a page on its own. The perp was a mental case but it’s fairly obvious he had picked up things especially from online which I know for a fact are coming from a very nasty place. And yes we all know who they are. All the bad actors pushing it don’t care whether it’s a hothead or a mental case who do something as long as it’s an aggressive act and doesn’t stick to them. But for domestic UK radicalisation it’s doubtful this incident would have happened and, yes, some of general area is covered by the Counter-Terrorism and Security Act 2015 and, yes, this has been used in the UK. It’s not just for show.

All the data has been gathered and all the affiliations documented. I know the person who did the legwork before it was taken up by others and found its way into media. There’s others who documented US based domestic terrorists (Yes, Clive they are a thing) which expanded the picture.

It’s all pretty much a known thing but you won’t find a thing about this in the British media even though it wormed its way through to the top of government and is spilling out of the dark money operation in Tufton street. Yes, they’ve been caught with their hands in the cookie jar and people are taking a closer look at them too with potential litigation pending to dig deeper not that you will be reading about it in the mainstream press. That doesn’t even count the far right in mainland Europe. America tends to be a bit more black and white, and you can see them coming but the overall threat exists elsewhere too. All of these bad actors feed off each other and learn off each other. Some use violence. Some use litigation. Some use lobbying. Some bide their time and infiltrate organisations. Some exploit social media and the internet in general to radicalise and expand support and, yes, get elected. Again, there’s reports published from authoritative source covering all this. I mentioned one of those in the past too with Clive going “they won’t do anything”. Then they do and Clive goes quiet. And like I have already said it’s not just America. A fair bit of initiative or jollying along can be found in other places too. There’s plenty in Europe, Latin America, and Russia, and the Middle-East. We can see some of that spilling out in Brazil.

Clive also assumes the US is the first. No it’s not. Americans just have bigger gobs. I can assure Clive things kicked off in Europe and the UK long before the US got started both in historical terms and during the present visible actions. Again, the Counter-Terrorism and Security Act 2015 kicks in at times. Yes won’t read about this in the media especially the right wing media because it doesn’t suit their agenda unless they can scream “political correctness gone mad”. They just make too much money off hate for clicks not that they have it all their own way. The “Hope Not Hate” campaign has with some success persuaded some advertisers to take their money elsewhere and this is something else, surprise surprise, you won’t read about in the media.

I’m not naming names or posting links to any data in here because nobody takes anything seriously or doesn’t have the emotional maturity to deal with the topics. I tried it once and got my fingers burned so I’m not doing it again.

Clive Robinson January 10, 2023 7:33 PM

@ echo,

“I’m glad someone picked up on Clive trivialising everything then he recovers and casts himself as the all seeing expert again.”

What planet are you on today?

I think most people who have been here for a while are aware of your behaviours, in particular those that are legally regarded as stalking and harassment.

But then this would not be the second, third, or other increasing count you’ve been told this in the past…

As for your other behaviours you talk a lot yet never say anything that is verifiable in any way. When this has been pointed out to you in the past you witter on about how you can not for XXX reasons.

Has it ever occurred to you that others have many things they can not talk about, but unlike you just have the good sense not to mention them at all?

Also, others have said the same thing over and over, and are tired of repeating it. Yet there is always that “new handle” popping up requiring that it be told yet again. When all they have to do is use a little common sense and a search engine.

But no, none of this fits in with your fixed and strange view point on life and so you are unlikely to change.

So do your “Violet Elizabeth Bott”[1] routine.

[1] Violet Elizabeth Bott is a made up character in the Just William series of books. She was a nemesis of William Brown who was rightly horrified by her faux behaviours and terrible dress sense. She is the very bossy and spoiled daughter of the local nouveau riche family that William’s parents hold in regard. Amongst many annoying character traits she has an affected lisp which has turned her foot stamping phrase into “I shall thcweam and thcweam and thcweam until I’m thick.-I can”.

hiigs boson January 10, 2023 9:20 PM

@ Clive,

Since you’re still involved in this thread, may I repeat my request for sources on the whole “Phone is still on even after you’ve powered it off” thing? (previous comment above). Again, I am genuinely interested in the answer, as I have a bunch of people I want to argue with….


JonKnowsNothing January 10, 2023 9:59 PM

@hiigs boson, @Clive

re: Off is not OFF

I would suggest you pick up some manuals on networking, telecom, cellular protocols. E911, bluetooth, bluetoothLE, various internet protocols. You will have to drill down towards the hardware layer to find what you are looking for in the way of “how it really works”.

You won’t find much at the higher end user interface unless you understand how those features can even exist without the underlying protocols.

It’s not always obvious, like, I discovered to my surprise, that there are 3 microphones in an iPhone. Only 1 of which has partial user control. The other 2 are controlled by the iOS or Apple Apps. The one with partial user control isn’t off, even when you turn it off.

How do I know?

Because I turned The One off. The assigned app is not active. The indicator for the microphone is also off (as in does not display). All features that would use a microphone are disabled and there are no other apps. Yet, some random magic button sequence or screen touch, the microphone recorder appears. It also appears to have recorded something. You know, the wave form indicates there is some audio there.

While you can discover about the 3 microphones via DDG, you won’t have too much luck really disabling them.

OFF does not mean OFF. Off is a status light, which may or may not actually represent the current state of the device. If there is a battery, it is not off, until the battery drains to zero and then some, because zero is not ZERO for the same reason off is not OFF.

Your query reminds me about the time I discovered RAND() was not really random. At best it is Pseudo Random. That certainly did not line up with information from my CS University Education. It took me a good long while to accept that years and years of coding was 1234-56 because no one ever said Rand() was actually predictable.

Peter A. January 11, 2023 8:13 AM

@Clive Robinson @hiigs boson @JonKnowsNothing

With full respect, I support the kind request of showing an authoritative and competent source on how a cellular network can “wake up” terminal equipment when it is in the OFF state (not meaning it has no electrical power to some or most of its parts – it’s a completely separate discussion).

I have been developing cellular systems software before and I used to know the protocols almost by heart and I cannot point to such a feature, both in the standard documents and in the base station software. But it was a generation or two ago, maybe they do it differently today – or there was a special top secret group of developers within a large international company who covertly added extra features after we’ve released the code.

A separate problem with a similar effect would be having your device infected with some kind of malware which would covertly fire up the whole radio path, attach to the network and send some info, without showing it on the user interface.

Eriadilos January 11, 2023 8:53 AM

@hiigs boson

This research paper might be a good start :
ht tps://

iOS devices allow you to use your phone as credit card, and car keys, and allows find my device even after the iPhone is powered off. This means that (at least) NFC and BLE/UWB communications are possible. With the phone’s secure element being powered.
It doesn’t seem like such a stretch that cellular communications are in some sleep mode and not completely turned off.

fib January 11, 2023 10:30 AM

@ Clive Robinson, All

Looking at the socioeconomic profiles and emotional development of those involved reveals quite a bit about them as well as a clear distinction between the group leaders, the group celebrities, and the followers. They are effectively “cults” using rituals, secret knowledge holders, proficiency levels and similar basic mind control techniques.

As you know, here in Brazil there is also an appreciable segment of the population that has become radicalized. From where I stand I can’t help noticing that most of the radicalized in these parts are thrill-seeking elderly people. You will hardly find anyone younger than 35 years old. They are people who could have been hippies and feminists in the 60s and 70s [and many actually were] and now find themselves in the twilight of their years, trying to recover the time of excitement they lost when forming their families and competing in the job market. The easy thrills of social media are an irrepressible boost.

The playful, “ludic”, aspects – suggested by the magical thinking approach, incompetence, aimlessness, of the “activists”[1] – of these movements and their effects on these emotionally deprived masses should not be overlooked. Due to the demographic profile – at least here in Brazil – the problem of online radicalism is self-limiting, and will be resolved by nature itself in a few more years.

As for social media, the ultimate facilitators of the expansion of this problem across borders, I am of the opinion that they should be regulated with regard to the participation of constituted authorities. As we saw in the US and Brazil cases, the masses were directly manipulated by the perpetrators. There needs to be a body of law, or at least ethical mechanisms, to lessen the impact of the powerful presence of charismatic elected leaders in unofficial – hence promiscuous – contact with their followers.

[1] Ross Douthat has an excellent piece on this topic today on the NYT


MarkH January 11, 2023 10:44 AM


From a quick search, I found that as of a few weeks ago, it’s possible to buy new smartphones made by Samsung, Motorola, and Nokia with removable batteries.

I can pop the battery out of my aged LG in a few seconds.

If you’re committed to the Apple ecosystem, well, Good Luck!

Quantry January 11, 2023 10:47 AM

My main objection to

“[They just] …get the numbers of all phones that were at any of those four locations at the times of the attacks”

is that this IS mass surveillance, and this requires that mind readers who peer into that morass don’t have significant motivational bias at the outset, which is NEVER the case with law enforcement.

Ordinary responsible people get completely and incessantly crucified, on purpose. There is NO justice possible for this. AKA: Get your thugs off our backs.

Edits to remove expletives.

JonKnowsNothing January 11, 2023 11:04 AM


re: I can pop the battery out …

When removing a battery best to be sure you have removed all “backup” battery sources before presuming that the battery you took out, is the only one in the system.

A common problem with some systems is the tiny Li battery that runs the clock and keeps the internals going. Some capacitors can hold a fair bit of backup time which is used to let you change out the Li battery without losing the clock.

Yep the system is OFF but it isn’t OFF until all sources of power have expired.

With the newer phones, Long Life Battery Time is a big tout. That means for those who cannot remove a battery or those that did remove it, the battery is not D E A D for a long while.

There are different aspects to consider:

  • Device is un-powered
  • Battery is D E A D or Dormant

JonKnowsNothing January 11, 2023 11:43 AM

@ Peter A., @Clive , @hiigs boson, ALL

re: showing an authoritative and competent source on how a cellular network can “wake up” terminal equipment when it is in the OFF state

I cannot point you to a specific document because there are a lot of them. Mostly when you get down to the device driver level and on the hardware level. Along with specific FTC and BELL telephony protocols (USA). Those documents haven’t changed in eons and cost a packet to purchase IF you can get them.

Any state that is registered, can display any selected indicator. A LED is just an LED. At the hardware and device driver level, a command is issued to turn on/off the LED. It really has nothing to do with the real state of the machine. LED can produce different colors, depending on the ones selected for the device I can turn on/off any of them. I can turn on/off RED or ORANGE or BLUE or GREEN or NONE. The spec may say Turn On RED for Fault but that does not mean I will do that. The reason it might not be displayed is the FAULT indicator is handled at a different layer, perhaps at a UI/Console level.

So, when determining the state of things, it is difficult for the user or anyone to really know what the state is. We depend on specs for defining what the behavior is supposed to be and hopefully the system gets close to the defined spec. Some specs are more public than others and not every engineer in a ginormous corporation is going to know what other engineers are actually doing unless it directly impacts their own device.

Without a specific spec or device or chip datasheet, one possible method of figuring out what the true state of the machine is, at the lowest level is:

  • Start with an initial power source, first time, power on. Plug in the electrical cord, or battery. What happens next? What has to happen? What is the boot cycle. Which subsystem gets “woken up” first?
  • Sometimes a circuit board pathway can give you a hint as to which items are getting power first. Often times power is First On Last Off.

Knowing when, how and in what order my device is being woken up was important. Responding to lower level calls and upper level commands all depends on what state the power on sequence is in. Normally upper level commands are ignored until lower level commands are received and device local startup routines and connections are completed.

My device may be active a long time before any upper level commands are accepted. It can be On even though the End User has no control over the device. It could be the device is part of a bigger subsystem or the End User has not purchased access to the device even though that hardware is included or the End User doesn’t use the device which is still waiting for Change of State message.

MarkH January 11, 2023 1:54 PM


I’d be rather surprised if a mobile phone contained either a tiny battery or a supercap. Even if it did, this component would be far too large to go unnoticed in a teardown (there are a lot of geeks who take new products apart and publish their findings: you can search online).

Phones don’t need to retain a time model: they get current time whenever they connect to the mobile network.

Even if a phone did have such energy storage, mobile network connection needs a respectable amount of power. It would drain a backup energy store in short order.

echo January 11, 2023 3:45 PM


I post what I post. Don’t like it, don’t read it. You may not like my sense of humour or writing style, or calling you out when you drop a clanger but that’s your problem. I’m also not you so have my own interests and proclivities.

I have posted links in the past. Actually a fair few times. Nobody bothered reading them nor engaged with discussion about them, and some related or indirectly related issues were met with problematic attitudes. You’re not the ones impacted by it. You’re not the ones who have read the material. You’re no deeper than what you read this week in the newspapers. I’m not going to spend any time writing much up if the traction isn’t there. Put it this way – you’re dishing the criticism but when was the last time you spontaneously posted anything within the topic areas you know or suspect may interest me? Like, never so pull the other one. In fact one topic I was really looking forward attracted at best a handful of backslapping lazy men and died a death. Gee, thanks.

As for your other comments I will treat them as the spiteful framing and escalating character assassination they are. Your claims of “secret knowledge you can’t share mutter mutter”? Well aren’t you the lucky one. There’s already enough OSINT kicking around (which I am familiar with) so the Secret Squirrel act on the specific issues mentioned doesn’t play in spite of the bluster. I also note you couldn’t find anything wrong with my post, or anything else I posted in this topic but, hey, you carry on having one…

Assuming a meeting with a police Superintendent comes through I’ll bookmark this topic. I’m perfectly happy to discuss the harassment act, and other statute and case law. More than happy as well as anything else which springs to mind… Personally, I have better things to discuss and for reasons I’m not disclosing to you tah very much.

Nobody else will remember but there was that time when you said the maximum number of bits you can store on a cigarette paper was so much. So I thought okay, I’ll try that. I can’t remember what the numbers are now but I pretty much doubled it and explained my method. Pencil. Cigarette paper. Flat surface. No artificial assistance (i.e. naked eye only and no magnifying equipment). Bonus smartypants move using hex as a data compression method. Having TOLD YOU you went into denial and started denying it was possible and ranting about someone in the field doing it without special equipment blah blah. YOU HAD BEEN TOLD. Jesus wept…

Oh, and your insulting coders… You could NOT stand being called out for that and that’s when you started getting nasty.

So pick another victim Clive and get over yourself.

And no I don’t use you as a touchstone (or anyone else in here for that matter). I can make up my own mind about things tah.

lurker January 11, 2023 4:09 PM

@MarkH, JonKnowsNothing
re power for network connection

Modern network connections can be very fast (that they aren’t always is another problem), and a device would need to power on its RF chip only a few tens of milliseconds once every few tens of seconds to achieve a latchable base-station controlled switch on.

Are Emergency Mobile Broadcasts (aka Presidential Messages) received while the phone is “off”? Please remind me to turn mine off next time one is expected, and I’ll report results …

JonKnowsNothing January 11, 2023 4:17 PM

@MarkH, @Clive, All

re: smartphones connect to mobile network

Modern smartphones may connect to more than 1 network. There are a lot of networks included in your handset.

The problem is:

  • What is the definition of OFF

OFF varies from user perception, to network disconnection, to device disabled in software, to device disabled in hardware, to device disabled completely.

So using “OFF” isn’t really advancing the topic.

  • A user powering off the device thinks it’s off
  • A user turning off BT / BT-LE thinks it’s off
  • A user turns off an embedded hardware item by software controller thinks it’s off
  • A user drills through the camera port thinks it’s off
  • A user tosses their handset under a steam roller thinks it’s off.

For all of the above except the last one, the system is not “off”. Some items might not be functioning in the normal expected way but the software is still running even if the hardware camera component cannot capture images.

Clive Robinson January 11, 2023 6:14 PM

@ echo, (to all others my apologies).

Back to the gaslighting I see.

As for,

“Put it this way – you’re dishing the criticism but when was the last time you spontaneously posted anything within the topic areas”

Well two things to observe,

1, “Nobody bothered reading them nor engaged with discussion about them, and some related or indirectly related issues were met with problematic attitudes.”

2, “I’m not going to spend any time writing much up if the traction isn’t there.”

Your words yes?

What do your own words actually tell you about what you claim I should somehow “know or suspect may interest me?”

I know nothing about you as an individual nor to be honest do I particularly care to. Why? as much of what you post by its lack of response is irrelevant to anyone other than yourself. Then when you get bored of being ignored you start trouble and then when your comments start getting deleted you go away again. Then after a while you turn up again, after being ignored you insult the host… Then start trying to pick a fight with me, it’s not exactly behaviour that is going to attract people to what you have to say is it?

By the way look up “Napoleon Syndrome”[1] sometimes called “small person syndrome”. Basically it was at one point suggested that people suffering from what they see a difference between them and others –ie lack of stature– believe that they are treated differently by others because of it and so over compensate and over react just because they see someone who has what they see as lacking in themselves.

Various tests were carried out on very small groups and these gave rise to the idea that the syndrome was a myth with regards stature.

But other research suggests that in the more general case Napoleon syndrome exists (ie moving back toward Alfred Adler’s theory of inferiority complex). For instance work carried out at Groningen University by Prof. Abraham Buunk a professor found that when it comes to envy and jealousy in people of shorter stature were 50% more likely. Other research has found similar envy / jealousy issues with things like perceived popularity and other emotional intelligence rankings. Similar work has come out from Cambridge University Press.

But even the US Government via its own research scientists conducted investigations and found that people who feel to be less endowed in a characteristic tend to be at risk of doing or committing more abnormal compensatory actions, including violent acts. Thus US government scientists argue that Napoleon Syndrome does exist.

But it’s wider than just “physical” stature, other theories explaining the typical behaviours of Napoleon Syndrome are for instance a fact that not just people of shorter stature that may have a lot of general difficulties in getting attention and therefore may, develop louder behavior to enable attention seeking from others (as in Online Troll Syndrome). Further there is very probably a positive reinforcement cycle in the development of the syndrome. That is, if positive rewards were realized for the individual, this would in effect condition them to behave repeatedly in that pattern. Thus behaviors of Napoleon syndrome may be perceived as stemming from the individual’s insecurities and become a spiral due to self perceived victories that others actually see as abnormal or bad behaviour / social functioning.

Which of course brings us onto,

“Personally, I have better things to discuss and for reasons I’m not disclosing to you tah very much.”

Yet you say of others,

“Your claims of “secret knowledge you can’t share mutter mutter”? Well aren’t you the lucky one.”

Actually go back and read what I wrote, not what you think I wrote.

I said,

“As for your other behaviours you talk a lot yet never say anything that is verifiable in any way. When this has been pointed out to you in the past you witter on about how you can not for XXX reasons.”

Well here you are again…

But I further went on and said,

“Has it ever occurred to you that others have many things they can not talk about, but unlike you just have the good sense not to mention them at all.”

Something that does not appear to have got into your head for some reason, even though there are many well publicized reasons.

On the technical side and of relevance maybe you should look up the history of A5/1 and A5/2 and how one chip set did both, but those for whom A5/2 was developed were not told, nor was it put in the formal standards, specifications and certification test procedures.

You might just learn something about the way certain people think and behave…

But as for,

“I also note you couldn’t find anything wrong with my post, or anything else I posted in this topic but, hey, you carry on having one…”

As normal you never said anything of substance in that post just some nonsense blurb of,

“I’m glad someone picked up on Clive trivialising everything then he recovers and casts himself as the all seeing expert again.”

Trivialising what?

You go on and then bring up a whole list of things,

“about misogyny too, or attacking LGBT people, or attacking disabled people, or anyone who doesn’t support the will to power narrative”

Not previously mentioned by anyone else on the topic of this thread…


I guess if you don’t like, then rest of the world has to bow and scrape to your whims or face one of your turgid diatribes… Just keep stamping your foot Ms Bott.


echo January 11, 2023 6:41 PM

I read the original paper yonks ago and thought the finding a needle in a haystack thing was clever. Then there’s all the other stuff we already know and have chewed over a million times plus all the obvious what if’s and hypotheticals. I’m really not picking up on any original thought or advancing the state of the art. I know some people find it fun but I’m stabbing myself to stay awake.

Personally, I found it the least interesting bit of the story. It was just one event in a long number of very sorry events. I’m disappointed nobody finds the human rights abuses or far right networks hiding behind that interesting at all. It’s like the shenanigans happening in the UK. There wasn’t widespread outrage until it affected them. “Oh someone shot up a nightclub mutter mutter handwring”, and that’s it at most. Can you imagine if a bunch of gun enthusiasts pointed out they used a .38 (or whatever) and began discussing the ballistics and blood splatter?

It’s like all those million and one other security stories where everyone focuses on the tech or the oh so savvy social engineering, and absolutely nothing on creating a humane environment with good working relations and high trust.

Dunno. It feels like I’ve walked into some man cave here at times.

SpaceLifeForm January 11, 2023 7:18 PM

@ MarkH, JonKnowsNothing

It is not OFF until you pull the battery and put it in a faraday bag for a day.

My testing shows that it takes at least 12 hours for the clock to lose track after pulling battery.

Hidden battery or cap, not sure.

JonKnowsNothing January 11, 2023 7:55 PM

@SpaceLifeForm, MarkH, All

re: placed in a faraday bag for a day.

This is great point because many end users buy these remote battery chargers where you just set the device on or near a charging pad.

So a dead iPhone with non-removable battery, may appear to be dead but if (accidentally) placed within the charging area, it could auto-charge.

It would be hard to know how many places deploy these charging pads. The only indicator is a Z-battery strength icon at best. (1)

Having auto charges could be a good draw to a *$ type store where people come in to use the Free WiFi and can charge their phone by setting it on the table top.

One common movement that people do with their handset is to set it down on a table or counter. We used to have to worry about CCs getting near the magnetic plate at a check out stand, which is used to deactivate the RFID in the purchase. Now it could be charging your phone while you fish around for plastic to pay for your stuff.


1) Not too long ago Apple was caught or discovered to be using GPS targeting even when that was turned off at the Settings Level.

There is a little paper-plane icon that appears when it is active. Some folks noticed it was there when it should not have been. Someone down in the Apple Code Developer Department forgot to turn OFF the LED when they issued the hidden call to the device driver to pull telemetry. GET Telemetry (LED OFF)

Now you get a purple version that shows up intermittently when Apple pulls their telemetry.

OFF is not OFF

Clive Robinson January 11, 2023 8:34 PM

@ SpaceLifeForm, JonKnowsNothing, MarkH,

Re : Clock power.

“My testing shows that it takes at least 12 hours for the clock to lose track after pulling battery.”

I’ve not timed it by exact experiment, but I’ve known low power microcontrollers to keep running off of nano-amps or less that either got through the reverse leakage of a semi-conductor designed to switch it off or was held on silver-mica decoupling capacitors[1].

It got pulled up as a “production stop” on an FMCE production line which can be eye wateringly expensive.

It happened because somebody had tried to get clever generating random numbers[2] for the required product 40bit ID field, and was shocked that they only got a little under 8bits equivalent on the production line….

[1] Why silver-mica decoupling capacitors? Well it was an RF board, and they were used quite a bit in other parts of the circuit. So as they were in the BOM they got used elsewhere as part of the “parts minimalisation” process to reduce pick-n-place, even though individually more expensive.

[2] There is an idea, I’ve no idea where it comes from but it has some popularity with designers in Far East IoT and similar design shops. The assumption is that when you power up a microcontroller the RAM is somehow “random” in nature and thus can be used as a TRNG or equivalent. The thing is when it comes to production and all the chips are from the same batch, they tend not to be as random as expected…
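
Added example, not part of the comment above and not any vendor's code: a production-line check that measures how much entropy a batch of supposedly random 40-bit IDs carries. The sample IDs are constructed from a toy power-up model (an assumption): most RAM cells settle to a value shared by the whole batch and only 8 cells are genuinely unstable.

```python
"""Estimate the real entropy of 'random' device IDs collected from a batch.

Added illustration. The sample data is CONSTRUCTED by simulate_batch_ids();
its power-up model and the UNSTABLE_CELLS value are assumptions.
"""
import math
import random
from collections import Counter

ID_BITS = 40         # width of the product ID field
UNSTABLE_CELLS = 8   # assumption: cells that truly differ between power-ups


def simulate_batch_ids(n_chips, seed=2023):
    """Constructed sample: IDs read from power-up RAM on chips of one batch."""
    rng = random.Random(seed)
    batch_pattern = rng.getrandbits(ID_BITS)        # preference shared by batch
    unstable = rng.sample(range(ID_BITS), UNSTABLE_CELLS)
    ids = []
    for _ in range(n_chips):
        value = batch_pattern
        for bit in unstable:
            if rng.random() < 0.5:                  # only these cells vary
                value ^= 1 << bit
        ids.append(value)
    return ids


def binary_entropy(p):
    """Shannon entropy in bits of a single bit that is 1 with probability p."""
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def per_bit_entropy(ids, width=ID_BITS):
    """Entropy of each bit position, measured across all collected IDs."""
    n = len(ids)
    return [binary_entropy(sum((v >> b) & 1 for v in ids) / n)
            for b in range(width)]


def min_entropy(ids):
    """Min-entropy estimate from the most frequent ID.

    The estimate cannot exceed log2(len(ids)), so a healthy 40-bit source
    shows up as 'every sample distinct', not as a reading of 40.
    """
    most_common = Counter(ids).most_common(1)[0][1]
    return -math.log2(most_common / len(ids))


def assess(ids, width=ID_BITS):
    """Summarise a batch: stuck bits, entropy upper bound, collisions."""
    bits = per_bit_entropy(ids, width)
    return {
        "samples": len(ids),
        "distinct": len(set(ids)),
        "stuck_bits": sum(1 for h in bits if h == 0.0),
        # The sum of per-bit entropies bounds the joint entropy from above.
        "entropy_upper_bound": sum(bits),
        "min_entropy": min_entropy(ids),
    }


if __name__ == "__main__":
    report = assess(simulate_batch_ids(4096))
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

Run against IDs logged from real units, a large `stuck_bits` count or a `distinct` count well below `samples` is the signal to stop using power-up RAM as the ID source.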

Wannabe techguy January 11, 2023 9:57 PM

@higgs boson
I read it in Glenn Greenwald’s book “No place to Hide” and he got it from Ed Snowden.

MarkH January 11, 2023 10:32 PM


Yes, but how much data can a circuit exchange with a cell tower via such minute currents?

Clive Robinson January 12, 2023 4:19 AM

@ MarkH,

Re : Energy per bit range

“Yes, but how much data can a circuit exchange with a cell tower via such minute currents?”

In theory very little energy per bit with the energy going up as the square of the distance increase once out of the near field.

In practice you can get quite close to the theoretical limit. Which is what Apple and Co do with very low power bluetooth lasting months off of a single coin cell.

But whilst it works well with other phones and ground level beacons, cell towers are really not good for such things. Due to their height they are not just further away but their much increased radio horizon means they pick up a lot of background interference you can not hear at ground level. Trying to manage the signal strengths at the cell antenna is quite a dance for the cell tower control systems.

But… also remember the earliest of home radio sets often called a crystal set, was powered by the signal it was receiving. This idea got flipped over with “Radio Frequency ID”(RFID) tags where the transmitted beacon signal is sufficient to power up the RFID receiver, logic/CPU and it’s corresponding transmitter. Some RFID’s that are in shipping labels have a significant range.

If all that is being sent back is a couple of bits then very little current is needed.

One way is to use a “half-wave” resonant antenna and a FET as a switch half way along it. Simply turning the FET on or off is sufficient to “re-modulate” any signal in the antenna out to quite a distance (it’s the principle some “RADAR-bugs” use). The energy required is simply that to charge and discharge the gate capacitance of the FET which is generally less than 20pF. With a secondary resonant circuit acting as an energy recovery circuit for the gate, tone modulation can be quite efficient…

Whilst things “could” work that way I suspect they “wouldn’t” or don’t, as there are better ways to do things that I know of. As others have pointed out some phone manufacturers have been “caught out” because they “beacon” every so often. However any system that requires an “interrogator signal” with the correct ID before it responds whilst theoretically possible to spot as with RFIDs[1] is actually near impossible unless you “catch it in the act”. And even then it may be impossible to be even close to certain[2].

The point is though you have three choices,

1, Rule them all out.
2, Put the phone in a metal box.
3, Don’t take the phone with you.

As indicated “ruling them all out” is going to be difficult even with a full bench of test equipment. Metal boxes are never perfect Faraday shields and as for the bags, they won’t stop magnetic fields. So we get back to the “easy option” if –and only if– you plan properly which is to have the phone not with you.

[1] From time to time I mention the “Grid Dip Oscillator”(GDO) test instrument. All it really is is a low energy oscillator which can be accurately tuned, part of the oscillator is outside the GDO box and there is a meter which shows how much energy there is in the oscillator tuned circuit. If you bring a GDO near another tuned circuit they will mutually couple and energy will get transfered from one to the other, this can be seen on the meter. Well an RFID is effectively a resonant circuit and as you increase the field strength the RFID rectifier will turn on changing the impedance thus the mutual coupling. Likewise as the RFID logic/CPU starts up it too can be seen in the energy transfer. This signal will be there even if the CPU does not actively respond. It’s been shown that you can identify not just the chip manufacturer but in some cases the step or revision version, just from the startup characteristics seen in the mutual coupling. Many would think “so what” till you realise it will identify not just the fact you have your passport in your pocket but very likely which country it is from and approximately when it was issued, similar with other ID cards, oh and of course most modern bank/credit cards and now “tap-n-go” phones for payments and tickets etc.

[2] Do you remember those gimmicky external antennas that had an LED in them that used to light up? Do you remember why they got banned? Yup they emitted a whole load of RFI even though they had no battery or “active” circuit… Any circuit close to an RF circuit will affect it in some way, moving either circuit physically will end up modulating the RF signals be they receive or transmit. Even mechanical vibration will modulate via “microphonics”. So sorting out what is intentional but designed to look unintentional is a hard task, if you even spot it…

Marian Aldenhövel January 12, 2023 4:28 AM

It is probably sensible to equate a person with their device today. But I still take exception to this data being actual proof of a person having been on location.

In the limit all it proves is that their phone was on location.

Has this ever been argued in court?

Ted January 12, 2023 9:06 AM

@Marian Aldenhövel

I still take exception to this data being actual proof of a person having been on location.

That makes sense. You have a valid point.

Although the cell records initially focused the search, officials performed further investigations and discovered additional evidence to support the mounting legal case.

At one of the substations Tacoma Power captured an image of one of the suspects and his truck. Law enforcement received search warrants for the suspects’ homes.

Greenwood has admitted to the attacks at this point. He said it was to aid a burglary.

Both defendants waived a preliminary hearing where the judge would rule if there was probable cause to proceed to trial. I believe the grand jury indictment may be moved to March 16 to allow for ongoing investigations.

JonKnowsNothing January 12, 2023 11:12 AM

@Marian Aldenhövel, @Ted

re: data being actual proof of a person having been on location

LEAs and 3Ls are often reluctant to divulge their true data and data sources. They use parallel construction by finding legally acceptable information from alternative sources as their supplied evidence.

They might have tracked you with a STINGRAY-DRTBX, in which case they know you are you, but they are going to submit images of you passing through signal lights captured by the cameras installed at local intersections. They will use the video images of you going through fueling stations or parking lots.

All modern cellphones contain a plethora of Apps, especially those targeted as Health Apps, that will prove you were the one with the phone. A bonus is that some of those Apps can also determine if you had friends with you, a by product of some Health Apps. (1)

If for some reason, LEAs do not want to divulge their sources, LEAs can request an EX PARTE meeting with the judge where only the prosecution is present. Anything exchanged during the EX PARTE hearing is part of the case but cannot be challenged because the defense does not know what was presented or what arguments were made to the court.

  • Like the FBI where they often have special arrangements with local LEAs. The FBI providing the local cops with tacitly illegal tracking systems on condition that the local cops never divulge the existence of these devices and must “lie to the court” when questioned about them.
  • Like when the FBI presented a document EX PARTE to the judge which could not be challenged. The data on that document was used in a many years long court case where the person was convicted based on the contents of the document. Since the person could not see the document or question anything about it, it was pretty much Game Over. It took @10 years of legal battles to unlock the document, which turned out to be a check list. One box was checked and that box was enough to convict the person. Another round of legal battles ensued about how that box was checked in the first place. Once they got the original FBI Agent on the stand, in court, the Agent said
    • The document was a mistake and it should not have been checked
    • No one at the FBI had ever asked This Agent, over the decades long legal battle, about the document or the reason The Agent had put the mark in the check box.
  • Not to get too excited about the outcome, a short while later the FBI found another reason to use instead. It was Kafkaesque. (2)

So they pretty much know you are the one.


1) The new fun LEA Open Access evidence pool are the popular Genealogy Sites. People tracing their family histories. Some submit DNA to find long lost family members or determine geographic region of origin. LEAs mine all these sites, especially the DNA open access ones. A minimal subscription cost will give them access to the whole enchilada.

2) Search Terms

Stanford University
PhD Candidate, PhD Professor
Stanford University Representative at Overseas Conference
No Fly List
Wrong Check Box

Ted January 12, 2023 11:44 AM

@JonKnowsNothing, Marian Aldenhövel

LEAs and 3Ls are often reluctant to divulge their true data and data sources.

I just don’t know if that applies in this case. Maybe it does. They said they used cell phone records to rapidly scan for potential suspects. Bruce brought up some additional thoughts on constitutionality.

I believe this was a recent ruling he linked to. Do you have any thoughts on this?

“Cellphone dragnet used to find bank robbery suspect was unconstitutional, judge says”

”A federal judge’s ruling that geofence warrants violate the Fourth Amendment could slow the use of surveillance tools based on Google location data.”

iron sharpens iron January 12, 2023 11:59 AM

@evryone-that-matters. A Commenting Policy refresher:

… /blog/archives/2017/03/commenting_poli.html

…This is my blog. I consider the comments section as analogous to a gathering at my home…

…please… Stay on topic…

…discussion groups descend into toxicity…

…I’m not going to let that happen here.

Quantry January 12, 2023 1:36 PM

@ higgs boson Re: any sources to back these statements up

Examples come to mind:

re: “the phone remains powered up”

Beacons like apple air tag signals are repeated to their mesh subnet reportedly even by an iPhone that is “OFF”. You can easily verify this in any ‘barely’ remote location. You can also find-my-iPhone, apparently when it is off, because it too is a BLE beacon.


re: “phone can be turned on again remotely”

Considering the enormous budgets pursuing just that sort of capability, and the huge investments by people like Harris Corporation to make it happen… and

“Snowden replied… “They can absolutely turn them on with the power turned off to the device.” … on a targeted basis” Might be in this book ‘


“Judge Lewis Kaplan… said that the eavesdropping technique “functioned whether the phone was powered on or off.” ‘…blog/archives/2006/12/remotely_eavesd_1.html
(Notice many of those links are dead now.)

Want conversational security? Use a faraday cage, and One Time Encrypted data channel.

I think the key point here is that “turned off” might not be “absolutely off”.

JonKnowsNothing January 12, 2023 5:08 PM

@Ted, @Marian Aldenhövel, All

re: Evidence and Conviction


There are 2 things LEAs attempt to achieve in courts:

  • Convictions
  • Extend the Boundaries of Evidence

LEAs are not in the business of proving you innocent, they are in the business of proving you guilty. A Judge + Jury (1) decides if the LEAs are correct or not.

In the USA, there are many types of courts and court systems: Local, County, Regional, State, Federal, Regulatory Agency, plus Military Courts and Tribunals. Each type of court, depending on the charge, has rules of what is permitted as evidence. The USA is divided into regional Federal Districts with Regional Federal Courts.

LEAs, like the FBI, would like to prove you guilty with the least amount of effort possible for the longest jail sentence allowed. (2) Within each district, there are commonly accepted items of evidence, which may or may not be accurate but are accepted anyway (see Junk Science). One of the goals of LEAs is to extend what is allowed and to extend the boundaries of what is allowed. Rules change all the time, things that were once OK are no longer OK, and the same goes the other way too.

Even when things get to SCOTUS, it is not certain that any ruling will be upheld. It normally takes SCOTUS a long time to decide things should be different, so recent cases changing rules of 50yrs duration is a hiccup in SCOTUS court history. Sometimes the change takes 100-150yrs.

So LEAs are always on the lookout for a faster path to their goal: CONVICT YOU.

One district might find something OK and another rejects a similar presentation. That’s what sets up the appeals as they move up the channel. Appeals are particularly nasty aspects of US Laws because of the constraints on what gets included or more accurately what gets excluded. They are not New Trials, they are reviews of a previous trial’s history.

It may be apparent that something is “off” but until the entire chain of legal links is traversed, it’s Open Season.

Not too many years ago, people used to think that a great number of common actions done today, were illegal. They may have been 50yrs ago. They are no longer illegal today.

THIS is also what LEAs focus on: changing what is allowed to be presented in order to CONVICT YOU.


1) There are many types of courts and many different rules for presenting cases. There may or may not be a Jury, there may or may not be a Defense. The type of decision maker is commonly thought of as a Judge but there are different types of Judges who have different rules depending on the proceedings.

2) Consider: A hypothetical End of Year Review for LEA Agent XZY

  • How many convictions did you get?
  • How many people did you prove were not guilty?

Which one do you think leads to promotions, salary bump ups and elected office?

Local District Attorneys go through the same Body Counts at election time. Their campaign brochures print the number of convictions, the number of people convicted of serious crimes or murders, the number of those sentenced as harshly as possible, the number of jail years allocated during their tenure.

2 Leg Dog January 12, 2023 7:43 PM

It’s amazing how few here seem to understand the availability of brokered cell phone data. ESRI uses it. They supply the gov’t heaps of geospatial data. One can buy enormous databases of cellphone positional data from brokers. Anyone in security should at least have a modicum of understanding of this.

This is why 2000 Mules is so disturbing. Many, many trips of the same 2000 cell phones arriving at the same dropboxes correlated to video cameras. Crime after crime after crime. But you aren’t allowed to talk about it.

MarkH January 12, 2023 9:49 PM

1] There might be removable-battery phones with coin cells; if they exist, I would take them as proof that the engineering design team was incompetent.

2] As far as I can work out, a mobile must send at least 5 messages — and await and process responses — in order to register itself to a cell station, requiring transmit signal power perhaps in excess of 100 mW. Who thinks this can be done by an on-board cap, with enough energy left for useful data exfiltration?

3] This evening, I took the battery out of my old phone for less than 2 minutes; when it awoke in airplane mode it assured me that it was a little after midnight on a spring morning of last year.

limit of theoretical possibility ≠ practical attack

Clive Robinson January 13, 2023 12:37 AM

@ JonKnowsNothing, ALL,

You correctly say that the prosecutorial process is,

“There are 2 things LEAs attempt to achieve in courts:”

And give,

1, Convictions
2, Extend the Boundaries of Evidence

Whilst the first is certainly true, the second needs to be qualified a bit more…

That is yes, they do want to change the “boundaries of evidence” but not to just “extend” them.

They actually fight as hard to reduce the boundaries of evidence, when they in any way favour the defence, and this includes what they are required to hand the defence and when.

What they want is for prosecutors to have free run, but defenders chained up and thrown in a pit.

Part of this is the way many in the judicial process get their jobs by election (not qualification or experience).

I guess I’m not “revealing state secrets” when I say in the US especially “politics is a very dirty and corrupt game”.

Do US Citizens want their fate decided by people with a political agenda that is most certainly not about justice but their looking good come election time?…

And before people ask, I’m not particularly keen on the UK system either. For instance two related court cases have revealed just how English and Scottish legal systems have been “politically interfered with” by the then incumbents leading the respective national parliaments.

echo January 13, 2023 7:26 AM

This is what happens when people insist this is a tECHnoLoGY bLoG. Trivialising, dehumanising, and context and fact free bothsiding. Wrong focus and technocratic framing do rather squeeze what is essential out of discussions. It sounds important but really is just another form of misdirection and dumbing down. As I have commented before it is not what is said which is important but what is not said.

I don’t expect a multi-millionaire fit and healthy white male who can pick up the phone and have an essay published in the Washington Post (or variations thereof) has much expertise or applied knowledge or lived experience of the field. Therefore a lot is lacking…

The worldviews of the TeCHnOloGY world and its collective EQ leave a lot to be desired.

For instance two related court cases have revealed just how English and Scottish legal systems have been “politically interfered with” by the then incumbents leading the respective national parliaments.

Citation please?

The egregious behaviour from the current UK Tory government from the top down including but not limited to unlawful statements by the Tory appointed Attorney General, Home Secretary, stuffing regulators and influencing media with party appointees, arbitrary rewriting of standards, self-enrichment, destruction of evidence, civil service staff bullied and expert advisory bodies ignored, and so on put anything the Scottish government may or may not have done into the shade. It is, to put it bluntly, corruption and corruption of the system on an industrial scale pushing democidal policies for the enrichment of those on the inside and their backers. I don’t think you’ll find Scotland is anything like this.

While people are opining about tEchNoLoGy and banging shoes on desks to a niche audience the villains of the piece are laughing and getting on with it.

dontbenebby January 15, 2023 6:47 AM

There’s a whole lot of surveillance you can do if you can follow everyone, everywhere, all the time. I don’t even think turning your cell phone off would help in this instance. How many people in the Washington area turned their phones off during exactly the times of the Washington power station attacks? Probably a small enough number to investigate them all.

I’d bet that turning your phone off when not using it frustrates this.

I’ve done this since childhood – having your first handheld be a Game Gear teaches you the value of battery conservation lest you run out of juice just as you hit snarled traffic nearing Presque Isle coming up from 412

Ryan T January 17, 2023 7:43 PM

I’m highly curious why cell phone geolocation hasn’t already been used to identify the Jan 5/6 RNC/DNC Pipe bomber. Released CCTV footage of the suspect clearly shows them using a cell phone while seated on the bench. What’s really odd is that the FBI didn’t really start getting serious about investigating this case until almost exactly 2 years had passed. Incidentally this is the length of time Verizon and several other carriers maintain geolocation records…

MarkH January 18, 2023 4:53 AM

@Ryan T:

Federal law enforcement investigations are mostly kept as confidential as possible up to the time of indictment and trial (if any).

We don’t know what investigative steps were already taken, or when. I’d be very surprised if mobile location data was not solicited soon after discovery of the bombs.

The information available from mobile provider records has position uncertainty of dozens of meters at best, and can be much worse than that. Many phones could have been in range.

Also, SIM cards can be obtained anonymously in the U.S. with little difficulty. Identification of the suspect IMEI doesn’t necessarily lead to the person who was using it.

SpaceLifeForm January 19, 2023 12:16 AM

@ Ryan T

I’m pretty sure they know who the perp is, and that person has been in jail since Jan 6. The DOJ/FBI has had no reason to even mention it up to this point. I think they want the perp to flip on the higher ups.

