Monday, March 04, 2013

Cell phone location tracking by government: How it's done

Thanks so much to readers who contributed funds for Grits to attend a conference at the Yale Law School hosted by their Information and Society Project on "Location Tracking and Biometrics." Thanks also to the organizers for putting together this extraordinary event.  This is the first installment of a series of Grits writeups from the conference.

Christopher Soghoian, an electronic privacy researcher and activist, opened the one-day conference with a quote from Supreme Court Justice Louis Brandeis from 1928 in Olmstead vs. United States in which he opined, "The progress of science in furnishing the Government with means of espionage is not likely to stop with wiretapping." Boy, was that a prescient observation! Unfortunately, he made that comment in a dissent and SCOTUS would not actually require a warrant for the government to wiretap phones until 1967, by which time not just law enforcement but numerous private entities engaged in rampant wiretapping, according to Prof. Susan Freiwald from the University of San Francisco. Then, in Katz v. United States, the high court finally, belatedly issued a warrant requirement and the following year Congress banned the practice for private entities as well.

The debate over wiretapping finds many parallels in the internet era. Today, not just government but numerous private entities engage in all sorts of surveillance activities, many of which people either passively or voluntarily opt into by using smart phones and other modern gadgets. A recurring theme throughout the event, which I'll expound upon in a later post, was that the ability of private companies to invade privacy in many ways exceeds that of the government. Often, though, government can access that personal information without a warrant because it's considered a third-party business record.

Soghoian opened the event with an enlightening overview of how cell phone signals operate and the government's means of using them for location tracking. There are two types of data involved - your historical location and present location - though increasingly that's becoming a moot distinction. If your smart phone is pinging the nearest cell phone tower(s) every minute or two to check for your email, your current location data becomes "historic" as soon as it's stored on a server by your cell service provider.

Soghoian explained that your cell phone is connected to multiple cell towers at any time. It can tell which towers are nearby and which signals are strongest, so your phone automatically sends information either through the nearest tower, or to the next if the first one is at capacity.

Cell  towers have a defined range of coverage and each tower has three faces. From the information they gather, your cell-service provider  (or through them,  the government) can tell not just where the tower is but the signal strength when it reaches your phone and which of the three faces of the tower was used, allowing them to triangulate. The rise of smart phones, said Soghoian, has meant increasingly more towers had to be built to handle the crushing load of data those instruments use. Especially in dense cities, that effectively shrank each tower's coverage area and in recent years has made location tracking by cell phones much, much more precise.

Increasing the accuracy of location data even further, in response to poor coverage in certain areas, cell carriers now routinely send consumers a small cell "tower" for their own homes called Femtocells. Their area of coverage is typically just one house, so when your call goes through one of those, the privacy implications even of knowing which "tower" a call was made through still provides very precise location information. Today, said Soghoian, there are more Femtocells in the United States than actual cell towers.

There are two kinds of historical requests for location data, he continued. The first is for information about a single person: E.g., "Where has John Smtih been the last X days." Government can also ask the cell companies, "Tell us every phone that was near place X at time Y." These are called "tower dumps," and in that case the vast majority of people whose information is acquired are not targets.

Of course, the only information available is whatever the phone company actually saved, so one reform recurringly suggested throughout the event was that companies should limit the data they gather and delete it from their records as soon as possible.

Government can also get real time data by “pinging” a phone. He compared this to playing the game Marco Polo: The cell tower asks your phone, “Where are you?” and it answers, “I'm over here.” The FCC requires phone companies allow pinging because of the need for 911 services, but the agency didn't require a specific technology. T--Mobile and ATT use triangulation. Sprint and Verizon use GPS. Under FCC regulations, 67% of calls must be identifiable in 100 meters, 90% at 300 meters. These days, customer location can frequently be calculated much more closely than that.

At first, phone companies handled law enforcement requests for information manually, having employees process each request. Now, much of this has  been automated so that police can use an electronic interface to gather information. ATT charges $100 in setup costs and $25 per day for historical location tracking data. T-Mobile charges $100 per day. Sprint charges $30 per month for "all you can eat," said Soghoian.

Increasingly, government can also directly access customer information because the underlying tech standards for cell phones do not require authentification. Your phone doesn't know if it's talking to a legitimate tower, so several companies have developed technology that lie to your phone and convince it to send its signal through a fake "tower" controlled by law enforcement. The most common version used by law enforcement goes by the trade name of "Stingray," developed by the Harris Corporation, though Boeing and several foreign companies also make similar devices. They run around $60,000 a pop. (Readers may recall Fort Worth PD bought one.) Most local police and sheriff's departments that have bought one purchased them with grants from either the DOJ or the Department of Homeland Security, though many federal agencies now have them as well.

These fake towers trick your phone to get it to identify themselves and could also be used to access content, though that in theory should require a warrant. The tech is essentially based on a fraud: The Stingray device says “I'm an ATT tower, send me your data,” and because there's no authentification required by your phone, it automatically does.

Such devices are now small enough to use from a patrol car. There's a version of the Stingray that can be worn covertly as a vest. That way, police can walk through a protest, for example, and pick up cell-phone registration numbers from everyone there, identifying them later through the companies' business records. These devices actually send out signals, they're not just passive. Signals penetrate walls, vehicles, clothes, you name it - a fact that may have implications after the ruling in US v. Jones by the Supreme Court revitalizing "trespass" as a standard by which to judge Fourth Amendment violations.

Next up: A discussion of legal frameworks surrounding government access to cell-phone location data.


Gideon said...

Next time you're in CT, let me know!

Anonymous said...

Great stuff, Grits.

Payoneer said...

Awesome post. I always wanted to know more about phone tracking. Thank you for enlightening me.