Original URL: http://www.theregister.co.uk/2007/11/04/location_information/

Mobile networks: the state's new bloodhounds?

Dial L for location

By Bill Ray

Posted in Mobile, 4th November 2007 09:02 GMT

So, you're a master criminal, or perhaps a cheating spouse, but either way you've covered your tracks and have a high court judge ready to confirm your alibi - you were eating dinner in a club when the deed occurred. Tickets paid in cash, and a hoodie to hide from the CCTV, your story is safe - except your mobile phone network knows exactly where you were, and when. But they're not going to tell anyone, are they?

Except they might. Network operators are bound by the Regulation of Investigatory Powers Act (RIPA), which requires them to store not only the details of every call you make and receive, but also where you were at the time. They keep this information for 12 months and make it available to the authorities on demand.

Of course, unless your spouse is very well placed they're unlikely to be able to call upon the RIPA to help, but if they suspect you in advance, your location might not be as secret as you think.

What does the network know?

When switched on, your mobile phone is logged onto the nearest cell site, which is recorded on servers at the network operator's data centre. The cell might not be the nearest physically, though in general it will be. What's important is the strength of signal from the handset's perspective.

In town the cell might cover an area as small as 100 yards across, but in the countryside they can easily cover ten miles. The deciding factor is generally the capacity of the cell, rather than range of the radio - so if you want to stay hidden keep away from places where people use their mobiles a lot, so cells will be dispersed.

In addition to the cell your phone is logged onto, the network operator can record your rough distance and the direction from it.

If you have signed up, or been signed up, to any kind of commercial tracking service, then external systems can connect to the network operator's computers and get that information.

According to the industry code of practice you should be getting random SMS messages reminding you that you could be tracked at any time, but those aren't always as frequent as they're supposed to be.

The networks make great play of the difference between where you are and where you were. They are perfectly happy to tell commercial services where you are, on demand, but they're not going to disclose your previous whereabouts without a RIPA request and accompanying purchase order.

To be sure your network isn't sharing your location data, change your privacy settings, which should protect you from the majority of commercial tracking solutions.

And what about the handset?

If the handset is a smartphone, it could be using GPS to record your location, along with the time, and sending it off to who-knows-where over a data connection without the network operator, or you, being any the wiser.

Of course, getting the GPS to work when the phone is in your pocket won't be easy, so that's not a big concern unless your phone is labelled i-Kids in large friendly letters.

The handset does know the name of the local cell tower, which in Germany is usefully set to the tower's longitude and latitude (at least on O2's network), but elsewhere the spy will need to convert tower name to location , though that's not difficult.

A smartphone application which logs cell towers and sends that data over the mobile network wouldn't be too hard to write, and could easily be invisible to the user once installed.

Turning the handset off will prevent any information being created or logged, assuming the handset isn't just pretending to be turned off. Such handsets are available from various spy supply stores. Though these are generally used for recording and transmitting voice, they would work equally well tracking people.

The art of tracking

All network operators store where you've been for at least 12 months, but getting at that information costs money.

If you fall into the master criminal category a police officer might want to know if you really were in that club at that time, and can make a request to his SPOC (Single Point Of Contact, nothing to do with rubber ears or silly accents) to get the data out of your service provider.

The SPOC is responsible for dealing with all aspects of the RIPA, but location requests on mobile phones are pretty commonplace, with a large force handling hundreds a day. This number has been going up over the last couple of years as coppers get familiar with what they can, and can't, find out.

The requests are supposed to be pretty detailed: "Where was this phone at this time", rather than "What were the movements of this person over the period of a month or two", and it's up to the SPOC to ensure requests are necessary, proportionate, and lawful (as specified by RIPA). Any additional information that turns up, outside what was requested, is supposed to be discarded.

This isn't to say that any copper can just call up the SPOC when they feel like it. A typical request must be authorised by an inspector and will take a couple of days to complete. When the data is needed urgently, such as tracking an at-risk missing person, a Superintendent can give verbal permission and the data turns up faster, but that costs a lot more.

Mobile operators are only supposed to charge enough to cover their expenses, but as each network has different systems they all charge different amounts and have different ideas about how important the information is. Certainly, they charge enough to make police think twice before making an information request, which is no bad thing, but some operators also refuse to provide data they can't deliver within a few days - so you might get lucky if you choose a network operator with particularly errant computer systems.

Pinning you to the crime scene

The information the police get from your network operator might be enough to place you far from the club and get your judge-friend-alibi into trouble, but it may well not be good enough to place you at the scene. If the crime warrants a big enough budget, the boys in blue might then turn to a mobile phone forensics company to find out more.

A whole industry has sprung up around getting information off mobile phones - a far cry from the days when a drug dealer was picked up with a Psion II full of contacts. These days, professional mobile phone forensics is big business, though interestingly it's one in which anyone can set themselves up and offer their services to the local cop-shop, without so much as an ISO certification. As companies are frequently selected on basis of recommendations from other coppers, once you've got your foot in the door no one is ever likely to check your credentials.

The biggest UK player is Forensic Telecommunication Services Ltd, a company based in Sevenoaks - we can't say where, as they operate out of a number of Post Office boxes. FTS was broken into in August, though its data seems to have remained secure.

A company like FTS will take a handset, of the same model as yours if they can't get the actual handset off you, and place it where the police think you might have been. That way they can compare the exact signal strength with that recorded by the network operator at the time of the crime, allowing a little for atmospherics, or repeating the experiment if necessary. They can lock your phone down to an exact location with a good degree of accuracy - good enough to present to a jury, anyway.

It might not prove you committed the crime, but it could easily strain your alibi to breaking point.

Getting away with it

A pre-paid SIM, paid for in cash, should be standard-issue for anyone planning a crime spree, though few criminals have the foresight for such an investment, and forwarding your old number to it would be something of a giveaway.

Turning off your mobile, and removing the battery for the properly paranoid, should be good enough to ensure you're not being tracked.

If it's already too late, your only hope is that your crime doesn't warrant enough budget to track you down, or that no one notices it for the 12 months the network operators are hanging onto their data.

If you can do that, you'll be free to spend your ill-gotten gains, perhaps on a new mobile, or something rather grander, depending on the crime. ®