Triangulation of cellphones - an integrity problem

Today it was disclosed, for example on Computer Sweden (in Swedish), that a new service provided by Eniro made it possible to see the position of any cellphone. SvD also writes about it. The idea of the service was to find services close to your own position (such as a restaurant), but bugs made it possible to see the location of any cellphone as long as you knew the number.

This kind of triangulation is nothing new. We developed such services at Tele2 many years ago, but from the beginning they relied on special SIM features: an SMS was sent to the phone, and the phone responded to that request. What happened was that the phone reported the signal strength to the base stations it could see, and a geo database on the server side made it possible to use that data from the phone to calculate the approximate position.

Newer phones and base stations made it possible to do the calculations completely on the server side, by communicating with the base stations. The GIS data was still needed, of course. Services that use this exist both for private persons, like Telia Friend Finder, and for commercial companies, such as fleet services. The Google Maps service for the iPhone has similar features, so it is pretty clear to me that the needed geo information does exist, not only within the telco networks but also as a product on the market. I doubt Google (for example) has reverse engineered this data by running around recording the signal strengths. I think they have bought the data from the telcos.

And there is a requirement on the telcos to have a service like this, a requirement set by the regulator so that it can be used by the 112/911 services. The operator who responds to a call can request that the location be calculated if the call is coming from a cellphone. So the features exist. But who should be able to use them, and under what circumstances?

We all know that Eniro (and competitors to Eniro) buy the information about cellphone numbers from the telcos. The telcos are in fact required to sell the data. But there we are only talking about white pages information, not the geographical information. We also know, however, that companies like Visibilly exist, which claim that "We can locate any mobile phone user as long as the phone is switched on. There is no need for a client in the phone, no GPS device needed. We find the phone by using cell data from the operators. To protect privacy, the service needs to get the end users consent to be able to access the data." And a comment to the article in IDG claims that Eniro has bought the service from Visibilly, an offspring of Mobilaris AB. This Eniro service did not, though, require any opt-in… so technically that seems not to be a requirement.

Who else can then trace our location?

I must point out that the work in the IETF regarding geolocation of things, the Geopriv working group, has very explicitly divided the problem in two: how the device gets the location, and how the data is controlled by the user who could be located. From the charter:


As more and more resources become available on the Internet, some
applications need to acquire geographic location information about
certain resources or entities. These applications include navigation,
emergency services, management of equipment in the field, and other
location-based services.

But while the formatting and transfer of such information is in some
sense a straightforward process, the implications of doing it,
especially in regards to privacy and security, are anything but.

The primary task of this working group will be to assess the
authorization, integrity and privacy requirements that must be met in
order to transfer such information, or authorize the release or
representation of such information through an agent.
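
The split the charter describes (acquiring a location versus authorizing its release) can be shown as a deny-by-default release check placed in front of a positioning backend. This is an added example, not code from Eniro, Visibilly or the Geopriv working group; the class names, the "psap" role and the phone numbers are hypothetical, constructed values, and the requester is assumed to be an authenticated identity.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Grant:
    requester: str       # authenticated identity allowed to see the location
    expires: datetime    # consent is time-limited, never permanent

@dataclass
class LocationReleasePolicy:
    grants: dict = field(default_factory=dict)  # target number -> [Grant]
    audit: list = field(default_factory=list)   # every decision is recorded

    def opt_in(self, target, requester, ttl_hours, now):
        """Called only from a channel the target controls (the opt-in step)."""
        grant = Grant(requester, now + timedelta(hours=ttl_hours))
        self.grants.setdefault(target, []).append(grant)

    def revoke(self, target, requester):
        kept = [g for g in self.grants.get(target, []) if g.requester != requester]
        self.grants[target] = kept

    def may_release(self, requester, target, now, role="subscriber",
                    active_emergency_call=False):
        """Decide whether target's position may be released to requester.

        Knowing the target's number is never sufficient on its own.
        """
        if requester == target:
            ok, reason = True, "self"
        elif role == "psap" and active_emergency_call:
            # Regulator-mandated 112/911 case, tied to an ongoing call.
            ok, reason = True, "emergency"
        elif any(g.requester == requester and g.expires > now
                 for g in self.grants.get(target, [])):
            ok, reason = True, "consent"
        else:
            ok, reason = False, "no-consent"    # default deny
        self.audit.append((now, requester, target, ok, reason))
        return ok
```

The audit list gives the located user, or a regulator, a record of who asked for whose position and why the request was allowed or refused.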

One of the operators, Telenor, has the following text in the agreement that one must sign before becoming a customer: "Kunduppgifter kan komma att utlämnas till närstående eller samarbetande bolag samt till myndigheter, och även utanför EU." (Information about customers might be given to close or cooperating companies and agencies, including outside of the EU).

The question is how much of the Swedish implementation of the Electronic Communications Directive a telco can waive in an agreement. The directive talks about the fact that certain data is not to be disclosed unless the request comes from the police, such as in wiretap-like scenarios.

One thing is clear: with FRA, and now this, we are moving to a new world, where people have woken up and understand what is possible, what is nice, and what is not so nice… 1984 – here we come.

Updated: A clarification, it was not the text in the article in IDG that claimed Visibilly and Eniro did business with each other, it was a comment to the article.