TL;DR - A German man got all the data his cell company had collected on him, correlated it to his other public data on the web (Twitter, etc) and made an online, animated map of his life. Illustrates how much can be known about someone from these two sources and argues for restricting what carriers collect and what governments can get from them.
This makes me want to get a tinfoil hat. Now do I give up one of my most vital tools because someone knows where I am at almost all of the time? Do I trust the government to make sure this data is not misused? Or do I just go all in and make sure Google, FB, Twitter etc. have it too and continue to whistle through the graveyard? There has to be a realistic middle ground to protect privacy but with the global data cloud surrounding us I have no idea what that would be.
It's a tough question and I think there is a drought of answers, even from those who think about the subject quite a bit. I'm not sure it's the best idea to go all in, but that's certainly an approach. I suspect one of the mid term answers (in general) may involve creating a ton of contradictory noise on your behalf, but I'm not even sure if that could be applied to mobile location. Privacy is clearly not winning the match so far.
While it's not quite on topic, this presentation by Moxie Marlinspike last year at Defcon Europe has some interesting thoughts on how we voluntarily surrender our privacy. It's definitely worth a watch if you're thinking about the subject.
You can get a pay-go phone, sometimes with cheaper unlimited rates than AT&T and Verizon, although they won't subsidize the purchase of a nice smart phone. (And I'm not too happy with the data transfer speed on Boost.)
This obviously wouldn't protect against a targeted attack. If the phone company or the government wanted to track YOU specifically, they could probably figure out your phone number by looking at the calls your family and friends have made and finding the union, and retrieve the info from there.
But if someone wants blanket info, i.e. a list of all the people at a G-20 protest or whatever, a computer won't be able to instantly figure out who you are. Someone would have to start investing real man-hours to accomplish this. This hopefully gets too cost-prohibitive for large scale tracking of the general population.
> But why are carriers storing this tracking information for more than 24 hours, unless of course it's by government demand.
This information can be invaluable in crime investigations. Think if you're abducted and manage to keep your phone with you and on - they can track it.
It's a situation where the data can be valuable, but someone needs to watch the watchers.
There's actually a very controversial new EU doctrine that mandates telcos of all member countries to store "connection data" (I only know it by the German word "Verbindungsdaten", which encompasses when you called whom, which websites you visit, who you send email to etc, but not the actual data contained in those transactions) for at least 6 months.
While some countries (like, surprisingly, my native Austria) were actively against the new law for a long time, in the end they caved to pressure from the EU (very unsurprisingly). Interestingly, the telcos themselves were against it, since they have to bear most of the costs themselves.
So yes, they do record everything you do, all the time, for everyone in Europe.
Edit: reading up on it again just now (I stopped keeping up on this stuff since it's just so damn infuriating/depressing), the EU doctrine is still much more contested than I thought, lots of countries still refusing to abide by the law. Though I fear they'll all cave eventually...
I imagine it would make sense to keep records for a few billing cycles. It wouldn't be unreasonable to have to deal with a customer dispute 3-6 months in the future. But I imagine it's also just plain easier to truncate the logs every six months or every year.
Well I guess roaming charges are getting a bit passe these days, but I could still see someone arguing they were never in Niagara Falls, or that they were on the American Side (normal rate) and not the Canadian Side (crazy rate.)
But in principle, I can see why a company would think any and all info they have might be useful in a dispute.
You could still keep a record of all calls made, and the tower(s) used to make each call, without getting down to this level of granularity. I might be wrong here, but it seems that they're storing a stream of triangulated location data for a given handset, regardless of the actual network activity like calling.
Let's say that the carriers only stored call records with tower IDs for each call. If there was a dispute every so often because a call was made on a close-by tower that itself happened to be located in a different toll bracket (resulting in an incorrect overcharge to the customer), I'm sure the carrier would happily write off that charge if you disputed them about it, which is probably what they'd do right now anyway.
There must be another reason they're keeping it, even if it's just a case of it being super-cheap to store, and they think that they might figure out something to do with it later.
The discussion included that they use it for modeling traffic patterns and areas to help them plan capacity and new towers. I'm sure they use it for other things as well.
The information here is inconclusive ( https://www.eff.org/issues/cell-tracking ), but I'm surprised I've not heard of a case where this sort of data was presented as evidence?
I'd also like to know whether this information can be or has ever been used in court as evidence. "Where were you on the night of such and such...?" may become a question of the past. Frightening.
Oh yeah, it does get used in court in the US. I paid attention to a murder trial of a neighbor that happened nearly a decade ago, and they presented evidence of his cell tower connections contradicting his story of whether he was in a certain state at the time. It was by no means a substantial part of their case though, they were just piling things on. But yes, it's definitely admissible, I assume it happens all the time.
Falls under the category of circumstantial evidence, which can certainly tip the balance beyond the "reasonable doubt" criteria if there is enough of it.
Don't forget that it's not actually your position that is being tracked - it is the position of your mobile phone device, which could be carried by someone else. As such, that limits its value in court.
I guess I don't have a big problem with this, law enforcement would need a warrant to get the information, and in most cases it would only confirm or repudiate what they already know or suspect. It's just a more convenient way to surveil a suspect, and for the suspect it's easier to counter: turn off your phone, or better yet leave it somewhere where you're not.
The NSA isn't a law enforcement agency. Rightly or wrongly, US intelligence agencies seem to have a rather different set of rules these days than the rest of us are following, including most law enforcement. Bottom line is if they're wanting to use it to convict you of a crime they'll need a warrant for it (before most judges, at least).
If you're worried about NSA (illegal) spying in general, presumably the carriers retaining the data only makes it a bit easier for them. Since the info will need to be traveling around the network while you're active, they could easily just intercept that like they intercepted the voice calls.
Neighbouring Denmark (where you'd track me down) put a law into effect some years back saying that all telcos must log basically everything all the time about everyone.
This makes me wonder if I could request to see these full logs from my cell and Internet provider. Would make some interesting data for mining.
Plus I'm sure they'd hate handing it over, which makes this that much sweeter!
For those interested, http://veriplace.com/ allows you to do this kind of serverside phone location tracking yourself.
They say they give people good privacy controls, but it is very unclear if it works on an opt-in or opt-out basis (they claim to track 180 million phones in the US).
It's opt-in--definitely no way to get a locate without a device owner providing permission to do so. It's kind of like a Facebook app, if you're using a service that uses Veriplace to get location information, any end user can log in and modify (or deny) what information that service can access. Location data is only stored as specified by your Veriplace settings and otherwise isn't kept around.
Veriplace is a location aggregator (for details, see http://developer.sprint.com/site/global/go_to_market/aggrega...). Essentially, every carrier has a disparate location infrastructure that would require significant development and customization to integrate with. Simply too much work for most developers. Veriplace and other aggregators provide a much simpler, singular API for accessing location data across multiple carriers.
To be clear--these companies are tightly regulated and strictly watched over by both the government and the carriers. It's not these services that should be the concern, it's more so data retention policies and what not of carriers where the data originates.
You may be right about it being opt-in - although the "We locate 180 million [phones]" makes that unclear. I don't see how they can claim that if it is opt-in.
> definitely no way to get a locate without a device owner providing permission to do so.
It's not clear to me what you are saying here. The carriers know where every phone is (by the cell being used), which is the location used for non-GPS enabled phones. Veriplace may not let you as a developer see this, but given that Veriplace seems to get access to your location without permission, I think it is misleading to say there is no way to get access to your location.
> these companies are tightly regulated and strictly watched over by both the government and the carriers. It's not these services that should be the concern, it's more so data retention policies and what not of carriers where the data originates.
See, I disagree. I think if Veriplace can get this data then it isn't beyond imagination for other companies to get access to the data from the carriers too.
I actually met him at the start of this (Erlangen), it feels even more weird if you think about how much data you can correlate if you have more than one person's data. This could be big - you will probably get millions of funding even pre launch.
On the other hand... I actually have Google Latitude turned on all the time, which gives me (and whoever's spying on me) data like http://goo.gl/23iBj all the time.
Quite cool, even though it is indeed scary.