Scary thought: governments will secretly track our locations via smartphones

Civil libertarians aren’t thrilled with the government’s ability to track our locations, even after the U.S. Supreme Court put limits on the ability for law enforcement to track car locations without search warrants.

Scary anti-government talks are the norm at Defcon, the hacker conference in Las Vegas. This year is no different, as leading-edge technology continues to race ahead of society’s laws and government policies.

In the U.S. vs Antoine Jones case, the Supreme Court concluded that placing a GPS device on a nightclub owner’s car constituted a search, and that that such an action requires a search warrant — under the Fourth Amendment of the U.S. Constitution that governs illegal search and seizures. But the court specifically did not rule that tracking cell phone usage — including location information — without a warrant was illegal. The recent CarrierIQ scandal, where a company was caught tracking the clicks of mobile users without telling them,  illustrated what can happen when tracking goes on without being questioned.

“We are in a constitutional moment,” said Ben Wizner, director of the Speech, Privacy & Technology project for the American Civil Liberties Union, on a panel at Defcon, which is expected to draw more than 8,000 people.

The ACLU’s concerns range from the ability to do “wholesale dragnets” in areas within range of a single cell phone tower to the circumvention of cell phone encryption.

Chris Soghoian, who has been tracking the government’s surveillance activities for six years and who will soon be the principal technologist for the ACLU, said that the ACLU and others have had to file Freedom of Information Act requests in all 50 states to collect information on tracking by police departments and other government entities. He went to a surveillance industry convention, nicknamed the Wiretapper’s Ball, and hung out with corporate lawyers in bars. He said that carriers are getting 1.5 million requests a year from law enforcement for location data.

Sprint reports that it gets tens of thousands of requests related to handing over location data on individuals. It used to cost $150 per ping for this tracking information, but now law enforcers can get the “all-you-can-eat” data for just $30 a month via portals on the web.

Ashkan Soltani, another tracking activist and independent security researcher, said that phones have become mini-computers, which carry lots of information about who you are and where you go, thanks to the built-in Wi-Fi or GPS tracking technology in them.The carriers began tracking location in every phone thanks to the requirement that they have the data for emergency 911 (E911) services.

There are five different kinds of entities that could be collecting location data.That include hardware companies, platform owners, carriers, application creators, and the ad networks/analytics companies. That represents a broad attack surface for hackers, but also for the government to approach if it wants to find information about your activities.

In most cases, it isn’t easy for users to opt out of being tracked. You can try to encrypt your cell phone communications using
different apps, and the civil libertarians suggested you do so. But platform owners can often decrypt the data and law enforcement can get that data from the platform owners.

Soltani said that police tracking technology can copy the contents of a phone in two minutes.The degree to which your data is treated as private varies. Android apps have the ability to copy photos on your phone.

“The problem is there is no incentive not to track,” Soghoian said. “The ability to do wholesale dragnets is scary.There are some very sketchy things happening.”

It is not clear the good the Supreme Court did with tracking cars will extend to tracking cell phones, she said.

Soghoian said that government lawyers have said single-tower tracking is so inaccurate that they don’t need a warrant to get the data. But as consumers use data-hungry smart phones, carriers have to put more towers in cities and shrink the coverage area for each tower. That reduces the area and makes the tracking information more accurate. If you use a Femtocell, or cell signal booster, to boost your cell phone signal in your home, that information can be very accurate, Soghoian said.

“There are some real anomalies in the law and it hasn’t kept pace with technology,” said Wizner of the ACLU.

“The carriers could do a lot more to help us understand how much information about our location they are giving away,” said Catherine Crump, a staff attorney for the ACLU. “The Jones decision doesn’t go far enough.”

The ACLU had to use Freedom of Information Act requests to get the carriers to say for how long they keep location data. The answer is six months to years, depending on the carrier. AT&T logs location data for seven years, Soghoian said.

One American fugitive was on the run, logged in from Sri Lanka via Skype, and the federal government was able to locate the fugitive. When Twitter receives requests for information, the company notifies users of the request so they can contest it.

[Photo credit: Mia Judkins]