Hacker News new | past | comments | ask | show | jobs | submit login
Student Lets Thief Steal His Phone, Spies on Him for Documentary [video] (boredpanda.com)
292 points by dragonbonheur on Dec 18, 2016 | hide | past | web | favorite | 142 comments

My guess is the 'new owner' was involved in trafficking people for sex exploitation (the overnight journey to the shelter in France - somewhere vulnerable people could be easily tricked with a work offer and easily moved within the EU due to the lack of internal borders).

Meeting the 'Russian' woman and going along with her irrational story and the suggestion of drugs being supplied and her 'loving' him all sounds like an exploitative relationship. Consistent with a sex trafficker.

Swapping SIMs (to change phone identity - albeit poorly) and only using for a few weeks indicates someone used to taking steps to avoiding tracking/identification. Not someone new to criminal activity nor evading detection.

Being overnight at homeless shelters suggests he was more likely exploiting women at these shelters rather than him being homeless and sleeping there (I'm astonished the filmmaker started for feel sorry for him at the idea he was homeless - that's just naive; this was someone already demonstrated to be heavily involved in criminality).

Trying to confront him at the property and finding an aggressive person with a strong smell of drugs at least gave a reality check. This is a dangerous criminal and it was reckless to go near him.

It's easy for you to make these assumptions the way the story was told, but your points are all completely unfounded.

An older homeless man fits the profile just as easily.

> I'm astonished the filmmaker started for feel sorry for him.. that's just naive; this was someone already demonstrated to be heavily involved in criminality

I think you should spend more time in society of this astonishes you. We're an incredibly empathetic species, often going out of our way to connect with people and help them out. Especially when they are members of our communities.

Developing a connection with people you are viewing isn't even uncommon. Media and entertainment exploit this (and we love that they do) by getting us to connect with characters in TV shows and movies. Analyst and investigators are often encouraged and evaluated to ensure their emotions aren't effecting their performance, and victims of kidnapping often learn to love their captors. A young student feeling a connection with a man who appears to be on the outs is anything but astonishing, it's called being a human.

And you should spend more time around criminals to know that when patterns emerge there is a high likelihood of the same outcome.

Please, a significant portion of my job involves understanding criminals and their interactions with everyday people. For every criminal, there is a never ending line of good hearted people who are willing to have faith in their fellow humans.

Of all of my short-comings, understanding this is not one of them.

Human minds are heavily tuned to spot spurious patterns. 'Spotting a pattern' is very often misleading evidence because of this bias. Generally patterns that jump out at us really fit a large spectrum of possible scenarios, including that the seeming pattern is just an illusion of randomness.

That may apply to you right now. Perhaps the poster you are replying to actually knows more than you, but you are biased to see the pattern of someone mistaking randomness for signal.

into the rabbit hole..

> Being overnight at homeless shelters suggests he was more likely exploiting women at these shelters rather than him being homeless and sleeping there

How does his staying overnight at a shelter suggest this at all? If anything suggests that, it's his other behavior (which seems quite like circumstantial evidence, to me).

Nah, I am pretty sure he was a Russian spy smuggling uranium in to build a smartbomb.

The russian woman was just one of his contacts, and they keep cover because they expect to be observed at all times. Constant contact with small amounts of uranium often makes people confused and irrational.

And it is very common for spies to smuggle in small amounts of uranium among refugees, and this gets picked up from homeless shelters.

They also often use the cover of drugs to hide the unique smell of uranium.

I don't know if this was sarcasm or not, but the story is enjoyable. I'd watch the movie.

Person who stole phone and then used it for months(without reset) is not a spy!

megablast was not being serious

Sounds legit. Someone should look into this.

And this is why surveillance is scary: devoid of context, a bunch of data points can be used to craft a damning narrative from innocent and unrelated speech and behavior.

> If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

Is this a Reddit style conspiracy theory we all know is not true but play along with cause it's fun thing?

I did like the Finland never existed meme for instance, but I don't think it's really a HN thing.

Sex trafficker steals phone to stay off the radar or just a general homeless person steals phone, what's more plausible?

A sex trafficker that can't afford bus fare let alone a car? I feel like you need a car to be a plausible sex trafficker.

Or was that code?

The 'sex trafficking' angle has become a straw-man for the anti-prostitution crusaders. Does it exist? Of course. But most non-biased studies show that it is not involved in the vast majority of prostitution related transactions. Period.

What's interesting is that the same Girl-Power groups that push the trafficking narrative the loudest, are the exact same ones who will scream that it's 'her body, her choice' for pretty much any other situation including custody, abortion and reproductive rights, etc.

So the solution to the problem is to continue to maintain prostitution's illegality, or at least moral stigma, but just penalize and shame the men, while asserting that the women are just victims.

Which non-biased studies are you talking about? It's the first time I've heard this narrative and seriously have trouble thinking about a non sexual-exploitation related cause for human trafficking in the western world.

Thats not what he said. He said that most prostitution does not use sex trafficked persons. He also said that sex trafficking is a topic used by groups to rail against prostitution. Neither of these points argue against your point that the majority of human trafficking is for sex exploitation.

Hum... Where you parsed "most prostitution does not use sex trafficked persons", I understood "prostitution and human traffic do not have much correlation". I will have to agree that your interpretation is more charitable, and probably closer to what the GP meant, but I still want to see those studies.

I couldn't find them in a google search, that is not surprising as is quite a topic, but a quick search brings that there are 40 million people involved in prostitution, and 4.5 million have been victim of sex trafficking. That gives a rough estimate of 1/10 prostitution related transactions directly involved with human trafficking, so the use of "vast majority" is called into question.

I'm just realizing, though, that what really irks me is that the GP is using himself some kind of straw-manning himself. I've never found an prostitution abolitionist that pointed to sex-trafficking as the "big problem" in prostitution. The big problem is always women who are drawn into it involuntary, or more precisely, would very much rather do any other thing in the world. Sex-traffic is not an straw-man, but an global expression of the worst face of prostitution, and some people would say that an incidence of 10% is enough reason for pushing for the complete banning.

The reason I didn't address the second point, or the rest of the comment, is that I'm not really interested in discussing what other people discuss on such a flamewar-baity topic.

IMHO the most interesting aspect of this is the FAQ, specifically Q4:

4. Why did you feel sorry for the thief?

I started to feel sorry for the thief because I interpreted all of the data I got in a way which made me feel sorry for him. What if I wanted to see him as a criminal? Or a terrorist? The data would allow me to do that because some of his behaviour can be found suspicious. In the end I was actually shocked when I saw the guy in real life. He didn't look as lonely, sad and old as I thought he looked in the footage I took. Instead he looked pretty fit, smelled like drugs and came very aggressive and suspicious towards me. I saw this man every day, two weeks long so I thought I knew him. The para-social band I had with him (a one-sided band trough a screen) fooled me.

I enjoyed that. I was in a free ranging discussion back around the time Snowden made his move and we talked about constructing a laptop with a cellphone embedded inside of it such that it would record things that went on around it. We figured we could remove the hard drive and replace it with the guts of a cell phone and an SSD equivalent storage. Then use the existing laptop's Wifi antenna as a (likely not great) cell phone antenna. The idea being that you could download analytics from it if it was seized at border crossings or searched.

No, I never had the courage to actually try something like that. This phone hack seems like a modest equivalent with the exception that the phone could be unhacked by a forced OS wipe.

That said, the effectiveness of this as a surveillance tool was pretty eye opening. It seems possible that the criminal in this story steals phones every couple of weeks and puts their sim card into it, use it for a while, and then resell it. Which is pretty good operational security when you think about it (caveat keeping the same sim card) Mapping the meta data and contacts for this person then lets you know who else is in their community.

So with law enforcement powers you could presumably "seed" the stolen phone market with pre-compromised phones and develop a pretty quick understanding of who the criminals were, their infrastructure for moving phones around, etc. Which would make it pretty straight forward to roll up these criminal networks. Of course when it became known that the police were seeding the stolen phone market with 'mark' phones it would probably cut down on the number of phones stolen. But if you have prepared for that and are now supplying a line of cheap "new" burner phones in the shops that you have compromised. Well it is scary how effective that might be.

Now you tie that analysis with the fact that the Paris attackers all had burner phones and you start to see how such actions by the authorities would be justified to law makers.

the fbi/nsa does a similar program where they supply a large number of tor exit nodes

They do a similar program where they tap and track a large number of Americans, as well.

I remember a similary story, though not creepy, where journalist gave out free credit cards, and then tracked their usage.


That was quite a difficult story to read. While there is an expectation of accountability for gifts/donations, it was still a little discouraging to find out that this expectation was not clarified beforehand. This was in no way empirical and the reporting feels anecdotal, even the repeatedly suggestive mentions of the liquor store purchases (can't the poor get drunk too...). But I find it difficult to accept that researchers are the only ones encumbered with ethical responsibilities.

However, it is worthwhile to know that he did disclose that he is a reporter, although the fact that he gave them free credit cards, but could not bring self to find further assistance leaves a bitter taste in the mouth.

That said, OP reminds me of two interesting DEFCON talks [1] [2] [3] re similar issues. In the contexts delivered in the talks, it seems permissible to say that the crooks were fair game.

1- DEF CON 18 - Zoz - Pwned By The Owner: What Happens When You Steal A Hacker's Computer (https://www.youtube.com/watch?v=Jwpg-AwJ0Jc)

2- DEF CON 23: Confessions of a Professional Cyber Stalker (https://www.youtube.com/watch?v=zVJGY2bZ-Ko)

3- bonus resource on how to set up something similar to Zoz's Inspired by the defcon hacker who found his stolen laptop... how to update for present day routers? (https://www.reddit.com/r/Defcon/comments/2428pf/inspired_by_...)

Thanks for the DEF CON links! They are very useful.

Seems creepy to me, given that he didn't disclose that he would look at what was purchased later. He did disclose that he wanted the card back after they used it, which I suppose is halfway there.

Edit: LCBO, in the article, is apparently the state-run liquor stores in Ontario.

Note to self: Continue never buying used mobile phones.

I bought one and have been using it just fine. Just depends on who you buy it from (e.g. is the guy a student? a CEO? a homeless guy?). If you know their true identity then they'd have to be really stupid to have done something nasty to it and sold it to you... and if you know who they are, all you have to do is ask how they obtained it.

Note to self: NEVER assume privacy when using ANY phone with a camera or a mic.

I'd go so far as to say, these days, to just NEVER assume privacy. With ANY tech. Ever. Doesn't matter where it's manufactured, nor where it's sold. Everything is data mined, one way or another. The "cloud" (really "someone else's machine") opposes privacy by definition. If the leak isn't in the hardware, it's in the software, and if not there it's in the pipe. There's no feasible way to control every point along the line.

I mean if you manufactured it yourself, I think you can be fairly certain that it isn't sending your stuff to the cloud.

Do you trust the tools you used to manufacture it?

Depends on the complexity of the tools.

Looks like you can't assume it when you're not using it either.

> Note to self: Continue never buying used Android phones.


They tried recording video of the theft to have proof that they didn't provoke it, and then conveniently it gets stolen after they stop filming...

I misread Thief as Thiel. Now, THAT would have been a great story.

Thank god I'm not the only one who did this on a first read.

The ending is a bit of a twist. I thought the student would encounter a broken man--most of the homeless I see are broken individuals--but not so.

I was disappointed in the ending. The dutch student had managed to find some empathy for the thief. He seemed to be getting an understanding of how tough it is to live as an immigrant with so much less - in terms of belongings and prospects - than he himself has. But then a brief glimpse of someone that had an "aggressive attitude" and smelled of hash, completely reversed this. It turns out that his prejudice, based on superficial stereotypes, wins after all.

Aggression and drug abuse are not superficial, man.

It's the impression that is superficial. The dutch guy obviously didn't have a real interaction with the egyptian man, so I get the feeling that the notion he gets that the man is "aggressive" stems more from a superficial reading of him based on prejudices he has for people of the arab community. Also, smoking hash is hardly drug abuse... The notion that hash is associated with people of lower class or aggressive behaviour is another superficial stereotype.

Towards the end of movie I felt sorry for everybody involved. Including me for watching :P

Odd. I never did. I always waited for the moment he confronted him.

Yeah, me neither. I'm hoping that this becomes easy to do and hard to detect. Poison the stolen phone market.

it would poison the used phone market in general. I'm currently using a Nexus 5 that I got via a craigslist transaction. Even if the phone came from the original buyer, how do I know the college-aged seller didn't put on the spy software for the lulz?

How do you know that right now?

Interesting development of the narrative - how the author began to feel guilty once he noticed the thief had to buy extra call credits since the spyware was depleting his data faster than normal. I kind of felt bad watching as well. Here is a man who is driven to steal, sleeps in homeless shelters, gets ditched by friends when he's unable to pay for a bus. . . And he prays to God every hour on Fridays, so that all his prayers will be answered.

see above comments, but it is just as likley he was a sex traffiker who picked up women at the homeless shelter

Includes remote video of the thief watching porn on the phone while, er, entertaining himself. Ouch.

This would be illegal in some US states. What are the EU laws regarding covert video and audio surveillance?

I asked Dutch IT lawyer Arnoud Engelfriet about the legal status of the movie. He wrote about it today on his blog. His viewpoint is that as it was made here, this movie is legal: http://blog.iusmentis.com/2016/12/21/legaliteit-find-my-phon...

I'm low on time right now and if I were to comment on it I am afraid I would omit important details. But the gist of it is that the student carefully made sure that privacy was kept intact, and that he carefully avoids a witch hunt.

It depends.

In some countries, it is illegal for the police to do entrapment as part of their job. In some places its legal, but the fact that the accused got entrapped means that intentions are harder to prove, which then impacted the verdict.

Surveillance laws in turn generally don't cover this situation. If we ask our self if the thief has an reasonable expectation of privacy when stealing a phone, I would say no. If we ask if the thief has an reasonable expectation of privacy from a stolen phone, again I would say no. This leaves specific video video and audio surveillance laws, and I would say its quite unclear, through I suspect that commercial aspects could likely have some influence over it.

"Reasonable expectation of privacy" is a constitutional consideration. Some states in the US make covert recording illegal even if the participants are in public. E.g. http://www.dmlp.org/legal-guide/massachusetts-recording-law

It's also illegal to steal phones. The proximate cause of the surveillance was itself a criminal act, thus it would be rather hard to prosecute. If I have my phone set to record and someone steals my phone and thus they are recorded, the thief himself is the one that 'caused' himself to be surveilled.

At least in Germany, you can't retaliate an illegal act with another illegal act. I'd expect that this was the rule in any civilized state.

Considering it was still the film makers phone, and he was recording through his phone (and the person holding the phone knew it wasn't his phone, and that the phone had a camera that could record when the user wanted), what would the illegal part be? Just curious as to what specific law covers this.

Not all recordings are legal even if it is my phone. I am not saying that this is case here. But it may not be as clear-cut as it may seem.

Owning a phone doesn't trump all the thief's rights - if the thief were underage, all the usual laws would still apply.

The recording might not be the biggest problem here. I'd say publishing it could get the filmmaker in trouble. But probably only if the thief sues.

At least around here, you don't need to sue, just to send a complaint to the appropriate State agency.

The film seems to imply that there is a way to circumvent iCloud account protection on iOS. Is this really the case? I know there are services which promise that, but as long the phone is on the latest firmware I cannot imagine how anyone could reset the iCloud lock. So these services are either hoaxes or work only for certain phones (with old, vulnerable OS versions). Or maybe I'm missing something?

How does the film imply that? The phone that was setup to be stolen was an HTC Android phone, not an iphone...

It says so from 2:14 to 2:23.

I bought an iPad three years ago. I played with it for a couple of months before packing it in storage for a renovation. Forgot about it and found it again last week.

Apple has since deleted the account that my iPad synced with. I am completely unable to use the iPad after upgrading it to the latest iOS, as my account simply doesn't exist. I even tried registering an account with the same username/password combo. It registered, but the iPad won't have it.

If there is a way to circumvent iCloud protection, I'd love to know.

Call support?

Don't know how they do it, but i know you can go to one of those small phone stores, that are located everywhere in European countries. They have tricks in their sleeves.

I gave my only iPhone 5 to my father, i had forgotten to disconnect it from my account and it was looked to a carrier. They "fixed" it in an hour.

It's possible they have access to internal apple tools.

I know there are paid tools for phone cellular network unlocking which do work, and I assume those have some kind of internal access. Don't have experience with icloud though.

It's usually just a specialized phishing service.

Generally, no.

Very creepy thing to do.

Yeah I really don't understand the point... Obviously thieves have sad lives for the most part. No reason to put this man's shame on display, especially when you baited them in the first place.

If anything, stories like this being out in the wild are a good deterrent.

I don't get the feeling that the thief here had all the wonderful opportunities that the student or most readers of HN have. I'm sure he's making the best of a bad situation and making choices that many of us would if we were in his position, given the deterrents or not.

To be fair, I've known a fair number of people with serious problems in their life and a large percentage of them started out life in an advantageous position. I don't doubt that there are people who would consider that just being born in the US is advantage enough. Advantage is a relative term.

People often make bad choices in their life. Sometimes it is easy to understand why, other times it is really obscure. It is my experience that even when someone makes such a bad choice, they rarely understand how bad it is. People are strangely optimistic in this way. People weigh alternatives based on the best case outcome. If an alternative does not give them what they want, they will disregard it out of hand -- even if it turns out to be the best course of action. Ironically they will consider it stupid to pursue something that has no chance of leading to what they desire. Instead they will dig themselves a pit they can't get out of.

Having done so, they will often remark, "It is so unfair. All I wanted was X, which should be everyone's right. Society has let me down so badly, why should I care about anyone else?" I remember being taught in high school that a tragedy is a type of story where the main character's own actions lead to their downfall. In that way, I have witnessed many tragic stories. I have, indeed, been party to my own personal tragedies.

I also believe that deterrents are not particularly effective in these cases (because people optimistically believe that the deterrent will not apply to them). I don't, however, believe that most people will make the same choices in the same circumstances. Neither do I believe that most people's situations are hopeless from the beginning.

Having said all that, I am powerless to act because I have no idea how to help people who make bad choices. I have a hard enough time doing it when people decide to choose some ridiculous framework rather than to write code. I hope, over time, we as a society will be able to help people like this more effectively, though.

Why not? The thief deserves it. It wasn't like they sold the phone to feed starving kids.

That was well done for what was available to him. I could see how you could feel bad eventually if you dangle a fancy phone in front of a junkie or homeless person and watch their every move for weeks but this could also be a great tactic for infiltrating real theft based organizations.

So, how do I root my phone similar to that guy so I will have access to it for the rest of my life?

You don't have to root your phone to use Cerberus. However if you want to keep Cerberus running even after a factory reset you have to do this (from Cerberus FAQ):

The easiest way to install Cerberus as a system app is with the "Convert to system app" feature of Link2SD: install the app, open it, long-press on Cerberus in the list of installed apps and select "Convert to system app".

I had Cerberus installed for several years. I converted it to be a system app after watching the video. Now I secretly hope to be able to record something similar if it gets stolen.

You can also flash a disguised version (the app will have the name "System Framework" and a stock Android icon)[1].

[1] https://www.cerberusapp.com/get

After that you can set it to be run only with a specific number entered in the phone dialer, so the shortcut isn't visible in the app drawer.

You have to really know about Cerberus to find it, or be knowledgeable to re-flash the device when you steal it. That's what it makes it a very good anti-theft app.

Just follow standard instructions from XDA to root your Android phone and then buy Cerberus pro and install it.

I'm not familiar with Cerberus but what's stopping Cerberus from being hacked and having every phone be snooped on?

Cerberus gets pretty bad reviews recently on the Play Store. Seems like the developer reneged on a load of lifetime licences and locks people out of the app because "you're not using it properly" [©Apple]... also, quite a few people say it doesn't work very reliably anyway

The dev had a giveaway of lifetime licenses then changed his mind because of fallen revenue and set those licenses to expire after a year. Nothing was taken from customers who bought the app. I rather did see this happening then service shutting down or implementing a subscription fee instead.

Lifetime license otherwise costs 3$ for up to 5 active devices at the same time, so it's quite cheap. I bought it 4 years ago and used in on about 5 different Android phones, you can remove older unused devices to keep the limit down.

The main difference between this and other solutions or Android Device Manager is functionality to control the device over SMS commands. Because ADM is useless when the device doesn't have internet connectivity. Even when someone takes out your SIM and inserts another, Cerberus notifies you about the new SIM and sends you the number of it, so you can control the device over the new number.

So, no updates for you?

Is this not a serious crime of illegal wiretapping in Holland? Doesn't usually matter that it's his phone.

Does he address it in the video?

Can you illegally wiretap your own device? It would seem to me the criminal implicitly invited the student into his life by using the internet connected property of the Student without permission.

In all cases, the criminal, not the student, determined where the phone was and whether it was in use or not (without permission). The student simply used his property where it was located, which is clearly his right to do. The property still belongs to the student. He has reasonable discretion to use it as he wills.

In the battle of "rights" it seems the student would be within his rights under the circumstances. This is not to say the student is within his legal rights: legally recognized rights have a long history of not correlating to any reasonable definition of individual rights. So the law may very well be in the wrong on this matter.

I'm very much for rights of privacy and the like, and a person should not be subject to search or eavesdropping without due process and probable cause. But this case seems very straight forward in terms of a criminal losing a right of privacy due to inviting another into his life. Wages of theft you could call it.

It seems like the answer would be, of course you can, in the same way that you can illegally wiretap a bathroom by leaving your own cameras in it.

As with all these things, the issue probably comes mostly down to intent.

Your bathroom example ignores the most important contextual point at play in the case at hand and therefore must be discarded as a criticism. Ignore the essentials and you can make a case for any action one way or the other: a silly, nonsensical case, but a case.

My comments where in context dealing with criminal and a victim. I made clear that the voluntary actions of the criminal are what made the subsequent actions of the victim justifiable as the victim didn't relinquish rights to his property. In your example the phone owner is the voluntary actor and the unwitting person coming after is the involuntary victim. Naturally the cases aren't on par.

In the bathroom video example, even if a criminal breaks into your house and uses your bathroom, you can't just upload the video to YouTube.

Are you sure about that? Do you have an example of someone getting prosecuted for posting security footage of someone breaking into their own home? Not a chance, whe there the footage is the front porch or the bathroom.

It's all about expectation of privacy. You are not protected from invasion of privacy in a public place, because there is no expectation of privacy there. And I expect a jury would also find that there is no expectation of privacy when you break into someones home and use the bathroom or steal their phone/camera and take it to your own home.

Expectation of privacy is an US concept, not universal law. It doesn't apply in the EU. Here you are protected from invasion of privacy in a public place.

The fact that you lump the EU into one statement seems to indicate that you don't really know what you are talking about. In the UK it is explicitly legal to take photographs of people in public places without their permission as long as the act can not be construed as harassment (which is similar here). But I don't know about the many other countries in the EU, I suspect they all have their own laws as well.

I'm talking about the EU Data Protection directives and the subsequence CJEU rulings (like [1]). Last time I checked, the UK was still part of the EU.

And I'm not saying you can't take photographs in public places. What I'm saying is that the binary concept of "expectation of privacy" doesn't apply in the EU. Even in the street there are some protections, such as from CCTVs [2]:

This means that cameras attached to a private individual’s home may, in certain circumstances, no longer be exempt from the requirements of the DPA under section 36. Those circumstances are likely to include where the camera monitors any area beyond the interior and exterior limits of that individual’s home. This would include any camera to the extent that it covered, even partially, a public space such as the pavement or street. (...)

If you have set up a live streaming camera available to the public so that they can, for example, assess which route to take on their journey to work based on the level of congestion, you should ensure that it is appropriately zoomed out so that individuals cannot be identified. If individuals can be identified then this will need to be justified and shown to be necessary and proportionate.

[1] http://eulawanalysis.blogspot.pt/2014/12/bringing-data-prote...

[2] https://ico.org.uk/media/1542/cctv-code-of-practice.pdf

Generally, being yourself victimized by a criminal does not entitle you to turn around and victimize that criminal. If you use your phone's surveillance features to attempt to locate the criminal and facilitate its return, you're almost certainly fine. But if it's clear that your intention was not to recover your phone or identify the criminal, but instead to persistently invade that person's privacy, it's less clear to me that you're safe.

It may depend a lot on what state you're in. There are states with stronger statutes about camera surveillance and invasion of privacy than others.

(I'm talking about the US; I don't know what the situation is in other countries --- or rather, I know even less about it).

The difference you and I have is that you seem to be arguing law and I'm arguing right and wrong. The two have a disappointing degree of correlation in many jurisdictions.

In some culturally regressive countries, the law is used to prosecute the victims of rape. Such law is wrong and immoral... but in those countries it's the law and as a real victim on a moral level you are not "safe" from the law as you say.

My argument about what is right and wrong comes from the fact that I do not lose the right to use my property when it is stolen and the criminal loses certain rights when they voluntarily commit a theft. Of course the likely most sensible case is to use tracking, monitoring, etc as you suggest to bring the criminal to justice. But, if you steal a device that can be remotely controlled and monitor you: you lose the right to privacy because part of your theft was to invite me (by way of my property) into your life. The victim didn't ask to be invited, but the criminal made sure the victim was there. By the way, there's a lot worse the criminal gives up at the moment of theft: the right not to be assaulted by me is lost... take my phone a start to run away, I may well cause you to trip and injure yourself to protect my property: I exercise retaliatory force to defend my property, and because you initiated force to take the phone (not necessarily direct violence) you loose the right to be protected from such action. Again: this is moral argument, not necessarily legal... there are plenty of laws around the world more willing to make a victim the criminal and the criminal the victim on criteria going well beyond any willful act (social status, group identity, etc.).

Can you illegally wiretap your own device?

I'm not a lawyer, but it seems to me yes. The thief's right to privacy is being invaded. It's not because he broke the law that he suddenly no longer has any rights. Just like you can't shoot somebody just because he broke into your house (in Europe; I'm aware of the castle doctrine).

Also, you don't get to mete out the punishment if you're wronged, that's the role of the judiciary.

>The thief's right to privacy is being invaded.

This seems to imply the owner's right to "access" their device ends at the moment of theft (or loss of physical retention of the device). I don't think that's clear. I'm not aware of any case law that deals with this, however, and it could be something we see in the future as, say, self driving cars get stolen and someone can remotely access the dashcam.

(I am also not a lawyer, so if there are any actual lawyers reading please chime in as I think this is a super interesting topic.)

This seems to imply the owner's right to "access" their device ends at the moment of theft.

I don't think it implies that. But the two rights are in conflict and need to be balanced. One does not automatically override the other in all circumstances. It would probably ok to access the phone to locate it, but spying on the thief like in the video seems to clearly cross the line of legality. Of course, this also depends on the jurisdiction...

The owner's right to record stuff is not absolute even if he was in possession of the device. You can't freely install a CCTV outside your home, for example.

> You can't install a CCTV outside your home, for example.

Interesting. I wonder where on the spectrum things like trail cameras fall - those have become ubiquitous with hunters as motion sensors, flash storage and digital and IR camera technology has gotten cheap.

The author doesn't address this.

However, the author doesn't want viewers to try similar projects, and also did the project to inform people of the massive privacy issues concerning smartphones. From his FAQ:

"5. Why won't you teach us how to install the app like you did? Besides theft, I wanted to make a point and start a discussion about privacy on smartphones without actually making a film that even mentions the word privacy. This is why the project should not be reproduced. I think the film makes the point, doing it again would be for entertainment purposes which I didn't. I hope people who see the film will realize the risk of getting hacked on smartphones, by hackers and governments. On computers, most people use virus scans, install updates and some people even put tape on their webcams while almost nobody even considers how vulnerable a smartphone is, and what the implications of getting hacked mean. I think the film already created a lot of awareness and started discussions about it."

Also, quoting from his YouTube page:

"Anthony is a director, researcher and concept developer. In June 2015 he graduated from the Willem de Kooning Academy with his film Find my Phone. Anthony uses technology to tell stories in his work and has special interest in software and hardware development, hacking and privacy. He is currently working on developing a new documentary series and several other projects."

The above suggests this was just an art project. That doesn't mean it is exempt from law (personally, I believe he broke the law, and if you're interested wether this is true or not in NL I can highly recommend a lawyer, Arnoud Engelfriet, who might address the question on his blog), but it does show his intentions.

Why is it wiretapping? He's not trying to get the guy convicted. He's merely recording what someone else is doing with his phone. If you take my phone from the table and snap a few nude selfies with it, should I respect your privacy?

Because he's recording someone in their home, where that person has an expectation of privacy.

Say I build a camera that has a practically infinite battery and records all the time and streams to Twitch. I keep this camera in my house facing a wall. You steal my camera and put it in your bedroom. It follows from what you're saying that I'm now invading your privacy. That doesn't pass the common sense test for me, sorry.

If that's what the law says, then the law is broken.

Intent counts, not just the action itself.

He was just adding data to the owner's data that was already on the phone. If I upload my private movies to your hard drive, you are the one that needs to respect my privacy? Or should I stop using your harddrive?

False dilemma. In the EU, the answer is "both".

That person had a stolen phone. Their expectation of privacy is irrelevant. The person who owned the phone has an expectation that their property wouldn't get stolen. Why are people here actually feeling sorry for the thief? It's bizarre. The thief created his own problem.

I doubt anyone here is feeling sorry for the thief (I could be wrong). It's more of an ethical / legal thing: Does one crime erode your rights (without the law / justice / trial) ?

It's possible to feel sorry for someone while simultaneously prosecuting them with great zeal.

Wiretapping your own phone should be legal.

The concern is how it got stolen... It is illegal to leave your car running while walking into a shop and coming back a minute later. Not sure about a good English translation, but you are urging someone to steal your car.

Depending on how his phone got stolen (it was a setup), he could be charged with something similar.

Fantastic. Let's arrest the victims of crimes and give the thieves a medal.

People are responsible for their own actions. Theft is still a crime no matter how easy the theft might be.

That only counts if you're the police or something similar. You can't leave a car running as bait.

Are you sure? In which country? Because in Hungary we had a team of guys who regularly left bicycles out in the street (with GPS) and then waited for them to get stolen and then called the police with the GPS data. And it worked, the bike owner guys didn't get into trouble for leaving a "bait" out there. If someone steals it, they committed a crime and get caught by the police.

But that's civilians. The police can't do that. At least in the countries I know of, Hungary can be different.

Correct, there's no restriction against a private citizen baiting you into committing a crime by simply leaving the means available. And it's still a crime, even if they intended you to take the bait.

If they try to talk you into it on the other hand...

Really? You're concerned of the privacy rights of a thief?

The card/account owner clearly has a right to know the activity on their card. The usage information are facts. They can't be copyrighted by either the issuer or the account holder. I don't see where any privacy rights for the thief come into play, they definitely did not agree to be bound the the account terms and conditions.

What could be true is if the account holder violated the terms and conditions by knowingly allowing someone else to use the card. I'm actually not even sure what my license agreement allows, but it wouldn't surprise me if technically I can't give my card to a spouse or child to use, instead the issuer wants additional cards issued to make sure anyone using the card is bound to the account contract.

> You're concerned of the privacy rights of a thief?

These rights must apply to everyone. If you catch an intruder in your home, you can't tie him up and beat him with a crowbar, either. If someone attempts to mug you in the street, and you overpower them, you're not allowed to take money out of their wallet.

The 'invasion' of privacy was caused by the thief's own actions. He could have avoided it by not taking people's things!

It's like feeling sorry for a rapist because he caught a venereal disease from his victim.

The question was whether it's legal.

how do you know he is the theif, and where do you draw the line on who can have privacy and not ?

That was my thought as well -- it could well be that the actual thief who stole the phone sold it to some innocent third party for a great discount.

So find and hold the real thief accountable for the theft and the invasion of the innocent person's privacy. It was after all, the thief's fault.

That doesn't make sense as the thief would be unaware of the spyware - no mens rea

Spoilers: thief is a 40-something Egyptian, appears to live in a French migrant shelter in Mulhouse and work as some kind of a pimp in Amsterdam, very religious but also watches porn and smokes a lot of hash.

Director develops sympathy for him, even sends him free credits because the spyware is eating his bandwidth. Later goes to one of the thief's hangouts and realizes that in fact, the thief is a weird scary guy and not lovable at all.

Sequel hook: phone has been reactivated in Romania. Stay tuned for next episode. "Diversiteit is onze kracht."

Here's the post to the original content: https://news.ycombinator.com/item?id=13201134

Reddit is leaking again.

That was a very redditesque comment.

Couldn't get too far into this before feeling like a total voyeur. I'm uncomfortable with the tacit assumption that the guy would've stolen someone else's phone if not this guy's planted phone, and that the theft justifies covert surveillance, like two wrongs make a right.

The question I have is, without watching the video, is this the ACTUAL thief? or someone who bought a "used" phone?

I had a co-worker who had his iPhone stolen... and it ended up in some other country. He locked the phone (standard iPhone capability) and then got contacted by the new "owner". That person obviously didn't steal it (east coast US -> somewhere far away).

I'd worry about recording someone who simply bought a "used" phone on ebay - and the legal ramifications of such a move.

> The question I have is, without watching the video, is this the ACTUAL thief?

If you watched the video, you'd know. Also, from the FAQ:

"1. How do you know the guy in the pictures is the thief? Please watch the film again, we were witnesses of the theft and filled a police report which described the person we later saw in the pictures. Besides that, there is a lot of supporting evidence for the fact the thief didn't sell the phone the fist few days. I won't go into to much detail now. If you don't believe that there is an other argument: The person who used the phone must have known the phone was stolen because it had all my pictures and accounts still on it for a whole week. If he bought it, which he didn't he at least could have known the phone was stolen because of that."

I didn't have 20+ minutes to watch it initially (although I've watch most of it now) - and I didn't notice anything that said "FAQ".

Personally? I can't agree that they "must have known"... I know PLENTY of people who have smart-phones and wouldn't know how to find pictures or be able to tell which accounts a phone was connected too...

Looking at the story (now that I've seen it), the phone also went offline for the first 4? days... that's enough time for someone to sell it and a "clueless" person to start using it.

While I assume it's illegal to buy stolen merchandise - knowingly or unknowingly... my basic question is still to the legality of recording someone using stolen merchandise to this length of time and level of detail.

> Khazackastan (or somewhere out there, however you spell those names)

You know this "Google" thing? You can look up the spelling there, if you don't remember countries names from school.

Poster obviously remembers the name of the country - just not how to spell it. Did you not understand what the poster was trying to say?

It's faster to cmd + l, start typing Kaza..., autocomplete, copy, paste, than the dismissive comment inside parens.

> I'd worry about recording someone who simply bought a "used" phone on ebay - and the legal ramifications of such a move.

Under Dutch law you'd have to return the phone to the legal owner, there are a couple of very specific exemptions that would make you the new owner. So don't buy stuff that is too cheap, ask for the original receipt/invoice, check the serial number in the police database, etc. to make sure you are not knowingly buying stolen goods. You could get punished for that too.

Uh, no, under Dutch law, as long as you a) paid for the good and b) were acting in good faith (ie didn't reasonably know the person you bought from wasn't the owner), you become the owner.

I think this is incorrect. The stolen good will be returned to the original owner, and - if the good was purchased in good faith - the buyer can try to get compensation for damages from the seller.

If you could reasonably have known it was stolen (i.e. because of the low price) you can also be fined or criminally punished.


I think the real question got snowed under the brevity of the last few answers, but I'll admit that my answer was worded clumsily and only makes sense in the context of the original question "I'd worry about recording someone who simply bought a "used" phone on ebay - and the legal ramifications of such a move."

An unwitting buyer in good faith becomes owner of that phone, because the transfer of the good is, briefly put, valid (articles 3:84 and 3:86 sub 1 of the Dutch civil code). Now it's true that the original owner can revindicate (that is, 'claim back') the phone from the buyer (within 3 years and within some other small boundary conditions). This follows from the exception to 3:86 sub 1 in 3:86 sub 3.

I'm saying however that this right to revindication is irrelevant here. My point was (but again I'll freely admit upon rereading it that my wording didn't actually make this point), that the phone at the time of the spying was the fully, legal property of the buyer; and as such, that they have the full legal protection any owner has or would have. So you can't make a legal claim 'oh but that guy who bought it wasn't the owner so we could do with the phone as we pleased'. (Which is what I read as the worries about recording someone who bought a phone off ebay - the worry that the guy who did this could be legally committing the same 'thing' anyone else would be doing when abusing someone else's phone to spy on them).

(While I'm not technically a lawyer, I do have a Dutch law degree, although of course that doesn't make me all-knowing and I've often been wrong before)

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact