U.S. Telcos Sold Highly Sensitive Customer GPS Data Typically Used for 911 Calls (vice.com)
198 points by walterbell 7 days ago | 62 comments

Why is anyone surprised at this point? These companies manipulate legislature; in what world don't they, at the very least, exploit the data that they gather from you to empower themselves? Selling your data off is a far easier moral leap to make.

The only thing that surprises me is that I thought T-Mobile were the good guys. Apparently their stance on net neutrality was empty fan service.

Nothing digital has any semblance of privacy. If you want to take nudies with your significant other, buy a Polaroid camera. If you want to shake hands on a shady deal, do it in person. If it's not the company who develops your product screwing you, it's the people pwning them: just look at what happened to the bastion of privacy, Apple (the iCloud leak).

Stop trusting your digital devices, or, alternatively, accept that you have no privacy (which is a completely valid choice).

I don't like this fatalistic attitude. Privacy is not black and white. I switched to Signal, DuckDuckGo, and Firefox. And since then, no one knows how to target ads to me anymore. That's a privacy win, even if there's a long way to go.

The only way to address GPS and cellular tracking is to avoid any device with a baseband. So in fact it is either-or in this case.

The upcoming Librem 5 phone has a hardware killswitch disconnecting the baseband completely. It's not a mainstream device though.

Alternatively, airplane mode might work too on regular phones, but personally I wouldn't trust it 100%.

The problem is doing that ensures your mobile device is useless as, well, a real-time communications device. No immediate calls, no SMS, no internet and associated apps without wifi around - how many people are going to enable this? The answer is none, even for the very customers Purism wishes to attract. Because people already wishing to do so can put their phone, any phone, in a Faraday cage, but that seemingly hasn't taken off.

Secondly, my concern would be the cellular network automatically flagging you for suspicious activity, especially in an area known to have good coverage. It would certainly look suspect for a device to periodically pop up, send some traffic, then disappear once again.

Yes, and it's not even malicious basebands, it's any at all. If you want to participate in the cell network in any way, even if you write your own baseband, the network will still be able to report your approximate position using UTDOA, CGI or CGI-TA, ECID, etc. The network needs to gather at least your id/plan ($) and CGI (which antenna and what power) as part of its normal process to give you service.

You can also switch the baseband radio on and off. Only turning it on when you really need it minimizes your exposure to tracking.

That is only until you use your bank card online or connect your Google phone to your WiFi. Both card and phone number disclose your identity and allow your IP address to be linked to you. The phone's IMEI is also a good identifier you cannot change once leaked.

It's not fatalistic. Your digital life is optional, which is my point. You can have privacy, or you can have a device: and both are fine.

Do you use DNSSEC on your phone?

> Your digital life is optional,

I feel like you are not arguing in good faith with that.

Does DNSSEC contribute to privacy (which is what I think this question implies)? If so, how?

No -- you'd need DNSCrypt for that.

Digital life is increasingly becoming non-optional. E.g. try finding and booking a hotel in a metropolitan city other than your own without using a laptop or a smartphone.

Landlines and phone books still exist...

DNSSEC isn't a privacy protocol and doesn't have any impact on what an ISP can and can't see about your traffic.

Honestly, if we're all going to die anyway, we might as well not get out of bed in the morning. All of these people around me lift the fork to their mouths every day, and not one of them has managed to live forever. Avoiding death is impossible, and yet these doctors want me to maintain a healthy diet, exercise, and visit them occasionally. It's a crazy world I tell you.

Why is it when people are upset, there is always a guy asking why people are surprised?

Also T-Mobile has always explicitly been against net neutrality, which is orthogonal to selling customer GPS data anyway.

> If it's not the company who develops your product screwing you, it's the people pwning them: just look at what happened to the bastion of privacy, Apple (the iCloud leak).

People pwning you. The iCloud leak was spear phishing.

Apple has their own replacement for A-GPS, I wonder if it’s more secure or not https://www.idownloadblog.com/2018/01/08/apple-helo-technolo...

Edit: Looks like Apple uses a 3rd party clearinghouse to pass the information to 911, so the carriers don’t get it. https://cdn.ymaws.com/www.nena.org/resource/resmgr/docs/Appl...

I'm confused, how does GPS data get gathered by the telco? Wouldn't that need a backdoor in the OS's GPS software/driver?

I'm greatly simplifying here, but basically there is an API between the telco network and the chipset on the UE (User Equipment). This API is primarily a control interface for general telco signalling, roaming between towers, receiving an SMS, etc.

As part of this API, there is an endpoint that can be called by 911 operators in order to request the position of the phone. It's meant to be part of the E911 services, and is generally linked into the E911 system, but I think it can also operate independently.

One of my regrets from the brief period I was working on these systems is that I never triggered this API outside of a 911 call to see if it still works, and whether it would operate without notifying the user. So that's the part I'm missing: I don't know if the API I'm describing can be activated silently from the UE perspective.

As others have pointed out, there is a class of location-based services that use non-GPS methods for assisting device location, that may also be at play here, and can be mistaken for GPS by someone who isn't intimately familiar with the technology.

As for a backdoor into the OS, this is totally unnecessary; generally things like GPS and radios are all wired through the baseband processor, so it's possible for the baseband to process requests without OS involvement. It's a CPU and code for all the network communications, running independently of the rest of the phone, that is doing all the complicated wireless protocols. It depends on the way the standards are written, on what information the OS gets to see from the baseband, and then on the way the OS is written, on whether that information is actually displayed.

Sorry, I'm also a bit rusty on my telco standards; it's been a few years since I've been working in the telco industry. If you want to dig in and research, I believe LPP (LTE Positioning Protocol) is the spec/standard to dig into.

Thank you!!

Cell networks can just ask the device for it. It’s used for legitimate purposes, and then for the not-so-legitimate purposes.

In the UK, the telco responsible for emergency call handling worked with Google to get a mechanism built into Android that sends an SMS of your location as soon as you dial the emergency number.


There is a mandated function for it in all phones that's intended for locating people making 911 calls.

Cell networks triangulate a pretty accurate device location in order to connect you to the best cell towers for where you are.

Also, the baseband processor in most phones runs its own code out of the control of the OS and has access to a ton of surprising stuff.

GPS != cell networks, and I'm asking what is actually happening, not for a hypothetical guess (which I can make too).

Not a hypothetical guess. Carriers have access to location data from multiple sources and have been selling it. Some of those sources are combined with GPS in this particular case.

Also you asked if carriers need a backdoor, which I answered: "Wouldn't that need a backdoor in the OS's GPS software/driver?"

PS: asking a question and berating any answer you don't like is not exactly an optimal strategy for getting people to answer your future questions.

The article mentions it's aGPS, which uses tower triangulation. But this would require a data link back to the network provider, I'd assume.

In airplane mode it _shouldn't_ be sending that data.


aGPS has nothing to do with cell tower triangulation.

With aGPS, the cell phones can download up to date GPS almanac from the tower instead of having to lock to GPS satellites to get it.

Read the wikipedia page before downvoting the parent commenter, who was correct: "A-GPS augments that by using cell tower data to enhance quality and precision when in poor satellite signal conditions."

Feel free to point out where the Wikipedia says that it helps with triangulation. (Hint: it does not.)

The parent commenter explicitly wrote "A-GPS which uses triangulation".

That is simply not true.

They obviously can calculate position, but it's not required for GSM handover.

The BTS (cell tower) will broadcast the connection info about neighbouring towers and your device will report back the signal strength for each. The network can then make a decision if it needs to move you. This is known as Mobile Assisted Hand Over.

The aim of the game here is maximising signal quality, which is not necessarily the same as minimising distance to a tower.

The reason for the US's paranoia about Huawei is a scenario where the network (built with Huawei gear) could not only triangulate locations in real time, but also transmit voice and data via backdoors to China.

And people in the US still oppose telecom regulations like those we have in the EU.


Puts device manufacturers in a tough spot. They can't fix the problem because sometimes the carriers/police/whoever need the A-GPS data.

Third parties do need access to this information. There should be prominent alerts on the device when tracking is occurring, including information on where that information is going.

Apple could add an option to disable A-GPS, leaving the device relying only on satellite GPS.

Carriers would still have cell tower location.

I'm sure Apple could, but this might be an easier-said-than-done item.

A-GPS certainly shouldn't be disabled at all times, as it is a mandate as part of E911, which has the express purpose of closing the gap on emergency services being able to find a caller in an emergency.

The difficulty is, I don't think A-GPS is OS controlled; I think it largely lives in the baseband, which Apple may have much more limited control over, optionally enabling and disabling features that for all intents and purposes are built into the hardware. Ideally, a user should get a notification when not in a 911 call, but without spending a good deal of time hunting in the standards, it's possible this isn't exposed either.

I think in the CDMA2000 days when I looked at this, the OS call for GPS positions couldn't even say "don't use assisted GPS". The baseband, if it had a network connection, would just contact the location server, and use that when locating the device to give back to the OS. That's old technology though; I'm not intimately familiar with the current standards.

Can you opt out of location service for 911 calls? On the one occasion I had to call 911 from my cell phone, I had to laboriously go over my address. There was more friction than ordering pizza since there was a lot of back and forth over the address. So I don't know what this back channel for GPS data for 911 does anyway. And ultimately, it seems like a reasonable tradeoff for people to make on their own if they don't want enhanced 911. Cell phone operators will still get other auxiliary and approximate data from towers, but I don't want an API for them to request more precise location.

It appears that you will be able to opt out of Apple's new Enhanced Emergency Data. However, that part is device-initiated anyway. The traditional Network-Initiated Location Requests probably cannot be opted out of.

Kind of surprised no one has started a petition for each telco (maybe there is one and it's viral on Facebook, which I hardly see any of) and demanded privacy legislation to stop other carriers collecting and transferring location data at this point.

I have personally called and written my carriers. I think if more did they might take notice.

Does anybody have an explanation about A-GPS? How does it work? I thought it was available to end users, I don't understand why carriers have such data.

Devices marketed as "GPS" are not always full-fledged GPS.

I realized that fact because I purchased a tablet, and once I went out with it using the GPS, my position became unavailable or very inaccurate, very quickly.

AGPS means assisted GPS. Essentially, it means that you need some kind of list of satellites, or some kind of "init" data for GPS to boot up, and I think I heard this list is streamed by satellites, but with AGPS, you won't receive this list from satellites, but from some network thing.

To be honest I'm not 100% sure of the things I just said (I'm repeating some answer I got on Stack Exchange), but I can deduce that AGPS devices are not autonomous; they need a little bit of networking in order to calculate an accurate position.

Although there are many real GPS devices out there, I'm almost certain my new smartphone is full GPS because I have no SIM and no data plan and it guided me for a 50km trip, but I don't know what are the capabilities of other devices.

To be really honest, intelligence agencies might have pushed for such and such throttled GPS featured chip, that forces those to use networking, again, for allowing a third party to track the position and avoid autonomous positioning. It would be a conspiracy theory at this point, but by listening to Snowden, it would make sense.

Wikipedia has a great article on it https://en.m.wikipedia.org/wiki/Enhanced_9-1-1

I do not understand. That carriers have my cell location data, that seems ok. But do they get my own phone GPS data along with it? The article seems to imply that such data is sent only when dialing certain emergency numbers... Not always!

Pinpointing a phone requires three satellites. With A-GPS, it can be accomplished with two satellites and cell tower data and/or WiFi info.

Official Apple statement:

Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple. https://www.businesswire.com/news/home/20110427005749/en/App...

Also worth reading: https://transition.fcc.gov/pshs/911/Apps%20Wrkshp%202015/911...

> With A-GPS, it can be accomplished with two satellites and cell tower data and/or WiFi info.

I think you might be confusing 2 separate things:

* aGPS uses the cell tower to download data that helps with locking on to GPS satellites much faster. It basically tells the GPS receiver: here are the satellites you need to be looking for.

* cell tower triangulation is used when you have no GPS reception at all. It’s inaccurate, but it’s better than nothing.

If you know your location roughly with triangulation, you can improve your location estimate if you add 2 satellites to the mix (more data is usually better than not), but even then it has nothing to do with aGPS.

Thank you. I went back and did some additional reading. From what I read it appears aGPS has different options available.

Standalone - Your handset has no connection to the network, and uses only the GPS satellite signals it can currently receive to try and establish a location.

MS Based - Your handset is connected to the network, and uses the GPS signals + a location signal from the network.

MS Assisted - Your handset is connected to the network, uses GPS signals + a location signal then relays its 'fix' to the server, which then uses the signal strength from your phone to the network towers to further plot your position.

> If you know your location roughly with triangulation, you can improve your location estimate if you add 2 satellites to the mix (more data is usually better than not), but even then it has nothing to do with aGPS.

Isn't this exactly what aGPS is? One or more data points outside of satellite data? If you have an additional resource I'd love to take a look. Just a quick search of the topic did reveal some contradicting statements.


> Isn't this exactly what aGPS is? One or more data points outside of satellite data?

I don’t think that’s what it is: with aGPS, the phone downloads data of where the satellites are. That allows the phone to accelerate its ability to lock onto GPS satellites.

Triangulation based on cell phone tower location is orthogonal to aGPS. The original iPhone didn’t have a GPS receiver and didn’t use aGPS, so it used the location of the towers as a crude way to figure out its location.

The triangulation + 2 satellites example could be (but doesn’t have to be) a hybrid of the 2:

Use old school triangulation as one of the location estimates and use 2 satellites as further location estimates.

And then, orthogonally and optionally, you could use aGPS to accelerate finding additional satellites.

I understand a-gps from an end user pov. I don't understand how and when such data is retransmitted to the carrier. Carriers shouldn't have access to my gps data.

A cell tower receives a request from a particular phone in range and sends the nearest GPS satellites for the phone to try first, cutting down the first GPS fix to seconds. The carrier has a list of IMEIs that requested AGPS data for each tower; it's only metadata, the phone doesn't get the data.

This is my understanding, I'm not entirely sure about the first part.

IIRC, it's not exactly like the device detects you're in an emergency call, finds its GPS coordinates, and then sends the GPS coordinates along with the call initiation. You want to initiate the call, regardless of the status of finding the GPS location.

I'm greatly simplifying, but you can think of it like I'm making any phone call, it's just that I dial 911. This does set some special in-band signalling, that I'm dialling SOS, and sets bits that say this is an emergency connection, so retain it over non-emergency calls.

There is then some special routing that takes place, so that based on general location, you get routed to the correct 911 center.

Then, the network has a sort of API that lets the 911 center make an API call requesting the current GPS coordinates. This can take time, as you might not be able to pick up satellites, or use other sources. Then think of something like a kidnapping: you might need to be able to track a moving target, so this process can be repeated and updated or more accurate coordinates can be received.

And that special signalling is part of what allows the emergency call to be routed over a different provider? Sometimes I have no network strength and my phone displays "emergency calls only".

And how is that API call performed? To whom? To my device, via a specially exposed service? Or is it part of gsm/umts/lte specs, and every packet I send back to my carrier contains my gps data?

It's just GPS, but cell towers are used to help it get a satellite fix faster.

Forgive me if this seems obtuse, but honestly, seriously: in each of our phones is an antenna; over that antenna radio waves are sent; encoded in those radio waves is information that must be decoded by the other side of the transmission.

Each layer of that has a specification, in that specification each side has implementations of that specification. To me, I fundamentally don't care what an individual corporation "can or can't do". I care what the spec says, because that's what the corporation can and can't do unless they have something completely 100% proprietary.

Speculation is worthless, show me the spec of what function calls enable the collection of this data, and what the structure of the message looks like over the wire.

Beyond that, on a rooted device that I have full control over, I should be able to work out the details of how that's happening and whether or not I want to fiddle with it to allow my carry around computer to do so or not.

If the implicit assumption is that root access to my pocket computer still leaves me unable to turn off such a thing, then that's news. The rest are layers and layers of complexity as to what the defaults of the systems involved are allowed to do via permissions systems. We're either cool with those defaults, or we aren't.

So, imo: start with the specs; if it's possible via them then it's surely happening whether or not it's "legal" to do so. My apologies if this comes across as harsh, but what else did we expect? We're fortunate enough to live on the cusp of the information age, but the first 50/100/200 years of this are bound to be messy before it either goes full dystopian forever, or enough outrage affects those defaults.

This isn't just about software capabilities. The telcos don't need to have remote code execution on the device. Their huge network of receivers has to identify your device for routing, and that reveals your location. Simply connecting to the towers implies that you're within a few miles of them. In areas with denser coverage, triangulating you within a few meters is trivial, and I suspect that every network is storing your location in perpetuity from this method alone. It isn't an issue of software freedom, it's an issue of having a radio signal emitting from your pocket to a huge network of receivers with known positions.

Only way to guarantee you aren't being tracked is to turn the signal off, which isn't feasible for most.
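Added illustration of the point made in this comment and in the earlier one about UTDOA / CGI-TA: the operator's own radio-side measurements are enough to fix a handset's position, with nothing requested from the handset's OS or GPS. This is example code written for this page, not code from any carrier, vendor or commenter. The tower positions, the handset position and the timing-advance constant are constructed for the toy; the function names (`ta_from_distance`, `range_from_ta`, `trilaterate`, `locate_handset`) are my own. Real networks use finer timing measurements than GSM timing advance, so treat the accuracy shown as a lower bound on what an operator can do.

```python
"""Toy model of network-side positioning: each tower measures how far away a
handset is (here, via a GSM-style timing advance), and the operator combines
the range estimates from three towers with known positions into a fix."""
import math

# One GSM timing-advance (TA) step is one bit period of round-trip delay,
# roughly 553.5 m of one-way distance. Constructed constant for this toy.
TA_METRES = 553.5


def distances(towers, point):
    """Exact handset-to-tower distances (used only to synthesise measurements)."""
    return [math.hypot(point[0] - tx, point[1] - ty) for tx, ty in towers]


def ta_from_distance(distance_m):
    """What the tower observes: the distance quantised to whole TA steps."""
    return int(distance_m // TA_METRES)


def range_from_ta(ta):
    """Operator's range estimate: the midpoint of the ring that TA value covers."""
    return (ta + 0.5) * TA_METRES


def trilaterate(towers, ranges, iterations=50):
    """Gauss-Newton least-squares fit of a 2-D point to range measurements.

    towers: list of (x, y) tower positions in metres (known to the operator).
    ranges: estimated handset-to-tower distances in metres, same order.
    Returns the estimated (x, y) of the handset."""
    x = sum(t[0] for t in towers) / len(towers)   # start at the tower centroid
    y = sum(t[1] for t in towers) / len(towers)
    for _ in range(iterations):
        a = b = c = 0.0        # J^T J, a symmetric 2x2 matrix [[a, b], [b, c]]
        g0 = g1 = 0.0          # J^T r
        for (tx, ty), r in zip(towers, ranges):
            dx, dy = x - tx, y - ty
            d = math.hypot(dx, dy) or 1e-9
            res = d - r                      # how far the guess is off this ring
            jx, jy = dx / d, dy / d          # partial derivatives of res
            a += jx * jx
            b += jx * jy
            c += jy * jy
            g0 += jx * res
            g1 += jy * res
        det = a * c - b * b
        if abs(det) < 1e-12:
            break                            # degenerate geometry, stop here
        # Newton step: delta = -(J^T J)^-1 J^T r
        step_x = -(c * g0 - b * g1) / det
        step_y = -(-b * g0 + a * g1) / det
        x += step_x
        y += step_y
        if math.hypot(step_x, step_y) < 1e-6:
            break
    return x, y


def locate_handset(towers, true_position):
    """Simulate the network side end to end: towers measure TAs for the handset,
    the operator turns them into ranges and trilaterates. Returns
    ((x, y) estimate, error in metres). true_position only feeds the simulation;
    the handset itself contributes nothing but the timing of its radio replies."""
    tas = [ta_from_distance(d) for d in distances(towers, true_position)]
    ranges = [range_from_ta(ta) for ta in tas]
    est = trilaterate(towers, ranges)
    err = math.hypot(est[0] - true_position[0], est[1] - true_position[1])
    return est, err


# Constructed scenario: three towers a few km apart, handset inside the triangle.
TOWERS = [(0.0, 0.0), (4000.0, 0.0), (2000.0, 3500.0)]
HANDSET = (1200.0, 800.0)

if __name__ == "__main__":
    est, err = locate_handset(TOWERS, HANDSET)
    print(f"estimated position: ({est[0]:.0f}, {est[1]:.0f}) m, error {err:.0f} m")
```

With the coarse TA quantisation the fix in this scenario lands within a couple of hundred metres of the true position, which is why the comment's conclusion holds: the only control that fully removes this is not transmitting at all, and anything that keeps the radio registered leaves an operator-side location trail regardless of what the OS exposes.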

I hear ya, and I personally understand that that's the case, thus if just the "connection" of my antenna to the tower reveals information I personally don't care to share then the natural next question is: "can I toggle the antenna off on my own device except when I want to reveal my location, or is that beyond my control as long as the antenna has power?"

I personally don't know that I mind it, but some people do and that's the question that is either allowed by some spec or isn't.

Edit: furthermore, just connecting to the towers at all would give approximate information, unless it's connecting to multiples, wherein they can triangulate. The other question would be "can I compromise and force my antenna into 'one tower at a time' mode" via some spec. Would I then affect my ability to do tower handoffs upon movement without having multiple tower connections? If so, do I care that my antenna is forced into single tower "approximate location" mode with drops upon new tower acquisition or not? What spec controls that and can I control it via root access to my device? See what I mean?

This is probably between the baseband firmware and the SIM card, so rooting wouldn't help. And it's using A-GPS (probably in MSA mode, where the location is derived on the servers, not the phones), not just cell tower triangulation.

