Hacker News new | past | comments | ask | show | jobs | submit login
Norway: Soldiers' location history found in data sold by Tamoco (nrk.no)
315 points by santamarias on May 18, 2020 | hide | past | favorite | 73 comments



We have nothing but respect for Norway, but HN is an English-language site, so articles here need to be in English.

I'm sorry, but we have enough trouble getting this audience to read the articles as it is.


point taken, thanks :)


A bit of context for non-Norwegians: The government owned media NRK bought location data from Tamoco worth approximately 3,400 USD.

The NRK subsidiary NRKbeta has "connected the dots" from that data set. In this article they present how they could track down military personnel visiting restricted military sites in Norway, including the disputed radar installation in Vardø, close to the Russian border.


This reminds me of this rumour about how someone used tinder to triangulate opponent units during an exercise and arty them to shit. Supposedly Finns outwitting Norwegians, but is a anon text so who knows: https://imgur.com/gallery/bySUH


Reminds me of a story I heard: In a conflict, Russia sent SMS to the mothers of Ukrainian(?) soldiers, informing them of their son’s death (pretending to be the Ukrainian government/military). The mothers, distraught, called their son’s cellphone. The increased, clustered cellphone activity near the frontline gave away the unit positions. Shortly after, Russian bombs dropped.



That's some next level evil genius. Pretty scary.


Russian intelligence was also able to counterfeit an app used by Ukrainian artillery forces to track them: https://www.google.com/amp/s/fortune.com/2016/12/22/russia-u...



If the russians could get the mother's phone numbers, why not the sons? If you're able to identify the location of call activity, why aren't you able to identify the cell while not on a call, when as far as I am aware there is still communication?


Maybe they couldn’t and just sent the SMS to a lot of random numbers. Those that belonged to mothers at the frontline naturally tried to call their sons.


Right. Still curious about monitoring cell activity only during calls. Thinking if you can monitor the cells, just look at the front line cells for comms.


They didn't know where the front line was?


You're involved in a conflict and you don't know where the front line is?


They knew where the front line was, they were trying to learn where the Ukrainian forces were positioned along that front line.


Right, so back to the question - why not just monitor front line cells for activity, which i think can be done without making calls?


I'm guessing: they needed a way to distinguish the troops from the civilians living in the area. By triggering a mass amount of calls to frontline soldiers, they made their positions light up in front of the overall background.


This is sinister genius. Do you have a citation link? I’d love to read more.


[flagged]


Sure why not? The US does that same thing so what is the problem?


Is it typical that soldiers carry mobile phones? It seems like it would open them up to all kinds of possible problems, and I can't think of a reason you would need a cell phone in a conflict when you have a radio, right?


From the volume of photos and videos from US, UK, etc that were based in Afganistan, Iraq etc you can deduce a smartphone is quite normal in those forces, so I would assume the same in Ukrainian forces.

They might not wear them out on patrol or manoeuvres, but back at their tents/barracks, I would assume some if not all have their personal phones. You only need a couple to track them.

I also read once Strave/Fitbit type trackers was rife at army bases and used to work out patrol routes.


"Hot missile silos in your area are waiting for you"


There have been alot of stories about stuff like this. One of the public ones I remember was if you were looking for US forces in unusual places, you'd find their running paths on Strava.



Yeah that'd be Finns and Exercise Trident Juncture 2018


Got any details? The story is plausible, but it is also only told by a imageboard greentext as far as I can tell.


A bit context on NRKbeta from their website.

"NRKbeta is NRKs sandbox for technology and media. We write about media, the internet and new technology with a focus on you as the user, and what we at NRK do in this field. We call it a sandbox because we want to test things out, be curious and find out how things change. And bring you, the users, with us on this journey."

https://nrkbeta.no/

EDIT:

I also think it's important to contextualize this journalism with the current debate around the Norwegian contact tracing application.

The application has been heavily criticized for the collection of GPS data for research usage and track behaviour when new guidelines are announced. They claim this data is going to be "anonymized", but alter clarified it would only be "pseudonomized".

It is also unclear if the data collected is going to be deleted in December, when the app is set for deletion by the current regulation from Stortinget.


They picked a dumb name. As a Norwegian, I was under the impression that they've actually got a beta version of some supposed new site functionality for the longest time.


Is december a realistic end date for the epidemic control it is supposed to provide? Herd immunity by vaccination at that point is extremely unlikely...


If you are using it for data instead of control, well, that's months of data about how people move around with varying restrictions. It is enough to refine policies and note how different sorts of restrictions change people's behavior. For example, if no one really follows x mandate, well, you either drop the mandate, change it, or come in with some fairly heavy-duty force.

Now, other uses might require more time. If you really need to see where the person has infected others and this is your tool, it might not be enough time. It is too early to tell, though, and I'm not sure how well phone inspections would go here in Norway nor how many people would download the app. It would make me more likely to leave my phone at home if, you know, I had much life outside of home.


It is surprising that this is not illegal. It should be illegal under GDPR as sufficient anonymized data should not allow you to connect the dots to do anything like tracking military personnel. Transporting sensitive military information over the Norwegian border sounds also very illegal under Norwegian law.

Back when Wikileaks released the Afghan War Diary, I wonder what would have happened if rather than a whistleblowers we would have people buying data collected from soldiers smartphones in order to reconstruct the material. It should be pretty easy to identify colaborators by which smartphone gets into contact with someones else smartphone thus reconstruct who is working with who.


perhaps useful to replace the wording "track down" with "identify"?


This reminds me of an experiment I'd like someone to run on Strava. They had this big scandal some time ago where People identified US military bases simply by having a lot of activity in an otherwise empty area.

Now they've added some mojo to prevent this but still sell location data.

So how about running the same attack but instead of using the browser and their own website just use the bought location data.

I suspect they didn't fix that as I've disabled appreaing on their heatmap but they still sold my location data when I forgot to disable my vpn during a run some time ago.


It wasn't just the US military. There were plenty of jogging circuits around strange desert installations in Syria by joggers who had recently jogged around military bases in Russia, at a time when Russia was claiming no deployments and only observers and things.

There were also armchair people wondering about other tracks in various places in the world.


If anyone's interested in how this data can be used, this article breaks it down quite nicely.

https://www.bellingcat.com/resources/how-tos/2018/01/29/stra...


Not only could you see bases because of activity around an otherwise empty area. You could almost pinpoint the exact shape of the bases perimeter because soldiers would prefer to jog along the inside of the perimeter. Smartphones and location based apps and services are a security nightmare.


Seems to me the scandal is that US military bases allowed people in protected areas to upload GPS traces of their activities, more so than strava showing these along with millions of other traces in their activity maps...


Or that soldiers aren't trained well enough in SECOPS that they won't give away base details just to track their own fitness.

What's the punishment for having GPS tracking devices on a military base?

Bet they all love their free USB drives sent from a friend they forgot they had, too.

Hope they're epoxying the USB connections on their Win95 nuclear submarines.


Well, yes, but also that Strava takes this hands-off approach like they're not responsible for the data they collate


What should strava do? Ask each country in the world which areas they want censored?(nuclear power plants, parliament buildings, boarding schools for rich kids, ...?)


Pretty sure that’s how it will end up being, eventually, in the same way GoogleMaps had to buckle.

I can see the smartest countries providing a standard webservice: you-private-company-using-geolocation will have to query a certain area, and get back a shape that you must blur or otherwise suppress. Access to the service should be heavily logged / throttled to avoid mass-scanning, and obviously “customers” will be vetted and forced to sign onerous NDAs. You don’t like the service constraints? Tough shit, here is a law that says use it or be fucked.


How about a "dont record where you shouldn't" clause in TOS... probably there already is one...


Or, you know, they could not make it public by default :)


You can add privacy zones around locations so when people look at your activities your line just disappears inside the radius of your privacy zones.

I have ones around my home and where I work. No idea if that affects whatever data they sell (I doubt it, since you can still the full activity yourself even with a privacy zone), but stops people finding where you live/work and nicking your bike


The fact that an area is made private is also a piece of information. I was thinking that you could use that to track down sensitive areas.


Unless I'm missing something you can easily triangulate the center point of the private area.


That’s effective on an individual level, but tricky to enforce at an organizational level. It’s not like it would be wise for the DoD to log into Strava and setup a privacy fence around every sensitive location.


you're essentially telling strava that the privacy area is very important to you (ie your home, work, etc) and they are probably selling that fact.


What a great signal for thieves too - this user has enough disposal income to have a fitness device, and is worried about being tracked, they must have good stuff.

Presumably you could filter by average speed and only get people with expensive bikes too.


You could also tell who from the public data has a private area, how long they are in it and when they leave it. You could do graph analysis to find folks on 20k bikes (correlate by zipcode) traveling at > 20mph with other folks that also have privacy areas.

If you find that > 3 of folks in that clique are close together and somewhere else, probably having a group event, many of them may not be in their "privacy area".

Anything that collects your location data is a shtshow when it comes to operational security. Even having one friend with poor GNSS hygiene can expose an entire network of relationships.


> Now they've added some mojo to prevent this but still sell location data.

Strava publish a "heat map" that shows aggregated activity of all their users. It's useful for finding common running/biking routes in areas you don't know well. That's how the military bases were found.

https://www.strava.com/heatmap#7.00/-120.90000/38.36000/hot/...

EDIT: I forgot that Strava do sell heatmap data to government transportation departments and such so I fixed the comment.


"On average app publishers make $10,000 a month with Tamoco data monetization."

https://www.tamoco.com/blog/best-app-revenue-calculator/


Google translate: https://translate.google.com/translate?sl=auto&tl=en&u=https...

Original article is in Norwegian.


It would be interesting to know which ``apps'' were responsible for leaking the data.


check the settings on your phone, the ones with location data access are selling it.


All of them? How do you know this?


The vast majority. You have to go out of your way to find apps that don't scoop up all the data they can. Why not? It's not like consumers penalize it.


You don't but you could make the point that since they are not open source, you will never be sure about it.

Even if GDPR should protect against it.


its makes them alot of money, they would be fools not to


Don't allow soldiers to have mobile on restricted ground...


Traffic Analysis.

A lot of British intelligence during WW2 was gleamed not from the contents of the messages they intercepted, but rather from tracking who was where and communicating with whom.

And if you stop soldiers from using mobile phones on restricted ground, you are just going to have lots of tracks stopping abruptly at the gates and secure facilities identifiable by their lack of emissions.

Patterns.

There have been great examples of correctly identifying the crews of nuclear submarines by their predictable periods of time offline.


It was giving that away in his book, rather than any of the other activities at Bletchley Park, that got Gordon Welchman into trouble. Even without any detail as to the techniques used, the fact that he and his group had basically worked out the German operational structure and deployment situation entirely from traffic analysis before the improved Enigma was reliably broken revealed a lot that was meant to be kept secret.


Yes the hut six story was an excellent and eye opening book. We are quick to idolize Turing - and he was an amazing man - but there are others such as Welchman and Tutte who sadly get less attention.


In fact, if I were running strategy, I would want my opponent to think I used a computer of speed x or storage system of size k, spending lots of resources chasing a false solution.


Just make the exclusion region a bit bigger than the grounds itself?

In any case, the attack here was to identify personnel based on known locations, not finding new locations in the first place. Big bases can't be hidden anyway, the best you can do is conceal what happens indoor in them so it seems silly to let foreign intelligence track personnel movement inside a base...


That is akin to not letting them have guns in modern warfare. Or a field shovel.


Nonsense. I agree, the soldiers should not be permitted to have cellphones in critical areas unless exception is given for some other reason. There are ways to communicate using encrypted communication bands used by police etc. They could be using small handheld devices for 2 way radio and basic messaging.


How is that nonsense? Have you never considered what a smartphone can do as a weapon of war? Mobile radios have not been modern for a long time.


Sure, but I think this was largely around their own personal cellular phones. Is that necessary on an army base?


No, it's more like requiring them to use their issued equipment, over bringing their own guns.


I did not say anything about using their own mobiles.


Reminded me of this New York Times article where they got hold of location data from 12 million americans. I think NRK found some inspiration from that.

https://www.nytimes.com/interactive/2019/12/19/opinion/locat...


Something similar has happened before: https://news.ycombinator.com/item?id=16249955




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: