Advanced Mobile Location when calling emergency services

Probably so.

However in my experience mobile phones tend to prefer to send data via WiFi (as compared with via the cellular modem) so the HTTPS alternative may well go via WiFi if WiFi is hardware on and an accessible Wireless Access Point is available.

My point was not that “this can’t be done” but rather that there is lots to think about.

(Since a user may have global roaming enabled and be overseas, ideally the phone would understand the AML rules for all countries all of the time and select the appropriate rule based on where the phone is.)

Except that let’s say some country says “no AML, no mobile phone” and let’s say that AML is not working today on the Librem 5 then AML does have a problematic impact on privacy - because you are sacrificing privacy during the 99.9999% of the time that you are not calling emergency services for the perhaps once in a lifetime that you call emergency services.

Fortunately there’s no AML yet in my country, as far as I can tell, so that’s one obstacle that I don’t have to contend with.

(The original post suggests that it is only required in the EU from 2022 so perhaps Purism / someone has a bit of time to get this sorted out.)

Common phones (Android and iOS, and most others) use WiFi if available, since that’s usually the cheaper option and users tend to prefer it - that’s why they turn on WiFi and connect to a WiFi network.
Of course, if WiFi is available, and the emergency services as well as the phone support AML messages via HTTPS, it will be used.
Again, likely the same data will be sent, though HTTPS could be used to transfer more data more easily. This remains simply an implementation detail.

Of course any legislature can require you to have AML support and forbid the sale and or use of devices without it.
If AML was required for all sales, this is again a non-issue, since Purism could ship all phones with AML and the user could simply chose to disable it.
If AML was required for use of the device, you don’t have any choice anyway - either use it or break the law and deal with the (possible) consequences.

The mere existence of the AML feature remains a non-issue as long as the user is in control.
Also, AML remains a positive feature in any sense, since it could save your life at no cost monetarily or in a privacy sense.
If it is implemented in open source software and running on the application processor you can verify that it is only used when you initiate an emergency call, and even disable it at any point.

It would certainly be worse if the feature wasn’t at all available due to unfounded privacy concerns, since its absence cannot improve privacy beyond what is available, and could cause much worse help in case of an emergency.

I would much rather live in a country that enables its emergency services to have the possibility to gain useful location information, as long as it is the users choice, than in one where the only choice would be not to have it at all.

I had a really quick look at the Regulation mentioned above and it appears that it is demanding a “capability” i.e. “support” for AML, rather than use of same.

I couldn’t see whether it is retrospective but I would guess not i.e. if your current phone does not have the capability, you can continue to use that phone.

HTTPS is also a guarantee of either immediate delivery or immediate knowledge of failure. When things are going badly I have seen SMSs turn up many hours after being sent, which might not contribute much to an emergency situation.

(I don’t know whether these particular SMSs can be “expedited” within the cellular network. That might be a “nice to have” for those countries that implement AML but that is outside the scope of what the mobile phone can control.)

HTTPS is also secure (not subject to failures of confidentiality or integrity during transmission from original source to ultimate destination).

This is indeed a common problem, owing to the fact that SMS is delivered in signalling channels and deemed non-critical, which means in overload-scenarios they will basically be the last services to be delivered.

However, there are priority services, as used for emergency services, where SMS is delivered almost instantly and very reliably. Usually it will be delivered before a TLS handshake could be established.

the emergency operator is trained to ask for the location - but that sometimes backfires if the victim is incapacitated or if another person who is unfamiliar with the area is speaking. geo-location is a fallback.

I think AML is certainly a good feature to have. I would probably want to use it if I was making an emergency call.

Using Wi-Fi to determine location is potentially problematic, because that relies upon having a way of querying a regularly-updated dataset mapping Wi-FI SSIDs (or BSSIDS) to geographic locations.

I highly doubt that Purism has the resources to create a database of Wi-Fi network locations, so in practice Wi-Fi geolocation means querying someone else’s database through a web service API. The user’s location and IP address are inherently shared with the web service whenever it is queried.

If we’re using a geolocation web API, then someone probably has to pay for access to the API. Who pays, and how is it funded? Really you need per-device API keys, otherwise users could simply extract the API key from the software and use it for their own purposes, potentially creating high costs for whoever is being billed for usage under that key.

If a suitable Wi-Fi geolocation database, available under a Libre license, can be stored on the phone itself and queried locally, it will take up a lot of storage space. The Mylnikov Geo database is over 600MB, and it’s not even the largest one. Mozilla has a database that it chooses not to distribute, because, it says, doing so could be considered a privacy violation against operators of Wi-Fi networks.

On the other hand, I suppose the regulation C(2018)8383 linked in the edited original post doesn’t appear to specify in what way Wi-Fi should be used for determining location, so perhaps it could be as simple as allowing the user to program in a list of SSIDs which should be associated with specific location coordinates. Or, perhaps, the phone could build its own offline database of WiFi network locations in the locality as it is moved around. (Though, clearly users have the right to disable such data gathering, even if it is only held on the device.)

The regulation says that “Smartphone manufacturers face negligible costs as the solution is software driven,” but it seems to me that this statement can only reasonably be applied to the existing, big players in the market, who already have costly, privacy-violating infrastructure in place that can determine location for other purposes. For Purism, it is clearly going to be disproportionately costly to put in place something equivalent just to facilitate AML for emergency calls.

That is assuming that the Librem 5 isn’t exempt from the regulation on a technicality (e.g. perhaps only the radio modules are classified as radio equipment, and the entire device is simply a portable computer).

Alternatively, couldn’t the database of hotspots be stored on the receiving end and the phone just send the information of what’s around it?

Do you mean the AML standard should be amended so that the recipient of the location data should perform the database lookup/API call? Yes, that would be a good solution, if sufficient influence could be applied to get it implemented. (Mind you, SMS messages have limited length, so it might not be entirely practical.)

AML is a very benevolent specification.
It does not require handset providers to deliver very specific information, it only requires them to deliver the best location information available to the handset.
This is GNSS if it already has a fix, a WiFi location database if no GNSS coordinates are available, or a Cell-ID database.
If neither is available, a “null”-SMS should be sent to signal this to emergency-services.

This means, that the AML standard specifically gives the phone (and for a user-controlled phone therefore the user) full control over the procedure.

While privacy-friendly non-GNSS location services might be tricky for Purism, the user can be given a choice to use the freely-available location services of for example Mozilla for an emergency-only, if the user wishes not to transmit his location to said service providers in other situations.

All in all, this means, that this is a non-issue. AML is purely benevolent in any sense and can be implemented in full support of the specification without any privacy concerns.

Hence, as noted above, HTTPS is a better alternative, in that regard, where it is available (seemingly currently only Austria).

It was not clear to me whether a solution based on WiFi would be using the SSID (maximum length 32 bytes) or the underlying MAC address (BSSID) (length 6 bytes). The MAC address is in general going to be shorter than the SSID. The SSID will in any case be potentially highly non-unique. (Too many idiots don’t change the default.) So I would assume MAC addresses.

You can fit a bunch of MAC addresses in an SMS.

Scanning for WAPs could be a bit slow, particularly if the user has overridden the default beacon interval.

The carrier should take care of providing any information relating to, or based on, the tower (cell).

I have my suspicions that solutions based on WiFi could be horribly inaccurate. Let’s say Google drives past your house, records your SSID and MAC address from the beacon frame, puts it into its database. Then you move house to a location that either Google has not subsequently scanned or cannot detect the WAP from the street. You are at home and an emergency arises and you are unable to give your location. Your phone of course can see the WAP (whether or not it is associated with the WAP) and reports the WiFi details. So the cell info must override the WiFi-derived location when the two are wildly inconsistent.

In my view if such databases are to be created, they should be public (not secret) and you should be able to delete yourself and/or update yourself. However that is a problem for another day. (It is not obvious how you would prove your entitlement to maintain the database item.)

In the short term it might be good enough for the user of the phone to be allowed to configure the phone not to transmit WiFi info as part of the AML info. So the phone is compliant (has the “capability”) and the user is happy.

let’s look at this from another perspective … if emergency location information IS collected then how usefull is that information - it’s not likely you’ll have the same almost-fatal car accident in the same place each time of the year … unless you enjoy having your face smash into the frontal-airbag

I get a bit edgy when I see things like the following in the EU Directive

Member States may adopt specific provisions to entitle providers of electronic communications services to provide access to location data to emergency services without the prior consent of the user or subscriber concerned.

and the following from the spec

2.3 SMS invisibility

The AML SMS should not be seen by the caller and therefore should not appear in the SMS “sentbox” of the smartphone. This is to avoid … making the format of the message widely known.

Yeah right. If it is relying on security through obscurity then that is no comfort at all. (Possibly there are some major problems of potential abuse with the whole implementation.) I would ask for the exact opposite - please show me the SMS that was sent. If I am not completely incapacitated, it may be psychologically good to see that the SMS has been sent. It may inform me about the next course of action e.g. if I can see that the SMS was not sent or was sent but did not include position info.

I know that the whole thing is well motivated but governments also need to consider how much damage they have done to public trust.

Reading more of the spec, at the time it was written, AML doesn’t work with global roaming and should be disabled(!) when roamed. That seems to relate only to sending location info via SMS though i.e. maybe it is OK to keep enabled when roamed if in a country that supports location info via HTTPS, which I hope is a growing number of countries.

I get that, but it seems the EU regulation eventually requiring this functionality in new phones is a little more prescriptive than AML itself.

Some databases record both SSID and BSSID, others just BSSID. The AML Specifications & Requirements document makes note of the problems of relying on just one BSSID:

Some ‘Wifi to location’ services require that multiple Wifi MAC addresses be supplied. This is important as it can help to eliminate situations where an incorrect location is given because a Wifi router has been moved and its location has not been updated on the location server. This approach should be adopted for all AML locations based on Wifi.

On first reading, I saw that “Mozilla is currently evaluating its MLS service and terms and is not currently distributing API keys.”, and assumed this meant the Librem 5 was shut out of using it, but actually it looks like it could just use the GeoClue D-Bus service, which already has access to the Mozilla Location Service, so perhaps it’s not so difficult after all. Though, it doesn’t appear to support contributing data back to the database, and users are advised to install an Android app in order to contribute data if their location can’t be found.

I totally agree. I want to see any time my mobile sends a SMS. Would be funny seeing silent SMS or IMSI Catcher action at some time, but I guess that would be implemented in the non-free part of the phone

It is important to note, that AML does not use silent SMS, it uses standard SMS.
The standard however asks handset and OS producers to hide the SMS from users (i. e. not show them in the outbox), and gives 2 reasons for that:

1. Don’t confuse the user in the stress situation of an emergency
2. Don’t make the message format widely known to avoid abuse

I think both are somewhat valid reasons, even though I disagree with both.
Knowing an SMS has been sent won’t likely confuse or stress the user.
The message format is already widely known, and security by obscurity is a silly concept, that has rarely worked.

That said, since this are user SMS and originated by software running on the application processor, it is trivially possible to show them to the user; the obligation to hide them is a weak one and can be safely and legally bypassed.

Apart from that, the emergency centers already know your approximate location, because in almost all countries, network carriers are required by law to provide cell location data to emergency centers.
Since you originate a call, a silent SMS is not needed to gain said location information; it is by design available as soon as you hit the dial button when the phone starts sending data to the network.

The aspect for me that was truly ridiculous is that the very document that talked about keeping the format a secret actually documented the format.

In any case, you can’t expect phone providers (which Purism will hopefully soon be) to implement AML while keeping the format a secret from them, and once an open source provider implements it then the format is public and quasi-documented, whether “they” like it or not.

It occurs to me that maybe a better approach to AML via WiFi is to enhance the WiFi standard to include location information, either in the beacon frame or in another existing frame or in a frame specifically for location information. (I dare say that vendors can already do that by including proprietary Information Elements but that is exactly the solution that we don’t want.) The operator of the Access Point would have the option of disabling the transmission of location information.

The privacy implications would be less severe, as no massive database is needed, either secret or public, and you can opt out easily enough, and updates are handled more cheaply when an AP is moved.

I note in passing that a network of Cisco Access Points is capable of locating a given wireless client using triangulation on the Received Signal Strength Indication (RSSI) i.e. works the same as multiple cellular towers doing it but more accurately. I don’t know whether other vendors have the same functionality.

Doesn’t help if you are at home as I would guess that most people don’t have multiple Access Points (and if they do, the APs might be different makes/models that are not capable of cooperating in that way).

Edited the fist post.
Court of Justice of the EU rules that SIM-less calls to 112 should be located.
Also on EENA website.

Sorry that I missed this one, as you pointed out and as chronology is important, just because I even rarely look in my back mirror, certainly less than 50%.
All mentioned here above is all right with me, but anyway i don’t want to rely on WiFi/triangulation only by knowing there is separate GNSS receiver that can be and maybe should be used as standalone unit when executing 112 or 911 call. What I purely suggested in my relatively poor English is that for partial privacy myself, and maybe some others, want to have Teseo-LIV3F {(supporting one of two frequencies that are utilized; one at 1575.42 MHz (10.23 MHz × 154) and second at 1227.60 MHz (10.23 MHz × 120)}, only capable of locating my position just by having emergency telephone call (either 112 or 911) when help needed or just lost somewhere in the desert or wood, for example, but still way away from any neighboring town, like in the middle of nowhere. I posted some of my AML thoughts here as well:

Maybe I am pushing too far, but this might be another strong difference that may count with/for Librem 5, because if you just count on WiFi, without saying here that this is not important option as well (just not my preferred approach to privacy), location advantages as such, as known and common system within cities, someone might be lost forever, as I see this when someone calls because of serious distress situation. Here is very recent video how only Galileo GNSS location system may save someone life even without neighboring tower to execute here discussed emergency call (at the first place), and without WiFi network for sure:

Again, I am just saying loud my wish/idea in which direction some developers might move towards with usage of Teseo-LIV3F (and future dual-frequency TeseoAPP family) module on Linux and not saying this is reachable as I don’t know.

NOTE: United States: Info to be included soon.