Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure

I found a report from Citizen Lab that caught my interest, so I figured it was worth sharing it with the Purism community considering its themes’ relevance.

Here is an introductory quote I reformatted which summarizes it:

I have not gotten around to fully reading the entire report, but after doing so I will join in the discussion in this thread, if any.

1 Like

Definitely looks relevant. Unfortunately at 40 pages, I don’t have time right now.

While your local authorities may themselves like to exploit these kinds of weaknesses, hopefully they are also paying attention that it is exploited by, sometimes hostile, foreign authorities.

At least on the Librem 5 you can use the kill switch to suppress tracking of any intermediate locations (i.e. intermediate between the times when you “choose” to “broadcast” your location).

I downloaded the PDF copy as that is more convenient for future reading.

1 Like

This report has been far more eye-opening than expected, and immensely dense. It will require me multiple days to simplify it into written actionable steps for everyone to benefit and protect themselves, so while I continue to formulate this in the background, here are some important quotes worthy of discussion and my immediate interest:

  • Part 1


  • Part 5

My interests in this report are centered towards creating anti-surveillance and anti-censorship solutions broken down into manageable steps.


Looking forward to further comments Frankly.

1 Like

And if you are in a country where human rights protections are fairly SUCI :slight_smile: … whether the government in that country allows telecommunications operators to take advantage of available security features.

1 Like

My current line of thinking is that I should make an entirely separate thread to address all of these issues within the report. It makes more sense to write up a practical guide, similar to the EFF’s Surveillance Self-Defense, but more effective than their proposed solutions. It will take many weeks to complete.

In the meantime, this thread can be used for discussion for any of the points in the report, for those who value it. My current focus is defeating cell-site simulators/IMSI catchers, but I am also fine discussing anything else relating to street-level surveillance.

Well I started writing the guide, and it will probably not take as long as I thought because I am going to omit explaining all of the technical details and jargon behind it, in favour of focusing on actionable steps against mobile geolocation surveillance. Anyone interested can simply read the report on their own time and do further research on their own if desired.

I will mention that Figure 7 of the report had additional redactions on November 8th, 2023, but it can be easily reverted using the Wayback Machine, either by using the initial report, or this “direct” image link.


Awesome, thanks dude.

1 Like

After some serious deliberation, I have decided to not finish this guide, as mobile geolocation surveillance is not part of my threat model, among other reasons, so writing about it is not relevant to me. However, I have done some work already, so I will share it in a spoiler below:

Guide (Unfinished)

This thread is a guide addressing mobile geolocation surveillance, and is based on this 40-page report from Citizen Lab in this thread. Thus, it will be significantly consensed and comparatively accessible for the reader, at the expense of explaining technical details and jargon. For convenience, I have defined a clear threat model.


  • Mobile geolocation surveillance (surreptitious and/or unlawful)


  • Behaviours
  • Demographic details
  • Social communities
  • Shopping habits
  • Sleeping patterns
  • Travel history
  • Where you live and work


  • Foreign intelligence agencies
  • Law enforcement
  • Private intelligence firms
  • Security services


  • Varies depending on which actor(s)

(e)SIM cards are provisioned a few globally unique values to enables roaming services:

  • ICCID (global)
  • IMSI/SUPI (domestic)
  • MSISDN (phone number)

The IMSI can be exposed by locating its Cell ID or an IMSI catcher within close physical proximity. Metadata surrounding the MSISDN, including the IMSI, can be exposed with an HLR lookup service.

When using roaming services, malicious signaling messages from actors/adversaries connected to the IP Exchange can be directed towards the device with the effect of exposing its geolocation.

I will add a few important practices off the top of my head for those who are concerned about mobile geolocation surveillance:

  • Do not roam on other networks.
  • Before travelling, prepare your Librem 5 with the appropriate modem and associated SIM card for the destination country.
    • Keep the cellular hardware kill switch on to prevent malicious signaling messaging attacks against them until you arrive at the destination country.
  • After travelling, switch back to the original modem and SIM card.

Reading the report was enlightening/fascinating, but I was being too altruistic writing up a guide that does not affect me, instead of focusing on something that does.

Also, I am confident that IMSI catchers can be jammed or at least overwhelmed with a stronger signal, but I have not thoroughly explored that subject enough.