The NSA has published new warnings for military and intelligence personnel about the threats from location data that is captured constantly on modern cellphones (originally reported by the Wall Street Journal). While privacy advocates (including us at Purism) have long warned about these risks, having the NSA publish an official document on the subject helps demonstrate that cellphone tracking is a real privacy and security problem for everyone.
We have been thinking about the danger of location data on cellphones for a long time at Purism and have designed the Librem 5 from scratch specifically to address this risk. The NSA document describes and confirms a number of the threats I wrote about almost a year and a half ago when I introduced our “lockdown mode” feature on the Librem 5, a feature that disables all sensors on the Librem 5. In this post I’ll describe the threats the NSA presents in their document and how we address them with the Librem 5.
It seems the NSA understands the issues well enough. It seems the NSA understands that on Android and Apple phones, workarounds are only ever partial.
At the pointy end - where military and intelligence personnel operate - partial workarounds and known design weaknesses (or even lack-of-privacy by design) shouldn’t be acceptable.
The only irony is that the NSA is part of the problem. They may make the distinction between good tracking and bad tracking. I don’t.
I don’t agree. There is a proud history of government contracts for gold-plated equipment. Seriously, I think that at the really pointy end, you can justify spending that amount. If you can’t trust your phone, in that kind of scenario, then you shouldn’t have a phone at all.
However this was a relatively hypothetical digression for which I apologize. Whether the NSA buys Librem 5 phones or not, the NSA’s general warnings about the privacy and security risks in today’s world are valid.
All tracking is bad tracking unless there is probable cause to believe that a crime has been committed and as a result of the investigation of that specific crime, a judge issues a warrant to snoop on a specific suspect.
in the former Soviet bloc they would “issue warrants” based on whether they would deem a simple public conversation to be a threat to the current acting regime …
nowadays it’s mostly stalking vociferous orthodox priests at the church entrance …
i’ve read about one such case in a book but it seemed semi SF to my mind … how a three-letter security agent was undercover disguised as a homeless-person being the shadow of a priest for over 20 years … and when they talked he said “you better watch it - i can make you disappear anytime i want - i am still active !”
Just out of curiosity, there is a lot of talk about “on/off” solutions to this… challenge… to live with any networked devices and connected systems, but would it be technically possible to alter the location data given by the sensors? I mean, it’s good to have the option to be absolutely sure, but it would also be nice to have risk-mitigating options when you eventually do have to use networked services.
Adding noise or randomizing it a selected amount or some such - depending on user preference, if they want it to appear that they are always at home, in the same general area, same country, next continent or 4th planet or constantly moving. As it was discussed in the NSA paper, as well as here in other threads, there are several methods to get location data, at varying accuracies. Single data points can give a rough location but combining several sources can be used to pinpoint (which is often forgotten). But, forgetting that device and its displayed info can be compromised, could it be possible to manage the accuracy and related aspects of location info and what would that need?
Could this be a first for PureOS, as other mobile OSs haven’t had the possibility or incentive to do anything like this before, or are there enough reasons not to do this?
The main hardware that would be important here is the cellular modem and the way that it associates with towers naturally ends up meaning that cellular providers know where you are. This is by design because the cellular provider needs to know which tower to use to direct an incoming call to you, and if you are moving (like when driving in a car) it needs to know when to change the primary tower you are associated with, with a new one.
yes and this also raises concerns about signal-strength … there is a point at the middle of the distance between the two-towers that the RF radiation is at its maximum or it could happen if the signal is degraded due to some obstacles … this is probably controlled automatically by the proprietary firmware in the modem … but since we don’t see the code we don’t know what rules are set in order for it to keep the signal at a “preset-level” …
on another note the L5 battery is not that large … just 3600 mAh
in comparison if i can use a TASER that has a similar if not lower battery capacity to INCAPACITATE a living target … makes me highly suspicious about the power of a short burst of concentrated RF pulse … they say it’s not the size but how you use it that counts
That is true. The basic rule is, the network you are connected to is connected to you and knows something. What @reC suggested - altering signal strength of the modem - sounds like it could be used to cause some ambiguity there. But the cellphone system (and location info based on it) is probably too much of a challenge because its design requires a known connection.
But cell connection is only one culprit, so why should it be used as a reason not to also take into account the others: GPS/GNSS, wi-fi, BT and even gyroscope (movement)? Since we can kill cell modem in L5, we’d be in a unique and good position, where the location could be more controlled (since we have to use connections and services, at least occasionally, to actually use the device and some services). IP and network based location could be taken care of with VPNs. Metadata (language settings, used units etc.) and info given to services are given by the user. Which pretty much only leaves what the sensors tell - and the systems use to assign location - and that is the location data I was referring to.
Can those sensor outputs be made more user controlled, could location data actually be managed (as in: only give out my home country, show me at the gym when I’m out, jump my location around randomly in a 75km radius, increase error margin by 30%, add ghost signals from random hotspots, always show me moving etc.)? And there is a difference in not giving any location info (which seems impossible and sometimes blocks services) and giving false or less accurate info (which is for protection but also possibly enough for the service to work).
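An added illustration of two of the policies asked about in this thread, random displacement within a radius and reduced accuracy; it is not part of any post and is not Purism or PureOS code. It also measures why independently randomized reports are weak on their own: their average converges back on the true position, whereas a fixed grid cell returns the same answer every time. All function names are hypothetical and the coordinates are constructed sample values.

```python
import math
import random

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def jitter(lat, lon, radius_km, rng):
    """Policy 1: a fresh random point within radius_km of the true fix."""
    # sqrt() makes the point uniform over the disc's area, not clustered at the centre.
    d = radius_km * math.sqrt(rng.random()) / EARTH_RADIUS_KM
    bearing = rng.uniform(0, 2 * math.pi)
    p1, l1 = math.radians(lat), math.radians(lon)
    p2 = math.asin(math.sin(p1) * math.cos(d) + math.cos(p1) * math.sin(d) * math.cos(bearing))
    l2 = l1 + math.atan2(math.sin(bearing) * math.sin(d) * math.cos(p1),
                         math.cos(d) - math.sin(p1) * math.sin(p2))
    return math.degrees(p2), (math.degrees(l2) + 540) % 360 - 180

def snap_to_grid(lat, lon, cell_deg):
    """Policy 2: report the centre of a fixed grid cell, identical for every fix in it."""
    return ((math.floor(lat / cell_deg) + 0.5) * cell_deg,
            (math.floor(lon / cell_deg) + 0.5) * cell_deg)

def averaged_jitter_error_km(lat, lon, radius_km, n, seed=0):
    """Distance from the true fix to the mean of n independently jittered reports."""
    rng = random.Random(seed)
    pts = [jitter(lat, lon, radius_km, rng) for _ in range(n)]
    mean_lat = sum(p[0] for p in pts) / n
    mean_lon = sum(p[1] for p in pts) / n
    return haversine_km(lat, lon, mean_lat, mean_lon)

if __name__ == "__main__":
    home = (52.52, 13.40)  # constructed sample coordinates
    print("one jittered report:", jitter(*home, 75, random.Random(1)))
    print("error after averaging 2000 reports: %.2f km"
          % averaged_jitter_error_km(*home, 75, 2000))
    print("grid-snapped report:", snap_to_grid(*home, 0.5))
```

Grid snapping still reveals a change of cell when the device crosses a boundary, so the cell size sets the real accuracy that is given away.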