Possible privacy enhancement?


#1

This will sound really paranoid, but it’s an idea I haven’t heard around reducing location tracking accuracy.

The Librem 5 can turn off wifi, GPS, and the cellular antenna/modem, but anytime you actually make a call or are in a location and want to be able to receive a call, you have to have the modem turned on. Thus, your location is fairly known to the carriers. As I understand it, their ability to identify your location depends on how many cellular towers are within range. Generally, if the phone only communicates with a single tower or is only within range of a single tower, all they know is that you are within the radius of the tower. They don’t have, or have limited, directional identification per tower.

So the idea… Is there any database/map of all cell towers? Is there any information on their elevation and strength like there is for radio/TV antennas? Couldn’t that cell tower data be put into an app and used so the user could identify where they are on a map and reduce the broadcast strength so the phone would only be within range of a single tower? I doubt this would be possible with an Android or iOS phone because the control over the components like the modem are not available to app developers. That’s not as true with the Librem5.

Even better would be if there is information on the frequencies of the various cell towers that would allow a user to define the tower they want to connect to at the exclusion of all others. Even if the information on the towers is not shared by the cell companies and/or government, isn’t that information something that could be crowdsourced? Wouldn’t it be ironic if someone wrote an application for Android/iOS that allowed millions of privacy-unaware folks to gather information for the more savvy, Librem5 users to improve their own privacy by reducing cellular-carrier location tracking?

By forcing the phone to only communicate with a single tower before turning on the modem, users could greatly reduce accuracy of any entity looking to track them.

Is this a feasible idea? Has it already been discussed/dismissed?

Thanks.


#2

Yes, although I don’t remember what it was called.

This depends on being able to control the modem accurately. We’re operating under the assumption that the modem is owned by the carrier and not the user, so there’s no guarantee that it would obey any user’s commands to reduce transmission power, or restrict the tower list.

Nevertheless, in order for a modem to use as little power as possible, the modem manufacturer is already incentivized to use as little transmission power as possible, so to connect to as few towers as necessary.


#3

Five basic geo location methods:

  1. IP based via databases, the usual way when you are browsing online
    – accuracy: a bit rough, usually town or area (see database link for variance percentages)
    – general technical countermeasure: as everything has an IP online, a VPN can be used to change location (but you always seem to be somewhere)
  2. cell tower databases, A: device provides data for app, or B: service provider sees who is connected
    – accuracy: rough estimate from single tower, area or city block (depending on elevation, signal strength, interference etc. which are different with countryside and city)
    – general technical countermeasure, A: either app is denied access to data or app is denied to send data forward to network (depends on usecase)
    – general technical countermeasure, B: kill connection without allowing possibility of remote commands (shutdown & remove battery or hardware kill switch)
  3. wifi-network databases and scanning [also BT], A: device provides data for app, or B: hotspot sees who is in the area broadcasting [connection not needed]
    – accuracy: short wifi range makes them more accurate, for one about a city block but a network can do “pinpoint”, and are used indoors to track
    – general technical countermeasure: disable wifi and bluetooth (kill switch is better but software switch too)
  4. cell tower triangulation, needs several towers/connections, A: device provides data for app, or B: service provider sees who is connected [to my understanding, not a preferred method as slowish and more controlled]
    – accuracy: depends on number of towers and interference, about city block or better
    – general technical countermeasure, A: either app is denied access to data or app is denied to send data forward to network (depends on usecase)
    – general technical countermeasure, B: kill connection without allowing possibility of remote commands (shutdown & remove battery or hardware kill switch)
  5. satellite positioning, GPS/GLONASS/Beidou/Galileo, device provides data for app
    – accuracy: depending on number of satellites and interference, about a city block or better when outside, but authorities and paying customers have better and civilian free use is getting more accurate and dependable (especially if positioning uses several constellations)
    – general technical countermeasure: either app is denied access to data or app is denied to send data forward to network (depends on usecase)

And 1: giving away your location via language selection (system, browser, app, etc.), timezone selection, tagging locations, posting pictures of identifiable locations, geo tagging images etc.

And 2: combination systems that use several sources (like A-GPS that uses cell tower info and GPS - probably also IP and wifi databases combined with a map [especially in the countryside] can be used to guesstimate location well to a road/route or building with just a couple of fuzzy datapoints) to make much more accurate positioning.

Rehash of general countermeasures to limit leaking location data:

  • deny apps the access to location/sensor data if not needed
  • deny apps access to network to send data if not needed
  • kill all connections (Wifi, BT - maybe even GSM) when you are not using them
  • use a VPN

[at this point I apologize for TL post about comparing all positioning challenges that veered away from the original]

… sooo, although I like the idea, full tower data for @erich’s more extended idea does not seem to be available (only the open collected databases), is not fully updated regularly and some of those measurements are not precise and can change frequently (weather for instance). Maybe there is a commercial db? If the “one tower policy” could work… wouldn’t it kill the basic functionality of user roaming/moving, as it wouldn’t be able to make sure connection is not lost and change tower?


#4

Even if this worked perfectly, as soon as you moved enough distance to hand off from one tower to the next your location both before and after handoff becomes much easier to estimate because the handoff could only happen in so many places at so many speeds. Add this to dcz pointing out that there’s already incentive to be at as low of power as possible and I’m not sure how much effort makes sense down this rabbit hole.

Neat thought though.


#5

This depends on being able to control the modem accurately. We’re operating under the assumption that the modem is owned by the carrier and not the user, so there’s no guarantee that it would obey any user’s commands to reduce transmission power, or restrict the tower list.

I’m confused. I thought the modem was part of the phone and we (via Pure OS) do control it.

The power savings makes sense though. I suppose the only option then would be to restrict connection to a single tower (which would only work for that area).


#6

Given that it includes a blob (all modems do) and runs probably its own OS it isn’t trustworthy. That’s e.g. why there is a separate GPS chip on the L5 despite the modem having one.


#7

OK, I have a stupid question (perhaps I am showing my ignorance here)

If a phone can transmit and receive…what is the cell tower for? I mean, If you are in range of the other person or perhaps even in range of somebody who is in range of somebody, then can’t you just make a call? And if you make that call can’t you use an overseas frequency to do it?


#8

The modem is a black box, in that we cannot audit or fully predict its behaviour. Apart from not sending it data and removing power, there are no guarantees on what it does. In the worst case, it can completely ignore a command from PureOS, or do things unasked.


#9

That’s a good point. The limitations come from the protocols (some of the physical, data, network layers), which have been designed this way. Kind of like WiFi, if we didn’t have Ad-Hoc mode (which is already quite useless), or like HTTP is client-server even though the TCP it’s built on is perfectly capable of peer-to-peer communication.


#10

Not a stupid question (topic is interesting), it’s just a bit “big” and to answer fully (or better than on a forum) is about a few study credits worth of network basics. It’s a combination of several different technologies. But let’s see…

On the first part of that question: Mobile phone device is a transmitter, like any handheld radio. It can only transmit so far, so to make the network reach further (as well as more manageable, but more on that later) a cell tower acts as an entrypoint to “everywhere”. A cell tower takes the signal, that is used to transmit datapackets the voice call or anything else has been turned into in the phone, and transfers those packets further via fibre-optic cables (usually). This is good, this is fast. It’s packets because you get a lot more data moved that way in a signal and otherwise there would need to be a constant (analog) line open to the other end. If you have a lot of them, it takes resources - so, reserving one of the few frequencies (there are limited number usable) just for one is a bad idea for the network. Anyway, the packets come out at another tower and are transmitted to a phone.

Since there are a lot of phones and they are constantly moving, a system is needed to keep track who is around which tower and whose network (roaming, at some other country for instance) and of course, as the service is not free, how much this costs to everyone. Phone companies usually frown at an idea that someone would skip their service and talk to each other directly (face-to-face or direct connected - like analog radios do). But to simplify a lot, for the GSM network to function (calls to connect and functionality to be controlled), centralized control is needed - or that’s how it was designed back then.

This is for civilians and GSM type tech, thought up in the 80’s, when usecases and networks were limited. Then came different technologies however, like TETRA-networks, which are used by many authorities around the world. It’s basically a combination of a digital handheld radio and a GSM-phone, and the system is designed so that you normally use it even in radio mode via tower. But it does have the option for direct radio communication from one handheld to another. It’s not perfect (tech is from the 90’s) but it’s relatively secure and controllable - not much data transfer capability (yet) though.

So, this type kinda exists, but it’s not something the GSM network tech was built for. And to change/update it now is a huuuge task. Kinda like adding 5G. That being said, 5G does have some features that resemble more direct connectivity (haven’t looked at those too closely yet though) and I think I remember some special feature phones that had an additional radio built in for direct transmission (only to a similar device) - additional, because it couldn’t use the same modem, signal and antenna as GSM/phone. Very much like the TETRA-devices.

Edit: If you only want “talk to many” kind of behaviour from GSM phone, there is a feature called POC or iPPT - I remember this feature was in some phones around early 2000’s but did not catch on. Still alive though.

"… and for next week, read about OSI-model of networks, there will be a quiz…"

BTW. the wikipedia article isn’t a bad starting point for more info, if interested.


#11

That’s OK, as long as they know that I am frowning just as hard!

But seriously, In my severely ignorant state the problem would seem to break down like this:
Step 1: use GPS to determine location
Step 2: use database to determine unused local frequency
Step 3: determine if phone number is in range.
Step 4: do whatever unfathomable thing a tower does.


#12

Frequencies (this may vary in other countries) are not quite free to use. Governments regulate them. There is a lot happening in the airwaves and they frown even more when someone does something unlicensed and non-standard, because it’s very easy to cause problems to others. Just recently some houses near an airport got visited by our version of the airspace authority as the cheap TV-signal enhancers they were sold were causing some airplane nav equipment interference in some situations unintentionally (cold weather, condensed water, circuit not designed for it). There are a plethora of different equipment coming and going from different areas, so it’s not possible to be certain if any freq is unused. There are several bands that are reserved for different uses (specific standardized equipment and systems with specific design and limits - like GSM) and you could look up some emptiness there, but usually those are left blank intentionally, so as not to cause interference or to be sold/rented for ridiculous amounts of money.

Then, the “is the number in range” happens with the cell towers and the operator’s systems. That’s what they are designed for. The “unfathomable” part also includes some securing of the connection, so a direct connection would not take that easily. Unless you get Stingray tech and create your own false tower. Not very convenient to carry or cheap… and if you could do that, you wouldn’t be asking this here, you’d be listening to other users and overthrowing regimes.

If it’s just you and your friend (or a limited amount of them, only frequenting a certain area) I’ve got good news: digital walkie-talkies exist and you can use those to communicate without towers (there are even repeater stations to enlarge the area - those would be off the net as well, but you’d be creating your own tower network). Expensive models even have encryption. I know radio enthusiasts have developed ways to send TCP packets via these radios, so data can be transferred too (a bit slowly). But, unfortunately, they are not compatible with GSM-networks (voice or wireless data - although there are switching systems to connect anything to anything if you have the servers and money) and I haven’t seen any with linux or any “smart” OS in them.

(Edit to add: one more related tech is to have your own private network - your own cell tower or few, that you keep offline. Not cheap but for a limited area. Some businesses get these for themselves. You can use normal “smart” phones and roam between normal networks.)

What @dcz said about Wifi and ad hoc stands. There are apps that are “wifi-walkie-talkies”. I suppose you could use those similarly to your idea. Range is limited, but no need to try to use the GSM towers. It’s been a while, but I haven’t seen one that’s worked well or seen any made for linux. Also, if an app is used, the implementation could be with mesh networks, but that is another thing.


#13

In addition to the comments that have already been made …

  • Yes there is such a database but the answer depends on the country in question. Which country were you assuming?

  • If the database is not the official database, who is keeping it up to date? Is it up to date?

  • As others have said, Purism doesn’t control the functionality within the modem. Maybe one day but …

  • It may not actually be possible to reduce the broadcast strength so that the phone is only within range of a single tower. For example, you may be close enough to equidistant.

  • Choice of tower is not solely a function of distance. Other factors include variation in local topography, local obstacles (e.g. buildings), reflections.

  • Handoff may not necessarily occur at the earliest available opportunity, which I think is an assumption of your idea. (There are algorithms for this.) Handoff does however have to be seamless (if you are on a voice call at the time). In the process of doing the handoff, you couldn’t really avoid violating the assumption of only communicating with one tower.

  • Carriers do typically have directional identification, because the use of sectors on the tower increases the total available capacity.

  • While your specific idea may not have been discussed before in this forum, there are some similar discussions and one such discussion also raised the idea of ‘hidden’, receive-only towers (really devices) - which effectively triangulate you even if you never know about the device or never communicate with it. So to some extent you should view the use of the mobile phone network as an unavoidable “here I am!”. (Note that this is different from the fake-tower Stingray devices.)


#14

BTW saw this on another thread and got me really stoked about the future:

Leaving the mobile networks behind is a conceivable and likely idea.


LoRa mesh networks
#15

Some decades ago I had to study little bit of 3GPP specs.

Fun topic :slight_smile: - because now I get to try to memorize why this idea does NOT work.

Modem:
Modem needs to function according to the 3GPP specification. Otherwise operators might not accept that mobile into their networks.
One example of bad behavior was the iPhone 2, 3 and 4(?). Especially in Asian networks those phones did not work well. They did not follow 3GPP specifications and went into a state/channel where they did not listen to Radio Base Stations anymore and no calls were possible to make or receive. European network manufacturers did loads of tricks and hacks to get them back into the network after the iPhone managed to disappear itself from the network. Modem needs to follow the specification to work properly.

Operators and networks optimization - Follow the money
Operators care about ROI. It is really expensive to put up a Radio Base Station and operate it. Hence operators want to put up as few of them as possible and cover as large an area as possible.
Problem is that in the city area there are big buildings so you have to use directional antennas (around 120 degree beam or less) to cover streets and blind spots. You cannot use a 360 degree antenna in the cities. 360 degree antennas are used mostly in the countryside where there are few structures to block the signal. Also the bandwidth of a radio channel is limited so one cannot use them in the city as those can handle only a “limited” number of users.

Best practice of network optimization is to have as few handover places as possible. If you have a phone which is covered by 2 base stations it will take radio capacity and transport bandwidth resources from both of them. It gets even worse if one is connected to 3 or 4 or 5 cell towers. Staying connected to 2 or more will cost money.
!So basically operators already want one to be connected only to one cell!

Mobile Phone - triangulation
Phone’s modem listens to all surrounding base station cell signals - in a similar way as your laptop listens to different Wifi networks.
Phone basically monitors all the cells it can hear and reports them back to the base station. So even when you are connected to one cell it will report back all those weak signals also and thereby triangulation can be made.
It is actually the network which makes the decision to add a new active cell or remove an active cell which your phone is connected to.

You would need to manipulate the modem behavior in a way that it only reports the cell you are connected to.
And in practice it does not help because cell sizes in the city are so small that you can be found. In the countryside you are probably connected to one large cell and the phone cannot hear another anyway.

Uplink power
Base station controls your phone’s uplink power dynamically according to all the users in that cell. This is because it tries to minimize the power all the mobiles are using and it tries to hear each and every single one of them. Downlink power is something around 10-100? Watts. Uplink power is calculated in milliwatts. You cannot control uplink power by yourself.

So if you do manipulate your uplink power:
- Too little uplink power and you lose your uplink connection because the base station cannot hear you anymore and at some point you most likely won’t be able to make or receive phone calls. Phone indicator bar will show full coverage because it shows downlink power and quality.
- If too much power: your phone becomes a jammer (and does not act according to the 3GPP specification) which will interfere with all the traffic (=users) in this cell and will cause attention and at some point someone will start investigating why.

Summary:

  • Operators want you to be connected to one cell because money
  • Base station controls your uplink power dynamically according to all the users in that cell
  • If you manipulate your uplink power:
    • Too little uplink power -> won’t be able to make or receive phone calls
    • If too much power: your phone becomes a radio jammer -> someone at some point will start investigating why.
  • manipulating list of monitored cells is pretty much pointless

#16

Your understanding is not quite correct: the carrier actually does not track you via multiple towers (generally), and the reason for this is simple: doing this would cost them resources and they have no interest in doing so.

The only reason the carrier has to know the handsets location is to save resources by only broadcasting in the serving cell.

That would be pointless, as only the active (serving) cell measures your power.
Instead what the network does is simply to ask the handset which towers it can see, to which the handset (modem) will reply.
Thus it is not at all relevant which transmit power the handset uses, as only the transmit power of the network cells is used for location.

No, it is not a feasible idea, as you have no control over what the modem does, which is as true for the Librem as it is for any other phone.

Even if someone would build an open modem where it could be implemented that it does not report neighbor cells to the network (which seems highly unlikely), it would likely quickly be blacklisted by all networks because of its impact on service quality.
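The mechanism described in #15 and #16 (the handset’s own neighbour-cell measurement report is what the network locates you with, and uplink power plays no part in it), together with the single-tower “only a radius” premise from #1 and the tower-triangulation entry in #3, as an added worked example. This is not code from the thread, from Purism or from PureOS; the tower coordinates, the log-distance path-loss constants and the handset positions are all constructed for illustration. Real RSRP is noisy and real cells are sectorised, so a network’s estimate is coarser than the exact fix this idealised, noise-free model produces.

```python
"""Toy model of network-side positioning from a handset measurement report.

Added example, not code from the forum thread or from Purism/PureOS.
All towers, radio constants and handset positions below are constructed.
"""
import math

# Assumed log-distance path-loss model: PL(d) = PL0 + 10*n*log10(d / 1 m).
TX_POWER_DBM = 43.0        # assumed downlink power per cell (~20 W)
PL0_DB = 40.0              # assumed loss at the 1 m reference distance
PATH_LOSS_EXPONENT = 3.2   # assumed dense-urban exponent
MIN_RSRP_DBM = -110.0      # assumed threshold below which a cell is not heard

# Constructed tower coordinates in metres on a flat local grid.
URBAN_TOWERS = {
    "cell-A": (0.0, 0.0),
    "cell-B": (900.0, 120.0),
    "cell-C": (350.0, 800.0),
    "cell-D": (-500.0, 600.0),
}
RURAL_TOWERS = {"cell-R": (0.0, 0.0)}   # one large cell, nothing else in earshot


def rsrp_at(handset, tower):
    """Downlink received power (dBm) at the handset from one tower."""
    d = max(math.dist(handset, tower), 1.0)
    return TX_POWER_DBM - (PL0_DB + 10 * PATH_LOSS_EXPONENT * math.log10(d))


def measurement_report(handset, towers, uplink_power_dbm=23.0):
    """What the handset sends back: RSRP of every cell it can hear.

    uplink_power_dbm is accepted only to make the point from #16 explicit:
    the report is built from downlink measurements, so the value never enters.
    """
    heard = {}
    for name, pos in towers.items():
        rsrp = rsrp_at(handset, pos)
        if rsrp >= MIN_RSRP_DBM:
            heard[name] = rsrp
    return heard


def distance_from_rsrp(rsrp):
    """Invert the path-loss model: RSRP (dBm) -> range (metres)."""
    return 10 ** ((TX_POWER_DBM - PL0_DB - rsrp) / (10 * PATH_LOSS_EXPONENT))


def coarse_area(report, towers):
    """Single-cell case from #1: only 'somewhere on a ring of this radius
    around the strongest cell' can be said."""
    serving = max(report, key=report.get)
    return serving, distance_from_rsrp(report[serving])


def locate(report, towers, iterations=50):
    """Gauss-Newton least-squares fix from ranges to three or more heard cells.

    Returns None with fewer than three cells: two ranges leave two candidate
    points and a single range leaves a whole ring.
    """
    if len(report) < 3:
        return None
    ranges = {n: distance_from_rsrp(r) for n, r in report.items()}
    x = sum(towers[n][0] for n in ranges) / len(ranges)   # start at centroid
    y = sum(towers[n][1] for n in ranges) / len(ranges)
    for _ in range(iterations):
        a11 = a12 = a22 = b1 = b2 = 0.0          # J^T J and J^T r of a 2x2 system
        for name, rng in ranges.items():
            tx, ty = towers[name]
            dx, dy = x - tx, y - ty
            d = math.hypot(dx, dy) or 1e-6
            residual = rng - d                     # measured minus modelled range
            jx, jy = -dx / d, -dy / d              # d(residual)/dx, d(residual)/dy
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 += jx * residual
            b2 += jy * residual
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break
        step_x = (a22 * b1 - a12 * b2) / det
        step_y = (a11 * b2 - a12 * b1) / det
        x, y = x - step_x, y - step_y
        if math.hypot(step_x, step_y) < 1e-3:
            break
    return x, y


if __name__ == "__main__":
    city = (300.0, 250.0)                       # constructed true position
    rep = measurement_report(city, URBAN_TOWERS)
    print("city report:", {k: round(v, 1) for k, v in rep.items()})
    print("city fix   :", locate(rep, URBAN_TOWERS))
    # Turning the uplink down changes nothing the network uses to locate you.
    print("same report at 0 dBm uplink:",
          rep == measurement_report(city, URBAN_TOWERS, uplink_power_dbm=0.0))
    field = (2000.0, 1000.0)
    rep = measurement_report(field, RURAL_TOWERS)
    print("rural fix  :", locate(rep, RURAL_TOWERS), coarse_area(rep, RURAL_TOWERS))
```

In the city case all four cells are heard and the fix lands on the true position even though the handset is “connected” to only one of them; in the rural case only one cell is heard, so the network is back to the radius around the tower that #1 describes. Nothing in `locate` reads the uplink power, which is the point both #15 and #16 make.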


#17

and that is why when you decide to flip the cellular kill-switch in the ON position you are on your own (or rather the option to TRUST the network is the ONLY one PERMITTED by the carrier)

are there any open-hardware based encrypted-by-default walkie-talkie ? less than 8km range at low signal is sub-optimal imo …


#18

There are better radio forums to dive into that topic, but you might want to include frequency hopping feature too. Handhelds don’t have power to transmit more than a few km on flat land (and buildings etc. can cut that), but it’s much more about elevation: either get a long antenna or get on top of a hill.