Security Team Discovers Threat Affecting 99% of Android Mobile Devices
Hellmann's Recipe Shopping Carts. A Good Program?

Geolocation Data. What They Know And Collect About You Via Your Mobile Devices

Most of us have mobile devices: smartphones and/or tablets. At May 2013, 91% of American adults have cell phones and 56% have smartphones. We all know that our telecommunications service providers collect data about our phone calls (e.g., inbound and outbound) and where we are (e.g., where our devices are) - and where our children are. What exactly is the data collected?

A couple sources highlight the scope and detail of the data collection; in particular the geolocation data, or where you are physically in the world. First, a report by Business Insider Intelligence documents the types of geolocation data collected in decreasing levels of precision:

  1. Fine GPS coordinates: the global positioning coordinates reported by your mobile device (even when your device is turned off). Only 19% of cell phone users have turned off the geolocation tracking features on their devices. When this data is not available, see items #2 through #5
  2. Cellular tower data: the cellular tower your mobile device communicates with. It's not as accurate, but companies and governments use it.
  3. WiFi hotspot: when you use your mobile device in WiFi mode, this location data is collected. By providing "free" WiFi hotspots, retailers can serve to you more and more precise mobile advertisements. (You didn't think that free WiFi hotspot was really free, did you?)
  4. IP address: the Internet address where you connect to the Internet
  5. User reported locations: when you "check in" at a social networking service and tell your friends (and effectively companies and the government) where you are. I have some friends on Facebook who seem to think it's cute to post status messages such as, "At Carl's bed" (name changed to protect an identity). Facebook already knows where you are since your mobile device probably blasted out your GPS coordinates.

Attached to that mobile location data is metadata about that location:

  • The unique identifier of your device(s) (e.g., UDID)
  • The date and time you arrived (or your device first pinged that cellular tower or WiFi server)
  • How long you stayed at that location
  • Any phone calls you made (or received) at that location (e.g., date, time, phone number, call duration) and the location the call ended (if different)
  • Any text messages you made (or received) at that location (e.g., date, time, phone number)
  • Any websites you visited while at that location
  • Any emails you received or sent at that location
  • Any video games or mobile apps you used at that location (assuming the apps communicate and send data to the developer, as most do)
  • Any videos or photos you recorded at that location (e.g., your device saves geo-location data automatically to the metadata with your videos/photos, unless you turn off that feature -- but, social networking websites can re-add this geolocation data often without notice)

Remember, many consumers use their personal mobile devices also for work (e.g., check business email), so the tracking and data collection are even more extensive than simply the collection of personal data.

This should help consumers better understand what companies, marketers, retailers, and the government know about you and your children's physical movements in the world, since most people keep their mobile device with them 24/7/365.

A second source are legal documents, often filed with warrant-less government tracking and/or class-action lawsuits. The American Civil Liberties Union (ACLU), the ACLU of Maryland, the Center for Democracy & Technology, the Electronic Frontier Foundation, and National Association of Criminal Defense Lawyers, filed an amicus brief about United States v. Graham. The amicus brief argued that the Fourth Amendment requires the government to get a warrant first. This case also illustrates both the staggering amount of geolocation data collected, and the data collection methods.

The amicus brief described the data collection methods:

"Most cell sites consist of three directional antennas that divide the cell site into sectors (usually of 120 degrees each). Service providers automatically retain sector information too, which reveals even more precise information about the user’s location. In addition to cell site and sector, some carriers also calculate and log the caller’s distance from the cell site... The availability of historical cell site location information and the length of time it is stored depends on the policies of individual wireless carriers. Sprint/Nextel stores data for 18–24 months; other carriers vary from one year of storage (T-Mobile) to indefinite retention... The precision of a user’s location revealed by the cell site identifier in the carrier’s records depends on the size of the sector. The coverage area for a cell site is reduced in areas with greater density of cell towers, with the greatest cell site density and thus smallest coverage areas in urban areas... the number of cell sites in the United States has more than doubled in the last decade, with 285,561 as of June 2012”

The industry refers this as cell site density. It refers to cell tower data collection as CSLI: Cell Site Location Information. So, as telecommunications providers install more cellular towers, they will be able to collect more precise geolocation data. Perhaps more importantly, your smartphone communicates differently than cell phones:

"... smartphone that communicates with the carrier’s network (and thus generates location data) every few minutes, or a traditional feature phone that communicates less frequently. Knowing periodic information about which cell sites a phone connects to over time can be used to interpolate the path the phone user traveled..."

In this lawsuit, local law enforcement had obtained without a warrant 221 days of the defendant's geolocation data. That's about 7.5 months of data. The privacy implications:

"Location surveillance, particularly over a long period of time, can reveal a great deal about a person. 'A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups—and not just one such fact about a person, but all such facts.' "

How does your mobile activity reveal so much detail. Keep reading:

"Mr. Graham’s data include 14,805 separate call records for which CSLI was logged, comprising 29,659 cell site location data points. (JA 2668–3224.) Mr. Jordan’s records reveal 14,208 calls for which location information was logged, comprising 28,410 cell site location data points. Mr. Graham and Mr. Jordan respectively placed or received an average of 67 and 73.8 calls per day for which location data was recorded and later obtained by the government... For example, Mr. Graham’s calls include location records from 167 towers and 369 separate sectors, and over the course of a typical day his records chart his movements between multiple sectors. On November 4, 2010, for example (a randomly selected day), he made and received 69 calls in 36 unique cell site sectors. Even more revealing, during one 38-hour period in October 2010, Mr. Graham made and received 209 calls (an average of 5.5 calls per hour) while located in 55 different cell site sectors. Even records of individual calls provide information about movement: 2,212 of his calls were initiated within one cell site sector and terminated in another, suggesting that he was not stationary during the call... during the period for which records were obtained Mr. Graham’s wife was pregnant, and he often accompanied her to appointments with her OB/GYN.25 Twenty-nine calls during business hours began or ended in the sector where the OB/GYN’s office is located, allowing the inference that they were at the doctor’s office at those times... By sorting the data for the first and last calls of each day, one can infer whether a person slept at home or elsewhere..."

Perhaps, more importantly the brief stated:

"The Supreme Court has made clear that when the government engages in prolonged location tracking, or when tracking reveals information about a private space that could not otherwise be observed, that tracking violates a reasonable expectation of privacy and therefore constitutes a search within the meaning of the Fourth Amendment. Acquisition of Defendants’ cell phone location information is a search for both of these reasons."

Given this, I take seriously geolocation surveillance and the resulting loss of privacy. I hope that you do, too. Basically, a government can't just walk away from the Fourth Amendment of the U.S. Constitution:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."


Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.