What kind of data is your cell phone company collecting? Malte Spitz wasn’t too worried when he asked his operator in Germany to share information stored about him. Multiple unanswered requests and a lawsuit later, Spitz received 35,830 lines of code — a detailed, nearly minute-by-minute account of half a year of his life.
Malte Spitz asked his cell phone carrier what it knew about him–and mapped what he found out.
More at Reddit.
If you think your iPhone is secure because you locked your phone with a passcode, don’t be so sure. Law enforcement is using a program called XRY, developed by Micro Systemation, to jailbreak passcoded iPhones and Android devices.
XRY works by first jailbreaking the handset. According to Micro Systemation, no ‘backdoors’ created by Apple are used, but instead it makes use of security flaws in the operating system the same way that regular jailbreakers do.
Once the iPhone has been jailbroken, the tool then goes on to ‘brute-force’ the passcode, trying every possible four digit combination until the correct password has been found. Given the limited number of possible combinations for a four-digit passcode — 10,000, ranging from 0000 to 9999 — this doesn’t take long.
Once the handset has been jailbroken and the passcode guessed, all the data on the handset, including call logs, messages, contacts, GPS data and even keystrokes, can be accessed and examined.
“One of the morals is to use an eight-digit passcode.”
The eight digit code with letters only would take a few days to crack. This is significant if the person who has your device only has access for a few minutes. If they, somehow, have permanent possession, then it doesn’t matter how long it takes to crack. Your phone will be hacked.
The fact is, cell phones are no longer just devices used to make telephone calls. They are computers and one would be wise to take the necessary precautions to ensure the phone’s security by keeping it out of the hands of an attacker.
In the past few years, police departments have become obsessed with the ability to warrantlessly track cell phones. Cell phone companies have also been complicit in helping police departments with data dumps at set prices. All that is needed is for the police to ask for the information. The ACLU has obtained documents detailing how widespread the surveillance is and how they are trying to silence officers from talking about it.
The documents were revealed by an ambitious ACLU project to use open-records laws to obtain a deeper understanding of police department practices with regard to cell phone surveillance around the country. ACLU affiliates submitted information requests to dozens of law enforcement agencies; while many refused to provide documents, the ACLU was able to assemble more than 5,500 pages of documents from numerous state and local agencies.
The documents paint a picture of a surveillance free-for-all.
Cato Institute privacy researcher (and Ars Technica alum) Julian Sanchez wrote on Monday that, until he read these documents, he had been aware of only one instance in which “tower dumps” had been used in an investigation. But the fact that all the major wireless companies have standard list prices for the service suggests that it has become a relatively routine investigative technique.
It’s not clear if the “activity” disclosed in a “tower dump” is limited to phone calls placed through that tower or whether it includes all phones that merely came within range of the tower during the requested time period. Either way, the practice raises serious constitutional issues.
A Nevada manual, for instance, states that cell phone tracing without a warrant “is only authorized for life-threatening emergencies!!” while others (such as those in Iowa) say to simply keep the matter hush-hush and out of police reports, whether it is warrantless or not.
The legal standards used for cell phone tracking requests vary widely by police department. Some law enforcement agencies do not track cell phones, or have concluded that the Fourth Amendment requires them to obtain a warrant in order to track user locations. But many more reported obtaining location information with a simple subpoena—which is available without meeting the Fourth Amendment’s “probable cause” standard. The ACLU says that “a number of law enforcement agencies report relying on cell phone providers to tell them what legal process is necessary to obtain location records.”
A New York Times report on the documents says that many departments keep their use of cell phone tracking capabilities secret, fearing the backlash that could be generated if the public learned how often they are used. For example, a document published by the Iowa City police department admonishes police officers not to “mention to the public or media the use of cell phone technology or equipment used to locate the targeted subject.” Officers are advised not to include “details of the methods and equipment used to locate the subject” in police reports.
The police are public servants. While it is not necessary to provide complete details as to their methods of tracking cell phone information, they should not be hiding the fact that they are, indeed, doing it.
The documents the ACLU obtained are quite telling.
Some specific examples from the internal documents include Gilbert, Arizona, which spent $244,000 on its own tracking equipment; Ogden, Utah, where the Sheriff’s Department leaves it up to the cell carrier to collect information on a cell phone; California, where state prosecutors suggested that local police get carriers to duplicate a phone and download the text messages when it is turned off, and certain cities in states like Nevada and North Carolina have managed to get carriers to track cell phone signals back to cell towers in non-emergency situations in an effort to determine which callers are using a specific tower.
“Some jurisdictions were forthcoming about the fact that they don’t seek warrants to track cell phone location,” said the ACLU. “Take for example, police in Lincoln, Neb., who obtain even GPS location data (which is more precise than cell tower location information) without demonstrating probable cause. Or police in Wilson County, N.C. who obtain historical cell tracking data where it is “relevant” to an ongoing investigation — a standard lower than probable cause.
Weber County, Utah, for example, informed us that “Each provider has a different system for authorizing police use of location information and we comply with whatever that cell phone provider requests.” I don’t know about you, but I don’t trust my cell phone provider to insist on a probable cause warrant — and with good reason: the cell phone companies’ manuals we received indicate that they don’t always demand a warrant.”
In many instances, the police and cell phone companies rely on the old adage of “think of the children.”
Some police departments have said that cell phone tracking is very valuable because it aids in finding a child that has been kidnapped or murder cases. However, the ACLU is concerned that the use of cell phone tracking has the potential to be abused, especially when police act without court consent. For instance, a Supreme Court ruling this past January found that a GPS device used on the car of a drug suspect violated Fourth Amendment rights. The ACLU worries that cell phone tracking could fall under that same violation against unreasonable searches.
While not all police departments are tracking in this manner, the fact that many are should be of concern. Individuals should also be worried that cell phone companies are so ready to give away their personal details with so much ease.
Some police departments have taken obtaining the data even further by erecting their own fake towers.
The stingray, made by Harris Wireless Products Group of Melbourne, Fla., lets users set up what amounts to a fake cellphone tower and trick all phones nearby into connecting with it. That data can then be used to track the physical location of anyone nearby carrying a powered-on cellphone — even if the citizen isn’t on a phone call. A stingray can also register other data, such as the phone numbers dialed by all phones while connected to it. The device reportedly cannot record or intercept the content of a phone call, so it does not act like a wiretap.
“I think when law enforcement starts purchasing technology that allows them to track cellphones in that manner, it raises a whole host of questions about how that technology is being used that are even more serious when they track people through carriers,” Crump said. “At least when a carrier is involved, there’s a third party that may raise concerns if the request is of questionable legality. But when a law enforcement agency can do its own surveillance, that raises even more serious questions about whether there is appropriate oversight.”
No one in the ACLU report stated it used the Stingray and it appears as if the Gilbert, Arizona police department is the only one currently using the technology.
Still, privacy researcher Chris Soghoian – who has written extensively on law enforcement use of cellphone technology for surveillance – said police use of the stingray device is among the most troubling privacy developments in years. Some phone companies allow police officers to use a website to download customers’ GPS location data easily, “from the comfort of their own desks,” he said, and charge as little as $5 for the information. With phone company record access that easy and inexpensive, there’s no need for stingray, he argued.
“The real issue is that this device is about allowing police to perform surveillance when the phone company would say no,” said Soghoian, who is Graduate Fellow at the Center for Applied Cybersecurity Research at Indiana University. “This is not about saving time and money … it’s about the fact that there’s no one to insist that the law be followed when a stingray is used.”
With little oversight, there’s no telling how far the police will push the constitutionality of monitoring cell phone data. It will, ultimately, take a lawsuit to rein in police powers because, historically, they have never erred on the side of caution. One thing we do know is that, if a law can be bent or stretched to the benefit of law enforcement, they will use it to the detriment of citizens’ rights.