MobileActive.org

Mobile Surveillance Basics

Mobiles can be useful tools for collecting, planning, coordinating and recording activities of NGO staff and activists. But did you know that whenever your phone is on, your location is known to the network operator? Or that each phone and SIM card transmits a unique identifying code, which, unless you are very careful about how you acquire the phone and SIM, can be traced uniquely to you?

With cameras, GPS, mobile Internet come ever more dangerous surveillance possibilities, allowing an observer, once they have succeeded in gaining control of the phone, to turn it into a sophisticated recording device. However, even a simple phone can be tracked whenever it is on the network, and calls and text messages are far from private. Where surveillance is undertaken in collusion with the network operator, both the content of the communication and the identities of the parties involved is able to be discovered, sometimes even retrospectively. It is also possible to surreptitiously install software on phones on the network, potentially gaining access to any records stored on the phone.

This is understandably disquieting to activists involved in sensitive work.

Obviously, the most secure way to use a phone is not to use one at all. Even so, most organisations, even if they understand the risks involved, find that phones are too useful to discard completely. The best approach then becomes one of harm reduction: identifying and understanding the risks involved, and taking appropriate steps to limit exposure. In this article, we try to identify these risks, and to offer some suggestions for securing your mobile communications.

Information transmitted by phones on the network

For every phone currently on the network (receiving a signal, regardless of whether the phone has been used to call or send messages) the network operator has the following information:

• The IMEI number – a number that uniquely identifies the phone hardware

• The IMSI number – a number that uniquely identifies the SIM card

• The TMSI number, a temporary number that is re-assigned regularly according to location or coverage changes but can be tracked by commercially available eavesdropping systems

• The network cell in which the phone is currently located. Cells can cover any area from a few meters to several kilometers, with much smaller cells in urban areas and even small cells in buildings that use a repeater aerial to improve signal indoors.

• The location of the subscriber within that cell, determined by triangulating the signal from nearby masts. Again, location accuracy depends on the size of the cell - the more masts in the area, the more accurate the positioning.

In addition, phones in most American and Canadian states are designed to broadcast their position on the so-called E911 service for emergency use. The service uses signal triangulation as well as the phone's built-in GPS (if available), and is enabled by default for all new phones. In fact, the E911 service may track the phone even when it appears to be switched off. Although this is unlikely, there is nothing to stop the phone software simulating being powered down while in fact remaining on the network. To be sure your phone is actually offline, you need to removed the battery or use a signal-blocking bag - more on this later.

Of course, location determination services like E911 do place a restriction on who can access location information for a particular phone. For E911, emergency services are automatically granted access, but in law enforcement agencies need to obtain a court order to track a phone. In theory, third parties can only access location information with the permission of the owner of the phone, but mechanisms for granting such permission are often simplistic - replying to a tracking opt-in SMS from a target's unattended phone can be enough allow you to track them continuously. Essentially, you need to decide whether you trust your network operator to keep your location information secret. If not, leave the phone at home, take the battery out, or read on for tips on how you can use a phone anonymously to avoid its location being linked to your identity.

Information stored on the phone

All mobile phones have a small amount of storage space on the SIM card. This is used to store:

• Your phone book - contact names and telephone number
• Your call history - who you called, who called you, and what time the call was placed
• SMS you have sent or received
• Data from any applications you use, such as a calendar or to-do list
• Photos you have taken using the phone camera, if available. Most phones store the time the photo was taken, and may also include location information.

For phones that allow web browsing, you should also consider how much of your browsing history is stored on the phone. Also, does your browser store passwords for sites you have accessed from the phone? Emails are a further potential danger should an attacker obtain access to the SIM card or phone memory.

Like the hard drive in a computer, the SIM memory of your mobile phone keeps data ever saved on it until it is full, when old data gets written over. This means that even deleted SMS, call records and contacts can potentially be recovered from the SIM.  (There is a free application to do this using a smartcard reader). The same applies to phones that have additional memory, either built into the phone or using a memory card. As a rule, the more storage a phone has, the longer deleted items will be retrievable.

Can SMS be intercepted?

Standard SMS are sent in plain text, include location, phone and SIM card identifiers, and are visible to the network operator. Interception by third parties without the assistance of the operator is less likely, but over the last few years there have been various loopholes related to phone cloning that have allowed more than one phone to register to the same number and receive SMS sent to that number. So, even though some networks assure that SMS are not stored beyond the time needed to deliver them (and many make no such guarantees), it is worth thinking about who might be able to access messages during that time.

According to a recent paper discussing the role of SMS as a carrier for political jokes in China, the Chinese government has an established SMS monitoring programme:

"As deviant ideas spread rapidly through SMS, the government started to establish mechanisms to monitor and censor textual messages, with 2,800 SMS surveillance centers around the country. In June 2004, a Chinese firm, Venus Info Tech Ltd., announced that it had received the Ministry of Public Security's first permit to sell a real-time content monitoring and filtering system for SMS. The system uses the Chinese Academy of Science's tests of information content as the basis of its filtering algorithm, which covers a wide range of "politically sensitive" combination of characters."

In addition to searching for keywords in message content, monitoring systems may also flag messages based on suspicion attached to the sender or receiver. Plain text SMS should not be considered secure, particularly when it is possible that the sender or receiver of the message may have been identified for surveillance.

Can mobile calls be eavesdropped?

The idea of someone 'listening in' to sensitive phone calls is a familiar legacy of the era of analogue phone systems. Eavesdropping in digital systems is technically complicated, although entirely possible using commercially-available equipment. However, a much simpler way to listen in to phone call is to capture the conversation on the phone, and transmit a recording to the eavesdropper. This can be done with small software applications surreptitiously installed, or with a bugging device attached to the phone.

It has also emerged that the network operator is able to remotely activate a phone as a recording device, independent of calls or SMS or even of whether the phone is switched on. This report from wombles.org.uk confirms that remote surveillance functionality is available on US networks.

Essentially, network operators have always been able to send undetectable control messages to phones on the network. This capability exists to allow operators to update software stored on the SIM card, but could also be used to transform the phone into a tracking device, or to access messages or contact information stored on the SIM card. Once surveillance is being conducted with the co-operation of the network operator, there is very little that can be done to prevent this.

Mobile Viruses, spyware and keyloggers

Modern high-end phones are essentially scaled-down PCs, with the processing power, memory and connectivity to run all kinds of applications - including malicious ones. Thankfully, mobile viruses are still rare, and affect mostly high-end phones. However, security experts predict that malicious mobile applications will become increasingly common. This includes not only viruses, but also mobile spyware and keyloggers, which could secretly spy on your mobile activities to glean passwords and other sensitive data.

To protect yourself, consider buying a very simple phone, perhaps even one that does not allow third party applications to be installed. If you do need to use a smartphone, install only trusted applications - many viruses masquerade as a useful little application, but wreak havoc when installed (or worse, compomise the data stored on your phone). Bluetooth in particular has proven a popular way for mobile viruses to spread, and should be turned off when not in use. You could also consider installing antivirus software on your phone. Most of the major antivirus vendors, including Norton, Kapersky and F-Secure have recently brought out mobile security products.

Aggregate data can be dangerous too

So far, surveillance has been discussed in terms of individuals. But with sophisticated network analysis software, it is also possible to detect patterns from large quantities of cellular network data - call records, messaging records, message content - potentially leading to the identification of dissident groups. An ICT4Peace post quotes Daniel Soar in the London Review of Books describing how this might work:

"[..] companies like ThorpeGlen (and VASTech and Kommlabs and Aqsacom) sell systems that carry out ‘passive probing’, analysing vast quantities of communications data to detect subjects of potential interest to security services, thereby doing their expensive legwork for them. ThorpeGlen’s VP of sales and marketing showed off one of these tools in a ‘Webinar’ broadcast to the ISS community on 13 May. He used as an example the data from ‘a mobile network we have access to’ – since he chose not to obscure the numbers we know it’s Indonesia-based – and explained that calls from the entire network of 50 million subscribers had been processed, over a period of two weeks, to produce a database of eight billion or so ‘events’. Everyone on a network, he said, is part of a group; most groups talk to other groups, creating a spider’s web of interactions.

Tools and precautions

First, you need to decide what risks are unacceptable. Is your main concern being identified as the sender or receiver of calls and messages, or is there sensitive information stored on your phone that you need to protect? You may also require encryption for your SMS messages, or for emails sent from the phone.

We've published some general suggestions on phone security for nonprofits before. To recap:

• Use a pre-paid SIM card
• Buy a SIM card just for the specific project and dispose of it afterwards.
• Make it routine to delete the information on your phone. Check the settings on the phone to see if can be set to not store call logs and outgoing SMS.
• If your conversation is sensitive, don’t discuss it on the phone and consider taking the battery out of any phones in your vicinity.
• Consider turning the phone off at certain times in your journey. Move the phone to places that it can be established you are not at so that all activity on the phone is not linked to you.
• If you suspect that messages are monitored use agreed innocuous words in your message

Avoiding being identified by your phone

If you are particularly worried about being identified as the owner of a specific phone or SIM card (remember, both have a unique identifier that is transmitted when the phone is on the network) you need to be careful not be be identified when buying or using the phone. FreeB.E.A.G.L.E.S has some suggestions for safe purchasing of phone and credit, and we've added some to their list.

• Make your purchase in a shop away from where you live so that the seller is unable to identify you, so consider the trail you leave and don't use a credit card or a traceable email address.
• Avoid places that are likely to have CCTV - town centres, malls and larger chain stores are obvious examples
• Do not giving your real details if asked. Many shop do ask for your details, but not proof of ID. Check whether you have a legal obligation to provide any details at all.
• Get the simplest phone you need, avoiding extra features unless necessary. For calls and SMS only, get a bottom of the range phone. If you want to use additional encryption software though, consider a Java-enabled phone, which is able to run encryption software provided by third parties.
• Do not buy a phone in a deal that locks you into a contract with a particular operator. Always ask for the phone on pay-as-you-go, even if this is much more expensive.
• Do not register the phone – in many countries there is no legal obligation to do so (though some countries require SIM registration or track identification when you buy a SIM card)
• Buy top-up vouchers to load credit onto the phone. When buying the vouchers, follow the same rules as for buying the phone: avoid CCTV, pay cash, don't give out your details. Do not buy a top-up card, if available - this allows all the topups to be traced to a single user.

In addition, it's a good idea to change the SIM card and phone regularly. Also, recognise that the location of each call or message you send or receive is know, as is the phone and SIM card involved. If your location gives away your identity (for example, if you call or message from your home or place of work, or are captured on CCTV making or receiving a call, or sending or receiving a message) then you should dispose of the phone and SIM card you have used and start again with a new phone and SIM.

Preventing location tracking

If your phone is receiving a signal, your location is known to the network operator. This information can be used to track you in real time. If an observer is tracking one or several people over a period of time, it could also be analysed to identify meeting places or regular routes. If your location is sensitive, you should avoid using a phone at all - Wombles.org.uk suggests taking the battery out during sensitive meetings, as well as while travelling there and back. You could also try making a signal blocking bag for you phone out of three layers of foil, which should prevent the phone from registering on the network.

The E911 service in the US is a particularly powerful location tracking system. While all phones sold in the US must be E911 enabled, some models allow the service to be turned of (here] is an incomplete list). You may also be able to find information on the Internet for specific models - try searching for 'E911' and the phone's make and model.

Finally, remember that your phone may still be registering on the network when it is switched off - 'off' is in fact only a software mode. Location tracking, as well as the E911 service, can potentially be activated on a phone that is switched off. To be sure, take the battery out or use a signal blocking bag. You should also make sure your phone cannot be linked to your identity by following the advice above, taking particular care to change your SIM card and handset often.

Preventing bugging

Bugging of a phone undertaken, especially if undertaken with the cooperation with the network operator may be very difficult to detect, especially if software is installed on the phone using the command mode. The same general advice applies - change both your handset and SIM card often, and consider using a new, 'clean' phone and SIM for sensitive operations. Recognize that all the information stored on your SIM or in phone memory can be remotely accessed by the network operator, or by a third party if they have managed to install bugging software on your phone. Do not store sensitive contacts, and consider using encrypted SMS, MMS and email messages both to prevent unauthorised viewing of messages in transit, and to stop saved messages from being readable should someone gain access to the information stored on your phone or SIM.

SMS Encryption applications for Java-enabled phones

Most phones available today (excepting some very basic models) allow users to download and install Java applications written by third parties. In general, you should avoid installing anything additional on a phone that is used for sensitive communications. The one exception to this may be encryption applications, which allow for securely encrypted communication once installed on the phone of both sender and receiver. SMS encryption applications allow short encrypted messages to be sent and received, using either a standard SMS (which is charged as normal but is scrambled so as to be indecipherable in the records of the network operator) or a data service such as GPRS as the message bearer.

Most SMS encryption applications work by asking the sender to choose a password (or 'key') which is used to encrypt the message. The sender discloses the password to the desired recipient, who then be uses it to decrypt the message. The obvious weakness in this system is that anyone who manages to acquire the password (perhaps by eavesdropping on the conversation in which it is disclosed) is able to decrypt the message. A more secure form of encryption, called public key encryption, uses two keys, uniquely identifying the sender and receiver. You can read more about this type of encryption on this wikipedia page.

There are many commercially developed SMS encryption applications, but some offer a free trial version. There is also an open source SMS encryption application, CryptoSMS, which carries no license fees. The advantage of using an open source application is that all source code is freely available, and can be scrutinised for security flaws. In commercial proprietary applications, the source code is not made available, potentially allowing malicious code to be included undetected.

This isn't a full review of SMS encryption applications but here are some Java-based encryption applications that you could look into:

• CryptoSMS offers public key encryption and, as an Open Source application, does not require the purchase of a license. It does not anonymise the message sender and receiver of the encrypted message.

• SMS 007 is a commercial application that uses password encryption, but has the added advantage of anonymising the sender and receiver of encrypted messages by creating its own encrypted contacts list. It can be bought online for around €35.

• Kryptext is another commercial product, available online at £5.99 per month for up to 10 licences according to the product webpage. It uses password encryption, but does not advertise additional features such as contact list encryption.

Although it does not advertise encryption, Feedelix is a Java SMS application that allows users with the FeedelSMS software installed on GPRS and Java phones to send cheap text messages. It has versions for Hindi and Ethiopic. It supports bulk messaging and does not use the network's SMS service, making it useful for information dissemination in situations were this may have been disabled.

Applications for Smartphones (Symbian and Windows Mobile)

Smartphones, many of which use the Windows Mobile or Symbian operating systems, have more memory, more processing power, better peripheral devices such as cameras and more connectivity options. Many can run scaled-down mobile versions of PC communication applications, such as email, Voice-over-IP (VOIP) calling and instant messaging (IM). But, given that more sophisticated phones inevitably offer more sophisticated surveillance possibilities, which of the applications can be used safely to communicate sensitive information?

Email, VOIP and instant messaging applications for mobile phones could all be designed to provide secure communication. Several applications already claim to do this, including Skype, the popular VOIP and instant messaging system. Skype is peer-to-peer, making it harder to intercept communication as there is no central server. It also uses several layers of encryption. The weakness of the system is that it is closed source and proprietary, meaning that no-one is allowed to review the source code of the Skype client for potential security vulnerabilities. More worrying is the discovery of surveillance code in a Chinese skype client, which logged the content of messages containing specific keywords, presumably for use by Chinese authorities. This kind of vulnerability (called a 'backdoor') could be built into any closed-source application, even one that promises secure communication. Open source software solves this problem, but as far as we can tell there are no mature open source mobile VOIP or IM applications that also offer encryption. This is definitely something to look out for, but for now both are probably best avoided for sensitive work.

Mobile email can be encrypted either by using a peer-to-peer system that requires generation and sharing of a key or keys, as described for SMS encryption, or by making use of an encrypted email service where this is managed on a central server. In the first case, the responsibility for key generation and sharing of keys is entirely with the sender and receiver of the message, involving no third party. In the second, a third party email encryption service handles part of the process, for example, key management or storage of encrypted messages on a secure server. Hushmail is one email encryption services that has released a mobile client. As demonstrated by a case not long ago involving the service, however, it is important to remember that encryption services are still subject to the laws of the country in which they are based. This means that they could be forced to hand over information to law enforcement. As with VOIP and IM, you should also consider whether you are willing to trust the proprietary email clients are not inadvertently or secretly passing on information through a software backdoor.

Managing your own email encryption, for example by using an OpenPGP or S/MIME capable email client, avoids reliance on any third party. This can be technically challenging, but if you do have expertise and/or time to try things out, a peer-to-peer email encryption system can be a good way to communicate securely from a sophisticated phone. All the same, given the benefits of changing your handset regularly and the high cost of smartphones, it is worth considering whether the few secure communication options available are not better executed from a basic, low-spec PC.

Conclusion

This article has highlighted some of the potential surveillance risks posed by the use of mobiles, particularly for activists working in sensitive areas or under hostile regimes. It is the nature of mobile cellular systems that the network operator knows the approximate location of all phones currently on the network, as well as maintaining extensive call and messaging records. Once this information is available, there is always a risk of it falling into the wrong hands. However, taking basic precautions about the phone you choose and how you use it can help to reduce your risk of surveillance, and encryption applications can make the phone an effective tool for secure communication.