Wasn't Kevin Mitnick tracked down by triangulating the location of his cell phone? If the feds (or whoever) want to find someone's signal, it
Yes, but it was a very time-consuming manual process. *Any* radio signal can be located in this way. As a sport, radio hams have long conducted "fox hunts", aka "hidden transmitter hunts", where somebody hides with a transmitter and the rest try to find him. Mitnick was found with classic ham-style fox-hunting techniques. His level of activity was so high that he made it relatively easy. Nothing really can thwart this method, other than never using your phone. Its saving grace for our purposes is that it is so labor intensive that it cannot be done routinely.
If someone wanted to passively track everyone's position all the time, there would need to be at least two direction-sensitive cell towers
Almost. In CDMA, the mobile station locks its timing to the base station. This lets the base station easily measure the round trip time through the mobile and back and thereby the radial distance. With just one base station, you can locate the user to a circle around the base station.
Defeating this is what I had in mind yesterday when I talked about dithering the mobile timebase a la Selective Availability. Somebody then pointed out in private email that dithering wouldn't defeat a differential timing measurement made by two or more base stations. This is true, but these measurements are easily made only when the mobile is in soft handoff (talking to two base stations at once). In CDMA, as in other digital cellular systems, handoffs are "mobile assisted". That is, the base station relies on "pilot strength measurement" reports from the mobile as to which neighboring cells it can hear so handoffs can be set up. If you hack the phone software to lie about these measurements, you can keep handoffs from being set up. Your service quality will definitely suffer, especially in the border regions between adjacent cells, but you will make it much harder (but still not impossible) for them to locate you.
In analog, handoffs during calls are performed entirely by special scanners in each base station. The mobiles do not assist the process. Having only one receiver channel, they cannot look for adjacent base stations while in a call. CDMA receivers can do this because they have a "searcher" channel whose sole function is to look for pilot energy from any base station in range. While it would still be possible for CDMA base stations to cooperate as analog stations now do in locating an "uncooperative" mobile, this is not something that could be done routinely.
There are also near-far considerations because every cell transmits on the same forward channel and every mobile transmits on the same reverse channel, and tight power control is used on both links to minimize co-channel interference.

Phil
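
The timing argument in the message above, as an added numerical example that is not part of the original post: a timebase dither in the mobile shifts the range a single base station infers from round-trip delay, but cancels out of the arrival-time difference seen by two base stations. Assumptions: free-space propagation, flat 2-D geometry, base stations sharing a common clock, constructed coordinates, and hypothetical function names.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed 2-D geometry in metres (not from the original message).
BS_A = (0.0, 0.0)         # serving base station
BS_B = (4000.0, 0.0)      # neighbouring base station
MOBILE = (1200.0, 900.0)  # true position, 1500 m from BS_A

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def arrival_times(mobile, serving, stations, dither_s):
    """Arrival time of one reverse-link transmission at each station, on the
    shared base-station clock. The mobile locks to the serving station's
    forward signal (delayed by d/c) and adds dither_s before transmitting."""
    t_tx = dist(mobile, serving) / C + dither_s
    return [t_tx + dist(mobile, s) / C for s in stations]

def rtt_range(mobile, serving, dither_s):
    """Radial distance one station infers from the round-trip delay."""
    (t_rx,) = arrival_times(mobile, serving, [serving], dither_s)
    return C * t_rx / 2

def tdoa_range_difference(mobile, serving, other, dither_s):
    """d_serving - d_other as inferred from the arrival-time difference."""
    t_a, t_b = arrival_times(mobile, serving, [serving, other], dither_s)
    return C * (t_a - t_b)

def compare(dither_s):
    """Return (single-station range error, differential error) in metres."""
    rtt_err = rtt_range(MOBILE, BS_A, dither_s) - rtt_range(MOBILE, BS_A, 0.0)
    tdoa_err = (tdoa_range_difference(MOBILE, BS_A, BS_B, dither_s)
                - tdoa_range_difference(MOBILE, BS_A, BS_B, 0.0))
    return rtt_err, tdoa_err

if __name__ == "__main__":
    for dither_us in (0.0, 1.0, 5.0):
        rtt_err, tdoa_err = compare(dither_us * 1e-6)
        print(f"dither {dither_us:4.1f} us: RTT range error {rtt_err:8.1f} m, "
              f"differential error {tdoa_err:.6f} m")
```

Each microsecond of dither moves the single-station range estimate by about 150 m, while the two-station range difference is unchanged because both arrival times carry the same transmit offset.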