Meet the ‘Keyzer Soze’ of Global Phone-Tracking

[Eugen Leitl]

http://www.wired.com/dangerroom/2011/07/global-phone-tracking/all/1/

Meet the bKeyzer Sozeb of Global Phone-Tracking

By Spencer Ackerman July 18, 2011  | 7:00 am  | 

Categories: Crime and Homeland Security


Chances are youbve never heard of TruePosition. If youbre an AT&T or T-Mobile
customer, though, TruePosition may have heard of you. When youbre in danger,
the company can tell the cops where you are, all without you knowing. And
now, itbs starting to let governments around the world in on the search.

The Pennsylvania company, a holding of the Liberty Media giant that owns
Sirius XM and the Atlanta Braves, provides location technology to those
soon-to-be-merged carriers, so police, firefighters and medics can know where
youbre at in an emergency. In the U.S., it locates over 60 million 911 calls
annually. But very quietly, over the last four years, TruePosition has moved
into the homeland security business b worldwide.

Around the world, TruePosition markets something it calls blocation
intelligence,b or LOCINT, to intelligence and law enforcement agencies. As a
homeland security tool, itbs enticing. Imagine an binvisible barrier around
sensitive sites like critical infrastructure,b such as oil refineries or
power plants, TruePositionbs director of marketing, Brian Varano, tells
Danger Room. The barrier contains a list of known phones belonging to people
who work there, allowing them to pass freely through the covered radius. bIf
any phone enters that is not on the authorized list, [authorities] are
immediately notified.b

TruePosition calls that bgeofencing.b As a company white paper explains, its
location tech bcollects, analyzes, stores and displays real-time and
historical wireless events and locations of targeted mobile users.b

bThe capability of doing mass tracking is possible.b

It can also work other ways: pinging authorities when a phone used by a
suspected terrorist or criminal enters an airport terminal, bus station or
other potential target. And it works just as well in monitoring the locations
of phones the suspectbs phone calls b and who they call and text, and so on.

For the past four years, TruePosition has quietly taken that tracking
technology global. In the U.S., Varano says, TruePosition sells to mobile
carriers b though itbs cagey about whether the U.S. government uses its
products. But abroad, it sells to governments, which it wonbt name. Ever
since it came out with LOCINT in 2008, he says, bMinistries of Defense and
Interior from around the world began beating down our door.b

Thatbs got some surveillance experts and mobile activists worried. Keeping
suspected terrorists away from nuclear power plants and discovering their
networks of contacts is well and good. But in the hands of foreign
governments b not all of whom respect human rights b TruePosition tech can
just as easily identify and monitor networks of dissidents.

For a company that can do so much to find out where a mobile user is, few
outside of the surveillance industry know much about TruePosition. Thatbs a
deliberate strategy on the companybs part, to keep a blow profile from jump,b
Varano says. It grants few interviews b a little-noticed Fox News story from
2009 is a rare exception b and discloses little about its foreign clients.
Several surveillance experts contacted for this story were unfamiliar with
the company.

The result, says Christopher Soghoian, a graduate fellow at Indiana
Universitybs Center for Applied Cybersecurity Research, is to make
TruePosition the most important global geolocation company youbve never heard
of. bItbs like that line about Keyser Soze from The Usual Suspects b the
greatest trick the devil ever pulled was convincing the world he didnbt
exist,b Soghoian says. bTheybve done the same thing. Staying entirely below
the radar.b

Except TruePosition is hardly satanic. Its bEnhanced 911,b or bE-911,b
services save lives. In one case the company cites, a corrections officer in
Ohiobs Hamilton County was abducted by a recent parolee and stuffed into the
trunk of his car. Her family had no idea where she was. But because her
cellphone was turned on and her carrier used TruePositionbs location tech,
police were able to locate the phone along a Kentucky highway. They set up a
roadblock, freed the officer and arrested her captor.

Herebs how it works. TruePositionbs location tool, known as Uplink Time
Difference of Arrival or U-TDOA, calculates the time it takes a signal
travelling from a mobile device to reach sensitive receivers installed in the
transceiver station of a cell tower. (The receiver itself is said to resemble
a pizza box.) Determining the difference in time it takes for the signal to
reach receivers in different towers, determined by servers called Wireless
Location Processors, calculates the phonebs location. The company says it has
receivers installed in about 75,000 cell towers around the country.

Notice that the location tech here has nothing to do with GPS. Itbs
network-based, rather than dependent on a GPS receiver inside a handset. Itbs
not reliant on any line of sight to a satellite. Thatbs a point of pride
within TruePosition. GPS has accuracy and precision woes in dense urban areas
and the indoors. Or inside the trunk of a car.

For the better part of the decade, TruePosition has had contracts to provide
E-911 services with AT&T (signed originally with Cingular in 2001, which AT&T
acquired) and T-Mobile (2003). As more and more 911 calls came from mobile
phones b by definition not linked to a fixed address b the Federal
Communications Commission required wireless providers provide precise
location data to emergency call centers. The accuracy requirements for E-911
top out at 300 meters. TruePosition says U-TDOA is accurate to within 50
meters. (The FCC met on Monday to consider changing the standard b the
reason, Varano says, he granted me an interview.) bWe can figure out which
phone disappeared at the time of the detonation. We can find the triggerman.b

But TruePosition soon saw a growth market in a field where U-TDOA had
relevance: the expanding, globalized field of homeland security. bIt really
was recession-proof,b Varano explains, bbecause in many parts of the world,
the defense and security budgets have either maintained where they were or
increased by a large percentage.b

That realization led the company to explore U-TDOAbs potential for as a
security tool, as itbs the rare terrorist or criminal who doesnbt have a
mobile device. LOCINT was born in October 2008. Imagine, a LOCINT primer on
TruePositionbs website explains, bAn explosion destroys an oil refinery b
who, exactly, was inside the facility prior to the explosion?b If theybve got
a mobile device, U-TDOA-enabled geofences can answer the question.

Or consider the value that U-TDOA could have for finding networks that build
and detonate homemade bombs. If the bomb is detonated with a cellphone b as
Iraqbs bombs were, before jamming tech neutralized them b bwe can go back
into the cellular network and figure out which phone disappeared at the time
of the detonation,b Varano says. bWe find which phone called that phone b
thatbs our triggerman. Then we find which phones they called b the initial
suspects. If they held onto that phone, webd be able to see who that phone
contacted.b And where they are now, in real time.

This isnbt something TruePosition does itself. It had nothing to do with the
blocation-gateb scandals that plagued Apple and Google earlier this year,
when both companies conceded they collected and stored geodata from iPhone
and Android phone customers. All the company does is enable a geolocation
security system for its clients to use. How they use it is up to them b and
the relevant laws of the countries that employ it.

But geofences might be legally problematic inside the United States. Law
enforcement canbt just set up blanket location surveillance of mobile phones
around a particular area; courts have to sanction surveillance around
specific phones. The fences, however, would approve specific authorized
phones; but any unauthorized phone that enters the fence triggers an alert.

bIt would be hard for the companybs tool to distinguish the terrorist from
the tourist,b says Greg Nojeim, a senior counsel with the Center for
Democracy and Technology in Washington.

And what if the governments using TruePositionbs gear arenbt so scrupulous
about following laws, or respecting the civil liberties of their citizens? In
the U.S., even after the Patriot Act and the FISA Amendments Act, law
enforcement and intelligence agencies still donbt have unfettered abilities
to turn a cellphone into a homing device, or to trace a web of connections
between callers or SMS recipients. If, say, Syriabs Bashar Assad had
TruePositionbs technology, could he use it to determine whobs participating
in anti-government protests?

bCorrect,b Varano says, bif it was deployed in that region.b He adds,
however, bwebve never run into anything like that.b

Varano wonbt specify which governments use TruePositionbs LOCINT tools. bI
have to be nebulous about where itbs actually being deployed,b he says. That
includes inside the United States. bWe do not disclose who is currently using
TruePosition LOCINT,b Varano says, but adds, bU.S. government [agencies] have
not bought anything from us, and donbt write a check to us.b But, he says,
the companybs various outposts (London, Dubai, Miami) pitch LOCINT solutions
to countries from Europe to the Middle East to Latin America to the
Carribean.

And if some repressive governments are in that mix, TruePositionbs position
is that what they do with LOCINT is on them.

bWebre providing this tool to governments and itbs the governmentsb onus to
adhere to laws on its use,b Varano says. In western countries, he says,
warrants, court orders and other safeguards prevent LOCINT abuse. But
surveillance works differently elsewhere: bItbs not being used like that in
the U.S. or western societies, but in other parts of the world, the
capability of doing mass tracking is possible.b bIt would be hard for
TruePositionbs tool to distinguish the terrorist from the tourist.b

Thatbs what worries advocates for foreign dissidents. bThis seems to be
integrated a little bit deeper and the operator is fully complicit in the
situation. It makes it more difficult for activists, for sure,b says Nathan
Freitas of the Guardian Project, which designs anonymity tools for mobile
users. bVodaphone Egypt would only go so far to violate the rights of the
Egyptian people b it shut the network down, but beyond that, they donbt have
a fire hose out of a data center. U-TDOA could be a firehose-type product.b
Again, Varano says the companybs never encountered such a situation.

An FBI spokesman, Christopher Allen, was unfamiliar with TruePosition, and
invited Danger Room to file out a Freedom of Information Act request.
Department of Homeland Security officials didnbt respond to repeated requests
for comment. AT&T didnbt respond to an inquiry. T-Mobile USAbs director of
external communications, Hernan Daguerre, confirmed the companybs
relationship with TruePosition but wouldnbt comment beyond saying, bWebll
continue to monitor and evaluate advances in all E-911 location solutions to
ensure the safety of our customers.b

Federal contractor databases donbt show any contracts between TruePosition
and government agencies, with the exception of a 2006 deal with the General
Services Administration (cancelled in 2009) for computer services that
appears never to have been actualized. Varano, initially unfamiliar with the
contract, explains, bWe originally signed up to be part of the GSA in 2006,
but nothing ever came from it.b Joining the GSA Schedule is what allows
companies to compete for federal contracts.

Varano didnbt directly answer whether TruePosition intends to seek U.S.
government contracts or is content to peddle LOCINT abroad while remaining an
e-911 company at home.

At home, the courts are currently deciding whether geolocation tracking by
law enforcement requires a warrant, and therebs legislation moving on Capitol
Hill to settle the question in the affirmative. Should U.S. homeland security
or intelligence officials make use of TruePositionbs LOCINT, they may have to
go through a judge first.

But for this global geolocation company, the worldwide interest is piling up.

bWe do go to a lot of defense and security trade shows,b Varano says. bOnce
people hear about the capabilities b they know cellphones are being used by
bad guys doing bad things b their eyes widen and jaws drop. Typically, the
deals grow in terms of the geographical area they wanna cover and the number
of government agencies that want access to this type of intelligence.b

Photo: Flickr/al-Jazeera English; Flickr/Seattle Municipal Archives;
Flickr/William Hook