Tracking Protesters

2020-06-28

Just this week we learned of the company Mobilewalla collecting the location and device data of protesters and then using that information to determine their demographics, which were summarized in a slidedeck online (you can find it by digging in the links below, I did not want to share this myself). The way this surveillance works is by embedding tracking software inside phone applications. These do not have to be applications that stand out as obviously shady, but just your everyday applications: social networks, games, even presumably innocuous applications to turn on the flashlight. These applications are constantly monitoring everything on the device, regardless of whether you are actually running the application or not (they will sit in the background). The end goal is to then sell this information to a combination of government, data brokers and advertisers.

The reality is that phones give you away the moment they attempt to connect to a cell tower, no application needed. The IMSI is an identifier that uniquely identifies your SIM card, and this ID is exchanged with cell towers when connecting to them. This information is typically augmented with the person's location, which can be estimated from the cell communication itself -- no GPS needed -- and in the past has been sold by cell providers like T-Mobile, AT&T and Sprint. Mainstream phones like iPhones and Androids do not have kill switches and do nothing to protect you in this respect.

Cell protocols -- which as far as I see it, are flawed by design -- allow eavedroppers to do a number of things. The eavesdroppers are usually the police, and the things they do are:

Police do this using cell site simulators (CSS) like Stingrays. These are expensive devices that are typically mounted inside a normal-looking van, which you then drive around the city to do all of the things mentioned above.

When the police is not able to anticipate a situation and are working on a case retroactively, they will typically knock on Google's and others' doors with a warrant asking for the list of all devices (people) at a particular time and place. But being at a particular time and place is no evidence of a crime, it is only evidence that you were at the crime site at the time of the crime, and this has led to wrongful arrests in the past (there is a shooting, somebody happened to just be walking by, they get arrested). And to my knowledge, there is little to no accountability when these wrongful arrests are made; nobody is keeping score of how often these technologies help fight crime and how often they result in wrongdoing.

It does not take much effort to realize why all of this protester surveillance is undesirable: it undermines people's freedom, and more specifically, their consitutional right to free and peaceful assembly. Some will argue that it does not matter if the person is doing nothing wrong. But it does matter: the knowledge of being watched leads to self-censorship. This happens all the time when publishing books, for example, or even when keeping up a blog or making simple comments on social media. If people know they are being watched, they subconsciously censor themselves to blend in. This is, essentially, an assault on their freedom of speech. If the protesters hesitate to express themselves out of fear of retaliation, we have already lost.

So, while police running around with Stingrays may be warranted in certain situations and provided there is accountability, the mass surveillance run by corporations on people's phones without people's knowledge and consent and for the insidious and simple goal of making profit through advertising to me is loathsome and a major source of disturbance, especially when their servers are later hacked and the information leaked with no further implications for the company. And the worst part of it all is the sheer ignorance and disrespect for society with which corporations do this:

"Datta said Mobilewalla didn’t prepare the report for law enforcement or a public agency, but rather to satisfy its own employees' curiosity about what its vast trove of unregulated data could reveal about the demonstrators. [...] “It’s hard to tell you a specific reason as to why we did this,” Datta said"

References & Further Reading

BuzzFeed News / Almost 17,000 Protesters Had No Idea A Tech Company Was Tracing Their Location

Edward Snowden: How Your Cell Phone Spies on You

EFF / Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks

Phoenix New Times / Avondale Man Sues After Google Data Leads to Wrongful Arrest for Murder

Reclaim The Net / Phoenix man sues when Google data causes wrongful arrest in murder case

USA Today / Verizon, AT&T, T-Mobile, Sprint face $200 million in fines from FCC for sharing user data

Vice / I Gave a Bounty Hunter $300. Then He Located Our Phone