1
00:00:00,165 --> 00:00:13,330
music
2
00:00:13,330 --> 00:00:22,570
Herald: so the NSA is spying, and was
spying, and we had Snowden, we have a lot
3
00:00:22,570 --> 00:00:31,669
of documents to look at, and there is some
new research on how they used geolocation
4
00:00:31,669 --> 00:00:38,570
methods in mobile networks. It is done by
the University of Hamburg and we have here
5
00:00:38,570 --> 00:00:46,890
Erik who will present this research to you
and he has done this for the German
6
00:00:46,890 --> 00:00:52,080
government and for the NSA
Untersuchungsausschuss which we call "NS
7
00:00:52,080 --> 00:01:03,160
Aua", which means "NS Ouch", kind of. He
is a PhD student and holds a master's in
8
00:01:03,160 --> 00:01:06,430
physics so give him a warm applause
9
00:01:06,450 --> 00:01:14,710
applause
10
00:01:16,470 --> 00:01:18,280
Herald: And for those coming later please
11
00:01:18,280 --> 00:01:22,550
go to your seats and try to be quiet. Yep,
thank you.
12
00:01:22,550 --> 00:01:26,340
Erik Sy: Hello. I'm really happy to have
13
00:01:26,340 --> 00:01:32,030
you all here and I welcome you to my talk
about geolocation methods in mobile
14
00:01:32,030 --> 00:01:39,680
networks. My name is Eric Sy and I'm a PhD
student at the University of Hamburg. So,
15
00:01:39,680 --> 00:01:47,229
at the beginning I want to point out why
I'm giving this talk. So the German
16
00:01:47,229 --> 00:01:53,299
parliamentary investigative committee
wanted to find out about the German
17
00:01:53,299 --> 00:01:59,909
involvement in US drone strikes and then
the German government officials claimed
18
00:01:59,909 --> 00:02:05,729
that they do not know anything or they do
not know any possibility how to use a
19
00:02:05,729 --> 00:02:11,120
phone number for targeting drone strikes
and the investigative committee did not
20
00:02:11,120 --> 00:02:15,850
really believe this statement and so they
asked our research group at the University
21
00:02:15,850 --> 00:02:26,250
of Hamburg to prepare a report and we
handed in that report to the Bundestag and
22
00:02:26,250 --> 00:02:31,070
it was very soon after what's also
published by netzpolitik.org
23
00:02:31,070 --> 00:02:32,570
thank you for that
24
00:02:33,800 --> 00:02:39,080
Applause
25
00:02:39,080 --> 00:02:45,519
E: And it contains like technical
methods and approximates the accuracy to
26
00:02:45,519 --> 00:02:51,739
localise mobile phones and it also points
out which technical identifiers are
27
00:02:51,739 --> 00:03:01,530
required to conduct such geolocation. Now
I give you my agenda for today. First I
28
00:03:01,530 --> 00:03:05,769
will speak about the purpose of
geolocation data and then we are looking
29
00:03:05,769 --> 00:03:11,900
into a broad variety of different
approaches to conduct such a geolocation
30
00:03:11,900 --> 00:03:19,269
in mobile networks, and then we specify on
drones and look into the technical methods
31
00:03:19,269 --> 00:03:26,260
which can be conducted with drones, and
and then I'm going to point out which
32
00:03:26,260 --> 00:03:34,930
technical identifiers we can use for such
a geolocation. And lastly I'm going to sum
33
00:03:34,930 --> 00:03:42,900
up. So, the purpose of geolocation data:
it is a neutral technology, so we can use
34
00:03:42,900 --> 00:03:49,080
it for rescue missions, for example if
somebody got lost in the forest or in the
35
00:03:49,080 --> 00:03:53,940
mountains, we can use geolocation data to
find that person and rescue the person.
36
00:03:53,940 --> 00:04:03,129
Or, if you ever used Google Traffic, there
you you can profit from monitoring traffic
37
00:04:03,129 --> 00:04:12,269
conditions. But we can also use it to
invade the privacy of persons, for example
38
00:04:12,269 --> 00:04:16,519
if we identify people on surveillance
footage, or if
39
00:04:16,519 --> 00:04:23,960
we track the location of a certain
individual over a longer period, and
40
00:04:23,960 --> 00:04:32,160
certainly we can use this data for
targeting drone strikes. However I want to
41
00:04:32,160 --> 00:04:41,190
point out that this data, that they are
not suitable to prove the identity of a
42
00:04:41,190 --> 00:04:46,740
person. So if somebody is conducting a
drone strike based on this data, then he
43
00:04:46,740 --> 00:04:54,180
is actually not knowing who he is going to
kill. So, on the right side you see an
44
00:04:54,180 --> 00:04:59,360
image of an explosion site from a Hellfire
missile. A Hellfire missile is usually
45
00:04:59,360 --> 00:05:06,280
used by these drones and you can
approximate that the blast radius is
46
00:05:06,280 --> 00:05:14,340
around 20 meters. So we would consider a
targeted drone strike if we have a
47
00:05:14,340 --> 00:05:21,970
geolocation method which can determine the
position of a person more precise than 20
48
00:05:21,970 --> 00:05:29,820
meters in radius. So, the first approach
which I want to present are time
49
00:05:29,820 --> 00:05:36,280
measurements and the symbol which you will
see down there it's a base station, for
50
00:05:36,280 --> 00:05:43,449
for the next couple of slides. And a base
station... this is the point in a mobile
51
00:05:43,449 --> 00:05:50,759
network where your phone connects to. On
the slides you can certainly interchange
52
00:05:50,759 --> 00:05:57,569
this base station with an IMSI-catcher.
IMSI-catcher is something like a fake base
53
00:05:57,569 --> 00:06:04,861
station from a third party and you could
even build it yourself. So, the method
54
00:06:04,861 --> 00:06:11,880
used to calculate the position of a phone
is for time measurements trilateration.
55
00:06:11,880 --> 00:06:19,020
You have to know that that signal is
usually traveling with the speed of light,
56
00:06:19,020 --> 00:06:25,160
so when you measure the time you can also
measure the distance. And here there are
57
00:06:25,160 --> 00:06:33,800
three methods presented. There are "Time
of Arrival", where the signal moves from
58
00:06:33,800 --> 00:06:42,120
the hand phone to the three base stations
and the accuracy is between 50 and 200
59
00:06:42,120 --> 00:06:47,690
meters. This really depends on the cell
size and they can be more precise or less
60
00:06:47,690 --> 00:06:55,240
precise. So, then we have "Time Difference
of Arrival," which is like a round-trip
61
00:06:55,240 --> 00:07:02,699
measurement, and we have an "Enhanced
Observed Time Difference," where the
62
00:07:02,699 --> 00:07:09,759
mobile phone actually computes the
location within the cell, and the accuracy
63
00:07:09,759 --> 00:07:17,930
is between 50 to 125 meters.
So, and the next method which I want to
64
00:07:17,930 --> 00:07:25,030
present are angular measurements. When you
conduct angular measurements, then you
65
00:07:25,030 --> 00:07:30,410
determine the direction of arrival from
the signal and afterwards you do a
66
00:07:30,410 --> 00:07:35,930
calculation which is called triangulation
and therefore you have to know the
67
00:07:35,930 --> 00:07:42,280
position of the base station, but also the
alignment of your antenna and for this
68
00:07:42,280 --> 00:07:48,199
method there's certainly two base stations
or IMSI-catchers sufficient to determine
69
00:07:48,199 --> 00:07:55,539
the position of the mobile phone. The
accuracy is usually in field experiments
70
00:07:55,539 --> 00:08:01,530
between 100 and 200 meters and the
challenge for this method but also for the
71
00:08:01,530 --> 00:08:11,909
ones on the previous slides is that on the
normal mobile cells you don't have a line
72
00:08:11,909 --> 00:08:18,550
of sight to each base station from your
mobile phone and so the signal gets
73
00:08:18,550 --> 00:08:27,800
disturbed by buildings in the way and then
the accuracy becomes worse. So the next
74
00:08:27,800 --> 00:08:33,175
method I want to show you, I think most of
you will know a little bit about GPS and
75
00:08:33,175 --> 00:08:41,210
how it's calculated. So satellites, GPS
satellites, broadcast their time and their
76
00:08:41,210 --> 00:08:48,220
position, and the mobile phone uses again
trilateration to calculate its position
77
00:08:48,220 --> 00:08:53,650
and the accuracy is usually below 10
meters, but it depends a little bit on the
78
00:08:53,650 --> 00:09:02,440
chipset within the mobile phone, and then
the base station can request the position
79
00:09:02,440 --> 00:09:09,340
of the phone by issuing a radio... or by
issuing a request with the radio resource
80
00:09:09,340 --> 00:09:16,700
location service protocol. So another
method which I want to present is the
81
00:09:16,700 --> 00:09:21,860
mining of Internet traffic. Some
smartphones send GPS coordinates or the
82
00:09:21,860 --> 00:09:29,580
names of nearby Wi-Fi networks, which are
also called SSIDs, to online services, and
83
00:09:29,580 --> 00:09:36,910
usually these allow the determination of
the position around or below 10 meters,
84
00:09:36,910 --> 00:09:44,600
and it is certainly possible to intercept
this traffic and evaluate the geolocation.
85
00:09:44,600 --> 00:09:51,200
So here I have two quotes for you, and the
first one it effectively means that anyone
86
00:09:51,200 --> 00:09:57,375
using Google Maps on a smartphone is
working in support of a GCHQ system. This
87
00:09:57,375 --> 00:10:05,183
quote comes from the Snowden archive and
was issued in the year 2008. So we
88
00:10:05,183 --> 00:10:10,113
certainly see that there's
some proof that at least at those days,
89
00:10:10,113 --> 00:10:16,900
that they enter, some third parties
intercepted those traffic and use it for
90
00:10:16,900 --> 00:10:27,150
determining the geolocation, and if you
want to work with, or determine the
91
00:10:27,150 --> 00:10:34,480
location with the SSIDs, it is necessary
that you have a map where a certain Wi-Fi
92
00:10:34,480 --> 00:10:40,260
access points are located. And therefore
we have also something like... like a
93
00:10:40,260 --> 00:10:47,400
proof that this has been done by the NSA
and this is the mission victory dance,
94
00:10:47,400 --> 00:10:53,390
where they are mapping the Wi-Fi
fingerprint in every major town in Yemen,
95
00:10:53,390 --> 00:10:59,130
and in Yemen also a lot of drone strikes
are conducted. So, let's go to next
96
00:10:59,130 --> 00:11:07,210
method. Signalling System No. 7 is a
protocol which is used for communication
97
00:11:07,210 --> 00:11:15,520
between network providers, and network
providers need to know where, in which
98
00:11:15,520 --> 00:11:21,570
cell, a mobile phone is located to... to
enable the communication, and these
99
00:11:21,570 --> 00:11:27,880
informations are saved in location
registers, and a third party can easily
100
00:11:27,880 --> 00:11:35,777
request these location informations. I
want to refer to the talk by Tobias Engel,
101
00:11:35,777 --> 00:11:40,707
which... he gave a talk two years ago
which really goes into the details of this
102
00:11:40,707 --> 00:11:48,310
method, and maybe if you like to, there
are also commercial services available to
103
00:11:48,310 --> 00:11:58,430
access this data. So, let's talk about
drones. We do not have very solid proofs
104
00:11:58,430 --> 00:12:05,980
that geolocation methods are conducted by
drones, but we have certainly hints. A
105
00:12:05,980 --> 00:12:15,000
hint is this GILGAMESH system, which is
based on the PREDATOR drones, and is a
106
00:12:15,000 --> 00:12:22,090
method for active geolocation, which
describes an IMSI-catcher so... but if
107
00:12:22,090 --> 00:12:28,590
anybody of you has access to more
documents... yeah it would be nice to have
108
00:12:28,590 --> 00:12:37,170
a look. So...
applause
109
00:12:39,283 --> 00:12:45,580
E: So, the easiest method would be
certainly to request for GPS coordinates,
110
00:12:45,580 --> 00:12:54,030
and there you just replace the base
station with a drone. But the method which
111
00:12:54,030 --> 00:13:01,054
is better, or which I think is the
preferred one: Angular measurements.
112
00:13:02,196 --> 00:13:08,680
Angular measurements, if you have a look
in our report, there we approximated that
113
00:13:08,680 --> 00:13:14,430
the accuracy of these methods are between
five and thirty five meters in radius from
114
00:13:14,430 --> 00:13:20,830
an altitude of two kilometers, and if you
get closer to the mobile phone it becomes
115
00:13:20,830 --> 00:13:28,360
more accurate. So, it would be, to some
extent, sufficient to conduct a targeted
116
00:13:28,360 --> 00:13:35,550
drone strike on this data, and in the
meantime, since this report was handed
117
00:13:35,550 --> 00:13:42,250
over to the Bundestag, I also found other
work which described that they are able to
118
00:13:42,250 --> 00:13:47,910
achieve an accuracy of one meter from
three kilometers altitude for small
119
00:13:47,910 --> 00:13:55,980
airplanes. You have to know that those
sensors to measure the angle of arrival,
120
00:13:55,980 --> 00:14:03,320
that they are usually located within the
wings and within the front of the plane,
121
00:14:03,320 --> 00:14:07,416
and when the plane becomes larger it's
also easier to have a more accurate
122
00:14:07,416 --> 00:14:16,435
measurement. Then I want to point out that
a single measurement can be sufficient to
123
00:14:16,435 --> 00:14:22,290
determine the location of a mobile phone.
If we can assume that the target is on the
124
00:14:22,290 --> 00:14:28,210
ground. So if you assume that the target
is maybe in a building in Yemen, so a
125
00:14:28,210 --> 00:14:34,160
single measurement would be sufficient on
a low building in Yemen. And a sky scraper
126
00:14:34,160 --> 00:14:42,180
would be more difficult. So, and the big
advantage of these methods is that
127
00:14:42,180 --> 00:14:48,290
environmental parameters have a very low
influence, since we can have a almost line
128
00:14:48,290 --> 00:14:59,670
of sight, which allows a better accuracy.
So now I'm going to talk about the
129
00:14:59,670 --> 00:15:06,770
identifiers which can be used for
geolocation. Certainly the phone number
130
00:15:06,770 --> 00:15:13,810
and each IMSI-catcher or base station can
request, can issue an identity request to
131
00:15:13,810 --> 00:15:22,510
a mobile phone, and then receive the IMSI
or EMI. The IMSI is something like a
132
00:15:22,510 --> 00:15:31,350
unique description for a certain customer
in the the mobile network and the EMI is
133
00:15:31,350 --> 00:15:41,080
like a unique serial number for an device.
So, when we include those methods of
134
00:15:41,080 --> 00:15:51,020
mining Internet traffic, then we can also
add a lot of more identifiers, for example
135
00:15:51,020 --> 00:15:59,746
an Apple ID or Android ID, MAC address,
even cookies or user names. If you are
136
00:15:59,746 --> 00:16:06,126
interested in this, you can have a look at
the link I provided there. That there's a
137
00:16:06,126 --> 00:16:14,490
very interesting paper about this. So I
come to my last slide, my summary. I
138
00:16:14,490 --> 00:16:21,701
showed you multiple, or a lot of different
methods to localize a mobile phone, and I
139
00:16:21,701 --> 00:16:27,180
pointed out that a single drone can
localize a mobile phone with accuracy
140
00:16:27,180 --> 00:16:33,180
which is sufficient to conduct a targeted
drone strike. Since this document was
141
00:16:33,180 --> 00:16:39,350
handed over to the Bundestag, they also
never denied that these methods can be
142
00:16:39,350 --> 00:16:51,000
used for... or that the accuracy of these
methods... is true. So then I pointed out
143
00:16:51,000 --> 00:16:58,410
that as an identifier the phone number,
the IMSI, and the EMI each can be used for
144
00:16:58,410 --> 00:17:05,720
the geolocation of a mobile phone, and the
last information which I want to give you
145
00:17:05,720 --> 00:17:11,760
is that geolocation methods cannot prove
the identity of a person, and this is
146
00:17:11,760 --> 00:17:21,281
really important to know, that we are
not... yeah. That when we conduct, or when
147
00:17:21,281 --> 00:17:25,880
somebody is conducting these drone
strikes, that they are not aware who is
148
00:17:25,880 --> 00:17:30,920
actually using the phone, and so and I can
happen that they are killing the wrong
149
00:17:30,920 --> 00:17:39,920
person. So I thank you very much, I thank
my colleagues and my family and everybody.
150
00:17:39,920 --> 00:17:41,740
applause
151
00:17:41,740 --> 00:17:49,930
Herald: Thank you.
applause
152
00:17:49,930 --> 00:17:54,430
H: That's great. Thank you very much. It's
the first talk we have here today where we
153
00:17:54,430 --> 00:18:00,540
can have a lot of questions. So come on.
You have the microphones, number 1, number
154
00:18:00,540 --> 00:18:07,080
2, number 3, number 4, and ask your
questions. It's the only chance to have
155
00:18:07,080 --> 00:18:19,606
this man answering them. No questions?
Here's someone. No. Yeah. Sorry!
156
00:18:19,606 --> 00:18:22,252
Microphone: No problem.
H: Number 4.
157
00:18:22,252 --> 00:18:28,190
Microphone 4: Hello. Do you know why we
are located in London right now when we
158
00:18:28,190 --> 00:18:32,680
use Google Maps here?
H: "Do you know", can you ask me again,
159
00:18:32,680 --> 00:18:34,590
"do you know why we are located in
London?"
160
00:18:34,590 --> 00:18:35,500
M4: Yes.
H: Here?
161
00:18:35,500 --> 00:18:38,990
M4: When we use Google Maps, we are
located in London.
162
00:18:41,330 --> 00:18:47,430
H: Do you know that? The Congress is
located in London. Do you know why?
163
00:18:47,430 --> 00:18:51,350
E: I'm not aware.
M4: Okay, I thought this was on plan.
164
00:18:51,350 --> 00:18:53,370
H: Okay.
M4: Thank you
165
00:18:53,370 --> 00:18:57,950
H: Number 1.
Microphone 1: Okay, so on slide 12 you
166
00:18:57,950 --> 00:19:01,610
showed this angle of arrival-
H: Can you please be quiet, we can't
167
00:19:01,610 --> 00:19:04,450
understand the questions unless you're
quiet. Sorry.
168
00:19:04,450 --> 00:19:11,340
M1: Okay, so, on slide 12 you showed the
angle of arrival method executed by a
169
00:19:11,340 --> 00:19:18,350
drone. Is this a passive method or does it
require some cooperation by either the
170
00:19:18,350 --> 00:19:21,040
phone company or by the targeted mobile
phone?
171
00:19:21,040 --> 00:19:26,170
E: It can be conducted passively. Like, if
you call the phone or page the phone
172
00:19:26,170 --> 00:19:33,751
multiple times and you see which phone is
answering this paging... okay, it needs to
173
00:19:33,751 --> 00:19:39,620
be active in a way that you contact the
phone, but you don't need an active IMSI-
174
00:19:39,620 --> 00:19:45,000
catcher for it. You just phone or call the
phone, and then you see which phone is
175
00:19:45,000 --> 00:19:51,690
answering, and then you know where the
phone is situated.
176
00:19:51,690 --> 00:19:53,690
M1: Thanks.
E: Yeah.
177
00:19:53,690 --> 00:19:58,660
H: I see that we have a question over
there so can you just ask your question
178
00:19:58,660 --> 00:20:00,660
please?
M8: Here?
179
00:20:00,660 --> 00:20:04,520
H: Yes, number 8, please.
M8: Thank you for the talk. I'd like to
180
00:20:04,520 --> 00:20:11,080
ask a question about tracking unpowered
mobile phones: I mean you mentioned lots
181
00:20:11,080 --> 00:20:16,300
of methods for phones which are both...
with both have their batteries inserted
182
00:20:16,300 --> 00:20:21,290
and are actively operating. Could you
elaborate a bit about the methods of
183
00:20:21,290 --> 00:20:26,880
tracking phones, which seem to be off
turned off from the users point of view,
184
00:20:26,880 --> 00:20:30,418
and maybe also something about those who
have their batteries removed?
185
00:20:34,310 --> 00:20:39,058
E: Actually, if you really turn off your
phone over a long period, let's say a
186
00:20:39,060 --> 00:20:45,010
couple of months, I think you are safe,
but... laughter Buf if you...
187
00:20:45,010 --> 00:20:52,530
M8: That's good to know.
E: But, actually, like if you have a base
188
00:20:52,530 --> 00:20:57,490
station and somebody is switching off his
phone and maybe he is meeting somebody
189
00:20:57,490 --> 00:21:02,980
else at that point and somebody else is
also switching off his phone, then it can
190
00:21:02,980 --> 00:21:09,470
be suspicious, but it really depends
whether somebody is looking into this data
191
00:21:09,470 --> 00:21:15,200
or not.
H: Thank you. Number 8 again.
192
00:21:15,200 --> 00:21:24,560
M8: I had a short question: As you
described, we are somehow dependent on the
193
00:21:24,560 --> 00:21:33,220
good winning of the NSA, for instance, and
I wanted to ask if there's some way to
194
00:21:33,220 --> 00:21:40,230
avoid geolocation or use Google Maps
without sending identity to location
195
00:21:40,230 --> 00:21:45,420
services.
E: That is fairly difficult. I would
196
00:21:45,420 --> 00:21:51,600
assume that GPS phones are a little bit
better to avoid geo-locationing,
197
00:21:51,600 --> 00:21:58,180
especially if you add additional GPS
spoofing, because they are... The network
198
00:21:58,180 --> 00:22:04,050
cells are really large and so it's more
difficult to track you within the network
199
00:22:04,050 --> 00:22:10,620
cell, but if you have a drone right above
you and you emit a physical signal, then
200
00:22:10,620 --> 00:22:17,640
the drone will always be able to localize
where the signal came from. So it's
201
00:22:17,640 --> 00:22:19,820
difficult, because it's physically
difficult.
202
00:22:19,820 --> 00:22:23,390
M8: Okay.
H: Thanks. Number 1, please.
203
00:22:23,390 --> 00:22:28,691
M1: So, I have a question about the
physicalities of receiving a... or
204
00:22:28,691 --> 00:22:35,490
localizing or making angular measurement
of a phone within a densely populated
205
00:22:35,490 --> 00:22:40,530
area, where there's possibly tens of
thousands of phones within the receptional
206
00:22:40,530 --> 00:22:48,140
area of a 3-kilometer-high drone. That
would obviously require you to be more
207
00:22:48,140 --> 00:22:54,580
sensitive on one hand than this cell tower
and on the other hand also receive at the
208
00:22:54,580 --> 00:22:58,240
same time and sort out all kinds of
interference.
209
00:22:58,240 --> 00:23:06,060
E: You usually a cell can be between,
let's say 200 meters, and 3 or 30
210
00:23:06,060 --> 00:23:11,560
kilometers in size, so 3 kilometers in
altitude it's not very high.
211
00:23:11,560 --> 00:23:18,330
M1: So you assume that the drone does a
pre-selection. We are digital beamforming
212
00:23:18,330 --> 00:23:24,960
on the ground path and only looks at a
cell of interest, because it knows from
213
00:23:24,960 --> 00:23:31,960
the network, the suspect is in that cell.
E: It depends on the area: In an urban
214
00:23:31,960 --> 00:23:37,770
area you have to reduce the size of the
cell, otherwise you would receive too many
215
00:23:37,770 --> 00:23:45,210
signals, but in a countryside you can have
larger cells or you can cover a larger
216
00:23:45,210 --> 00:23:49,230
area.
M1: Regarding covering larger areas: Did
217
00:23:49,230 --> 00:23:53,310
you take, considering that these drones
aren't really like our quadcopter size,
218
00:23:53,310 --> 00:24:01,360
they're more airplane-sized, proper
airplanes, did you take the classical
219
00:24:01,360 --> 00:24:06,830
synthetic aperture radar techniques of
observing something for a long time while
220
00:24:06,830 --> 00:24:11,640
flying straight over it and then
integrating over it into account? Because
221
00:24:11,640 --> 00:24:16,650
that's usually where we get our high-
resolution radar imagery of the earth.
222
00:24:16,650 --> 00:24:22,450
E: You can conduct multiple measurements
or you just conduct one, if you know that
223
00:24:22,450 --> 00:24:26,710
the target is on the ground.
M1: So, did that account for your
224
00:24:26,710 --> 00:24:31,470
estimated accuracy?
E: It's not necessary to integrate.
225
00:24:31,470 --> 00:24:36,020
M1: Okay, thanks.
H: Thank you. We have a question from the
226
00:24:36,020 --> 00:24:39,590
internet.
Signalangel: Yes, the internet wants to
227
00:24:39,590 --> 00:24:43,500
know if there are attributes, which you
can change of the phone, to stop
228
00:24:43,500 --> 00:24:47,010
surveillance. Attributes like the email,
for example.
229
00:24:47,010 --> 00:24:51,730
E: Can you please repeat the question?
S: Are there attributes of the phone,
230
00:24:51,730 --> 00:24:53,560
which you can change, to stop
surveillance?
231
00:24:53,560 --> 00:24:58,740
E: Yes, certainly you can fake the IMEI
or the IMSI. That is also another reason why
232
00:24:58,740 --> 00:25:06,300
it's not sufficient to prove the identity,
because any phone can just take these
233
00:25:06,300 --> 00:25:09,261
data.
S: And we have a second question, which
234
00:25:09,261 --> 00:25:18,090
is: Does the GSM network have a feature
which allows anyone to get the GPS data
235
00:25:18,090 --> 00:25:29,100
from the phone?
E: Yeah..., it would be..., that.., and
236
00:25:29,100 --> 00:25:32,530
the radio resource location service
protocol.
237
00:25:32,530 --> 00:25:38,230
S: So, thank you.
laughter
238
00:25:38,230 --> 00:25:39,120
E: Yeah.
H: Okay, number five.
239
00:25:39,120 --> 00:25:46,260
Microphone 5: Hello, you delivered you
work to the NSA Untersuchungsausschuss and
240
00:25:46,260 --> 00:25:51,920
they, the Bundestag did not say anything
about it, but is there a statement from
241
00:25:51,920 --> 00:25:56,540
the NSA Untersuchungssausschuss?
E: And the government said something about
242
00:25:56,540 --> 00:26:04,500
it. They said that, that they washed their
hands and said we did everything nicely
243
00:26:04,500 --> 00:26:09,300
because we added also a disclaimer to the
data we provided and that the disclaimer
244
00:26:09,300 --> 00:26:18,370
says that the NSA is forced to, to stick
to the German law and that they are not
245
00:26:18,375 --> 00:26:20,725
allowed to do whatever they want with this
data.
246
00:26:23,120 --> 00:26:29,640
M5: Thank you.
H: Very nice, number 6, please.
247
00:26:29,640 --> 00:26:38,270
M6: Hello, on slide 12, you got, you
specify the accuracy of about five meters
248
00:26:38,270 --> 00:26:44,266
for two drones. So how does it scale if
you would use more than two drones? For
249
00:26:44,266 --> 00:26:49,150
example 10 or whatever.
E: I think that there was a small
250
00:26:49,150 --> 00:26:52,910
misunderstanding. Actually, one drone is
sufficient.
251
00:26:52,910 --> 00:26:57,140
M6: Okay, so could you use more than one
drone?
252
00:26:57,140 --> 00:27:00,800
E: Yeah, you can use as many as you want
but one is sufficient.
253
00:27:00,800 --> 00:27:05,450
laughter
M6: Yeah, but that, of course. But does
254
00:27:05,450 --> 00:27:09,980
the accuracy increase by using more than
one?
255
00:27:09,980 --> 00:27:16,140
E: Yeah if you go closer to the target and
then their accuracy increases.
256
00:27:16,140 --> 00:27:22,990
M6: Okay, but with the same distance but
more than one drone?
257
00:27:22,990 --> 00:27:27,470
E: Actually not.
M6: Okay, thank you.
258
00:27:27,470 --> 00:27:32,559
H: Number four, please.
M4: Also referring to the accuracies, you
259
00:27:32,559 --> 00:27:37,520
were talking about field experiments and
so on. Did you conduct those yourself or
260
00:27:37,520 --> 00:27:39,600
where did you get all the information
from?
261
00:27:39,600 --> 00:27:43,760
E: These are some references, there you
can find the field experiments.
262
00:27:43,760 --> 00:27:46,700
M4: Thank you very much.
H: Number two, please.
263
00:27:46,700 --> 00:27:50,640
M2: Thank you very much for the
interesting talk. My question is regarding
264
00:27:50,651 --> 00:27:56,251
the fingerprint which you can use on many
phones to unlock the phone. Is there
265
00:27:56,251 --> 00:28:01,371
currently and if not will there, do you
think there will be a possibility that for
266
00:28:01,371 --> 00:28:05,290
example an app which requires the
fingerprint identification on the phone
267
00:28:05,290 --> 00:28:10,270
that this is also passively read and by
that you increase the identification of
268
00:28:10,270 --> 00:28:19,120
persons? Did you understand the question?
E: Yeah, but I think this is like based on
269
00:28:19,120 --> 00:28:25,960
the GSM network and the other I think that
that's based on the operating system.
270
00:28:25,960 --> 00:28:30,090
M2: So currently using this technology,
there they couldn't be, there, it's not
271
00:28:30,090 --> 00:28:33,240
possible to link this?
E: No.
272
00:28:33,240 --> 00:28:37,520
M2: Ok, thank you.
H: Ok, number one, please.
273
00:28:37,520 --> 00:28:40,800
M1: My question is actually about the
civil use of geolocation service not so
274
00:28:40,800 --> 00:28:44,660
much about phones. So, you mentioned that
every time you use an online service that
275
00:28:44,660 --> 00:28:51,370
use geolocation you send the SSids of
nearby Wi-Fi networks and with every
276
00:28:51,370 --> 00:28:57,760
request you actually enrich a Wi-Fi map,
Wi-Fi database of either Google, if it's
277
00:28:57,760 --> 00:29:04,220
on Android, or Apple if it's on iOS. Now,
there was a talk at CCC here in 2009 when
278
00:29:04,220 --> 00:29:09,420
this technology was still nascent and that
back then was called Skyhook but then the
279
00:29:09,420 --> 00:29:15,630
speaker had this provocative question:
Shouldn't this Wi-Fi map be public domain
280
00:29:15,630 --> 00:29:21,410
instead of just a belonging proprietary
and belonging either to Apple or Google
281
00:29:21,410 --> 00:29:25,910
nowadays? So, haven't we lost that
struggle? I mean we can't keep our SSids
282
00:29:25,910 --> 00:29:31,040
private, so shouldn't it be public domain?
E: Yeah it would be a good idea to make it
283
00:29:31,040 --> 00:29:35,660
public domain I said since also a lot of
positive things can be created with this
284
00:29:35,660 --> 00:29:40,146
technology, like helping people in
emergency situations.
285
00:29:42,753 --> 00:29:48,470
H: Okay ...
M1: I wanted to take the chance to say
286
00:29:48,470 --> 00:29:51,500
thanks for this talk. I'm one of the
people who actually commissioned the
287
00:29:51,500 --> 00:29:57,180
analysis because I work in the inquiry,
and it was extremely helpful for us to
288
00:29:57,180 --> 00:30:02,000
have the analysis done because we, like
you said, keep being confronted with
289
00:30:02,000 --> 00:30:07,560
Secret Service people who tell us that no
way can mobile phone numbers help in the
290
00:30:07,560 --> 00:30:12,040
secret war. So yeah I just wanted to say
thanks.
291
00:30:12,040 --> 00:30:20,120
applause
H: Yeah, thank you very much.
292
00:30:20,120 --> 00:30:26,410
H: Great, so thank you also very, very
much for your work and keep on going with
293
00:30:26,410 --> 00:30:26,988
that.
294
00:30:26,988 --> 00:30:31,738
music
295
00:30:31,738 --> 00:30:52,000
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!