[music]
Herald: So the NSA is spying, and was spying, and we had Snowden, we have a lot of documents to look at, and there is some new research on how they used geolocation methods in mobile networks. It is done by the University of Hamburg and we have here Erik who will present this research to you and he has done this for the German government and for the NSA Untersuchungsausschuss which we call "NS Aua", which means "NS Ouch", kind of. He is a PhD student and holds a master's in physics so give him a warm applause.
[applause]
Herald: And for those coming later please go to your seats and try to be quiet. Yep, thank you.
Erik Sy: Hello. I'm really happy to have you all here and I welcome you to my talk about geolocation methods in mobile networks. My name is Erik Sy and I'm a PhD student at the University of Hamburg. So, at the beginning I want to point out why I'm giving this talk. So the German parliamentary investigative committee wanted to find out about the German involvement in US drone strikes and then the German government officials claimed that they do not know anything or they do not know any possibility how to use a phone number for targeting drone strikes and the investigative committee did not really believe this statement and so they asked our research group at the University of Hamburg to prepare a report and we handed in that report to the Bundestag and it was very soon afterwards also published by netzpolitik.org, thank you for that.
[applause]
E: And it contains like technical methods and approximates the accuracy to localise mobile phones and it also points out which technical identifiers are required to conduct such geolocation.
Now I give you my agenda for today.
First I will speak about the purpose of geolocation data and then we are looking into a broad variety of different approaches to conduct such a geolocation in mobile networks, and then we specify on drones and look into the technical methods which can be conducted with drones, and then I'm going to point out which technical identifiers we can use for such a geolocation. And lastly I'm going to sum up.
So, the purpose of geolocation data: it is a neutral technology, so we can use it for rescue missions, for example if somebody got lost in the forest or in the mountains, we can use geolocation data to find that person and rescue the person. Or, if you ever used Google Traffic, there you can profit from monitoring traffic conditions. But we can also use it to invade the privacy of persons, for example if we identify people on surveillance footage, or if we track the location of a certain individual over a longer period, and certainly we can use this data for targeting drone strikes. However I want to point out that this data, that they are not suitable to prove the identity of a person. So if somebody is conducting a drone strike based on this data, then he is actually not knowing who he is going to kill.
So, on the right side you see an image of an explosion site from a Hellfire missile. A Hellfire missile is usually used by these drones and you can approximate that the blast radius is around 20 meters. So we would consider a targeted drone strike if we have a geolocation method which can determine the position of a person more precise than 20 meters in radius.
So, the first approach which I want to present are time measurements and the symbol which you will see down there it's a base station, for the next couple of slides. And a base station... this is the point in a mobile network where your phone connects to. On the slides you can certainly interchange this base station with an IMSI-catcher.
IMSI-catcher is something like a fake base station from a third party and you could even build it yourself.
So, the method used to calculate the position of a phone is for time measurements trilateration. You have to know that the signal is usually traveling with the speed of light, so when you measure the time you can also measure the distance. And here there are three methods presented. There are "Time of Arrival", where the signal moves from the hand phone to the three base stations and the accuracy is between 50 and 200 meters. This really depends on the cell size and they can be more precise or less precise. So, then we have "Time Difference of Arrival," which is like a round-trip measurement, and we have an "Enhanced Observed Time Difference," where the mobile phone actually computes the location within the cell, and the accuracy is between 50 to 125 meters.
So, and the next method which I want to present are angular measurements. When you conduct angular measurements, then you determine the direction of arrival from the signal and afterwards you do a calculation which is called triangulation and therefore you have to know the position of the base station, but also the alignment of your antenna and for this method there's certainly two base stations or IMSI-catchers sufficient to determine the position of the mobile phone. The accuracy is usually in field experiments between 100 and 200 meters and the challenge for this method but also for the ones on the previous slides is that on the normal mobile cells you don't have a line of sight to each base station from your mobile phone and so the signal gets disturbed by buildings in the way and then the accuracy becomes worse.
So the next method I want to show you, I think most of you will know a little bit about GPS and how it's calculated.
So satellites, GPS satellites, broadcast their time and their position, and the mobile phone uses again trilateration to calculate its position and the accuracy is usually below 10 meters, but it depends a little bit on the chipset within the mobile phone, and then the base station can request the position of the phone by issuing a radio... or by issuing a request with the radio resource location service protocol.
So another method which I want to present is the mining of Internet traffic. Some smartphones send GPS coordinates or the names of nearby Wi-Fi networks, which are also called SSIDs, to online services, and usually these allow the determination of the position around or below 10 meters, and it is certainly possible to intercept this traffic and evaluate the geolocation.
So here I have two quotes for you, and the first one it effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system. This quote comes from the Snowden archive and was issued in the year 2008. So we certainly see that there's some proof that at least at those days, that they enter, some third parties intercepted those traffic and use it for determining the geolocation, and if you want to work with, or determine the location with the SSIDs, it is necessary that you have a map where certain Wi-Fi access points are located. And therefore we have also something like... like a proof that this has been done by the NSA and this is the mission victory dance, where they are mapping the Wi-Fi fingerprint in every major town in Yemen, and in Yemen also a lot of drone strikes are conducted.
So, let's go to next method. Signalling System No. 7 is a protocol which is used for communication between network providers, and network providers need to know where, in which cell, a mobile phone is located to... to enable the communication, and this information is saved in location registers, and a third party can easily request this location information.
I want to refer to the talk by Tobias Engel, which... he gave a talk two years ago which really goes into the details of this method, and maybe if you like to, there are also commercial services available to access this data.
So, let's talk about drones. We do not have very solid proofs that geolocation methods are conducted by drones, but we have certainly hints. A hint is this GILGAMESH system, which is based on the PREDATOR drones, and is a method for active geolocation, which describes an IMSI-catcher so... but if anybody of you has access to more documents... yeah it would be nice to have a look. So...
[applause]
E: So, the easiest method would be certainly to request for GPS coordinates, and there you just replace the base station with a drone. But the method which is better, or which I think is the preferred one: Angular measurements. Angular measurements, if you have a look in our report, there we approximated that the accuracy of these methods are between five and thirty five meters in radius from an altitude of two kilometers, and if you get closer to the mobile phone it becomes more accurate. So, it would be, to some extent, sufficient to conduct a targeted drone strike on this data, and in the meantime, since this report was handed over to the Bundestag, I also found other work which described that they are able to achieve an accuracy of one meter from three kilometers altitude for small airplanes. You have to know that those sensors to measure the angle of arrival, that they are usually located within the wings and within the front of the plane, and when the plane becomes larger it's also easier to have a more accurate measurement.
Then I want to point out that a single measurement can be sufficient to determine the location of a mobile phone. If we can assume that the target is on the ground. So if you assume that the target is maybe in a building in Yemen, so a single measurement would be sufficient on a low building in Yemen.
And a skyscraper would be more difficult. So, and the big advantage of these methods is that environmental parameters have a very low influence, since we can have an almost line of sight, which allows a better accuracy.
So now I'm going to talk about the identifiers which can be used for geolocation. Certainly the phone number and each IMSI-catcher or base station can request, can issue an identity request to a mobile phone, and then receive the IMSI or IMEI. The IMSI is something like a unique description for a certain customer in the mobile network and the IMEI is like a unique serial number for a device. So, when we include those methods of mining Internet traffic, then we can also add a lot more identifiers, for example an Apple ID or Android ID, MAC address, even cookies or user names. If you are interested in this, you can have a look at the link I provided there. There's a very interesting paper about this.
So I come to my last slide, my summary. I showed you multiple, or a lot of different methods to localize a mobile phone, and I pointed out that a single drone can localize a mobile phone with accuracy which is sufficient to conduct a targeted drone strike. Since this document was handed over to the Bundestag, they also never denied that these methods can be used for... or that the accuracy of these methods... is true. So then I pointed out that as an identifier the phone number, the IMSI, and the IMEI each can be used for the geolocation of a mobile phone, and the last information which I want to give you is that geolocation methods cannot prove the identity of a person, and this is really important to know, that we are not... yeah. That when we conduct, or when somebody is conducting these drone strikes, that they are not aware who is actually using the phone, and so it can happen that they are killing the wrong person.
So I thank you very much, I thank my colleagues and my family and everybody.
[applause]
Herald: Thank you.
[applause]
H: That's great. Thank you very much. It's the first talk we have here today where we can have a lot of questions. So come on. You have the microphones, number 1, number 2, number 3, number 4, and ask your questions. It's the only chance to have this man answering them. No questions? Here's someone. No. Yeah. Sorry!
Microphone: No problem.
H: Number 4.
Microphone 4: Hello. Do you know why we are located in London right now when we use Google Maps here?
H: "Do you know", can you ask me again, "do you know why we are located in London?"
M4: Yes.
H: Here?
M4: When we use Google Maps, we are located in London.
H: Do you know that? The Congress is located in London. Do you know why?
E: I'm not aware.
M4: Okay, I thought this was on plan.
H: Okay.
M4: Thank you.
H: Number 1.
Microphone 1: Okay, so on slide 12 you showed this angle of arrival-
H: Can you please be quiet, we can't understand the questions unless you're quiet. Sorry.
M1: Okay, so, on slide 12 you showed the angle of arrival method executed by a drone. Is this a passive method or does it require some cooperation by either the phone company or by the targeted mobile phone?
E: It can be conducted passively. Like, if you call the phone or page the phone multiple times and you see which phone is answering this paging... okay, it needs to be active in a way that you contact the phone, but you don't need an active IMSI-catcher for it. You just phone or call the phone, and then you see which phone is answering, and then you know where the phone is situated.
M1: Thanks.
E: Yeah.
H: I see that we have a question over there so can you just ask your question please?
M8: Here?
H: Yes, number 8, please.
M8: Thank you for the talk. I'd like to ask a question about tracking unpowered mobile phones: I mean you mentioned lots of methods for phones which are both... with both have their batteries inserted and are actively operating.
Could you elaborate a bit about the methods of tracking phones, which seem to be turned off from the user's point of view, and maybe also something about those who have their batteries removed?
E: Actually, if you really turn off your phone over a long period, let's say a couple of months, I think you are safe, but... [laughter] But if you...
M8: That's good to know.
E: But, actually, like if you have a base station and somebody is switching off his phone and maybe he is meeting somebody else at that point and somebody else is also switching off his phone, then it can be suspicious, but it really depends whether somebody is looking into this data or not.
H: Thank you. Number 8 again.
M8: I had a short question: As you described, we are somehow dependent on the good winning of the NSA, for instance, and I wanted to ask if there's some way to avoid geolocation or use Google Maps without sending identity to location services.
E: That is fairly difficult. I would assume that GPS phones are a little bit better to avoid geo-locationing, especially if you add additional GPS spoofing, because they are... The network cells are really large and so it's more difficult to track you within the network cell, but if you have a drone right above you and you emit a physical signal, then the drone will always be able to localize where the signal came from. So it's difficult, because it's physically difficult.
M8: Okay.
H: Thanks. Number 1, please.
M1: So, I have a question about the physicalities of receiving a... or localizing or making angular measurement of a phone within a densely populated area, where there's possibly tens of thousands of phones within the receptional area of a 3-kilometer-high drone. That would obviously require you to be more sensitive on one hand than this cell tower and on the other hand also receive at the same time and sort out all kinds of interference.
E: Usually a cell can be between, let's say 200 meters, and 3 or 30 kilometers in size, so 3 kilometers in altitude it's not very high.
M1: So you assume that the drone does a pre-selection. We are digital beamforming on the ground path and only looks at a cell of interest, because it knows from the network, the suspect is in that cell.
E: It depends on the area: In an urban area you have to reduce the size of the cell, otherwise you would receive too many signals, but in a countryside you can have larger cells or you can cover a larger area.
M1: Regarding covering larger areas: Did you take, considering that these drones aren't really like our quadcopter size, they're more airplane-sized, proper airplanes, did you take the classical synthetic aperture radar techniques of observing something for a long time while flying straight over it and then integrating over it into account? Because that's usually where we get our high-resolution radar imagery of the earth.
E: You can conduct multiple measurements or you just conduct one, if you know that the target is on the ground.
M1: So, did that account for your estimated accuracy?
E: It's not necessary to integrate.
M1: Okay, thanks.
H: Thank you. We have a question from the internet.
Signalangel: Yes, the internet wants to know if there are attributes, which you can change of the phone, to stop surveillance. Attributes like the email, for example.
E: Can you please repeat the question?
S: Are there attributes of the phone, which you can change, to stop surveillance?
E: Yes, certainly you can fake the IMEI or the IMSI. That is also another reason why it's not sufficient to prove the identity, because any phone can just take these data.
S: And we have a second question, which is: Does the GSM network have a feature which allows anyone to get the GPS data from the phone?
E: Yeah..., it would be..., that..., and the radio resource location service protocol.
S: So, thank you.
[laughter]
E: Yeah.
H: Okay, number five.
Microphone 5: Hello, you delivered your work to the NSA Untersuchungsausschuss and they, the Bundestag did not say anything about it, but is there a statement from the NSA Untersuchungsausschuss?
E: And the government said something about it. They said that they washed their hands and said we did everything nicely because we added also a disclaimer to the data we provided and that the disclaimer says that the NSA is forced to stick to the German law and that they are not allowed to do whatever they want with this data.
M5: Thank you.
H: Very nice, number 6, please.
M6: Hello, on slide 12, you got, you specify the accuracy of about five meters for two drones. So how does it scale if you would use more than two drones? For example 10 or whatever.
E: I think that there was a small misunderstanding. Actually, one drone is sufficient.
M6: Okay, so could you use more than one drone?
E: Yeah, you can use as many as you want but one is sufficient.
[laughter]
M6: Yeah, but that, of course. But does the accuracy increase by using more than one?
E: Yeah if you go closer to the target and then the accuracy increases.
M6: Okay, but with the same distance but more than one drone?
E: Actually not.
M6: Okay, thank you.
H: Number four, please.
M4: Also referring to the accuracies, you were talking about field experiments and so on. Did you conduct those yourself or where did you get all the information from?
E: These are some references, there you can find the field experiments.
M4: Thank you very much.
H: Number two, please.
M2: Thank you very much for the interesting talk. My question is regarding the fingerprint which you can use on many phones to unlock the phone. Is there currently and if not will there, do you think there will be a possibility that for example an app which requires the fingerprint identification on the phone that this is also passively read and by that you increase the identification of persons? Did you understand the question?
E: Yeah, but I think this is like based on the GSM network and the other I think that that's based on the operating system.
M2: So currently using this technology, there they couldn't be, there, it's not possible to link this?
E: No.
M2: Ok, thank you.
H: Ok, number one, please.
M1: My question is actually about the civil use of geolocation service not so much about phones. So, you mentioned that every time you use an online service that use geolocation you send the SSIDs of nearby Wi-Fi networks and with every request you actually enrich a Wi-Fi map, Wi-Fi database of either Google, if it's on Android, or Apple if it's on iOS. Now, there was a talk at CCC here in 2009 when this technology was still nascent and that back then was called Skyhook but then the speaker had this provocative question: Shouldn't this Wi-Fi map be public domain instead of just a belonging proprietary and belonging either to Apple or Google nowadays? So, haven't we lost that struggle? I mean we can't keep our SSIDs private, so shouldn't it be public domain?
E: Yeah it would be a good idea to make it public domain I said since also a lot of positive things can be created with this technology, like helping people in emergency situations.
H: Okay ...
M1: I wanted to take the chance to say thanks for this talk. I'm one of the people who actually commissioned the analysis because I work in the inquiry, and it was extremely helpful for us to have the analysis done because we, like you said, keep being confronted with Secret Service people who tell us that no way can mobile phone numbers help in the secret war. So yeah I just wanted to say thanks.
[applause]
H: Yeah, thank you very much.
H: Great, so thank you also very, very much for your work and keep on going with that.
[music]
Subtitles created by c3subtitles.de in the year 2018.