Your mobile phone keeps track of all the activity done on the mobile network: from placing or receiving a call, to sending a message, browsing the web, or just being connected and ready to receive communication.
Despite its incredible convenience and usefulness, your mobile phone may reveal information about you and your physical location. This is especially problematic if you are worried about your physical location being discovered by unwelcome entities.
How do they know it’s me?
The mobile network operator requires particular pieces of data to maintain the connectivity of your device as well as bill you for your services. These include:
IMEI: a unique identifier number tied with the specific mobile phone device connected to the network, almost like a serial number for the specific phone.
IMSI: a unique identifier for a user of a mobile network. The IMSI is stored in the SIM card for those phones using GSM networks, and within the phone or the R-UIM card for phones using CDMA networks. The IMSI is shown on any mobile network that can connect with other networks. Thus, if you are roaming between GSM networks to a CDMA network (or vice versa), your IMSI will still appear on these different (but interconnected) networks.
In addition, when purchasing a SIM card or a mobile phone, you may have to provide additional personal information. In many countries, you may not be able to get a device and service plan without a credit card, or even buy a SIM card without presenting your ID, home address, etc.
When placing a call or sending a text message, both the IMEI and IMSI are detectable on the mobile network. When reaching out via mobile phone to a contact that is highly monitored (or if you as a journalist are under surveillance), this data can be retrieved and potentially used against you, either through legal mechanisms, intelligence or government requests for data, or extra-legal mechanisms (use of IMSI catchers, corrupt employees, etc.).
Coupled with these pieces of data, the actual physical location of you and your device can be discovered as well.
Where you’re at: There are several ways in which your phone can give away your physical location:
Cellular Network: Your mobile phone, when it is on, is constantly communicating to the nearest mobile network operator (MNO) towers. This process ensures that calls can be received, text messages sent, etc. This constant “pinging” to the nearest towers can triangulate your location, by estimating where you are based on the overlap of these towers’ reach. This can be seen by the MNO, and anyone with access to the MNO’s records.
GPS: Most smartphones come equipped with GPS functionality, to enhance the efficacy of any applications needing location-based data (maps, social media apps, etc.).
Internet (and provider): Phones connected to the internet are assigned a temporary IP address, which allows any website you visit to estimate your location based on your IP address. In fact, mobile providers keep a record of what phones were assigned which temporary IP addresses. If a mobile provider cooperates with a website, they can match an IP address with a mobile phone’s location using archived mobile network locations or GPS coordinates.
I want you to know where I’m at: Depending on the type of story you’re covering and the risks you may encounter, it’s quite powerful to use this revealed data about you and your geolocation to your advantage. Your device’s location tracking can be used as a record of your various locations for a given time. If you or a fellow journalist fails to check in or goes missing, the network operator and smartphone-specific applications can determine where the device is located.
Don’t follow me
If any of these facts raise concerns, and you must use a mobile phone for your work, here are some basic steps you can take to mitigate this leaked information:
Get a second phone and/or SIM card: to have a device and SIM card with as little traceability to you. Also known as a “burner phone,” the aim of these is to use these for short-term use. Good examples of these include buying a prepaid mobile phone in cash.
- Make sure to keep this phone physically separate from your normal phones or locations.
- When not in use, keep the battery removed (explained below) and turned off. Only turn the phone back on when you are away from your home or place of business.
- Don’t swap out the SIM card into your other phones: The IMSI number will then be paired and associated with your non-sensitive devices. It’s better to get a new burner phone, as the IMEI can still be traced to your previous activities on a different SIM card.
To turn the phone “off” completely, remove the battery: If someone has “tapped” into your mobile phone, it is possible for them to turn your phone back on, even without you physically pressing the “on” or power button.
- If you suspect this is happening, an indicator of this can be significantly reduced battery life when on for a short period of time.
- If you need to use your phone at a particular location, you can turn the phone off and remove the battery before you leave, then return the battery and turn it on after you arrive to obfuscate your travel path.
- Leave sensitive locations before putting the battery in and turning on your phone, and then turn the phone on later in a different location.
- Take the phone “for a walk”: give your phone to someone you trust who can to a different location where you will not be.
Disable GPS and location services: These features are available under the settings within your phone.
- Note: there may be multiple options for disabling location services. You should deselect all of them
Lindsay Beck is a Program Officer at the National Democratic Institute’s NDItech team. Lindsay works on integrating use of innovative applications of technology to the unique challenges of countries worldwide, focusing on how NDI and its partners can safeguard their data and communications in their projects to hold governments accountable as well as monitor elections and other political processes. Lindsay received her Master’s degree candidate in International Affairs, focusing on Technology in International Affairs, at the Elliott School at the George Washington University. You can find her on Twitter @becklindsay.
OpenITP improves and increases the distribution of open source anti-surveillance and anti-censorship tools by providing the communities behind these tools with many kinds of support. Follow us at @OpenITP If you would like to contribute to this column or learn more, contact Sandra Ordonez at sandraordonez AT OpenITP DOT org.
Great article.
I’d like to add something about “when should I be worried?” Do you need to be concerned about the phone company having this information? The FBI? Drug cartels? The Syrian government? Once you’ve figured out who you should be worried about, you then need to ask how (and how easily) they could get the information described above.
Without asking such questions there is no way to make sensible security choices.
Absolutely agree. Before determining any security choices, doing a risk/threat assessment to identify who would want access to your data and why, as well as how likely it is to happen and how damaging the effects of that data capture would be, is an important first step.
Thanks, this was very helpful. If you have any information about exactly what “airplane mode” does and doesn’t do, that might be good to talk about too. A lot of people think it makes their phone invisible to the mobile network…
And there you go! That’s why I search every IP address (even the least bit questionable) on http://ipaddress.com to see who is visiting me. You never know and it is not a 100% method because they can be spoofed, but most are identified and with what organization is, umm, browsing.
Thanks for this information, I don’t really convince about hacking but anyway thanks again for the tips.