The NSA is spying and was spying and we had Snowden, we have a lot of documents to look at

and there is some new research on how they used geolocation methods in mobile networks. It is done by the University of Hamburg and we have here Eric who will present

this research to you and he has done this for the German government and for the NSA which we call NS-Auer which means like NS-Auch kind of. He is a PhD student and holds a master

in physics so give him a warm applause and for those coming later please go to your seats and try to be quiet. Yeah, thank you. Hello, I'm really happy to have you all here and

I welcome you to my talk about geolocation methods and mobile networks. My name is Eric Su and I'm a PhD student at the University of Hamburg. So in the beginning I want to point out

why I'm giving this talk. So the German Parliamentary Investigative Committee wanted to find out about the German involvement in US drone strikes and then the German government officials claimed that they do not know anything or they

do not know any possibility how to use a phone number for targeting drone strikes and the investigative committee did not really believe this statement and so they asked our research group at the University of Hamburg to prepare a report and we handed in that report to

the Bundestag and it was very soon afterwards also published by netspolitik.org. Thank you for that. And it contains like technical methods and approximates the accuracy to localize mobile

phones and it also points out which technical identifiers are required to conduct such geolocation. Now I give you my agenda for today. First I will speak about the purpose of geolocation data

and then we are looking into a broad variety of different approaches to conduct such a geolocation in mobile networks and then we specify on drones and look into the technical methods which can be conducted with drones and then I'm going to point out which technical identifier we can use

for such a geolocation. And lastly I'm going to sum up. So the purpose of geolocation data it is a neutral technology so we can use it for rescue missions for example if somebody

got lost in the forest or in the mountains we can use geolocation data to find that person and rescue the person or if you ever use google traffic there you can profit from

monitoring traffic conditions but we can also use it to innovate the privacy of persons for example if we identify people on surveillance footage or if we track the location of a certain individual over a longer period and certainly we can use it use this data for targeting

drone strikes. However I want to point out that these data they are not they are not suitable to prove the identity of a person so if somebody is conducting a drone

strike based on this data then he is actually not knowing who he is going to kill. So on the right side you see an image of a explosion site from a Hellfire missile. A Hellfire missile is usually used from by these drones and you can approximate that the blast radius

is around 20 meters so we would consider a targeted drone strike if we have a geolocation method which can determine the position of a person more precise than 20 meters in radius.

So the first approach which I want to present are time measurements and the symbol which you see down there it's a base station for for the next couple of slides and a base station and this

is the point in in a mobile network where your phone connects to and you on the slides you can certainly interchange this base station with an MC catcher. MC catcher is something like a face fake base station from a third party and you could even build it yourself.

So the method used to calculate the position of a phone is for time measurements pre-literation. You have to know that that signal is usually traveling with this or is traveling with the speed of light so when you measure the time you can also measure the

distance. And here there are three methods presented. These are time of arrival where the signal moves from the hand phone to the three base stations and the accuracy is between 50 and 200 meters. This really depends on the cell size and it can be more precise or

less precise. So then we have time difference of arrival which is like a round trip measurement and we have an enhanced observed time difference where the mobile phone actually

computes the location within the mobile and within the cell and the accuracy is between 50 to 125 meters. So the next method which I want to present are angular measurements.

When you conduct angular measurements then you determine the direction of arrival from the signal and afterwards you do a calculation which is called triangulation and therefore you have to know the position of the base station but also the alignment of your antenna. And for this method there are certainly two base stations or MZ catch are sufficient to

determine the position of the mobile phone. The accuracy is usually in field experiments between 100 and 200 meters and the challenge for this method but also for the ones on the

slides is that on normal mobile cells you don't have a line of sight to each base station from your mobile phone and so the signal gets disturbed by buildings in the way and then the

accuracy becomes worse. So the next method I want to show you I think most of you will know a little bit about GPS and how it's calculated. So satellites GPS satellites broadcast their time

and their position and the mobile phone uses again pre-lateralization to calculate its position and the accuracy is usually below 10 meters but it depends a little bit on the ship set within the mobile phone. And then the base station can request the position of the phone by issuing a

radio or by issuing a request with the radio resource location service protocol. So another method which I want to present is the mining of internet traffic. Some smartphones send GPS coordinates or the names of nearby wi-fi networks which are also called SSIDs

to online services and usually these allow the determination of the position around or below 10 meters and it is certainly possible to intercept this traffic and evaluate the geolocation.

So here I have two quotes for you. The first one it effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system. This quote comes from this known archive and was issued in the year 2008. So we certainly see that there is some proof

that at least at those days they enter or some third parties intercepted those traffic and used it for determining the geolocation. And if you want to

work with and determine the location with the SSIDs it is necessary that you have a map where certain wi-fi access points are located and therefore we have also something like a proof

that this has been done by the NSA and this is the mission Victory Dance where they are mapping the wi-fi fingerprint in every major town in Yemen and in Yemen also a lot of drone strikes are conducted. So let's go to the next method. Signal system number seven is a protocol which is

used for communication between network providers and network providers need to know where in which cell a mobile phone is located to enable the communication and these informations are saved

in location registers and a third party can easily request these location informations. I want to refer to the talk by Tobias Engel which he gave a talk two years ago which really goes into the details of this method and maybe if you like to there are also commercial

services available to access this data. So let's talk about drones. We do not have very solid proofs that geolocation methods are conducted by drones

but we have certainly hints. A hint is this Gilgamesh system which is based on the which describes an MC catcher so but if anybody of you has access to more documents

yeah it would be nice to have a look. So the easiest method would be certainly

to request for GPS coordinates and there you just replace the base station with a drone but and the measurement the method which is better or which I think is the preferred one are angular measurements. Angular measurements if you have a look in our report

that we approximated that the accuracy of these methods are between five and 35 meters in radius from a altitude of two kilometers and if you get closer to the mobile phone it becomes more accurate. So it would be to some extent to be sufficient to

conduct a targeted drone strike on this data and in the meantime since this report was handed over to the Bundestag I also found other work which described that they are able to

achieve an accuracy of one meter from three kilometers altitude for small airplanes. You have to know that those sensors and to measure the angle of arrival that they are usually located within the wings and within the front of the phone and when the plane

becomes larger it's also easier to have a more accurate measurement. Then I want to point out that a single measurement can be sufficient to determine the location of a mobile phone if we can assume that the target is on the ground. So if you assume that the target is

maybe in a building in Yemen so a single measurement would be sufficient on a low building in Yemen and the skyscraper would be more difficult. So and the big advantage of these methods is that environmental parameters have a very low influence since we can have a

almost line of sight which allows a better accuracy. So now I'm going to talk about the identifiers which can be used for geolocation. Certainly the phone number

and each MC catcher or base station can request a can issue a identity request to a mobile phone and then receive the MC or EMI. The MC is something like a unique description for a certain

customer in the mobile network and the EMI is like a unique serial number for a device. So when we include those methods of mining internet traffic then we can also add a lot of

more identifiers. For example an Apple ID or Android ID, Mac address, even cookies or user names. If you are interested in this you can have a look at the link I provided there

that there's a very interesting paper about this. So I come to my last slide, my summary. I showed you a lot of different methods to localize a mobile phone

and I pointed out that a single drone can localize a mobile phone with an accuracy which is sufficient to conduct a targeted drone strike. Since this document was handed over to the Bundestag they also never denied that these methods can be used for the or that the accuracy

of these methods is true. Then I pointed out that as an identifier the phone number, the MC and the EMI each can be used for the geolocation of a mobile phone.

And the last information which I want to give you is that geolocation methods cannot prove the identity of a person and this is really important to know that we are not yeah that when we conduct or when somebody is conducting these drone strikes

and that they are not aware of who is actually using the phone and so it can happen that they are killing the wrong person. So I thank you very much. I thank my colleagues and my family and everybody. Thank you. That's great. Thank you very much. It's the first

talk we have here today where we can have a lot of questions. So come on, you have the microphones number one, number two, number three, number four and ask your questions. It's your only

chance to have this man answering them. No questions. Here's someone. No. Yeah. Sorry.

No problem. Number four. Hello. Do you know why we are located in London right now when we use Google Maps here? Do you know, can you ask it again? Do you know why we are located in London? Yes. When we use Google Maps we are located in London. Do you know that? The congress is located in London. Do you know why? I'm not aware.

Okay. I thought this was on plan. Okay. Thank you. Number one. Okay. So on slide 12 you showed this angle of arrival. Can you please be quiet? We can't understand the questions

unless you are quiet. Sorry. Okay. So on slide 12 you showed the angle of arrival method executed by a drone. Is this a passive method or does it require some cooperation by either the phone company or by the targeted mobile phone? It can be conducted passively. Like

if you call the phone or page the phone multiple times and you see which phone is answering this paging. Okay. It needs to be active in a way that you contact the phone but you don't need an active MC catcher for it. You just call the phone and then you see

which phone is answering and then you know where the phone is situated. Thanks. Yeah. I see that we have a question over there. So can you just ask your question please?

Here? Yes, number eight please. Thank you for your talk. I'd like to ask a question about tracking unpowered mobile phones. I mean you mentioned lots of methods for phones which are both we both have their batteries inserted and are actively operating. Could you elaborate a bit about the methods of tracking phones which seem to be all turned off from the user's

point of view and maybe also something about those who have their batteries removed? Actually if you really turn off your phone over a long period, let's say a couple of months, I

think you are safe. That's good to know. But actually like if you have a base station and somebody is switching off his phone and maybe he's meeting somebody else at that point and somebody else is also switching off his phone, then it can be suspicious. But

yeah it really depends whether somebody is looking into this data or not. Thank you. Number eight again. I had a short question. As you described, we are somehow dependent on the good

for instance and I wanted to ask if there's some way to avoid geolocation or use Google Maps without sending identity to services. That is fairly difficult. I would assume that GPS phones

are a little bit better to avoid geolocation, especially if you add additional GPS spoofing because the network cells are really large and so it's more difficult to track you within the

network cell. But if you have a drone right above you and you emit a physical signal then the drone will always be able to localize where the signal came from. So yeah it's difficult because it's physically difficult. Okay thanks. Number one please. So I have a question about the

physicalities of receiving or localizing or making angular measurements of a phone within as like a densely populated area where there's possibly like tens of thousands of zones within the receptional area of a three kilometer high drone.

That would obviously require you to be more sensitive on one hand than this cell tower and on the other hand also receive at the same time and sort out all kinds of interference. Usually a cell can be between let's say 200 meters and 30 kilometers in size. So

three kilometers in altitude is not very high. So you assume that the drone does a pre-selection via whatever digital beamforming on the ground path path and only looks at a cell of interest

because he knows from the network that the suspect is in that cell. It depends on the area like in an urban area you have to reduce the size of the cell otherwise you would receive too many signals but in a countryside you can have larger cells or you can cover a larger area.

Regarding covering larger areas, did you take, considering that these drones aren't really like our quadcopter size, they're more like airplane sized usually, proper airplanes, did you take the classical synthetic aperture radar techniques of like observing something

for a long time while flying straight over it and then integrating over it into account because that's usually where we get like our high resolution radar imagery of the earth. You can conduct multiple measurements or you just conduct one if you know that the target is on the

ground. So yeah but did that account for your estimated accuracy? No it's not necessary to integrate. Okay thanks. Thank you we have a question from the internet. Yes the internet wants to know if there are attributes which you can change off the phone to stop surveillance so attributes

like the EMI for example. Can you please repeat the question? Are there attributes of the phone which you can change to stop surveillance? Yeah certainly you can fake the EMI or the MC that is also another reason why it's not sufficient to prove the identity

because any phone can just fake this data. And we have a second question which is does the GSM network have a feature which allows anyone to get the GPS data from the phone?

Yeah it would be that the radio resource location service protocol. So thank you. Okay number five. Hello you delivered your work to the NSA Unterzurungsauschuss

and the Bundestag did not say anything about it but is there a statement from the NSA Unterzurungsauschuss? And the government said something about it. They said that they washed their hands and said we did everything nicely because we added also a disclaimer to the data

we provided and that the disclaimer says that the NSA is forced to stick to the German law and that they are not allowed to do whatever they want with this data.

Thank you. Very nice. Number six please. Hello I'm on slide 12. You specified accuracy of about five meters for two drones so how does it scale if you would use more than two drones

for example 10 or whatever? I think that there was a small misunderstanding actually one drone is sufficient. Okay so could you use more than one drone? Yeah you can use as many as you want but one is sufficient. Yeah but that of course but

does the accuracy increase by using more than one? Yeah if you go closer to the target and then the accuracy increases. Okay but with the same distance but more than one drone?

No actually not. Okay thank you. Number four please. Also referring to the accuracies you were talking about field experiments and so on, did you conduct those yourself or where did you get all the information from? These are some references there you can find the field

experiments. Thank you very much. Number two please. Thank you very much for the interesting talk. My question is regarding the fingerprint which you can use on many phones to unlock the phone. Is there currently and if not will there or do you think there will be a possibility

that for example an app which requires the fingerprint identification on the phone that this is also passively read and by that you increase the identification of persons? Did you understand the question? Yeah but I think this is like based on the GSM network and

the other things that's based on the operating system. So currently using this technology there couldn't be, it's not possible to link this or not? Okay thank you. Okay number one please. My question is actually about the civil use of geolocation services not so much about

phones. So you mentioned that every time you use an online service that uses geolocation you send the SSIDs of nearby wi-fi networks and with every request you actually enrich a wi-fi map, wi-fi database of either Google if it's on Android or Apple if it's on iOS.

Now there was a talk at CCC here in 2009 when this technology was still nascent and then back then it was called Skyhook but then the speaker had this provocative question shouldn't this wi-fi map be public domain instead of just a belonging proprietary and belong either to Apple or Google

nowadays? So haven't we lost that struggle? I mean we can't keep our SSIDs private so shouldn't it be public domain? Yeah it would be a good idea to make a public domain since also a lot of positive things can be created with this technology like helping people in emergency situations.

Okay Anna. I wanted to take the chance to say thanks for this talk. I'm one of the people who actually commissioned the analysis because I work in the inquiry and it was extremely helpful for us to have the analysis done because we like you said keep being confronted with secret

service people who tell us that no way can mobile phone numbers help in the secret war. So yeah I just wanted to say thanks. Yeah thank you very much. Great so thank you also very

much for your work and keep on going with that.