On Mobile Phone Privacy

Recently I've been writing one of the help pages for the Android app, Paranoid for Android, which informs users about some of the risks associated with the use of mobile phones. I thought it might be interesting to include it here.

Paranoid for Android tells you about the apps you have downloaded which could spy on you or spend your money without asking.

But this is not all you may need to be concerned about.

Apps pre-installed by your device's manufacturer can also spy on you. You are implicitly trusting your device's manufacturer, as well as the developers of its system software and its pre-installed apps. Even if you believe all these developers are currently trustworthy, you are still relying on their security and thier willingness to resist external pressure, either from government agencies, or from the need to make money.

Many apps back up all their data to remote servers. These backups many not be secure, or may be in a jurisdiction where government agencies can peruse the data, either with or without judicial oversight.

But it get's worse…

If you're using a mobile phone, even a dumb one, then you have other privacy problems too. For example:

  • Law enforcement and intelligence agencies have been known to install fake cellphone towers (IMSI catchers) to determine the identity (phone number) of all people present at political demonstrations. Often this has been done with no judicial oversight.
  • Your phone company has a record of your approximate location any time your phone is switched on, as well as all your phone calls and the content of all your SMS messages. Depending on where you live, law enforcement and intelligence agencies may have easy access to this information without a warrant.
  • The SS7 protocol used to manage phone calls assumes only trusted parties have access. Unfortunately, this has proved to be a naive assumption. Any phone company anywhere in the world has access to your approximate location, and can eavesdrop on calls and SMS messages. In addition anyone who has privileged access to one of these companies (a government agency or a hacker) can also exploit these features.
  • The phone company not only knows where you are, it also knows who is in the same place as you. By correlating your movements with those of other people, it can determine who your associates are. The same goes for anybody who can get access to this data.
  • You might think that carrying more than one phone will protect your anonymity. However, if two phones often travel together, or if one phone is always turned on shortly after another is turned off, a similar correlation attack can be used to associate your two phones. Indeed, this behavior may draw unwanted attention to your phone usage.

TL;DR

Using a mobile phone gives away a lot of information. Using a smartphone gives away much, much more. Government, business, and personal users should be aware of the amount of personal information that is being leaked every time they carry or use their phone.

Further Reading

  • The Wikipedia article on surveillance is a good starting point. It includes links to more detailed articles on surveillance in various countries, such as The United States , The United Kingdom, China, and India.
  • Hacker News carried a news report in March 2018 about malware being found on five million new Android phones from various manufacturers. It was apparently added without the manufacturers' knowledge at some point in the supply chain.
  • "Elliot Alderson" has produced several exposés of the blatant disregard for customer privacy and unauthorized capture of personal data by phone manufacturers and app developers. You can find these on the @fs0c131y twitter feed.
  • The Guardian reported in 2016 on some of the vulnerabilities in the SS7 protocol used by phone companies to manage and route calls. The problem is unlikely to be fixed.
  • Wikipedia has an article about IMSI catchers, used to obtain information about mobile phones using a fake cell tower.
  • The Citizen Lab is an laboratory based at the Munk School of Global Affairs, University of Toronto, which researches this and related areas. It has produced a report Communities @ Risk: Targeted Digital Threats Against Civil Society which looks at digital threats to groups worldwide.
  • Kieran Healy has written an excellent article on Using Metadata to Find Paul Revere. It illustrates the power of combining data from multiple sources to identify individuals.
  • The Safe and Savvy blog has an article All The Ways Facebook Can Track You, which looks at some of the data Facebook keeps on its users and makes available to its advertisers for user targeting.
  • If you have nothing to hide, you have nothing to fear is an argument frequently used to counter objections to surveillance. Refutations of this argument can be found on Wikipedia. A key point to remember is that the selective release of personal information can be used to smear anybody. As Cardinal Richelieu reportedly remarked, "If you give me six lines written by the hand of the most honest man, I would find something in them to have him hanged".
21 March 2018

If you found this article interesting, please consider please consider subscribing to the Risky Thinking Newsletter to get notified when new articles appear. Recently published articles can be found here.

Do you have any comments? I'd like to hear them. Please use the contact form to get in touch.