by DoctorOetker 2724 days ago
relevant clip:

https://www.youtube.com/watch?v=GOkFHTGgao8&t=68m36s

On a more serious note, even if such data is not resold commercially, and even if more detailed surveillance by a real human analyst only occurs when automated red flags are raised, and the system was designed to only allow the analyst access to the detailed data if enough or the right combination of red flags are raised, there is a remaining problem: if your job consists of interpreting all day long the details surrounding red flags concerning an individual case by case, and an individual piques your interest (legitimately or not) and if your access to detailed surveillance on this individual expires when the red flags expire (in order to keep the analyst workforce focussed on their job, not their pet theories), then it becomes trivial for the analyst to "tag" an individual of choice (out of curiosity, fascination) or a previous target (to prolong detailed surveillance): just arrange for an automated red flag concerning this individual to go off! You don't need to guess what types of automated red flags exist since you are constantly handling cases of individuals, and the red flags that were triggered!

(Oct 15) A few months back, my sister visited me in the city I live in, and at one point she asked if I could use a prepaid SIM card that was soon to expire (16 days later, or valid up to and including Oct 31). I said I don't really need it, but if she couldn't think of anyone else I would probably use it to call some of my more remote friends (I usually text). She remarked it was stupid that she had forgotten to bring the card. I remember asking why she bought it if she didn't use it?? But she said something along the lines of "I'm not really sure". I had the impression she didn't buy it, but in turn somebody had given her the card... I also said it's OK if she gave it to someone else. At that point I assumed that was what would happen, and simply forgot about her mentioning the SIM card.

Here in Belgium, the mail is delivered "D+1", so pretty quickly..

(Oct 24) Nine days after my sister visited me, I am staring out of my living room onto the street, and I see the postman going through the street and crossing to enter the apartment building I am in. After a while I notice him at the end of the street, so he already passed.

I go down to check the mail, and there's a notification card, telling me about a letter with insufficient postage, that I wasn't home, and that I can go to the post office if I wish to pay and receive it nonetheless...

Here the weight for a single post stamp is 50 grams. So that's quite a letter. I had forgotten about the SIM card and started fantasizing about a (long) love letter from N (a girl from the past).

Obviously I go to the post office, I say I want to pay for the postage, and I ask who the letter was from. The employee looks at me as if I don't understand the postage system and says: "If it had a return address, it would have gone straight back to the sender. So the envelope did not state a sender, in which case the recipient can elect to pay for sufficient postage." I suddenly had a flashback to elementary school, and these once-deeply-studied facts long ignored immediately sprang alive. "Of course!" I said...

I ask when I will receive it, and he says it depends if I want to go pick it up today at the main post depot, or if I wish to receive it by mail, and in that case in just a few days. I tell him they can send it by mail.

From then on, the first thing I do upon awaking is run down to get "N's love letter". However, no letter marked with the "insufficient postage" stamp arrives.

(Nov 1) The SIM card expires.

I distinctly remember one day noticing it had already been exactly 2 weeks and I still didn't get the letter. That same day (Nov 7) I read in the papers that the national postage system starts a strike, and mail already underway will be on time, but new mail may get delayed.

The strike is still ongoing about 2 days later, when I finally receive the letter marked with the "insufficient postage" stamp. Immediate disappointment: it's not from N but from my sister, and it's the SIM card.

Immediately more inconsistencies pop up: 1) my sister did of course, as always, state her name and return address on the letter; 2) the whole envelope, greeting card and unopened prepaid SIM card weigh less than 20 grams, let alone 50 grams!

So I fire up my abductive reasoning skills.

Of the hundreds of letters I receive:

What is the probability, or how often do I receive a letter that is insufficiently stamped? It was my very first such letter!

Moreover what is the probability that a letter is incorrectly marked with "insufficient postage"?

Moreover what is the probability that a letter with return address is sent on to the recipient if it has "insufficient postage" ?

Those co-incident probabilities are very low indeed. And it is also the first letter I receive that contains a prepaid SIM card. Bingo! Obviously authorities do not want people mailing unused prepaid SIM cards! That may re-anonymize any over-the-counter de-anonymization, like paying with card!

Probably criminals (perhaps also investigative journalists) create demand for clean SIM cards, where the cleanliness to the buyer is illustrated by the prepaid SIM card package still being unopened...

So the motive to detect and intercept SIM cards in mail exists.

Now I obviously get curious, how did they detect this in the benign case of my sister sending me her almost expiring SIM card?

The actual SIM card is to be broken out of the larger card, which states the PIN and PUK code...

This larger card has the same dimensions as credit/smart cards...

They both contain a chip under the contacts...

Some credit cards contain RFID for contactless payments...

So I postulate abductively that the larger card with PIN and PUK code contains an RFID coil, and when breaking out the SIM card, its connection to the coil is broken!

Are these RFID tags visible with off-the-shelf commercial RFID readers? Or are there also "secret" tags that the readers refuse to identify by design? If so, and someone finds a way to detect this secret class of RFID tags, then we may find more of these in unexpected places/locations...

I will see my sister back in a few weeks, and she will obviously ask if I made use of the SIM card. Now I hate lying, and I also hate disappointing people when something is not really my fault, since the unjustified insufficient postage delay caused the card to expire. Then I will ask if she actually bought the card herself, was given the card, or if she somehow found the card, for example mysteriously in her mail box...

Everybody has their own SIM card, nobody really needs an extra one, and my sister is not very sociable, she wouldn't know who to give a surplus card about to expire.

So if an analyst wanted to tag me (or her), it is entirely predictable she would ask her younger brother if he perhaps could use it! And that she would send it by mail (since we live in different cities).

Any future analyst will come to believe this red flag in the record is genuine, and not a placed one! It is entirely conceivable that there are some very unlucky people with a boatload of flags on their record, which convince the new analyst that this individual needs more tracking even if the last flag expires... so they place a new flag! and after this analyst's second term of observing the individual, he gives up, ... until next time a new analyst observes the person's record, is amazed with the richly filled flags in the past, and perhaps does the same....

Now apart from being overzealous and having pet theories, what other motivation could the analyst have to bypass the agency focus mechanism by placing tags? What about pure boredom? The first time you investigate a bunch of neo-Nazi scum you are all excited, and the first time you investigate some angry Muslim lowlife, you are similarly excited... but after a few weeks/months/years you realize there is nothing exciting, just the endless stream of boring as hell Hitler greetings, and the boring as hell angry Muslims communicating things like "the infidel whore!" etc... It's like working at the zoo: when you are small it seems awesome, and the public part of the zoo is nice, but when you actually work there, the non-public part of the zoo is just grim walls, and shovelling different kinds of excrement. Of course the analyst / zoo employee tries to make quick work of the shoveling part, so he can spend some time checking out the lizards or whatever kind of people really fascinate him in an entertaining way!!

2 comments

This is:

a) the longest comment I’ve ever read all the way through on HN

b) an interesting anecdote

but c) most likely a coincidence.

I agree that the likelihood of such a thing happening is minuscule. However, I’ve had all sorts of strange postage-system-related issues in my time (granted, I’m in the US, which has likely a much worse system) and it doesn’t seem that far out to me that such a letter would have been mishandled by what is likely an automated system.

Maybe if you buy a SIM card and send it to someone else, you can get more conclusive evidence about whether prepaid SIMs are genuinely slowed in transit or if you were just very unlucky. One occurrence does not a trial make.

a) I didn't realize how long my post had gotten in the tiny entry box, until after I had posted it... but I will gladly accept the dubious Cup of "Longest readable HN comment in the Guinness Book of Records"

b) Yes I also think it's very interesting. Initially, before coming to these suspicions, I was pissed off about having to disappoint my sister next time I see her, and the money that was lost buying the SIM card etc, ... but the longer I thought about it and noticed all the inconsistencies in what had happened, it's actually a nice puzzle/gift to receive! Turns out the journey really is the reward after all

c) I have also thought about possible mistakes, but really there is little that can go wrong with a strain gauge! And even if the strain gauge somehow broke, there would have been a long run of letters suddenly appearing for redirection; surely this would be noticed and the letters reweighed... And even if it is incorrectly marked with "insufficient postage", both the sorting, which is supposed to redirect it to the return address, and the eventual postman who did not ring failed to see the return address! And with D+1, a delay of ~20 days is totally unheard of (counting up till Nov 7th when the strike was announced)...

In my response to a sibling of your comment I describe how we can simply dissolve a fresh prepaid SIM card to detect the presence of a possible RFID loop antenna.

I have no idea what your story is trying to say.
I am saying I believe the credit-card-sized card that contains a fresh prepaid SIM card probably contains an RFID loop antenna.

This is trivial to verify or falsify, just buy some acetone in the hardware store:

https://learn.adafruit.com/rfid-iphone/dissolve-the-card

I already bought the acetone, but I did not yet dissolve the SIM card, I want to do this in front of my sister, so she understands why I attach importance to finding out the origin of the unused expired SIM card she sent.

The card is supposedly expired anyway (well to be honest the validity date is printed on a sticker on the outside of the plastic foil package, so in theory it may be a still valid card with a fake early expiration date to encourage my sister to hurry with giving it away...).

I did not yet dissolve the card, but I feel pretty certain there is an RFID coil inside, and that is how they detected and stalled the letter without opening it. Stalled to determine if it is OK or not to allow the card to be sent on or not. "insufficient postage" to increase the possibility of the recipient deciding not to want the letter.

If you can't wait a couple of weeks to hear back from me if there is an RFID tag inside, you can try buying a prepaid SIM card and dissolving it in acetone yourself. If you or someone tries this before February, I would like to know the result.

The whole story got me thinking that the human analysts that process and interpret red flags can easily build a repertoire of tricks to arrange for a red flag concerning a person to go off.

If my sister provides me with a name (perhaps even an address) of whoever gave her the card, I could consider tagging the person back (by sending the SIM card to him).

However I think it is unwise:

1) the person who gave it to her would not necessarily be the analyst, it may be an informant (perhaps a criminal turned informant, in which case I am effectively tagging myself into association with a criminal!)

2) if the person who gave it to her was the analyst, and I addressed the letter to Mr [name] "The Tagging Spook" [surname], and possibly arrange for the letter to have insufficient postage, while hilarious that my case file would then contain a red flag associating me with the analyst called out as a spook, it's unclear how he would react. Any future analyst could notice the burnt name of a colleague. He might need to self-report his bypassing of the automated system raising supposedly spontaneous red flags... Also, I estimate it would not be wise of me to go and poke the hornet's nest. So I think I will stay with just observing and learning...

http://www.dslreports.com/forum/r28362704-RFID-sim-cards-goo...

https://patents.google.com/patent/US7784693B2

Neat read, and Godspeed.

Not sure whether your theories on there actually being an infrastructure for doing these sorts of things is correct, but even a 5 minute google search seems to suggest it is well within technical capabilities to do so.

Might do some more searching for ISO's and other Engineering standards related to them. Telephony is highly dependent on uniform technical standard adherence, so it's out there somewhere. I doubt that the RFID is in the plastic containing the card, it's probably in the card itself.

The unusual coincidences should be pretty easy to replicate with a P.O. Box, and could be consistent with holding times for information propagation or authorization.

Definitely seems like something to mess with if you are bored!

You'll be amazed the things you can find out when you start to peel back the layers, but don't be disappointed if it's just a coincidence.

>Not sure whether your theories on there actually being an infrastructure for doing these sorts of things is correct, but even a 5 minute google search seems to suggest it is well within technical capabilities to do so.

The infrastructure would just be an (perhaps surveillance grade) RFID reader and a small office or locker where the suspect letters end up at each post sorting facility, so a security officer or perhaps just the branch manager can store these until the surveillance state replies what to do with the letter.

I also believe it is probable the standards are visible somewhere, just like I remember the bulk of the surveillance state in Europe was/is visible pre-Snowden in very high detail through the ETSI (European technology and standards institute) standards.

> I doubt that the RFID is in the plastic containing the card, it's probably in the card itself.

I may have used the incorrect word with "contain", so first: the SIM card and the PIN and PUK card are one and the same card, before breaking out the SIM card. I merely suspect the larger PIN/PUK card to contain the RFID coil, because the perforated C-shape around the SIM has the open part of the C directed at the closest edge. Of course it is possible that the RFID coil is in the smaller piece of SIM card itself, but I don't think so because: the contact pads would provide shielding to the coil, and to have the same total area as 4 turns in a Credit Card size, the coil would need many more loops. As a designer I would prefer putting the RFID loop in the larger card.

So I did not mean to say that the coil is in the plastic wrap or anything, in case that was how you understood me.

It may seem weird that (if I am right) the surveillance state designed the SIM cards so the connection with the RFID coil breaks; why not design it monolithically such that you can also track used SIM cards in the mail? I simply predict that there is demand for clean SIM cards on the market, and unopened prepaid packages are considered clean, but then the coil is not broken yet... so used SIM cards may turn out safer (if the previous usage was clean)...

I agree the holding times would be roughly reproducible, but I don't want to cram my file full of red flags...

Yeah, spying involves lots of deceit, and as everyone (hopefully) remembers from kindergarten, the web of lies only grows (and the observable inconsistencies grow with them)

If it hadn't been stalled, I would probably have ended up calling some friends from university time, probably only spent 2/3's of the call credit before it expires, then simply went on with my life. It's their reckless tradecraft that betrayed them. I have no problem talking openly about what I suspect, I am pretty sure plenty of actual criminals have noticed this before me, but they probably don't talk about it in public fora...

Oh, no worries. I just think that SIM and handset manufacturers are going the route of integrating NFC into handsets to support SIM stored payment credentials. I know for a fact it's a hot item in the FinTech industry.

Odds are, you could get a generic reader to get a chirp out of an RFID even without the PIN/PUK card that wouldn't be present in any other package.

IF I were an evil surveillance state taking an interest in mail-borne SIM cards in ANY state (I mean think about this, if you could automate it, figuring out the networks of people who often send SIM's to each other in and of itself is a useful data point) I'd exploit using a small machine that can be innocuously placed on the sorting line to get that chirp.

Biggest problem I imagine would be possible tipping off through damage caused to EMF/RF sensitive packages, but I've not really looked up the math or engineering involved enough to make an educated guess.

Like I said. Interesting problem, and I seriously hope you're not right. That's levels of cyberpunk dystopia that just shouldn't be possible in anything remotely resembling a healthy society.