[surround]

The article assumes that the location data must have been collected because he gave an app permission to access his location. I bet they couldn’t figure out which app it was because it wasn’t an app.

Cell service providers can and do track your cellphone location. All they have to do is measure the signal strength of your cellphone at different towers, and they can triangulate its position.

https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hu...

I’m not familiar with other locations, but in the US, you only have the choice between three cell service providers. All of them admit to selling their own customer’s location data to third parties in their Privacy Policies.

AT&T https://about.att.com/csr/home/privacy/full_privacy_policy.h...

Verizon https://www.verizon.com/about/privacy/full-privacy-policy

T-Mobile/Sprint https://www.t-mobile.com/privacy-center/our-practices/privac...

Remember, you’re paying for these services. But they still sell you out.

I seriously recommend you read the privacy policy for your provider. It seems they collect as much data as possible (not just location, also browsing history and a whole host of other metrics) and share it with as many different parties as possible.

If you are using a cellphone, your location is being tracked. Period. You can’t avoid it. Even TOR isn’t gonna help you.

[henriklied]

> The article assumes that the location data must have been collected because he gave an app permission to access his location. I bet they couldn’t figure out which app it was because it wasn’t an app.

I worked on this story (and the others, we're still publishing [1] [2]).

The dataset we bought from Tamoco didn't contain an app name for most of the data. So instead of guessing, we're open about the fact that we don't quite know. Which is sort of the issue here – there's not a lot of transparency around what is collected and by whom.

The Norwegian Data Protection Agency (DPA) has opened an investigation into Tamoco [2] after our first story, and they want to cooperate with the UK DPA.

[1] https://translate.googleusercontent.com/translate_c?depth=1&...

[2] https://translate.googleusercontent.com/translate_c?depth=1&...

[sizzle]

You should search the dataset for government building coordinates to deanonymize politicians and that ought to really be a scandal worthy of legislation against mobile tracking once you air their dirty secrets e.g. suspected infidelity, leisure trips to brothels, etc.

[tixocloud]

It could be an app - we've had startups approach us to sell location data collected from apps so I wouldn't rule anything out at this point.

[henriklied]

Feel free to contact me if this is something you want to talk about!

[Lex-2008]

> I worked on this story

Having access to original NRK data, is it possible to deanonymize more people (try to check your home address, NRK HQ, etc), and ask them for a list of installed apps to check if all have one in common? Although it's questionable from privacy point of view, so probably better to pursue it in legal ways.

[henriklied]

> is it possible to deanonymize more people

There are more stories coming in the next days and weeks which will touch more on this topic.

[kbf]

I’m cautious about what apps and services get access to my location and I feel like I have good control, but I don’t really have any idea of how carriers like Telenor and Telia handle my location data. Are you planning to touch on this or investigate it in the upcoming articles?

[henriklied]

Not at this point, no. We went into detail on Telia and Telenors analytical platforms last year, though. Should still be up to date: https://nrkbeta.no/2019/10/11/telia-og-telenor-selger-analys...

[etrabroline]

From Verizon:

>We may de-identify or aggregate information so that Verizon or others may use it for business and marketing purposes. For example, the data we aggregate might be used to analyze, personalize and improve our services, to provide business and marketing insights to others and to help make advertising more relevant to you. You have choices about some of these uses

From AT&T:

>Equipment Information includes information that identifies or relates to equipment on our networks, such as type, identifier, status, settings, configuration, software or use. Location Information includes your street address, your ZIP code and where your device is located. Location information is generated when the devices, Products or Services you use interact with cell towers, Wi-Fi routers, Bluetooth services, access points, other devices, beacons and/or with other technologies, including GPS satellites. [...] We may share information with AT&T affiliates and with non-AT&T companies to deliver or assess effectiveness of advertising and marketing campaigns

[tinus_hn]

That kind of triangulation is nowhere near precise enough to reveal the data shown in the article. This is GPS data which the provider does not get.

Remember that many people ‘have nothing to hide’ so they turn on services like Google Latitude. Then later they’re al surprised when their data is sold to the highest bidder.

[user5994461]

>>> That kind of triangulation is nowhere near precise enough to reveal the data shown in the article.

Here, have a read at this article on how cell phone operate and how to track them. Wrote that a few years ago.

https://thehftguy.com/2017/07/19/what-does-it-really-take-to...

And the HN discussion, where developers admit they've been developing that for real for years: https://news.ycombinator.com/item?id=14803443

[tinus_hn]

Your link describes accuracy in an imaginary, optimal case to be ‘can see which block you’re in’.

Sorry, that’s not even close to the data they show in the article, where they can pinpoint the cage someone is watching in a zoo.

Makes sense of course, otherwise, why even have a GPS receiver in the phone?

[user5994461]

This describes how mobile communication work, since mobiles appeared in the 1990s. The phone network has to have (at least) block level accuracy on every phone, otherwise it doesn't work.

Of course it can do much better than that (building level is definitely trivial). The previous comments thread on Hacker News has more details, including some explanations on correlating movements of people to trace every individual one came across and the relations they have. Scary stuff.

GPS is more accurate of course (10 meters or less), but it requires the phone to run a spyware application and drains the battery, unlike simply having a phone that's on.

[mikorym]

> That kind of triangulation is nowhere near precise enough to reveal the data shown in the article

You don't have to speculate, the article does state the method:

>> All modern mobile phones have a GPS receiver, which with the help of satellite can track the exact position of the phone with only a few meters distance.

>> The position data NRK acquired consisted of a table with four hundred million map coordinates from mobiles in Norway. A number in the table led us on the trail of Karl Bjarne Bernhardsen.

I think the general observation is that they (government, cell providers, 3rd parties to whom this is sold) have access to most GPS data and all cell tower triangulation data; the latter they have however often it is set up to be recorded.

[tinus_hn]

Do you really propose a manufacturer like Apple is going to grant continuous access to the GPS receiver in their phone to the providers?

[mikorym]

I am not sure what you are asking. In the OP article they plot each point so that you can see them explicitly. They then mention these are GPS points.

Cell triangulation needs no client side data; it uses only signal strength and three or more towers.

[tinus_hn]

So what is the connection between the GPS points and the cell triangulation? How does having the cell triangulation data lead to having the GPS points? The parent claims the providers can magically access the GPS receiver in the handsets. But they really cannot, so the providers only have coarse data that cannot be used to track people on this level. The data is from another source, not the provider.

It’s much more likely the user agreed to install an app that is recording his location information.

[mikorym]

Oh, that is false of course. If you want GPS data you need access to the phone's GPS, as you are pointing out.

I think the original point about triangulation was just that even if you are as careful as possible, then people can still track you via cell towers.

[thdrdt]

Not exactly. In cities more towers are placed together to give better coverage (for 5G this is a must). Triangulation can then be as accurate as 30 meters.

If you then have a dataset of lets say 100 points around a location you can estimate the exact location even better.

[eitland]

> Remember that many people ‘have nothing to hide’ so they turn on services like Google Latitude. Then later they’re al surprised when their data is sold to the highest bidder.

Do you have any proof that Google does exactly this?

I don't like Google at all (anymore) but I thought Google was somewhat ok in that they never sold my raw data points even if they would sell accesss to place an ad to "visitors who have been at this geographic location recently".

[gvb]

Yes. I had it more than once where I purchased an item from a store and, about 10 minutes later, I received a coupon for a discount at the very store I just made the purchase. It happened to my wife as well.

After the second time that happened, I disabled location in my phone settings and only enable it if I have a specific need for it. I have not received any "spontaneous" coupons since disabling locations.

[eitland]

Still possible without Google dumping your raw location history, but still interesting.

[amelius]

> even if they would sell accesss to place an ad to "visitors who have been at this geographic location recently

So if I click on the ad, the company behind it knows I was on that geographic location recently. This is how Google leaks data.

[eitland]

Yep, but that is still on a vastly different scale than what this article is talking about where raw data points are dumped.

I'm not saying that the case you mention isn't problematic but there's still a not the same as being able to follow you around the city.

[tinus_hn]

The example is to illustrate that people are fine with giving away their data. Google Latitude no longer exists and I don’t think Google sells data like that, they analyse it themselves. But other services do.

[eitland]

1. Fine. But then one shouldn't single out one company that maybe doesn't do this. I was honestly interested in knowing if they were caught red handed but so far no references to that.

2.The function (at least the parts I used) now exists as part of Google maps.

[surround]

I’m not sure if Google would sell user’s location data to advertisers since Google is an advertiser. But they definitely record it for themselves, and the government has access to it as well.

[thdrdt]

This is what always bothers me in movies. There is a secret meeting. Everybody pulls out their sim because they don't want their location to be known.

Well.. no, you already revealed where you were going.

[chopin]

Even pulling out the sim wouldn't help. Without sim the phone can do emergency calls, so the phone is still connected to a network (afaik).

My paranoia is fulfilled with switching the phone off (before leaving home), but others would rely on removing the battery. Snowden recommended putting it in a fridge.

[TomMarius]

It is illegal to not track and save this data in the EU.

> If you are using a cellphone, your location is being tracked. Period. You can’t avoid it. Even TOR isn’t gonna help you.

It is still possible to buy an anonymous SIM in a few countries.

[Nextgrid]

Tracking it and disclosing it only upon a valid court order is one thing. Selling it to anyone who asks (or even leaking it for free) is another thing.

[geraltofrivia]

Even if the SIM's anonymous, as the article demonstrated, it would be easy to de-anonymize it.

[TomMarius]

There are ways to try to stay hidden, like having one stationary and VPN to it from the second one; using a burner second/third/fourth/...-hand phone for the second, etc.

[surround]

In order to connect to the VPN, you must connect to the cell towers, which reveals your location.

And no matter how many burner phones you use, as soon as you visit your home address, your identity is compromised.

[TomMarius]

> In order to connect to the VPN, you must connect to the cell towers, which reveals your location.

It reveals the location of an anonymous SIM with no readable traffic, connecting to an unknown (if you use Tor) and also stationary and anonymous device, which might be planted in any random school, library, workplace...

> And no matter how many burner phones you use, as soon as you visit your home address, your identity is compromised.

Of course - don't do that with the phone on :) that's the basics, isn't it?

[surround]

I don’t understand how connecting to the stationary device helps if you still have to connect to the cell towers.

[propelol]

I don't know if that is true. But the issue here is that the data is being sold to others for other use cases.

[eru]

You used to be able to be an anonymous SIM in the UK. (No clue whether that's still the case.)

The SIM would still be tracked.

Don't think whatever EU laws allowed the UK to keep some SIMS anonymous have changed since they left?

[TomMarius]

The country that still allows it is Czechia. So it's probably not an EU law that requires it.

[eru]

Thanks!

That figures. They are also pretty liberal on their citizens owning guns.

[TomMarius]

Indeed we are, and the gun ownership is not minor as well (every twelfth adult normally carries a weapon).

[jacobush]

Also Sweden

[surround]

As the article demonstrates, it’s easy to de-anonymize the data.