Mobile phone location tracking via cell towers - 4G vs 5G

Thanks @phnx!

I must admit I’m having a hard time thinking clearly about this. I’ve been over that Nature paper and I think it’s scary but I’m struggling to get a clear picture of what this means in practice.

Let me make up an example.

I start carrying a phone I bought with cash with a SIM card I bought with cash. I blithely go about my daily business carrying it everywhere, generating a nice trail of data points (from cell tower data) which doesn’t have my identity attached.

The paper mostly seems to talk about how dissimilar my trail will be from all the other trails everyone else is generating - four randomly chosen points will probably be enough to pick my trail out. It won’t at this point be known to be my trail, but those four points match my trail and my trail only.

So let’s say I use a credit card with my real name on it at four shops over the space of (say) a month. If we assume those four points are “as good as” random (which I think they probably are in this context), since the physical locations of the shops are known and my phone was turned on and its location being tracked when I visited them, someone who has a) the credit card data b) the shop locations c) my “anonymous” mobile phone trail can combined them and attach my real identity to the mobile phone trail, revealing my entire location history.

If I have that right, the key takeaway here is probably (as you said, I think - I don’t want to put words in your mouth) that it is surprisingly easy to do this kind of correlation. If you’d asked me before I read the paper, I’d have said “sure, you can do this - but you probably need quite a lot of data points”.

Where I am struggling is relating this to my threat model. I am not hiding from the government. (I might like to, just on principle, but it’s well past the point of diminishing returns for me.) I just want to be “left alone” and not tracked, profiled and monitored 24/7.

It doesn’t feel implausible that a random commercial surveillance firm buys both that “anonymous” location track and my credit card history and could tie them together. It’s just really hard for me to judge whether they are going to. Is it worth it for them, when 99% of people are just generating a constant stream of data directly linked to their identity? The commercial surveillance people aren’t specifically interested in me, and maybe I’m just slightly too much work for them to bother with.

I’d still like to thwart them if I can, and maybe this is sufficiently little effort for them that they are doing it anyway and it’s even more important I thwart them. But at this “they can, but will they?” level, it starts to feel more like guesswork.

It has occurred to me that except for a mostly theoretical need to be contacted urgently by family, I really wouldn’t suffer much from having airplane mode on almost 24/7 and relying almost exclusively on home and public wifi. If I really wanted to access the net and didn’t have wifi, it wouldn’t matter that much to reveal my location (from a KYC-ed SIM, let’s say) once in a while by turning airplane mode off for a few minutes - it’s the constant tracking that I really resent.

And maybe it would be good for my mental health etc to realise that I do not need to be contactable instantly 24/7 even by family - most of the time it wouldn’t be a big deal if I was out of touch for a couple of hours. And as I think THO’s video suggested, the reality is that most places I actually go would have free wifi anyway, so it wouldn’t take long before I built up a collection of wifi passwords so my phone was automatically connecting to wifi whenever I got to my destination, so I’d only be out of touch between leaving home and getting there.

Further thoughts/comments welcome, of course. I feel I’m starting to come to some sort of action plan which will give me the modest privacy I want, although I’m also feeling a bit annoyed that I have to work so hard to get it.

Its hard to be full privacy 24/7 and frankly its not worth the hits you take on your sanity. What you desire seems like an anonymity issue rather than a privacy issue. You can no longer be anonymous walking about in the city.

But you can still be private though. That is worth fighting for. Also I live in a rural-ish area now and everyone here knows everyone. You still have no anonymity as I go around town but like to think I still have privacy because people cant look into what I am talking to people in the internet and to my spouse. They dont know the pics I have because I dont post them. That is plenty of privacy for the average person. The kind of privacy and anonymity that you want is exhausting mentally, physically and financially - without a real threat model. Its not healthy nor practical.

Focus on what actually matters. Your private life and private moments. Your conversations and thoughts. Its better to look like a pleb like everyone than stand out without a Facebook account - well I still dont have a facebook account despite the social hits I take. But that is by choice because social media is unhealthy anyway. I will make and have accounts on bad sites if I have to and sometimes if I want to but its ok. I still have my old ancient Google account because its practical to have it (lol I got it from the invite only beta days).

Personally, I find this to be the best approach. It seems fairly pointless to attempt to ‘game’ the cellular networks, especially when location tracking is an inherent trait of the network. Obviously, you should use a trusted VPN on public WiFi.

I disagree. While anonymity definitively plays into it as well, not wanting to have your location constantly collected and tracked is a desire for privacy, not anonymity. I don’t believe wanting that information to be private is or should be any different from wanting your messages or photos to be private. OP says they aren’t overly concerned with revealing their location occasionally, and it is the constant tracking they dislike, which further proves seeking privacy rather than anonymity.

That being said, you are right about this statement, and I would also advise OP not to take it to the extreme. On the other hand, though, especially if you are out with friends or family, for example, disconnecting from your phone is probably a healthy thing to do anyways, and so turning on airplane mode couldn’t hurt.

Thanks @HauntSanctuary and @phnx, and (again) to the earlier contributors.

This has been a really helpful thread - and I’m still interested in any further opinions, if anyone has any. I think I am going to experimentally start turning airplane mode on unless I have a pressing need to be actively contactable and see how it goes - if this spoils my quality of life I can reconsider, but I think the experiment is worthwhile and may have benefits outside of privacy as well.

I disagree. While anonymity definitively plays into it as well, not wanting to have your location constantly collected and tracked is a desire for privacy, not anonymity. I don’t believe wanting that information to be private is or should be any different from wanting your messages or photos to be private. OP says they aren’t overly concerned with revealing their location occasionally, and it is the constant tracking they dislike, which further proves seeking privacy rather than anonymity.

I appreciated this paragraph more than is perhaps rational. I didn’t quite agree with HauntSanctuary’s classification of this as an anonymity issue, but it also didn’t seem to matter that much (no point getting into a tedious discussion of definitions) and I very much appreciated their response and the general advice. But I do sometimes find it hard to keep the distinction between anonymity and privacy straight in my head - I know what I want, but maybe I’m inclined to use the wrong words when I try to explain what I want, and I wondered if this was a case showing up my lack of clarity on these concepts.

Only use cellular when you need it, if you’re on Wi-Fi or don’t currently need cellular, then just turn on airplane mode.

The most important time to turn airplane mode on is when driving or walking, you don’t want cellular providers to build a profile about where you go and when, etc.

mobile connection is not private even locally even on 5g.

I use jmp.chat, it protects you atleast from local stringray / pineapple MITM like attacks.

anything that gets routed through PSTN will not be e2ee.

5g is a little bit more secure than 4g, but not really, Wifi calls’ security depends on the Access point you are connecting to, I think.

only Signal voice calls are e2ee (with metadata) afaik. can use a burner number.

Does GrapheneOS keep from sending precise GPS location when communicating with a cell tower?

Due to the increase no of towers and the use of special technology known as “small cell”, the location tracking is more accurate on 5G as compared to 4G.

GPS is purely passive (phone finds satellite and calculates its location based on where the satellite is), no data is being sent. Cell tower location tracking happens via triangulation (which cell towers you connect to and at what signal strength) and that can’t be avoided unless you’re in aeroplane mode.

I believe they are referring to Radio resource location services protocol - Wikipedia as part of Enhanced 911 - Wikipedia. This allows the carrier to request the GPS/GNSS location of the device.

I haven’t answered because I don’t know the answer. I strongly suspect this is still enabled on GrapheneOS since the network can trivially obtain your location regardless, but given the accuracy of GPS/GNSS, I think it could make sense to disable it (but that’s for the GrapheneOS devs to decide).

Yeah, ODFMA.

It is brilliant: https://youtu.be/bm53RpK-S2k