Service provider collaboration: Mobile network operators

Contents

Mobile network operators can provide information about you to an adversary.

They can provide:

Additionally, given your phone number, mobile network operators can provide (current and historical) data and metadata about your phone activity:

This means that any of the following conditions can allow an adversary, with the collaboration of mobile network operators, to access (current and historical) data and metadata about your phone activity:

Used in tactics: Incrimination

Mitigations

NameDescription
Anonymous phones

You can use anonymous phones to make it harder for mobile network operators to provide useful information to an adversary.

Digital best practices

You can follow digital best practices to make it harder for mobile network operators to provide useful information to an adversary. For example, you can:

  • Not use a phone, or leave your phone at home.
  • Use end-to-end encrypted messaging applications on your phone, instead of traditional SMS and calls.
Encryption

You can encrypt “in-motion” data to make it harder for mobile network operators to provide useful information to an adversary.

Used in repressive operations

NameDescription
Case against Louna

Investigators used the collaboration of mobile network operators to geolocate approximately 30 phones and intercept their calls in real time.[3] In particular, investigators used the intercepted calls to:

  • Hear about a meeting outside apartment buildings, set up physical surveillance of those buildings, and arrest two people who went to the meeting.
  • Hear Louna make an appointment with a doctor, then contact the doctor to obtain Louna's personal information, including her address and phone number.
Repression of the attack on Clarín's headquarters

Investigators used the collaboration of mobile network operators to:[4]

  • Analyze the activity of some of the defendants' phones at the time of the attack. Several phones were seemingly turned off shortly before the attack and turned back on shortly after, which was considered suspicious. For example, one phone was seemingly turned off ten minutes before the attack and turned back on approximately two hours after.
  • Geolocate the phones of some of the defendants retroactively. This showed that:
    • One defendant spent time near the attack site the day before the attack.
    • One defendant was present at the attack site a few minutes before the attack.
  • Intercept phone calls. In intercepted calls, some of the defendants expressed solidarity with those targeted by the investigation and concern about being targeted themselves.
Case against Boris

Investigators used the collaboration of mobile network operators to intercept calls from Boris's phone or the phones of people close to him.[5] They regularly listened to the intercepted calls in real time and used information from the calls to adjust ongoing physical surveillance operations.

December 8 case

Investigators used the collaboration of mobile network operators to geolocate the phones of the defendants and of people close to them in real time and to record unencrypted phone conversations.[6] In particular:

  • In one case, investigators could not determine the phone number used by one of the defendants, but had determined that the defendant often moved around with another person, so they geolocated the other person's phone in real time to locate the defendant.
  • In one case, investigators followed one of the defendants as part of a physical surveillance operation, but lost sight of them. In the following hour, they geolocated the defendant's phone in real time to locate them. As a result, one hour after losing sight of the defendant, investigators regained sight of them and resumed the physical surveillance operation.
Arrest of Stecco

Investigators used the collaboration of mobile network operators to:[7]

  • Intercept the calls of more than 40 phones.
  • Retroactively analyze the phone activity of 69 phones and one phone booth. In particular, once investigators thought they had found the general area where Stecco was living, they checked:
    • Whether any of the 69 phones had called a phone in the area in the past 6 years.
    • Whether Stecco had called a phone in the area in the 5 years before he went on the run.
Bure criminal association case

Investigators used the collaboration of mobile network operators to:[3]

  • Establish links between people.
  • Geolocate phones in real time.
  • Record a large number of phone conversations, including conversations that took place between the moment a call was placed and the moment it was answered (i.e., while the phone was ringing).
  • Identify the phone numbers that were active around Bure during three demonstrations that took place there in February, June, and August 2017, including 55 numbers that were active during all three demonstrations.
Case against Revolutionära fronten

Investigators used the collaboration of mobile network operators to retroactively geolocate the phones of some of the defendants on the day of the Stockholm beating.[3] This showed that, on that day:

  • Some phones had moved to Stockholm, suggesting that their owners had also traveled to Stockholm.
  • Some other phones were turned off early in the morning and turned back on late at night, suggesting that their owners may have turned off their phones to avoid being tracked when going to Stockholm.
Case against Amos Mbedzi

Investigators found Mbedzi's and his comrades' phones at the bombing site, and used the collaboration of mobile network operators to retrospectively geolocate them and analyze their call history.[8] This showed that Mbedzi and his comrades regularly called each other and therefore knew each other, and had traveled together from South Africa to Eswatini the night before the bombing attempt.

Mauvaises intentions

Investigators used the collaboration of mobile network operators to link phone numbers to civil identities, to know which phone numbers were in contact with each other, to geolocate phones (both retrospectively and in real time) and to record phone calls.[9]

Operation 8

Investigators used the collaboration of mobile network operators to intercept calls and text messages.[10] The intercepted text messages revealed the dates and locations of the “training camps” and who attended them.


1. 

An International Mobile Equipment Identity (IMEI) number is a number that uniquely identifies a phone.

2. 

For example, if an adversary knows that you were in place A on Monday and in place B on Tuesday, and they know from cell tower data that a particular phone was the only phone that was also in place A on Monday and in place B on Tuesday, they can deduce the phone is yours.

3. 

Private source.