Service provider collaboration: Mobile network operators

You can use anonymous phones to make it harder for mobile network operators to provide useful information to an adversary.

You can follow digital best practices to make it harder for mobile network operators to provide useful information to an adversary. For example, you can:

• Not use a phone, or leave your phone at home.
• Use end-to-end encrypted messaging applications on your phone, instead of traditional SMS and calls.

You can encrypt “in-motion” data to make it harder for mobile network operators to provide useful information to an adversary.

Investigators used the collaboration of mobile network operators to geolocate approximately 30 phones and intercept their calls in real time.^[3] In particular, investigators used the intercepted calls to:

• Hear about a meeting outside apartment buildings, set up physical surveillance of those buildings, and arrest two people who went to the meeting.
• Hear Louna make an appointment with a doctor, then contact the doctor to obtain Louna's personal information, including her address and phone number.

Investigators used the collaboration of mobile network operators to:^[4]

• Analyze the activity of some of the defendants' phones at the time of the attack. Several phones were seemingly turned off shortly before the attack and turned back on shortly after, which was considered suspicious. For example, one phone was seemingly turned off ten minutes before the attack and turned back on approximately two hours after.
• Geolocate the phones of some of the defendants retroactively. This showed that:
  • One defendant spent time near the attack site the day before the attack.
  • One defendant was present at the attack site a few minutes before the attack.
• Intercept phone calls. In intercepted calls, some of the defendants expressed solidarity with those targeted by the investigation and concern about being targeted themselves.

Investigators used the collaboration of mobile network operators to intercept calls from Boris's phone or the phones of people close to him.^[5] They regularly listened to the intercepted calls in real time and used information from the calls to adjust ongoing physical surveillance operations.

Investigators used the collaboration of mobile network operators to geolocate the phones of the defendants and of people close to them in real time and to record unencrypted phone conversations.^[6] In particular:

• In one case, investigators could not determine the phone number used by one of the defendants, but had determined that the defendant often moved around with another person, so they geolocated the other person's phone in real time to locate the defendant.
• In one case, investigators followed one of the defendants as part of a physical surveillance operation, but lost sight of them. In the following hour, they geolocated the defendant's phone in real time to locate them. As a result, one hour after losing sight of the defendant, investigators regained sight of them and resumed the physical surveillance operation.

Investigators used the collaboration of mobile network operators to:^[7]

• Intercept the calls of more than 40 phones.
• Retroactively analyze the phone activity of 69 phones and one phone booth. In particular, once investigators thought they had found the general area where Stecco was living, they checked:
  • Whether any of the 69 phones had called a phone in the area in the past 6 years.
  • Whether Stecco had called a phone in the area in the 5 years before he went on the run.

Investigators used the collaboration of mobile network operators to:^[3]

• Establish links between people.
• Geolocate phones in real time.
• Record a large number of phone conversations, including conversations that took place between the moment a call was placed and the moment it was answered (i.e., while the phone was ringing).
• Identify the phone numbers that were active around Bure during three demonstrations that took place there in February, June, and August 2017, including 55 numbers that were active during all three demonstrations.

Investigators used the collaboration of mobile network operators to retroactively geolocate the phones of some of the defendants on the day of the Stockholm beating.^[3] This showed that, on that day:

• Some phones had moved to Stockholm, suggesting that their owners had also traveled to Stockholm.
• Some other phones were turned off early in the morning and turned back on late at night, suggesting that their owners may have turned off their phones to avoid being tracked when going to Stockholm.

Investigators found Mbedzi's and his comrades' phones at the bombing site, and used the collaboration of mobile network operators to retrospectively geolocate them and analyze their call history.^[8] This showed that Mbedzi and his comrades regularly called each other and therefore knew each other, and had traveled together from South Africa to Eswatini the night before the bombing attempt.

Investigators used the collaboration of mobile network operators to link phone numbers to civil identities, to know which phone numbers were in contact with each other, to geolocate phones (both retrospectively and in real time) and to record phone calls.^[9]

Investigators used the collaboration of mobile network operators to intercept calls and text messages.^[10] The intercepted text messages revealed the dates and locations of the “training camps” and who attended them.