The NSA is spying and was spying and we had Snowden, we have a lot of documents to look at and there is some new research on how they used geolocation methods in mobile networks. It is done by the University of Hamburg and we have here Eric who will present this research to you and he has done this for the German government for the NSA Untersuchungsausschuss which we call NS-Auer which means like NS-Auch kind of. He is a PhD student and holds a master's in physics so give him a warm applause and for those coming later please go to your seats and try to be quiet.
Yeah, thank you. Hello, I am really happy to have you all here and I welcome you to my talk about... Hello, I think it's good that you are all here, welcome to my talk. I am Alexi, Eric Sy. I am a student here at the University of Hamburg.
At the beginning I would like to explain why I am holding this talk. The German parliamentary investigative committee has set up the NSA Untersuchungsausschuss in NS-Auer to find out how they are involved in the drone war. The government says that they do not know anything or they do not know any possibility. The government says that they have no idea or do not even know how to use a phone number to make a target drone. The committee did not really believe the statement and so they asked our research group at the University of Hamburg to give a report and we handed in that report and the one after what was also published by netzpolitik.org, thank you for that and it contains technical methods and approximates the accuracy to localize the phone and it also points out which technical identifiers are required to do something like that. Now I give you my agenda for today.
First of all, I would like to talk about the purpose of geolocation data and the reason why you need geolocation data, then different possibilities, how you can find someone via geolocations, then specifically about the methods with the drones and then I will talk about which technical identifiers we have for mobile network. And then I will make another summary.
Geolocation data is a technology that we can use to find everyone, for example who lives in the forest or who has already used Google traffic. They use it, for example, to monitor the traffic situation. But we can also use the privacy of a person who uses it to listen out. For example, if we observe an individual for a longer period of time and of course also to carry out targeted drone attacks, but I would like to point out that these data are not suitable to determine a person individually. If you make a drone attack based on this data, you are not sure who you are actually turning around. On the right side you can see a picture of such a crater that has caused a Hellfire rocket. You can estimate that the explosion radius is about 120 meters. A targeted drone attack we would estimate something more precise than 20 meters.
So the first, the first voguing that I want to show are time measurements. What you see here is a base station used to connect mobile phones with the network. You can see it from a fake station to log on to mobile phones. The method used to find a mobile phone is the triangulation of different masts. A signal moves mostly with the speed, the light speed. So if you have the difference of the different signals that come, you can estimate where the phone is. The accuracy for such a measurement is between 50 and 200 meters. It depends on the size of the cell. So then we have time difference like a round trip measurement. Then we have the difference of the time of the time difference and we have the improved observed time difference and the accuracy is between 50 and 125 meters.
So the next method which I want to show you is angular measurements. If you want to determine the direction of arrival, then I would say you do a calculation which is called a triangulation of the position of the two base stations and also the direction of the antenna. The accuracy is approximately 100 to 200 meters from experiments and the difficulty of this method and the last sheet is that you don't always have a contact with the mobile phone to the base station. So the signal is destroyed and destroyed by buildings in between and the accuracy suffers from it.
The next method which I want to show, which most of you know, most of you know, is GPS. GPS satellites broadcast their position and the actual time and the mobile phone triangulates these data to determine their own position. The accuracy varies, but that depends on the chipset of the mobile phone. The base station can then ask the mobile phone for the Radio Resource Location Service protocol.
A further method to take over are, for example, the mobile phone networks, the SSID data that you have on your phone. These allow the accuracy of the position of less than 10 meters. It is definitely possible to cut this communication in order to determine the position of a person. Here in the first example, each of the Google Maps is used on a mobile phone. And that's 2008 from the Snowden archives. So there we see at least that it was possible at that time, we have evidence for that. There you can see that people used it to recognize the position of people. And if you want to determine the location with the SSID, it is necessary that you have a card on which it is shown where different Wi-Fi access points are positioned for example. And for that, we also have a proof that it was done by the NSA, that was the Mission Victory Dance, where they used the Wi-Fi fingerprint, that was in Yemen, where they did relatively a lot of drone shots. That was the next method.
Signalling System Number Seven is a protocol that is used to communicate between network providers. And network providers need to know in which cell a mobile phone is to enable the communication. The position of the mobile phone is saved in a local register and third parties, other people can ask this position. Here I refer to a lecture by Tobias Engel, who has been holding it for two years, who goes into detail on this method. And if you want, you can also ask commercial providers to ask this data.
Now let's talk about drones. We have very good evidence that the geolocation position recognition of drones is made. A proof for that is the Gilgamesh system. This is a method for active geolocation recognition on the Predator drones, which an IMSI catcher describes. If one of you has more documents for something like that, it would be very cool to be able to see something about it. It was a call, if you have documents, give it on.
The easiest method would be to ask the GPS coordinates. You just have to exchange the base location with the drone. And the method that is better, or where I think it is preferred, is the angular measurement. If our foreman looks at our report, you can see that we find the accuracy of this method and that it is between 5 and 35 meters from a height of 2 kilometers distance. And if you get closer to the mobile phone, it becomes even more accurate. It would be enough for a certain degree to make targeted drones a crime in the meantime. So while this report was handed over to the Bundestag, I have found other works that speak with an accuracy of 1 meter to 3 kilometer height. You have to know that these sensors to recognize the angle of the phone when the bigger plane becomes lighter to recognize the position. I also want to show that a single measurement can be sufficient to determine the position of the phone if we can assume that the phone is located on the ground.
For example, if the phone is located in a building in Yemen, a measurement would be sufficient. So a low building in a high house would not be so good. The big advantage of this method is that nature has little influence. For example, if you don't see things.
Now I'm going to talk about the identification and how the identifiers can be used to recognize the position. Every base station or IMSI location can send a request to the position and then get an IMSI or IMEI back. An IMSI is like a unique description for a customer in a mobile phone network. And the IMEI is a unique serial number for a device. If we include these methods in the Internet Traffic Minds, we can add a lot more identifiers. For example, an Apple ID or Google ID, a MAC address, cookies or user names. I'm really interested in that. Could you follow this link to the photo? There's a lot of interesting stuff about it.
I'm coming to my last photo, to my summary. There are many different methods to determine the position of a mobile phone. I've also shown that a single drone can locate a mobile phone with a precision of a target drone attack. You said that the precision of these methods is not accurate enough. Then I've shown that the identifier of a mobile phone, the IMSI or IMEI, can be used to determine the geoposition of a mobile phone. And the last information I want to give you is that geoposition can't be used to identify which person the device actually has. That means that they are not actually sure who uses the mobile phone. They only pay attention to the signal that the mobile phone sends. And they can also transfer the wrong person.
Thank you for your attention. I thank my colleagues and my family and everyone.
That was very nice. Thank you. That was the first lecture today where we can answer many, many questions. Come to the microphone, number one, number two, three, four. And ask your questions. It's your only chance to get an answer from this man. No questions. There's someone. No. Yeah.
Sorry. No problem. Number four. Okay, the first question from number four.
Hello. Do you know why we are in London right now? We are using Google Maps here. Can you ask again? Do you know why we are located in London? Yes, when we use Google Maps, we are in London. Do you know that? The Congress is located in London. Do you know why? I'm not aware. Okay.
Can you please be quiet? We can't understand the questions unless you are quiet. Sorry.
Okay, so on slide 12 you showed a different method. Is this a passive method or does it require an active target?
It can be passive. As long as you just turn on the phone. So it has to be active in the sense that it is connected to the network. But you don't need an IMSI catcher for it or something like that. You just call it and see what happens. You look at which phone is back and then you know which phone it is.
I see that we have a question over there. Can you just ask a question, please? Yes, number eight, please.
Thank you for the talk. I'd like to ask you a question. Can you tell us about the connection of mobile phones that are powered without electricity? Of mobile phones that are switched off. Can you elaborate on different methods? So from the user perspective. And what is it with which they took out their batteries?
The answer, the answer. So to be honest, if you switch off your phone for several months, then you are sure. That's good to know. But actually, like if you have a base station and someone switches off his phone because he just wants to talk to someone privately. But if someone else, if you meet someone and he switches off his phone, then it can be suspicious. But then it really depends on whether I always look at these data or not.
Thank you. Number eight again? A question from microphone number eight.
I have a short question. You described, somehow, that we are dependent on the good will from, for example, the NSA.
And I would like to know if there is any way to prevent that you send this information, if you use Google Maps, for example.
That is fairly difficult. That's the answer. That is very difficult. I would guess that GPS phones are a little bit better for us to prevent something like that. Yes, for example, if you set up GPS buffing, because the network cells are very large and therefore it is more difficult to position yourself in the cell. And if you emit a physical signal, then the drone will always be able to localize where the signal came from. But the drone will always be able to find out where the signal comes from if you send it. It's just physically difficult.
Number one thing. I have a question about the physicality of receiving or positioning of positions in a, for example, really deep-fledged region. If that is done by a drone that is 3 kilometers away, that would of course be more sensitive, that you have to be more sensitive about what your evaluation is. And then you have to be able to sort out better in the same time, with all the intelligence and so on.
The answer. Normally, such a cell is between 200 and 3 kilometers big. That's why 3 kilometers in the height are not really high. So you assume that a drone meets a preliminary selection and only looks at a sub-frequency, because it, for example, knows which network you come from and in which cell you are. It depends on the region. In the urban environment, you have to reduce the size of a cell because otherwise you get too much information. But you can also have bigger cells in remote areas.
Because of the remote areas, the drones are the size of a quadcopter or the size of a plane. Do you have the classic methods to observe something for a longer time while you fly over it to integrate it into your calculation? Those are the methods with which we get our high resolution radar pictures.
Yes, you can use different measurements, but you can only use one if you already know where the target is.
But that's not necessarily necessary. Thank you.
One question from the internet. Yes, the internet wants to know if there are attributes that you can change from your phone to stop surveillance, for example the email address. The email, not the email.
Yes, of course, you can fake the email or the IMSI. That's another reason why the mobile alone is not enough to prove who the person is.
Another question from the internet is does the GSM network have a feature that allows everyone to ask the GPS data from a mobile phone?
Yes, it would also be the Radio Resource Location Service protocol. The Radio Resource Location Service protocol is the answer. Thank you.
Hello. You never, you worked to the NSA investigation office? They had an NSA investigation office and the Bundestag didn't say anything about it. Is there a statement from the NSA investigation office?
Yes, the government said that. They said that they washed their hands clean. We did everything nice and nice because we added a disclaimer to the data. And then the disclaimer says that the NSA has to stick to the German law and then also to make sure that they stick to the German law and therefore the data cannot be misused.
Another question from microphone 6. Hello. You specified that the accuracy is about 5 meters with two drones. How would it be if you used more than 10 drones?
I think it's a misunderstanding. One drone is long enough. Okay, then you could use more than one drone? Yes, you can use as much as you want. Yes, of course. But do you improve the accuracy? Yes, if you go closer, then yes. But with the same distance, but with more drones? No, actually not.
Another question. I'm talking about the accuracy. You went into experiments. Have you conducted these experiments yourself? Answer. Number two, please. Yes, here's a list of things in the references where it says.
My question is about the fingerprinting of the mobile.
For example, in the app, which requires the fingerprinting at any time that your app, for example, asks for the fingerprinting, is this to identify the person, whether they can connect it.
Yes, but I think it depends on the GSM network and the other one is dependent on the operating system. Okay, so with the current technology, is it not possible to connect it? No.
So my question is about the civil use of such data. You always say geodata. They are from Wi-Fi networks and so on. And you say, yes, that you use the database from Google or something like that. There was a lecture here in 2009. Back then, it was called Skyhook. And the speaker had this provocative question, should this Wi-Fi map not be public domain, be accessible to everyone and not only belong to Apple or Google as a proprietary system. So we have, so to speak, lost this gap. So we gave our first IDs to the public domain and they shouldn't be public domain because of that. Yes, should you be able to help people in emergency situations?
I would like to say thanks for the lecture and the people who have the report. It was very helpful for us because I am an expert and the people from the secret services just don't give us any information. And we need it. So for the information for you, that was one of the session members there.
Okay, thanks. The talk is over. This is from the office.