GPS is off so you can’t be tracked, right? Wrong

Don’t want anybody tracking you through your smartphone? Just turn off “location services” or whatever your device calls your GPS, and you will vanish from the online radar screen, right?

Of course not. That’s never been entirely true – since your phone continues connecting with cell towers even with GPS turned off, anyone with access to that data can come reasonably close to locking in on your location.

Recall, as Naked Security’s Lisa Vaas reported just a few weeks ago, that lawyers for Timothy Ivory Carpenter, convicted in 2014 of a string of robberies in the Midwest, are arguing that the convictions should be thrown out because prosecutors relied in part on cell tower data for which law enforcement didn’t obtain a warrant. Legal arguments aside, the point here is that, as Vaas noted, whether he had his GPS turned on or not was irrelevant:

The cellphone records… revealed that over a five-month span in 2010 and 2011, his cellphone connected with cell towers in the vicinity of the robberies.

But adding yet more evidence to the bulging “privacy-is-even-more-dead-than-that” folder are several researchers from the Electrical Engineering Department at Princeton University who created an app they call “PinMe” to show that, with just a couple thousand lines of added code (plenty of games and apps have hundreds of thousands of lines of code), smartphone users can be tracked just as precisely as with GPS, even when GPS is turned off.

The researchers – Arsalan Mosenia, Xiaoliang Dai, Prateek Mittal and Niraj Jha – in a 15-page paper published on the IEEE (Institute of Electrical and Electronics Engineers) website (paywall), describe how their app collects data from sensors in the device that don’t require special permission to access.

As they put it, in tests using an iPhone 6, iPhone 6S and Galaxy S4 i9500:

We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure and device’s timezone, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS are turned off.

This does come with a caveat. Mosenia, a post-doctoral research scientist at Princeton’s EDGE and INSPIRE labs, acknowledged to Naked Security that he and his colleagues had no way to verify if commercial apps are doing this kind of data collection and tracking, “since their codes are not publicly available and we cannot modify/examine their codes.”

But through their “proof of concept,” they have demonstrated that it is possible. Which is more than creepy enough, if not outright dangerous to those for whom privacy can be a life and death matter.

As they say, both iOS and Android are designed to run with third-party apps, of which there are hundreds of thousands on the market. And while smartphone operating systems are also designed to protect most personal information, “several types of non-sensory/sensory data, which are stored on the smartphone, are either loosely protected or not protected at all.”

Those include readings from the gyroscope, accelerometer, barometer and magnetometer. According to the researchers, measurements from those sensors:

…are accessible by an application installed on the smartphone without requiring user’s approval. As a result, a malicious application that is installed on the smartphone and runs in the background can continuously capture such data without arousing suspicion.

Using what they describe as “presumably non-critical data” from those sensors, the app first determines what the user is doing – walking, driving a car, riding in a train or an airplane. As Christopher Loren put it, writing on Android Authority:

Moving at a slow pace in one direction indicates walking. Going a little bit quicker but turning at 90-degree angles means driving. Faster yet, we’re in train or airplane territory. Those are easy to figure out based on speed and air pressure.

And then, the sensors also tell the app your speed, your relation to true north and how far above sea level you are. It takes four algorithms to narrow down the location of somebody on a plane. It is even simpler if you’re in a car:

The app knows the time zone you’re in based on the information your phone has provided to it. It then accesses information from your barometer and magnetometer and compares it to information from publicly available maps and weather reports. After that, it keeps track of the turns you make. With each turn, the possible locations whittle down until it pinpoints exactly where you are.

During a test run in Philadelphia, the researchers said it took only 12 turns for the app to know exactly where the car was.

Cryptography and privacy researcher Bruce Schneier, CTO at IBM Resilient, linked to the research on his blog, adding the observation that:

This is a good example of how powerful synthesizing information from disparate data sources can be. We spend too much time worried about individual data collection systems, and not enough about analysis techniques of those systems.

That is the concern of other privacy experts as well. “It’s pretty alarming and definitely creepy,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology (CDT).

Location data is extremely sensitive personal information, especially when it is collected over a long time, with high frequency and in real-time. It can be dangerous for victims of domestic violence or stalking, and for people with very sensitive roles in society, like law enforcement, judges, politicians, etc.

And Rebecca Herold, CEO of The Privacy Professor, said commercial apps are not only “collecting, storing, and sharing all the data possible from the devices upon which they are loaded,” but are also combining that data with other datasets about users, including their locations.

They may be correct in saying they are not collecting explicitly named data from you specifically, but they almost always are combining what they do collect with other datasets, to then establish very detailed insights into your life, activities, locations, likes and dislikes, and a wide range of views into your private life.

What, if anything, can you as an individual do about that? Not all that much, other than to practice basic “security hygiene.” One of the most obvious steps, Herold says, is to remove all apps you’re no longer using. Stay away from sketchy apps – get them from “stores” that have done some vetting. Do a bit of homework on the companies that develop and sell them.

Beyond that, “users also need to periodically shut down and clear out cache, memory, and delete unnecessary files,” she said. “These are also valuable sources of data for apps.”

But that, of course, takes time, and most users are much more interested in the features of an app than in its security or what it collects.

So, for years, advocates have been lobbying for legislation to require apps that want to use the sensors to request access. This might get as much (very little) attention as Terms of Service and Privacy Policies, but at least it would raise awareness of what apps are collecting, and give users a chance to opt out.

The researchers offer some recommendations for the industry. Among them:

  • Require sensors to decrease their sampling rate when they are inactive. That would make it harder for malicious apps to get the data they need.
  • Add hardware switches to phones, allowing users to deactivate the sensors when they aren’t in use.
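
An added illustration (not from the researchers’ paper or the original article) of why the first recommendation helps. It replays a constructed gyroscope trace of four 90-degree turns at three sampling rates and counts how many turns an observer integrating the samples would reconstruct correctly. The trace, the function names and the simple “hold each sample until the next one” integration model are all assumptions made for this example.

```python
# Constructed drive: (start_ms, duration_ms, yaw_rate_deg_per_s). All values are made up.
TURNS = [(7000, 3000, 30), (21000, 3000, -30), (33000, 3000, 30), (48000, 3000, -30)]
DRIVE_MS = 60000

def yaw_rate(t_ms):
    """Ground-truth gyroscope yaw rate (deg/s) at time t_ms."""
    for start, dur, rate in TURNS:
        if start <= t_ms < start + dur:
            return rate
    return 0

def detect_turns(period_ms, min_rate=5):
    """Integrate the sampled yaw rate; each run of non-zero samples is one turn.

    Returns [(start_ms, heading_change_deg)] as seen by an app that only
    receives one gyroscope sample every period_ms (hypothetical model).
    """
    turns, start, angle = [], None, 0.0
    for t in range(0, DRIVE_MS + period_ms, period_ms):
        rate = yaw_rate(t)
        if abs(rate) >= min_rate:
            if start is None:
                start = t
            angle += rate * period_ms / 1000  # hold the sample for one period
        elif start is not None:
            turns.append((start, angle))
            start, angle = None, 0.0
    return turns

def recovered(period_ms, tol_deg=15):
    """Count true turns whose timing, direction and size were reconstructed."""
    seen = detect_turns(period_ms)
    hits = 0
    for start, dur, rate in TURNS:
        true_angle = rate * dur / 1000
        if any(start <= s < start + dur and abs(a - true_angle) <= tol_deg
               for s, a in seen):
            hits += 1
    return hits

if __name__ == "__main__":
    for label, period in (("50 Hz", 20), ("1 Hz", 1000), ("0.2 Hz", 5000)):
        print(label, recovered(period), "of", len(TURNS), "turns recovered;",
              len(detect_turns(period)), "events seen")
```

In this model, one sample every five seconds misses two of the four turns outright and reports the other two as 150-degree swings, which is the kind of degradation the sampling-rate recommendation relies on.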

And Hall says it’s long past time for Congress to pass “general data protection legislation that steps away from the silo-ed, sector-specific manner we legislate privacy protections now.” He said that for years, CDT has pointed out that only the US and Turkey lacked such general privacy regulations.

But Turkey actually passed such a law recently, making the USA the lone hold out… we’re an opt-out country living in an opt-in world; something has got to give.