Tech

Spies Tracking Our Phones? Don't Be So Shocked

The discovery of "stingray" devices in Washington is a reminder of how much data we're giving away.

Who's watching?

Photographer: Angel Garcia/Bloomberg

The press has been in a lather of late over reports that the Department of Homeland Security had discovered evidence that cellphone tracking tools were being used by “unauthorized” parties in and around Washington. Formally known as International Mobile Subscriber Identity catchers, and often called stingrays, 1  these devices fool your phone’s baseband into believing it is in contact with a cell tower. IMSI catchers can use your phone’s signal to track your movements and contacts. In some cases they might persuade your phone to turn off its encryption. It’s a powerful, scary technology. Scarier still, federal officials admit that although they can detect the devices, they can’t find them. Still, here are three reasons that the excitement over the news from Washington is a little overdone.

In the first place, the use of IMSI catchers by unauthorized parties isn’t news. Privacy advocates have long fought to reduce reliance on the devices by law enforcement, on the ground that they sweep up too much data from those suspected of nothing. But techies have been warning for years that stingrays could be used by criminals and foreign governments. 2  A 2014 article in the Harvard Journal of Law and Technology was succinct: “Hostile foreign intelligence services can and, almost certainly, are using the technology in this country for espionage.”

In other words, the concern that’s suddenly making headlines has been around for a while -- so long that entrepreneurs have been developing tools to help us detect their presence. Remember that IMSI-catchers trap mobile phone signals by mimicking cell towers. One means for uncovering stingrays, then, is to use algorithms that identify what would seem to be towers except that they switch frequency too often or actually change location. Last year, researchers at the University of Washington announced that they had used exactly these techniques to uncover hidden IMSI catchers in and around Seattle.

All of which is to say that although it’s useful to have longstanding suspicions confirmed, the widespread use of stingrays, with or without authorization, should hardly be considered newsworthy.

In the second place, to borrow from John le Carré, spying is eternal. We shouldn’t profess such surprise that foreign powers try to use against us the same tools we would use against them if we didn’t have anything better. Americans are always shocked to learn that we’re not invulnerable to espionage. But spying is tit for tat, and the phones to which we as a nation seem addicted are a natural and tempting target. For our own convenience, we constantly send vulnerable packets of data into the ether. We should hardly be surprised that foreign governments (or whoever the unauthorized users are) yield to the temptation to study what we so casually broadcast.

But in the third place, we should never allow ourselves to forget that lots of people who don’t happen to be spies are already spying on us. Like our cellphone carriers. Like just about every website we visit. (Although not all to the same extent. A 2016 Princeton University study of the 1 million most visited sites found that news sites tend to be the most intrusive, and sites maintained by government and educational institutions the least.) True, the data most sites collect is formally anonymous, but de-anonymizing might not be all that hard, particularly with social media. In a 2017 paper, researchers from Stanford and Princeton universities showed how, given 30 anonymized links originating from Twitter Inc., they could deduce the underlying Twitter account with 50 percent accuracy.

And that’s before we even get to Facebook Inc. Now, I have zero interest in kicking a good company when it’s down, so let me start out by saying that users who are howling about their (anonymyized) data falling into the wrong hands may not have spent much time perusing Facebook’s terms of service. The challenge for the privacy-conscious user isn’t third parties; the challenge is Facebook itself, which exists not to connect you with friends but to package data about your online activities and use it to sell targeted advertising. Happily, the company has recently translated the list of what it admittedly collects about its users from legalese into something approaching English, and anybody with an account (all 2 billion-plus of us) should take a gander at the remarkable result. 3

It’s natural that we worry about digital privacy -- and we do worry about it, apparently a lot -- but we need to stop acting like babes in the woods. We can’t go squalling for our parents whenever some new set of prying eyes sets its sights on our data. Not when we allow all sorts of corporate strangers to rummage through our digital lives, and rarely raise a peep. That’s our Faustian bargain: Give us access to these wonderful tools, and we’ll give you access to pretty much anything you want. Along the way, all sorts of uninvited guests are bound to listen in. 4  That’s been the deal from the start. So let’s all stop pretending we didn’t know what we were getting ourselves into.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
  1. Technically, Sting Ray is the brand name of an IMSI-catcher manufactured by a Florida company. But the term seems to be coming into generic use.

  2. For another sobering assessment, see this report.

  3. And this is assuming that you don’t make the mistake of installing Onavno Protect, Facebook’s mobile VPN app, which vacuums up more data still.

  4. Including, of course, the National Security Agency.

To contact the author of this story:
Stephen L. Carter at scarter01@bloomberg.net

To contact the editor responsible for this story:
Stacey Shick at sshick@bloomberg.net

Before it's here, it's on the Bloomberg Terminal.
LEARN MORE
Comments