this post was submitted on 06 Dec 2023
151 points (99.3% liked)

Privacy

31609 readers
266 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
all 25 comments
sorted by: hot top controversial new old
[–] [email protected] 59 points 11 months ago* (last edited 11 months ago) (2 children)

Years ago, I worked for a company that provided phone location for emergency services (fire, police, medical) to the big 3 cellular companies in the US. It required cell providers to install special hardware; back then, GPS was less ubiquitous, but it (still) suffers from accuracy in urban environments; it doesn't take much to block GPS signals. Also, you don't need access to anything more than the service provider's logs to do trilateration; it's harder to get GPS data from a phone without having software on the phone. In any case, Google pioneered getting around that by mapping wifi signals and supplementing poor GPS with trilateration, and it was good enough. Even back then, our lunch was being eaten by the cost of our systems, and work-arounds like wifi mapping.

Anyway, fast forward a decade and I'm working for a company that provides emergency support for customers who are traveling, and we're looking at ways to locate customers' business phones to provide relevant notifications. One of the issues was that there are places in the world where data connections are not great, and it was not acceptable for us to just ignore clients without data connections. One of the things we explored was called zero-length SMS. It's what it sounds like: an SMS message with zero-length does not alert the phone, but it does cause a ping to the phone. It was an idea that didn't pan out, but that's not relevant.

Cell phones have a lot of power-saving algorithms that try to reduce the amount of chatter -- both to reduce load on cell towers, but because all that cellular traffic is battery-intensive. So, if you're a government trying to track a phone, and you're working with a cell provider, and you don't have a backdoor in the phone, then you will be able to see which cell tower the phone last spoke with, but that probably won't give you very good location data and it may not update frequently. This is especially true in rural environments, where there's low density and a single cell tower might have a service radius of 3 miles -- that's a lot of area.

If you're tracking someone by phone, a normal cell connection may not be granular enough. Sending SMSes to a phone can force the phone to ping the tower and give you more data points about where the phone may be, how it's moving, and so on.If you're lucky, you can get pings from multiple towers, which might allow you to trilaterate to within a dozen meters.

Push notifications use data, but I wouldn't be surprised if there's some of that going on, too. It says "through Apple and Google's servers" which means they're talking about the push notification servers and not the phones. Android phones are constantly sending telemetry back to Google, so if that is what they're doing sending push notifications is probably more useful to them for Apple phones.

The article is light on details, but that'd be my guess. Forcing traffic to get more frequent cell tower pings and more data points for trilateration.

[–] cheese_greater 10 points 11 months ago

Very detailed, thanks brotha

[–] [email protected] 2 points 11 months ago (1 children)

Just been reading up on this, they're basically using the push device ID to see when certain devices are receiving data and from what apps. It sounds like more work than its worth, but it's clearly something that's being used widely.

[–] [email protected] 1 points 11 months ago (1 children)

That makes sense, too. So it's not that they're using push notifications, but the server data.

[–] [email protected] 0 points 11 months ago
[–] [email protected] 9 points 11 months ago (3 children)

This is why I have always said you shouldn't trust Apple. They have absolute power over you.

[–] [email protected] 8 points 11 months ago (3 children)

Did you read the article? It says the federal government compelled Apple to comply and gave them a gag order.

[–] [email protected] 13 points 11 months ago (1 children)

You can de-Google an Android phone with a custom ROM and have a phone that you have control over and know nobody is spying on you by running a firewall on the phone.

Can't do that on an Apple.

[–] [email protected] 2 points 11 months ago* (last edited 11 months ago) (1 children)

Actually, you can, with Lockdown for iOS or Lulu for macOS. There are other alternatives available, these are just a pair of FOSS examples. You can totally block *.apple.com if you really want to.

[–] [email protected] 1 points 11 months ago

It’s not quite the same though. With a custom android ROM, you can be pretty confident that everything kernel-and-up is not spying on you. On iOS and macOS, you don’t have the same level of verifiability, as the OS could just circumvent any VPN/firewall you might have configured. They might pinky promise not to, but without running another external firewall it’s not really verifiable.

[–] [email protected] 5 points 11 months ago

Which means Apple can't be trusted. My data stays local.

[–] [email protected] 3 points 11 months ago (2 children)

As the article says, Apple and Google both do it. Apple disclosed it, Google did not.

How is your conclusion 'I don't trust Apple'?

[–] [email protected] 6 points 11 months ago (1 children)

The Ars article on this said Google had been disclosing this for the past decade already whereas Apple didn't.

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago)

It said that Google put it in their aggregated report. Not that they disclosed it. There is a big difference between 'we got 100 requests' and 'we got 10 requests for X info, 30 for Y info'.

ETA: I just looked at the data again, it's broken in to categories like FISA NSL etc, then it just gives a range of requests 0-1000 etc.

[–] [email protected] 1 points 11 months ago (1 children)

Fine, I don't trust google or apple. I don't use any of there services anyway.

[–] [email protected] 0 points 11 months ago (1 children)

Well, you do. You just don’t know it or like it.

[–] [email protected] 2 points 11 months ago (1 children)

I do? I don't use google services at all. On my phone I run Lineage os and for file sharing I use self hosted nextcloud.

[–] [email protected] 2 points 11 months ago

You can’t really go anywhere on the internet without using Google in some capacity. Cookies and trackers in all the things. Ads aplenty, and blocking them is perpetually an arms race.

[–] cheese_greater 2 points 11 months ago

Just trust me, I've always got contingency plans. I'm not naïve about them