A bit of context for non-Norwegians: The government owned media NRK bought location data from Tamoco worth approximately 3,400 USD.
The NRK subsidiary NRKbeta has "connected the dots" from that data set. In this article they present how they could track down military personnel visiting restricted military sites in Norway, including the disputed radar installation in Vardø, close to the Russian border.
This reminds me of this rumour about how someone used tinder to triangulate opponent units during an exercise and arty them to shit. Supposedly Finns outwitting Norwegians, but is a anon text so who knows: https://imgur.com/gallery/bySUH
Reminds me of a story I heard: In a conflict, Russia sent SMS to the mothers of Ukrainian(?) soldiers, informing them of their son’s death (pretending to be the Ukrainian government/military). The mothers, distraught, called their son’s cellphone. The increased, clustered cellphone activity near the frontline gave away the unit positions. Shortly after, Russian bombs dropped.
If the russians could get the mother's phone numbers, why not the sons? If you're able to identify the location of call activity, why aren't you able to identify the cell while not on a call, when as far as I am aware there is still communication?
Maybe they couldn’t and just sent the SMS to a lot of random numbers. Those that belonged to mothers at the frontline naturally tried to call their sons.
Right. Still curious about monitoring cell activity only during calls. Thinking if you can monitor the cells, just look at the front line cells for comms.
I'm guessing: they needed a way to distinguish the troops from the civilians living in the area. By triggering a mass amount of calls to frontline soldiers, they made their positions light up in front of the overall background.
Is it typical that soldiers carry mobile phones? It seems like it would open them up to all kinds of possible problems, and I can't think of a reason you would need a cell phone in a conflict when you have a radio, right?
From the volume of photos and videos from US, UK, etc that were based in Afganistan, Iraq etc you can deduce a smartphone is quite normal in those forces, so I would assume the same in Ukrainian forces.
They might not wear them out on patrol or manoeuvres, but back at their tents/barracks, I would assume some if not all have their personal phones. You only need a couple to track them.
I also read once Strave/Fitbit type trackers was rife at army bases and used to work out patrol routes.
There have been alot of stories about stuff like this. One of the public ones I remember was if you were looking for US forces in unusual places, you'd find their running paths on Strava.
"NRKbeta is NRKs sandbox for technology and media. We write about media, the internet and new technology with a focus on you as the user, and what we at NRK do in this field. We call it a sandbox because we want to test things out, be curious and find out how things change. And bring you, the users, with us on this journey."
I also think it's important to contextualize this journalism with the current debate around the Norwegian contact tracing application.
The application has been heavily criticized for the collection of GPS data for research usage and track behaviour when new guidelines are announced. They claim this data is going to be "anonymized", but alter clarified it would only be "pseudonomized".
It is also unclear if the data collected is going to be deleted in December, when the app is set for deletion by the current regulation from Stortinget.
They picked a dumb name. As a Norwegian, I was under the impression that they've actually got a beta version of some supposed new site functionality for the longest time.
Is december a realistic end date for the epidemic control it is supposed to provide? Herd immunity by vaccination at that point is extremely unlikely...
If you are using it for data instead of control, well, that's months of data about how people move around with varying restrictions. It is enough to refine policies and note how different sorts of restrictions change people's behavior. For example, if no one really follows x mandate, well, you either drop the mandate, change it, or come in with some fairly heavy-duty force.
Now, other uses might require more time. If you really need to see where the person has infected others and this is your tool, it might not be enough time. It is too early to tell, though, and I'm not sure how well phone inspections would go here in Norway nor how many people would download the app. It would make me more likely to leave my phone at home if, you know, I had much life outside of home.
It is surprising that this is not illegal. It should be illegal under GDPR as sufficient anonymized data should not allow you to connect the dots to do anything like tracking military personnel. Transporting sensitive military information over the Norwegian border sounds also very illegal under Norwegian law.
Back when Wikileaks released the Afghan War Diary, I wonder what would have happened if rather than a whistleblowers we would have people buying data collected from soldiers smartphones in order to reconstruct the material. It should be pretty easy to identify colaborators by which smartphone gets into contact with someones else smartphone thus reconstruct who is working with who.
This reminds me of an experiment I'd like someone to run on Strava. They had this big scandal some time ago where People identified US military bases simply by having a lot of activity in an otherwise empty area.
Now they've added some mojo to prevent this but still sell location data.
So how about running the same attack but instead of using the browser and their own website just use the bought location data.
I suspect they didn't fix that as I've disabled appreaing on their heatmap but they still sold my location data when I forgot to disable my vpn during a run some time ago.
It wasn't just the US military. There were plenty of jogging circuits around strange desert installations in Syria by joggers who had recently jogged around military bases in Russia, at a time when Russia was claiming no deployments and only observers and things.
There were also armchair people wondering about other tracks in various places in the world.
Not only could you see bases because of activity around an otherwise empty area. You could almost pinpoint the exact shape of the bases perimeter because soldiers would prefer to jog along the inside of the perimeter. Smartphones and location based apps and services are a security nightmare.
Seems to me the scandal is that US military bases allowed people in protected areas to upload GPS traces of their activities, more so than strava showing these along with millions of other traces in their activity maps...
What should strava do? Ask each country in the world which areas they want censored?(nuclear power plants, parliament buildings, boarding schools for rich kids, ...?)
Pretty sure that’s how it will end up being, eventually, in the same way GoogleMaps had to buckle.
I can see the smartest countries providing a standard webservice: you-private-company-using-geolocation will have to query a certain area, and get back a shape that you must blur or otherwise suppress. Access to the service should be heavily logged / throttled to avoid mass-scanning, and obviously “customers” will be vetted and forced to sign onerous NDAs. You don’t like the service constraints? Tough shit, here is a law that says use it or be fucked.
You can add privacy zones around locations so when people look at your activities your line just disappears inside the radius of your privacy zones.
I have ones around my home and where I work. No idea if that affects whatever data they sell (I doubt it, since you can still the full activity yourself even with a privacy zone), but stops people finding where you live/work and nicking your bike
That’s effective on an individual level, but tricky to enforce at an organizational level. It’s not like it would be wise for the DoD to log into Strava and setup a privacy fence around every sensitive location.
What a great signal for thieves too - this user has enough disposal income to have a fitness device, and is worried about being tracked, they must have good stuff.
Presumably you could filter by average speed and only get people with expensive bikes too.
You could also tell who from the public data has a private area, how long they are in it and when they leave it. You could do graph analysis to find folks on 20k bikes (correlate by zipcode) traveling at > 20mph with other folks that also have privacy areas.
If you find that > 3 of folks in that clique are close together and somewhere else, probably having a group event, many of them may not be in their "privacy area".
Anything that collects your location data is a shtshow when it comes to operational security. Even having one friend with poor GNSS hygiene can expose an entire network of relationships.
> Now they've added some mojo to prevent this but still sell location data.
Strava publish a "heat map" that shows aggregated activity of all their users. It's useful for finding common running/biking routes in areas you don't know well. That's how the military bases were found.
The vast majority. You have to go out of your way to find apps that don't scoop up all the data they can. Why not? It's not like consumers penalize it.
A lot of British intelligence during WW2 was gleamed not from the contents of the messages they intercepted, but rather from tracking who was where and communicating with whom.
And if you stop soldiers from using mobile phones on restricted ground, you are just going to have lots of tracks stopping abruptly at the gates and secure facilities identifiable by their lack of emissions.
Patterns.
There have been great examples of correctly identifying the crews of nuclear submarines by their predictable periods of time offline.
It was giving that away in his book, rather than any of the other activities at Bletchley Park, that got Gordon Welchman into trouble. Even without any detail as to the techniques used, the fact that he and his group had basically worked out the German operational structure and deployment situation entirely from traffic analysis before the improved Enigma was reliably broken revealed a lot that was meant to be kept secret.
Yes the hut six story was an excellent and eye opening book. We are quick to idolize Turing - and he was an amazing man - but there are others such as Welchman and Tutte who sadly get less attention.
In fact, if I were running strategy, I would want my opponent to think I used a computer of speed x or storage system of size k, spending lots of resources chasing a false solution.
Just make the exclusion region a bit bigger than the grounds itself?
In any case, the attack here was to identify personnel based on known locations, not finding new locations in the first place. Big bases can't be hidden anyway, the best you can do is conceal what happens indoor in them so it seems silly to let foreign intelligence track personnel movement inside a base...
Nonsense. I agree, the soldiers should not be permitted to have cellphones in critical areas unless exception is given for some other reason. There are ways to communicate using encrypted communication bands used by police etc. They could be using small handheld devices for 2 way radio and basic messaging.
Reminded me of this New York Times article where they got hold of location data from 12 million americans.
I think NRK found some inspiration from that.
I'm sorry, but we have enough trouble getting this audience to read the articles as it is.