3/13/2013

A practical guide to protecting your identity and security when using mobile phones

A practical guide to protecting your identity and security when using mobile phones

Many activists have been tracked via their mobile phones, and some countries conduct surveillance more extensively than others. You need to assess the risk for your own activities given the practices used in your country, how high-profile your work is, and what others in your community have experienced.
Phone companies have the capability to track and collect information about your use of mobile phones, including your location, and may share that information with the government if so requested. There is also the possibility of installing surveillance software on a phone that runs in the background without the user noticing. There is a risk of this, if your handset has been physically out of your hands for a period of time.

When your phone is on, it is constantly communicating the following information with towers nearby:

  • The IMEI number – a number that uniquely identifies your phone’s hardware
  • The IMSI number – a number that uniquely identifies the SIM card - this is what your phone number is tied to.
  • The TMSI number, a temporary number that is re-assigned regularly according to location or coverage changes but can be tracked by commercially available eavesdropping systems.
  • The network cell in which the phone is currently located. Cells can cover any area from a few meters to several kilometers, with much smaller cells in urban areas and even small cells in buildings that use a repeater aerial to improve signal indoors.
  • The location of the subscriber within that cell, determined by triangulating the signal from nearby masts. Again, location accuracy depends on the size of the cell - the more masts in the area, the more accurate the positioning.

Because of this, when your phone is on and communicating with the network towers, it can be used as a surveillance device for those with access to the information that telecoms collect, including:

  • Your phone calls received and sent
  • Your SMS received and sent, including the information of senders and recipients
  • Any data services you use (e.g., web browsing activities if not using HTTPS, unsecured instant messaging) as well as the volume of data transferred e.g., “did you upload to YouTube”)
  • Your approximate location (from within a few meters to a few km depending upon density of towers)
It is important to note that if you think you are being tracked, it is not always enough to switch SIM cards, as you can be tracked by the ID (IMEI) of your mobile device/handset alone. There is also a lot of information on your phone that may be used against you if the phone is confiscated or taken from you. All mobile phones have a small amount of storage space on the SIM card, as well as internal phone memory. (In addition, some phones have a SD (or microSD) storage card for multimedia files.) In general, storing data on the SIM card and SD card (if available) is better than storing internally on the phone, because you can more easily remove and destroy

Data stored on your SIM, internal phone memory, and SD storage card (if present) include:

  • Your phone book - contact names and telephone number
  • Your call history - who you called, who called you, and what time the call was placed
  • SMS you have sent or received
  • Data from any applications you use, such as a calendar or to-do list
  • Photos or video that you have taken using the phone camera, if your phones has one. Most phones store the time the photo was taken, and may also include location information.
For phones that allow web browsing, you should also consider how much of your browsing history is stored on the phone. If possible, do not keep a browsing history. Emails are a further potential danger should an attacker obtain access to the SIM card or phone memory.
Like the hard drive in a computer, the SIM memory of your mobile phone keeps any data ever saved on it until it is full, when old data gets written over. This means that even deleted SMS, call records and contacts can potentially be recovered from the SIM. (There is a free application to do this using a smartcard reader). The same applies to phones that have additional memory, either built into the phone or using a memory card. As a rule, the more storage a phone has, the longer deleted items will be retrievable.

So what does this mean for you?

Mobile phones can be powerful tools for activists, but they can also be incredible liabilities if the government or security forces are actively working with telecoms to track you. If you are in a country that uses mobiles extensively for surveillance, especially if you think you are being closely watched for high-profile activities, it’s recommended that you don’t use mobile phones to communicate. Conduct meetings face-to-face.
Ultimately, the risks you take are up to you: if you don’t think you’re being targeted as a high- profile activist or as part of a larger surveillance campaign and want to use your phone to communicate with fellow activists, record photos and video, or pass on information, you can use the following tactics:
  • Create and use a code word system to communicate with fellow activists. Use “beeping” as a system for communication with fellow activists (calling once or twice and hanging up in order to let someone know you’ve arrived at a location, are safe, etc.)
  • Don’t use the real names for fellow activists in your address book; give them numbers or pseudonyms. This way if your phone or SIM card is taken by security forces, they don’t have your entire network of fellow activists in hand.
  • Bring back-up SIM cards with you to protests if you know they are being confiscated and it’s important that you have a working cell phone with you at an event. If you have to get rid of a SIM card, try to physically destroy it.
  • If your phone can be locked with a password, use it. This can also be your SIM card’s PIN number: SIM cards comes with a default PIN number; if you can, change the default PIN number and enable PIN locking on your SIM. You’ll then be required to enter a password (your PIN number) each time you use your phone.
  • If you think a protest is going to meet with an increased crackdown by security forces, you may want to put it in airplane mode while at an event; you won’t be able to send or receive calls, but you can still capture video and photographs and upload them to online sites later. This tactic is also useful if you think security forces are cracking down on everyone with a cell phone at an event. Later on the government can request call/SMS or data records for all individuals who were in a particular location at a particular time in order to perform mass arrests.
  • Turn off location tracking and geotagging for various applications unless you are using this feature as part of a targeted project to geotag certain media at an event as part of an action. If you are using your cell phone to stream video live, turn off the GPS/geotagging option (Directions for Bambuser.)
  • If you have a phone that runs on the Android Operating System, you can use a number of tools to encrypt web browsing, instant messaging, SMS, and voice calls via the tools created by the Guardian Project and Whispersys. When using your mobile device to browse the web, use HTTPS whenever possible.

Note for BlackBerry users:

BlackBerry-maker Research in Motion (RIM) provides two types of accounts with corresponding levels of encryption. For ordinary individual consumers, there has never been true end-to-end encryption on your BlackBerry communications – RIM or your mobile provider can always intercept your calls, emails, SMS, web browsing, etc. By way of contrast, enterprise users whose company uses a BlackBerry Enterprise Server (BES) will have end-to- end encryption on their email, messenger (BBM), and web browsing. However, if you’re an Enterprise user, keep in mind that whoever runs your company’s server, typically your IT admin, has the means to decrypt all of your communications, and there are a variety of legal (and not so legal) processes which a government can use to get your decrypted communications. Recently the UAE tried to force Research in Motion to give them the mechanism to decrypt all BlackBerry communications, but RIM has refused to do so. BlackBerry users should keep up to date on any news of negotiations between their government and RIM on these issues. They should also be aware of other attempts to intercept encrypted BlackBerry communications. In 2009, UAE’s Etisalat sent BlackBerry users an unofficial “update” that allowed the telecom to receive copies of all users’ messages. RIM soon sent users an update that removed the fraudulent software, but BlackBerry users should be aware of any suspicious software updates that do not come directly from RIM.
This article is an extract of Access Now handbook, A PRACTICAL GUIDE TO PROTECTING YOUR IDENTITY AND SECURITY ONLINE AND WHEN USING MOBILE PHONES. It was written for citizens in the Middle East and North Africa who want to use technology safely to communicate, organize, and share data (news reports, information, media, etc.) – but it can be used by anyone online anywhere who wants to protect their privacy and security. Download the complete handbook English, Russian, Vietnamese, Korean, Polski, Indonesian.

More resources

Files: 

Founder of Blogger semsam,Independent Blogger 2005.Middle East observer,Writer on Egypt,Yemen ,Arab,Current affairs-member in Arab blogger,Editor in Global Voices,Technology,Geek τέχνη,web development,internet security