By Dell Cameron
December 08, 2017
As the Supreme Court mulls over the case of Carpenter v. United States, which may have far-reaching consequences for police who track suspects without a warrant via their cellphones, four engineers at Princeton University have revealed a brand-new method for identifying the location of a cellphone user. The result of their ingenuity is as remarkable as it is alarming.
Using only data that can be legally collected by an app developer without the consent of a cellphone’s owner, researchers have been able to produce a privacy attack that can accurately pinpoint a user’s location and trajectory without accessing the device’s Global Position System—GPS. And while the ramifications of this ability falling into the wrong hands are distressing, the way in which they pulled it off is nothing short of genius.
To protect a cellphone user’s privacy, any app distributed through Google Play or the Apple App Store must explicitly ask for the user’s permission before accessing location services. We know that even with that functionality turned off in a phone’s settings, law enforcement is able to track cellphones using either historical cell-site data (identifying cell towers you’ve been closest to) or cell-site data collected using a class of law enforcement devices colloquially referred to as Stingrays. But as it turns out, neither cell-site data nor locational services are needed to track a cellphone owner with GPS-like precision.
In fact, all you really need is your phone’s internal compass, an air pressure reading, a few free-to-download maps, and a weather report.
Your cellphone comes equipped with an amazing array of compact sensors that are more or less collecting information about your environment at all time. An accelerometer can tell how fast you’re moving; a magnetometer can detect your orientation in relation to true north; and a barometer can measure the air pressure in your surrounding environment. You phone also freely offers up a slew of non-sensory data such as your device’s IP address, timezone, and network status (whether you’re connected to Wi-Fi or a cellular network.)
All of this data can be accessed by any app you download without the type of permissions required to access your contact lists, photos, or GPS. Combined with publicly available information, such as weather reports, airport specification databases, and transport timetables, this data is enough to accurately pinpoint your location—regardless of whether you’re walking, traveling by plane, train, or automobile.