Conspiracy Theory Cell Phone Tracking
February 17, 2007 6:01 PM   Subscribe

TinFoilHatFilter: So what's the most current info on cell-phone tracking? What can government/private agencies do nowadays if you own a cell phone? (Location? Conversation monitoring? Direct microphone feeds even when phone is off?) What *do* they do with any frequency? (Feel free to differentiate between agencies such as FBI, local police and private investigators)

I've read some info (such as the news article linked above), but I'd like to get more specific, less sensationalist info. Something like:

*Who (if anyone) has access to your approximate location when your phone is on but not engaged in a call? When engaged in a call? When phone is off?
(FBI? Police? Phone company? Anyone who pays some private agency money?)
posted by anonymoose to Technology (11 answers total) 5 users marked this as a favorite

I would not doubt that it would be technically feasible to have a phone that is powered on turned into a remote microphone by a software push.

It is also feasible to track someone fairly accurately as the nature of cell phones necessitates that the phone negotiate between towers. I do not know how accurate they would be able to get, but based on the news reports of stranded people -- I would say fairly accurate.

If your phone is off, your phone is off. If the phone had some sort of wake-on-reception capability the battery would wear down similar to it being on standby. This is not the case with my phone or any phone I know of.
posted by geoff. at 6:54 PM on February 17, 2007

If your phone is off, your phone is off

I just made my Nokia power on simply by setting the alarm. It was off; the alarm woke it up. I suspect this is only disabled by removing the battery, as the article says.
posted by dash_slot- at 7:09 PM on February 17, 2007

What it boils down to is, how do you know your phone is on? Because the screen is on and maybe there's an LED. If they powered up everything but the visible parts, it could be on but would look off. Certainly technically possible.
posted by smackfu at 7:18 PM on February 17, 2007

Yes, with special software anything is possible. I still do not think any phone can transmit while off without such software. Again, from newspaper reports of survivors turning off phones and the towers being unable to locate them during this interim.
posted by geoff. at 7:25 PM on February 17, 2007

It depends on the cell phone. It's very much a function of the underlying RF technology being used.

Sorry if I'm too pedantic here, but the devil is in the details. There are three possibilities, which are known as Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA) and Code Division Multiple Access (CDMA).

The old AMPS system was FDMA. IS-136 (what AT&T used to use), IDEN, and GSM 2G use TDMA. IS-95, J-STD008, CDMA2K, and GSM 3G (AKA UMTS) use CDMA. (Some people got in the habit of using "TDMA" to refer to IS-136 and "CDMA" to refer to IS-95, but that's incorrect usage of both terms.)

In the US currently Sprint and Verizon use a mix of IS-95, J-STD008 and CDMA2K. (They're both upgrading to CDMA2K, which is backward compatible with the other two, but it's an evolutionary process gated by the capital investment they can afford per fiscal year.) Cingular is mostly GSM 2G; they absorbed AT&T's IS-136 system but are changing it over. They plan eventually on switching to UMTS but it's not backward compatible with GSM so it's not an easy change, and I don't know when or how they're going to do it.

The process of locating a phone varies enormously depending on which of FDMA, TDMA or CDMA the phone uses. An FDMA phone (e.g. AMPS) is granted exclusive use of a particular frequency while it's in a call, so you can do classic triangulation to find it.

With TDMA (e.g. Cingular) it's a bit more tricky. The problem is that in GSM 2G, eight phones in calls share each frequency and take turns. So classical triangulation is a real problem because the time slices are only 20 milliseconds long (to permit timing guard bands) and the phone you're trying to find only transmits 20 milliseconds out of every 200. It's still possible to triangulate but you need to know the time precisely and you need to know which slice he was assigned. Then you'd need a custom triangulation system which ignored most of the traffic on the frequency you're hunting.

"Frequency reuse" refers to how close together phones that are using the same frequency/slice can be. In FDMA and TDMA, neighboring cells aren't permitted to use the same frequencies because they'd pick each other up.

Not so with CDMA, and here's where it gets tricky. In CDMA, every cell uses (or at least can use) the entire licensed spectrum. Channels in AMPS were 25 KHz (supporting 1 call); channels in GSM 2G are 200 KHz (to support 8 calls). But channels in IS-95 (CDMA) are 1.25 MHz and can support as many as 40 calls. (The theoretical limit is 61 but in practice that is never possible. CDMA has what's known as "soft capacity" which means that you can't actually predict just how many calls any given carrier can support; it varies based on circumstances.)

And all 40 (or so) transmit on the same frequency simultaneously. Moreover, their transmit power changes 800 times per second. Classical triangulation is impossible.

(It's actually worse than that. If the phone is transmitting a half-rate packet, it transmits it twice. But its transmitter turns on and off rapidly so that it only actually transmits each bit of the packet once. For a quarter rate packet it transmits four times, but the transmitter is off three quarters of the time, and only on for one quarter which is randomly spread out over the whole packet time. There's also eighth rate packets, and...)

Now it turns out that the cell is capable of determining the round-trip RF path length to the phone very precisely. (That comes from the long code phase delay.) In IS-95 that calculation is accurate to about 25 meters. But the RF path length isn't necessarily direct, and the downlink and uplink don't necessarily follow the same route, and in any case all that does is give you a round-trip radial distance from the tower.

A lot of the time (maybe a third) the phone is, or could be commanded to be, in "soft handoff" which means it's using two towers at the same time. In that case both towers can calculate the range and then you've got a pretty good fix. But the rest of the time there's not much you can do.

That's why the FCC rules pretty much required that new phones have GPS receivers in them. Currently it's possible for the cell to send a command to the phone to do a GPS fix and send the result back. IIRC in IS-95 that requires a traffic channel to be open (i.e. the phone has to be in a call) but I'm not certain of that.

If one is paranoid one can imagine all kinds of weird scenarios where your phone could be used to track you and/or to spy on you, but those kinds of commands aren't in the specification -- and they don't exist secretly. (I used to work on that firmware.) And in any case, if that was being done you'd notice because it would drain your battery really fast.

Anyway, as far as I know it isn't possible for an IS-95, J-STD008, or CDMA2K phone to open a traffic channel without either a user operation or the phone ringing. No such commands exist in the specification (and there are no secret commands).

If a phone is on and idle it's possible to do a rough track of its location. In fact, the cell system has to do so because it needs to know where the phone is if there's an incoming phone call for it. If your phone is on and has service your home system will know where you are, anywhere at all, because it has to redirect calls for you to whatever system you're currently in, and that system has to know which zone you're in to issue the page.

Remember the "happy face" bomber from a few years ago? He got bagged because he turned his cell phone on. That was all he had to do, but that placed him in one particular sector of one particular cell in the wastes of Nevada IIRC, which turned out to mean he was on a particular highway. His phone company alerted the police, and the Nevada highway patrol in that area was alerted and finally spotted him.

OJ was tracked on his thunder run through LA the same way.

But that's crude. It places you in a single cell sector -- but that can be an area of several square miles.
posted by Steven C. Den Beste at 8:42 PM on February 17, 2007 [12 favorites]
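The geometry Steven describes (one tower's round-trip delay gives only a radial distance, two towers in soft handoff give a usable fix, and a paging-level location is only a sector several square miles across) is easy to see in numbers. The following is an added example written for this page, not code from the thread or from any handset or infrastructure vendor: the tower coordinates, the handset position and the 120-degree sector width are constructed, a flat east/north plane in metres is assumed, and the 25 m tolerance is the IS-95 ranging accuracy figure quoted above.

```python
"""Handset location from tower round-trip ranges plus sector information.

Added example, not from the thread. Tower coordinates, ranges and the
handset position are constructed; a flat east/north plane in metres is
assumed. Compass bearings: 0 deg = north (+y), increasing clockwise.
"""
import math

C_M_PER_S = 299_792_458.0      # speed of light
RANGE_ERROR_M = 25.0           # IS-95 ranging accuracy quoted in the thread


def one_way_range_m(round_trip_s):
    """Radial distance from a tower given the measured round-trip RF delay."""
    return round_trip_s * C_M_PER_S / 2.0


def circle_intersections(c1, r1, c2, r2, tol_m=RANGE_ERROR_M):
    """Points where two range circles meet (0, 1 or 2 of them).

    Two ranges alone never give a unique fix: the circles normally cross
    at two mirror-image points about the line joining the towers.
    tol_m lets circles that miss by less than the ranging error count as
    tangent instead of being rejected outright.
    """
    (x1, y1), (x2, y2) = c1, c2
    dx, dy = x2 - x1, y2 - y1
    d = math.hypot(dx, dy)
    if d == 0.0 or d > r1 + r2 + tol_m or d < abs(r1 - r2) - tol_m:
        return []                                   # no geometric solution
    a = (r1 * r1 - r2 * r2 + d * d) / (2.0 * d)     # along-axis offset
    h = math.sqrt(max(r1 * r1 - a * a, 0.0))        # clamp: tangent circles
    mx, my = x1 + a * dx / d, y1 + a * dy / d       # foot of the chord
    if h == 0.0:
        return [(mx, my)]
    ox, oy = -dy / d * h, dx / d * h                # perpendicular offset
    return [(mx + ox, my + oy), (mx - ox, my - oy)]


def bearing_deg(origin, point):
    """Compass bearing from origin to point (0 = north, clockwise)."""
    dx, dy = point[0] - origin[0], point[1] - origin[1]
    return math.degrees(math.atan2(dx, dy)) % 360.0


def in_sector(point, tower, azimuth_deg, width_deg=120.0):
    """True if point lies inside the antenna sector centred on azimuth_deg.

    The difference is normalised to (-180, 180] so sectors straddling
    north are handled correctly.
    """
    diff = (bearing_deg(tower, point) - azimuth_deg + 180.0) % 360.0 - 180.0
    return abs(diff) <= width_deg / 2.0


def sector_area_km2(radius_m, width_deg=120.0):
    """Area of one cell sector: all that a paging-level location tells you."""
    return math.pi * radius_m ** 2 * (width_deg / 360.0) / 1e6


def locate(tower_ranges, sector=None):
    """Combine ranges from one or two towers with an optional serving sector.

    tower_ranges: list of ((x, y), range_m). sector: ((x, y), azimuth_deg).
    Returns the surviving candidate positions; an empty list means the data
    only constrain the handset to a circle (one tower) or to nothing usable.
    """
    if len(tower_ranges) < 2:
        return []      # one range is a circle around the tower, not a point
    (c1, r1), (c2, r2) = tower_ranges[:2]
    candidates = circle_intersections(c1, r1, c2, r2)
    if sector is not None:
        tower, az = sector
        candidates = [p for p in candidates if in_sector(p, tower, az)]
    return candidates


if __name__ == "__main__":
    tower_a, tower_b = (0.0, 0.0), (3000.0, 0.0)   # constructed layout
    handset = (1000.0, 1500.0)                       # constructed true position
    rtts = [2.0 * math.dist(t, handset) / C_M_PER_S for t in (tower_a, tower_b)]
    ranges = [(t, one_way_range_m(s)) for t, s in zip((tower_a, tower_b), rtts)]
    print("one tower only   :", locate(ranges[:1]))
    print("two towers       :", locate(ranges))
    print("two towers+sector:", locate(ranges, sector=(tower_a, 30.0)))
    print("sector area, km2 :", round(sector_area_km2(3000.0), 2))
```

Run as a script it shows the progression: a single range yields no point, two ranges yield the mirror pair (1000, +1500) and (1000, -1500), and the serving sector picks one of them. A 3 km sector of 120 degrees comes out at about 9.4 km2 (roughly 3.6 square miles), which is the "several square miles" order of magnitude given above.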

The amount of shit Steven knows about cell phones is amazing.
posted by Ironmouth at 10:06 PM on February 17, 2007

Nice response, Steven! You said that you don't believe it's possible for an IS-95, J-STD008, or CDMA2K phone to open a traffic channel w/o ringing. Does the phone just need to ring, or does the cell phone owner have to answer the phone in order to open a traffic channel through which the phone provider can send a GPS command?

Also, how recently did this new FCC requirement for GPS become active?
posted by anonymoose at 10:07 PM on February 17, 2007

Anonymoose, it's been years since I was at Qualcomm and my memory is starting to get dim. But here's what I remember, keeping in mind that I might be having a "senior moment":

For an incoming call, the cell sends a "page" message (on the "paging channel", though that's not all that's on that channel) and the phone and cell do some handshaking and open a traffic channel. Then the phone rings, and waits for a user response. If the user doesn't respond, eventually the traffic channel is torn down and the call goes to voice mail. If the user does respond, then the "ring" comfort tone sent to the caller stops and voice traffic starts.

The reason the traffic channel is set up first is so that it's ready whenever the user answers the call. If, for some reason, the traffic channel cannot be created, the phone won't ring.

So a traffic channel is open when the phone is ringing. But I don't believe it can be used for a GPS operation at that time. I think you have to be in voice mode first.

The FCC requirement isn't for GPS. The FCC requirement was for a way to locate the phone reliably within a small error, something like 10 meters. It turned out that GPS was the only reasonable way to do it. But before settling on that, the industry looked into other approaches.

The FCC first announced that requirement something like 10 years ago, but with a "when you can reasonably do it" time limit. It's kind of a phased implementation, and there are still a lot of phones out there who don't have it. (There will probably still be some five years from now.)

It wasn't a trivial change. First the industry standards process had to agree on an approach, and then on detailed specification for it. Then all the infrastructure and handset makers had to implement it (as an upgrade, in the case of infrastructure) and the operating companies had to roll it out. The folks at the FCC can be intransigent at times, but they're not idiots and know that it wasn't something that could happen in 6 months.
posted by Steven C. Den Beste at 11:10 PM on February 17, 2007

Yikes: Channels in AMPS were 30 KHz, not 25 KHz. (Sigh)
posted by Steven C. Den Beste at 12:03 AM on February 18, 2007

I don't have an answer to your question.

As a cell phone aficionado, I'm only here to bow down before the god that is Steven C. Den Beste. In praying to him, I'm hoping he can get me an early release of the Apple iPhone.
posted by matty at 9:01 AM on February 18, 2007

The iPhone is Cingular only. You're better off with the Apple iTwo-tin-cans-and-some-string. Though that does cost more for the cans which have been spraypainted black.
posted by Riemann at 11:14 AM on February 18, 2007
