Illustration: Michael Mucci
Makers of surveillance systems are offering governments across the world the ability to track the movements of almost anybody who carries a mobile phone, whether they are blocks away or on another continent.
The technology works by exploiting an essential fact of all mobile phone networks: They must keep detailed, up-to-the-minute records on the locations of their customers to deliver calls and other services to them. Surveillance systems are secretly collecting these records to map people's travels over days, weeks or longer, according to company marketing documents and experts in surveillance technology.
The world's most powerful intelligence services, such as the National Security Agency in the US and Britain's GCHQ, have long used mobile phone data to track targets around the globe. But experts say these new systems allow less technically advanced governments to track people in any nation with relative ease and precision.
Users of such technology type a phone number into a computer portal, which then collects information from the location databases maintained by mobile phone carriers, company documents show. In this way, the surveillance system learns which tower a target is currently using, revealing his or her location to within a few blocks in an urban area or a few kilometres in a rural one.
It is unclear which governments have acquired these tracking systems, but one industry official, speaking on the condition of anonymity to share sensitive trade information, said that dozens of countries have bought or leased such technology in recent years. This rapid spread underscores how the burgeoning, multibillion-dollar surveillance industry makes advanced spying technology available worldwide.
"Any tin-pot dictator with enough money to buy the system could spy on people anywhere in the world," said Eric King, deputy director for Privacy International, a London-based activist group that warns about abuse of surveillance technology. "This is a huge problem."
Security experts say hackers, sophisticated criminal gangs and nations under sanctions also could use this tracking technology, which operates in a legal grey area. It is illegal in many countries to track people without their consent or a court order, but there is no clear international legal standard for secretly tracking people in other countries, nor is there a global entity with the authority to police potential abuses.
In response to questions from The Washington Post this month, the US Federal Communications Commission said it would investigate possible misuse of tracking technology that collects location data from carrier databases. The United States restricts the export of some surveillance technology, but with multiple suppliers based overseas, there are few practical limits on the sale or use of these systems internationally.
"If this is technically possible, why couldn't anybody do this anywhere?" said Jon Peha, a former White House scientific adviser and chief technologist for the FCC who is now an engineering professor at Carnegie Mellon University. He was one of several telecommunications experts who reviewed the marketing documents at The Washington Post's request.
"I'm worried about foreign governments, and I'm even more worried about non-governments," Peha said. "Which is not to say I'd be happy about the NSA using this method to collect location data. But better them than the Iranians."
Location tracking is an increasingly common part of modern life. Apps that help you navigate through a city or find the nearest coffee shop need to know your location. Many people keep tabs on their teenage children - or their spouses - through tracking apps on smartphones. But these forms of tracking require consent; mobile devices typically allow these location features to be blocked if users desire.
Tracking systems built for intelligence services or police, however, are inherently stealthy and difficult - if not impossible - to block. Private surveillance vendors offer government agencies several such technologies, including systems that collect cellular signals from nearby phones and others that use malicious software to trick phones into revealing their locations.
Governments also have long had the ability to compel carriers to provide tracking data on their own customers, especially within their own countries. The National Security Agency, meanwhile, taps into telecommunication-system cables to collect mobile phone location data on a mass, global scale.
But tracking systems that access carrier location databases are unusual in their ability to allow virtually any government to track people across borders, with any type of cellular phone, across a wide range of carriers - without the carriers even knowing. These systems also can be used in tandem with other technologies that, when the general location of a person is already known, can intercept calls and internet traffic, activate microphones, and access contact lists, photos and other documents.
Companies that make and sell surveillance technology seek to limit public information about their systems' capabilities and client lists, typically marketing their technology directly to law enforcement and intelligence services through international conferences that are closed to journalists and other members of the public.
Yet marketing documents obtained by The Washington Post show that companies are offering powerful systems that are designed to evade detection while plotting movements of surveillance targets on computerised maps. The documents claim system success rates of more than 70 per cent.
A 24-page marketing brochure for SkyLock, a cellular tracking system sold by Verint, a maker of analytics systems based in New York, carries the subtitle "Locate. Track. Manipulate". The document, dated January 2013 and labelled "Commercially Confidential," said the system offers government agencies "a cost-effective, new approach to obtaining global location information concerning known targets."
The brochure includes screen shots of maps depicting location tracking in what appears to be Mexico, Nigeria, South Africa, Brazil, Congo, the United Arab Emirates, Zimbabwe and several other countries. Verint says on its website that it is "a global leader in Actionable Intelligence solutions for customer engagement optimisation, security intelligence, and fraud, risk and compliance" with clients in "more than 10,000 organisations in over 180 countries".
(Privacy International has collected several marketing brochures on cellular surveillance systems, including one that refers briefly to SkyLock, and posted them on its website. The 24-page SkyLock brochure and other material were independently provided to The Washington Post by people concerned that such systems are being abused.)
Verint, which also has substantial operations in Israel, declined to comment for this story. It said in the marketing brochure that it does not use SkyLock against US or Israeli phones, which could violate national laws. But several similar systems, marketed in recent years by companies based in Switzerland, Ukraine and elsewhere, likely are free of such limitations.
At The Washington Post's request, telecommunications security researcher Tobias Engel used the techniques described by the marketing documents to determine the location of a Post employee who used an AT&T phone and consented to the tracking. Based only on her phone number, Engel found the Post employee's location, in downtown Washington DC, to within a city block - a typical level of precision when such systems are used in urban areas.
"You're obviously trackable from all over the planet if you have a cellphone with you, as long as it's turned on," said Engel, who is based in Berlin. "It's possible for almost anyone to track you as long as they are willing to spend some money on it."
AT&T declined to comment for this story.
The tracking technology takes advantage of the lax security of SS7, a global network that carriers use to communicate with one another when directing calls, texts and internet data.
The system was built decades ago when only a few large carriers controlled the bulk of global phone traffic. Now thousands of companies use SS7 to provide services to billions of phones and other mobile devices, security experts say. All of these companies have access to the network and can send queries to other companies on the SS7 system, making the entire network more vulnerable to exploitation. Any one of these companies could share their access with others, including makers of surveillance systems.
The tracking systems use queries sent over the SS7 network to ask carriers what tower a customer has used most recently. Carriers configure their systems to transmit such information only to trusted companies that need it to direct calls or other telecommunications services to customers. But the protections against unintended access are weak and easily defeated, said Engel and other researchers.
By repeatedly collecting this location data, the tracking systems can show whether a person is walking down a city street or driving down a highway, or whether the person has recently taken a flight to a new city or country.
"We don't have a monopoly on the use of this and probably can be sure that other governments are doing this to us in reverse," said lawyer Albert Gidari Jr., a partner at Perkins Coie who specialises in privacy and technology.
Carriers can attempt to block these SS7 queries but rarely do so successfully, experts say, amid the massive data exchanges coursing through global telecommunications networks. P1 Security, a research firm in Paris, has been testing one query commonly used for surveillance, called an "Any Time Interrogation" query, that prompts a carrier to report the location of an individual customer. Of the carriers tested so far, 75 per cent responded to "Any Time Interrogation" queries by providing location data on their customers.
"People don't understand how easy it is to spy on them," said Philippe Langlois, chief executive of P1 Security.
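The carrier-side check described above, accepting "Any Time Interrogation" queries only from trusted origins and noticing when one origin keeps asking about the same customer, can be sketched as follows. This is an added example, not part of the original article or any vendor's product; the log format, the numbers, the trusted-origin list and the thresholds are all assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: time, calling global title (origin address),
# MAP operation, subscriber number. Every value here is made up.
SAMPLE_LOG = """\
2024-01-01T10:00:00 491700000001 updateLocation 15550100001
2024-01-01T10:00:05 882990000077 anyTimeInterrogation 15550100002
2024-01-01T10:05:05 882990000077 anyTimeInterrogation 15550100002
2024-01-01T10:10:05 882990000077 anyTimeInterrogation 15550100002
2024-01-01T10:11:00 15550000010 anyTimeInterrogation 15550100003
2024-01-01T10:12:00 447000000042 sendRoutingInfoForSM 15550100002
"""

# Assumption: the carrier's own nodes that legitimately issue this query.
TRUSTED_GTS = {"15550000010"}
LOCATION_OPS = {"anyTimeInterrogation"}


def parse(log):
    """Yield (timestamp, origin, operation, subscriber) per log line."""
    for line in log.strip().splitlines():
        ts, gt, op, msisdn = line.split()
        yield datetime.fromisoformat(ts), gt, op, msisdn


def review(log, window=timedelta(minutes=15), repeat_threshold=3):
    """Return (blocked, tracking): location queries from untrusted origins,
    and (origin, subscriber) pairs queried repeatedly inside the window."""
    blocked, history, tracking = [], defaultdict(list), set()
    for ts, gt, op, msisdn in parse(log):
        if op not in LOCATION_OPS or gt in TRUSTED_GTS:
            continue  # not a location query, or it comes from our own node
        blocked.append((ts, gt, msisdn))
        times = history[(gt, msisdn)]
        times.append(ts)
        # Keep only the queries that fall inside the sliding window.
        times[:] = [t for t in times if ts - t <= window]
        if len(times) >= repeat_threshold:
            tracking.add((gt, msisdn))
    return blocked, tracking


if __name__ == "__main__":
    blocked, tracking = review(SAMPLE_LOG)
    for ts, gt, msisdn in blocked:
        print(f"{ts.isoformat()} reject location query from {gt} for {msisdn}")
    for gt, msisdn in sorted(tracking):
        print(f"ALERT repeated location queries: {gt} -> {msisdn}")
```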