By Ian Smith and Peter Ney August 11, 2017
The Carpenter v. U.S. case is set to hit the Supreme Court this coming term, and it could have broad implications for future surveillance law in the U.S. (See this Lawfare article for a good overview.)
In an earlier opinion on Carpenter, the 6th Circuit held that law enforcement may request subscriber cell-site location data without a warrant. To give some background, phones continuously connect and transmit data to nearby base stations, and the transmissions create logs at the cell site. These logs can be used to generate a location trail of phone subscribers. Within the ruling, the 6th Circuit determined the sensitivity of location data based on untested assumptions of cell-site location accuracy. Using facts provided by an expert witness, the majority opinion stated that cell-site location data is 12,500 times less accurate than GPS:
“The second problem with the defendants’ reliance on Jones is that—unlike Jones—this is not a GPS-tracking case. GPS devices are accurate within about 50 feet, which is accurate enough to show that the target is located within an individual building… Instead, per the undisputed testimony at trial, the data could do no better than locate the defendants’ cellphones within a 120- (or sometimes 60-) degree radial wedge extending between one-half mile and two miles in length. Which is to say the locational data here are accurate within a 3.5 million square-foot to 100 million square-foot area—as much as 12,500 times less accurate than the GPS data in Jones.” [emphasis added]
In fact, the location accuracy of cell-site data varies considerably depending on where a subscriber is located, and is much higher in dense urban areas.
We can roughly estimate the localizability of subscriber phones using base station density. To illustrate this, consider an area with base stations evenly distributed across it, with an average of one base station operating per square mile. In that case, cell-site data records showing which phones are connected could be used to place a subscriber within roughly a square mile. If density increased to 10 per square mile, location resolution would increase 10-fold, placing individuals within 1/10th of a square mile.
It is simple to calculate density if given base station locations, but locations are proprietary information and not publicly available. Luckily, we collected months of GSM cell network data with SeaGlass in Seattle and Milwaukee that we can use to estimate their locations (see the SeaGlass paper for how these are generated).
Note that the analysis is complicated slightly by the fact that many base stations do not transmit the same power in every direction, but instead use directional sector antennas. Sectors distinguish themselves by the Cell IDs they broadcast, so here we treat each sector as a separate base station (fitting with the definition of Base Transceiver Station in the GSM spec).
We found 1027 GSM base stations within the Seattle city limits and 348 within Milwaukee city limits (see table below). This indicates an average of 12.25 base stations per square mile in Seattle and 3.62 in Milwaukee. In practice, phones only connect to base stations of their own provider, so the density estimate should also be considered by provider.
Number of GSM base stations per square mile in Seattle and Milwaukee:
|Seattle (83.87 sq mi)||466||561||1027|
|Milwaukee (96.17 sq mi)||109||239||348|
Average GSM base station density (number per square mile) in Seattle and Milwaukee:
|AT&T avg. density||T-Mobile avg. density||Total avg. density|
Note: Average density provided as number of GSM base stations per sq mi.
However, this does not provide a complete picture because the base station density is not uniform. The map below is a heatmap of base station densities around Seattle. (These are estimated using received signal strengths so locations are not exact.)
Localizability Is Not Uniform
The map shows that higher-density areas, such as downtown, have 86 GSM base stations per square mile. This would allow localization to a city block — much more precisely than the lower-bound estimate cited in the 6th Circuit decision.
Location privacy also depends on how often the network collects cell-site location data. Every time a phone communicates with the cell network, the base station could log a cell-site data record. Communications occur when a phone sends or receives a call or text, powers on or off, or moves between location areas (zones the size of neighborhoods). Phones also communicate when they are idle, periodically advertising locations according to the network-configured “Location Update Timer.” In our Seattle and Milwaukee data this setting is configured by AT&T base stations to be 54 minutes, and by T-Mobile base stations to be 60 minutes. These times mean that the longest phones go on the GSM network before announcing their location is about an hour, even if no other phone calls, texts, or data are sent or received by the phone.
We have seen that GSM subscriber location accuracy depends on a number of factors, from base station density, to location update timer configurations set by the provider. In practice, cell-site data can provide much better location estimates than the analysis about averages on the GSM network might suggest. For example, the trends for more advanced protocols such as 4G LTE and 5G are toward higher base station density and smaller cells. The smaller coverage area of femtocells can be used to locate a phone very precisely, sometimes within a single room in a building. Similarly, moving between cell-site coverage areas can locate a subscriber to the smaller intersecting area between them.
Perhaps most relevant for today’s users is that smartphones tend to transmit and receive cellular internet data continuously, allowing service providers to log subscribers’ locations on a continuous basis. Finally, some providers, like Sprint, are known to share precise GPS locations of subscribers with law enforcement.
Ultimately, what matters most is that cell providers own the network, and to a certain extent, the software on your phone. They can collect location information on subscribers as often as they choose, and their limitations are not constrained by the technology, but by their internal policies. When it comes to location privacy from governments, evidence in the Carpenter case shows it is not just malicious base stations, like IMSI-catchers, but also historical logs from the legitimate cell network that law enforcement can use to track locations of cell phone users.