1 00:00:00,165 --> 00:00:13,330 *music* 2 00:00:13,330 --> 00:00:22,570 Herald: so the NSA is spying, and was spying, and we had Snowden, we have a lot 3 00:00:22,570 --> 00:00:31,669 of documents to look at, and there is some new research on how they used geolocation 4 00:00:31,669 --> 00:00:38,570 methods in mobile networks. It is done by the University of Hamburg and we have here 5 00:00:38,570 --> 00:00:46,890 Erik who will present this research to you and he has done this for the German 6 00:00:46,890 --> 00:00:52,080 government and for the NSA Untersuchungsausschuss which we call "NS 7 00:00:52,080 --> 00:01:03,160 Aua", which means "NS Ouch", kind of. He is a PhD student and holds a master's in 8 00:01:03,160 --> 00:01:06,430 physics so give him a warm applause 9 00:01:06,450 --> 00:01:14,710 *applause* 10 00:01:16,470 --> 00:01:18,280 Herald: And for those coming later please 11 00:01:18,280 --> 00:01:22,550 go to your seats and try to be quiet. Yep, thank you. 12 00:01:22,550 --> 00:01:26,340 Erik Sy: Hello. I'm really happy to have 13 00:01:26,340 --> 00:01:32,030 you all here and I welcome you to my talk about geolocation methods in mobile 14 00:01:32,030 --> 00:01:39,680 networks. My name is Eric Sy and I'm a PhD student at the University of Hamburg. So, 15 00:01:39,680 --> 00:01:47,229 at the beginning I want to point out why I'm giving this talk. So the German 16 00:01:47,229 --> 00:01:53,299 parliamentary investigative committee wanted to find out about the German 17 00:01:53,299 --> 00:01:59,909 involvement in US drone strikes and then the German government officials claimed 18 00:01:59,909 --> 00:02:05,729 that they do not know anything or they do not know any possibility how to use a 19 00:02:05,729 --> 00:02:11,120 phone number for targeting drone strikes and the investigative committee did not 20 00:02:11,120 --> 00:02:15,850 really believe this statement and so they asked our research group at the University 21 00:02:15,850 --> 00:02:26,250 of Hamburg to prepare a report and we handed in that report to the Bundestag and 22 00:02:26,250 --> 00:02:31,070 it was very soon after what's also published by netzpolitik.org 23 00:02:31,070 --> 00:02:32,570 thank you for that 24 00:02:33,800 --> 00:02:39,080 *Applause* 25 00:02:39,080 --> 00:02:45,519 E: And it contains like technical methods and approximates the accuracy to 26 00:02:45,519 --> 00:02:51,739 localise mobile phones and it also points out which technical identifiers are 27 00:02:51,739 --> 00:03:01,530 required to conduct such geolocation. Now I give you my agenda for today. First I 28 00:03:01,530 --> 00:03:05,769 will speak about the purpose of geolocation data and then we are looking 29 00:03:05,769 --> 00:03:11,900 into a broad variety of different approaches to conduct such a geolocation 30 00:03:11,900 --> 00:03:19,269 in mobile networks, and then we specify on drones and look into the technical methods 31 00:03:19,269 --> 00:03:26,260 which can be conducted with drones, and and then I'm going to point out which 32 00:03:26,260 --> 00:03:34,930 technical identifiers we can use for such a geolocation. And lastly I'm going to sum 33 00:03:34,930 --> 00:03:42,900 up. So, the purpose of geolocation data: it is a neutral technology, so we can use 34 00:03:42,900 --> 00:03:49,080 it for rescue missions, for example if somebody got lost in the forest or in the 35 00:03:49,080 --> 00:03:53,940 mountains, we can use geolocation data to find that person and rescue the person. 36 00:03:53,940 --> 00:04:03,129 Or, if you ever used Google Traffic, there you you can profit from monitoring traffic 37 00:04:03,129 --> 00:04:12,269 conditions. But we can also use it to invade the privacy of persons, for example 38 00:04:12,269 --> 00:04:16,519 if we identify people on surveillance footage, or if 39 00:04:16,519 --> 00:04:23,960 we track the location of a certain individual over a longer period, and 40 00:04:23,960 --> 00:04:32,160 certainly we can use this data for targeting drone strikes. However I want to 41 00:04:32,160 --> 00:04:41,190 point out that this data, that they are not suitable to prove the identity of a 42 00:04:41,190 --> 00:04:46,740 person. So if somebody is conducting a drone strike based on this data, then he 43 00:04:46,740 --> 00:04:54,180 is actually not knowing who he is going to kill. So, on the right side you see an 44 00:04:54,180 --> 00:04:59,360 image of an explosion site from a Hellfire missile. A Hellfire missile is usually 45 00:04:59,360 --> 00:05:06,280 used by these drones and you can approximate that the blast radius is 46 00:05:06,280 --> 00:05:14,340 around 20 meters. So we would consider a targeted drone strike if we have a 47 00:05:14,340 --> 00:05:21,970 geolocation method which can determine the position of a person more precise than 20 48 00:05:21,970 --> 00:05:29,820 meters in radius. So, the first approach which I want to present are time 49 00:05:29,820 --> 00:05:36,280 measurements and the symbol which you will see down there it's a base station, for 50 00:05:36,280 --> 00:05:43,449 for the next couple of slides. And a base station... this is the point in a mobile 51 00:05:43,449 --> 00:05:50,759 network where your phone connects to. On the slides you can certainly interchange 52 00:05:50,759 --> 00:05:57,569 this base station with an IMSI-catcher. IMSI-catcher is something like a fake base 53 00:05:57,569 --> 00:06:04,861 station from a third party and you could even build it yourself. So, the method 54 00:06:04,861 --> 00:06:11,880 used to calculate the position of a phone is for time measurements trilateration. 55 00:06:11,880 --> 00:06:19,020 You have to know that that signal is usually traveling with the speed of light, 56 00:06:19,020 --> 00:06:25,160 so when you measure the time you can also measure the distance. And here there are 57 00:06:25,160 --> 00:06:33,800 three methods presented. There are "Time of Arrival", where the signal moves from 58 00:06:33,800 --> 00:06:42,120 the hand phone to the three base stations and the accuracy is between 50 and 200 59 00:06:42,120 --> 00:06:47,690 meters. This really depends on the cell size and they can be more precise or less 60 00:06:47,690 --> 00:06:55,240 precise. So, then we have "Time Difference of Arrival," which is like a round-trip 61 00:06:55,240 --> 00:07:02,699 measurement, and we have an "Enhanced Observed Time Difference," where the 62 00:07:02,699 --> 00:07:09,759 mobile phone actually computes the location within the cell, and the accuracy 63 00:07:09,759 --> 00:07:17,930 is between 50 to 125 meters. So, and the next method which I want to 64 00:07:17,930 --> 00:07:25,030 present are angular measurements. When you conduct angular measurements, then you 65 00:07:25,030 --> 00:07:30,410 determine the direction of arrival from the signal and afterwards you do a 66 00:07:30,410 --> 00:07:35,930 calculation which is called triangulation and therefore you have to know the 67 00:07:35,930 --> 00:07:42,280 position of the base station, but also the alignment of your antenna and for this 68 00:07:42,280 --> 00:07:48,199 method there's certainly two base stations or IMSI-catchers sufficient to determine 69 00:07:48,199 --> 00:07:55,539 the position of the mobile phone. The accuracy is usually in field experiments 70 00:07:55,539 --> 00:08:01,530 between 100 and 200 meters and the challenge for this method but also for the 71 00:08:01,530 --> 00:08:11,909 ones on the previous slides is that on the normal mobile cells you don't have a line 72 00:08:11,909 --> 00:08:18,550 of sight to each base station from your mobile phone and so the signal gets 73 00:08:18,550 --> 00:08:27,800 disturbed by buildings in the way and then the accuracy becomes worse. So the next 74 00:08:27,800 --> 00:08:33,175 method I want to show you, I think most of you will know a little bit about GPS and 75 00:08:33,175 --> 00:08:41,210 how it's calculated. So satellites, GPS satellites, broadcast their time and their 76 00:08:41,210 --> 00:08:48,220 position, and the mobile phone uses again trilateration to calculate its position 77 00:08:48,220 --> 00:08:53,650 and the accuracy is usually below 10 meters, but it depends a little bit on the 78 00:08:53,650 --> 00:09:02,440 chipset within the mobile phone, and then the base station can request the position 79 00:09:02,440 --> 00:09:09,340 of the phone by issuing a radio... or by issuing a request with the radio resource 80 00:09:09,340 --> 00:09:16,700 location service protocol. So another method which I want to present is the 81 00:09:16,700 --> 00:09:21,860 mining of Internet traffic. Some smartphones send GPS coordinates or the 82 00:09:21,860 --> 00:09:29,580 names of nearby Wi-Fi networks, which are also called SSIDs, to online services, and 83 00:09:29,580 --> 00:09:36,910 usually these allow the determination of the position around or below 10 meters, 84 00:09:36,910 --> 00:09:44,600 and it is certainly possible to intercept this traffic and evaluate the geolocation. 85 00:09:44,600 --> 00:09:51,200 So here I have two quotes for you, and the first one it effectively means that anyone 86 00:09:51,200 --> 00:09:57,375 using Google Maps on a smartphone is working in support of a GCHQ system. This 87 00:09:57,375 --> 00:10:05,183 quote comes from the Snowden archive and was issued in the year 2008. So we 88 00:10:05,183 --> 00:10:10,113 certainly see that there's some proof that at least at those days, 89 00:10:10,113 --> 00:10:16,900 that they enter, some third parties intercepted those traffic and use it for 90 00:10:16,900 --> 00:10:27,150 determining the geolocation, and if you want to work with, or determine the 91 00:10:27,150 --> 00:10:34,480 location with the SSIDs, it is necessary that you have a map where a certain Wi-Fi 92 00:10:34,480 --> 00:10:40,260 access points are located. And therefore we have also something like... like a 93 00:10:40,260 --> 00:10:47,400 proof that this has been done by the NSA and this is the mission victory dance, 94 00:10:47,400 --> 00:10:53,390 where they are mapping the Wi-Fi fingerprint in every major town in Yemen, 95 00:10:53,390 --> 00:10:59,130 and in Yemen also a lot of drone strikes are conducted. So, let's go to next 96 00:10:59,130 --> 00:11:07,210 method. Signalling System No. 7 is a protocol which is used for communication 97 00:11:07,210 --> 00:11:15,520 between network providers, and network providers need to know where, in which 98 00:11:15,520 --> 00:11:21,570 cell, a mobile phone is located to... to enable the communication, and these 99 00:11:21,570 --> 00:11:27,880 informations are saved in location registers, and a third party can easily 100 00:11:27,880 --> 00:11:35,777 request these location informations. I want to refer to the talk by Tobias Engel, 101 00:11:35,777 --> 00:11:40,707 which... he gave a talk two years ago which really goes into the details of this 102 00:11:40,707 --> 00:11:48,310 method, and maybe if you like to, there are also commercial services available to 103 00:11:48,310 --> 00:11:58,430 access this data. So, let's talk about drones. We do not have very solid proofs 104 00:11:58,430 --> 00:12:05,980 that geolocation methods are conducted by drones, but we have certainly hints. A 105 00:12:05,980 --> 00:12:15,000 hint is this GILGAMESH system, which is based on the PREDATOR drones, and is a 106 00:12:15,000 --> 00:12:22,090 method for active geolocation, which describes an IMSI-catcher so... but if 107 00:12:22,090 --> 00:12:28,590 anybody of you has access to more documents... yeah it would be nice to have 108 00:12:28,590 --> 00:12:37,170 a look. So... *applause* 109 00:12:39,283 --> 00:12:45,580 E: So, the easiest method would be certainly to request for GPS coordinates, 110 00:12:45,580 --> 00:12:54,030 and there you just replace the base station with a drone. But the method which 111 00:12:54,030 --> 00:13:01,054 is better, or which I think is the preferred one: Angular measurements. 112 00:13:02,196 --> 00:13:08,680 Angular measurements, if you have a look in our report, there we approximated that 113 00:13:08,680 --> 00:13:14,430 the accuracy of these methods are between five and thirty five meters in radius from 114 00:13:14,430 --> 00:13:20,830 an altitude of two kilometers, and if you get closer to the mobile phone it becomes 115 00:13:20,830 --> 00:13:28,360 more accurate. So, it would be, to some extent, sufficient to conduct a targeted 116 00:13:28,360 --> 00:13:35,550 drone strike on this data, and in the meantime, since this report was handed 117 00:13:35,550 --> 00:13:42,250 over to the Bundestag, I also found other work which described that they are able to 118 00:13:42,250 --> 00:13:47,910 achieve an accuracy of one meter from three kilometers altitude for small 119 00:13:47,910 --> 00:13:55,980 airplanes. You have to know that those sensors to measure the angle of arrival, 120 00:13:55,980 --> 00:14:03,320 that they are usually located within the wings and within the front of the plane, 121 00:14:03,320 --> 00:14:07,416 and when the plane becomes larger it's also easier to have a more accurate 122 00:14:07,416 --> 00:14:16,435 measurement. Then I want to point out that a single measurement can be sufficient to 123 00:14:16,435 --> 00:14:22,290 determine the location of a mobile phone. If we can assume that the target is on the 124 00:14:22,290 --> 00:14:28,210 ground. So if you assume that the target is maybe in a building in Yemen, so a 125 00:14:28,210 --> 00:14:34,160 single measurement would be sufficient on a low building in Yemen. And a sky scraper 126 00:14:34,160 --> 00:14:42,180 would be more difficult. So, and the big advantage of these methods is that 127 00:14:42,180 --> 00:14:48,290 environmental parameters have a very low influence, since we can have a almost line 128 00:14:48,290 --> 00:14:59,670 of sight, which allows a better accuracy. So now I'm going to talk about the 129 00:14:59,670 --> 00:15:06,770 identifiers which can be used for geolocation. Certainly the phone number 130 00:15:06,770 --> 00:15:13,810 and each IMSI-catcher or base station can request, can issue an identity request to 131 00:15:13,810 --> 00:15:22,510 a mobile phone, and then receive the IMSI or EMI. The IMSI is something like a 132 00:15:22,510 --> 00:15:31,350 unique description for a certain customer in the the mobile network and the EMI is 133 00:15:31,350 --> 00:15:41,080 like a unique serial number for an device. So, when we include those methods of 134 00:15:41,080 --> 00:15:51,020 mining Internet traffic, then we can also add a lot of more identifiers, for example 135 00:15:51,020 --> 00:15:59,746 an Apple ID or Android ID, MAC address, even cookies or user names. If you are 136 00:15:59,746 --> 00:16:06,126 interested in this, you can have a look at the link I provided there. That there's a 137 00:16:06,126 --> 00:16:14,490 very interesting paper about this. So I come to my last slide, my summary. I 138 00:16:14,490 --> 00:16:21,701 showed you multiple, or a lot of different methods to localize a mobile phone, and I 139 00:16:21,701 --> 00:16:27,180 pointed out that a single drone can localize a mobile phone with accuracy 140 00:16:27,180 --> 00:16:33,180 which is sufficient to conduct a targeted drone strike. Since this document was 141 00:16:33,180 --> 00:16:39,350 handed over to the Bundestag, they also never denied that these methods can be 142 00:16:39,350 --> 00:16:51,000 used for... or that the accuracy of these methods... is true. So then I pointed out 143 00:16:51,000 --> 00:16:58,410 that as an identifier the phone number, the IMSI, and the EMI each can be used for 144 00:16:58,410 --> 00:17:05,720 the geolocation of a mobile phone, and the last information which I want to give you 145 00:17:05,720 --> 00:17:11,760 is that geolocation methods cannot prove the identity of a person, and this is 146 00:17:11,760 --> 00:17:21,281 really important to know, that we are not... yeah. That when we conduct, or when 147 00:17:21,281 --> 00:17:25,880 somebody is conducting these drone strikes, that they are not aware who is 148 00:17:25,880 --> 00:17:30,920 actually using the phone, and so and I can happen that they are killing the wrong 149 00:17:30,920 --> 00:17:39,920 person. So I thank you very much, I thank my colleagues and my family and everybody. 150 00:17:39,920 --> 00:17:41,740 *applause* 151 00:17:41,740 --> 00:17:49,930 Herald: Thank you. *applause* 152 00:17:49,930 --> 00:17:54,430 H: That's great. Thank you very much. It's the first talk we have here today where we 153 00:17:54,430 --> 00:18:00,540 can have a lot of questions. So come on. You have the microphones, number 1, number 154 00:18:00,540 --> 00:18:07,080 2, number 3, number 4, and ask your questions. It's the only chance to have 155 00:18:07,080 --> 00:18:19,606 this man answering them. No questions? Here's someone. No. Yeah. Sorry! 156 00:18:19,606 --> 00:18:22,252 Microphone: No problem. H: Number 4. 157 00:18:22,252 --> 00:18:28,190 Microphone 4: Hello. Do you know why we are located in London right now when we 158 00:18:28,190 --> 00:18:32,680 use Google Maps here? H: "Do you know", can you ask me again, 159 00:18:32,680 --> 00:18:34,590 "do you know why we are located in London?" 160 00:18:34,590 --> 00:18:35,500 M4: Yes. H: Here? 161 00:18:35,500 --> 00:18:38,990 M4: When we use Google Maps, we are located in London. 162 00:18:41,330 --> 00:18:47,430 H: Do you know that? The Congress is located in London. Do you know why? 163 00:18:47,430 --> 00:18:51,350 E: I'm not aware. M4: Okay, I thought this was on plan. 164 00:18:51,350 --> 00:18:53,370 H: Okay. M4: Thank you 165 00:18:53,370 --> 00:18:57,950 H: Number 1. Microphone 1: Okay, so on slide 12 you 166 00:18:57,950 --> 00:19:01,610 showed this angle of arrival- H: Can you please be quiet, we can't 167 00:19:01,610 --> 00:19:04,450 understand the questions unless you're quiet. Sorry. 168 00:19:04,450 --> 00:19:11,340 M1: Okay, so, on slide 12 you showed the angle of arrival method executed by a 169 00:19:11,340 --> 00:19:18,350 drone. Is this a passive method or does it require some cooperation by either the 170 00:19:18,350 --> 00:19:21,040 phone company or by the targeted mobile phone? 171 00:19:21,040 --> 00:19:26,170 E: It can be conducted passively. Like, if you call the phone or page the phone 172 00:19:26,170 --> 00:19:33,751 multiple times and you see which phone is answering this paging... okay, it needs to 173 00:19:33,751 --> 00:19:39,620 be active in a way that you contact the phone, but you don't need an active IMSI- 174 00:19:39,620 --> 00:19:45,000 catcher for it. You just phone or call the phone, and then you see which phone is 175 00:19:45,000 --> 00:19:51,690 answering, and then you know where the phone is situated. 176 00:19:51,690 --> 00:19:53,690 M1: Thanks. E: Yeah. 177 00:19:53,690 --> 00:19:58,660 H: I see that we have a question over there so can you just ask your question 178 00:19:58,660 --> 00:20:00,660 please? M8: Here? 179 00:20:00,660 --> 00:20:04,520 H: Yes, number 8, please. M8: Thank you for the talk. I'd like to 180 00:20:04,520 --> 00:20:11,080 ask a question about tracking unpowered mobile phones: I mean you mentioned lots 181 00:20:11,080 --> 00:20:16,300 of methods for phones which are both... with both have their batteries inserted 182 00:20:16,300 --> 00:20:21,290 and are actively operating. Could you elaborate a bit about the methods of 183 00:20:21,290 --> 00:20:26,880 tracking phones, which seem to be off turned off from the users point of view, 184 00:20:26,880 --> 00:20:30,418 and maybe also something about those who have their batteries removed? 185 00:20:34,310 --> 00:20:39,058 E: Actually, if you really turn off your phone over a long period, let's say a 186 00:20:39,060 --> 00:20:45,010 couple of months, I think you are safe, but... *laughter* Buf if you... 187 00:20:45,010 --> 00:20:52,530 M8: That's good to know. E: But, actually, like if you have a base 188 00:20:52,530 --> 00:20:57,490 station and somebody is switching off his phone and maybe he is meeting somebody 189 00:20:57,490 --> 00:21:02,980 else at that point and somebody else is also switching off his phone, then it can 190 00:21:02,980 --> 00:21:09,470 be suspicious, but it really depends whether somebody is looking into this data 191 00:21:09,470 --> 00:21:15,200 or not. H: Thank you. Number 8 again. 192 00:21:15,200 --> 00:21:24,560 M8: I had a short question: As you described, we are somehow dependent on the 193 00:21:24,560 --> 00:21:33,220 good winning of the NSA, for instance, and I wanted to ask if there's some way to 194 00:21:33,220 --> 00:21:40,230 avoid geolocation or use Google Maps without sending identity to location 195 00:21:40,230 --> 00:21:45,420 services. E: That is fairly difficult. I would 196 00:21:45,420 --> 00:21:51,600 assume that GPS phones are a little bit better to avoid geo-locationing, 197 00:21:51,600 --> 00:21:58,180 especially if you add additional GPS spoofing, because they are... The network 198 00:21:58,180 --> 00:22:04,050 cells are really large and so it's more difficult to track you within the network 199 00:22:04,050 --> 00:22:10,620 cell, but if you have a drone right above you and you emit a physical signal, then 200 00:22:10,620 --> 00:22:17,640 the drone will always be able to localize where the signal came from. So it's 201 00:22:17,640 --> 00:22:19,820 difficult, because it's physically difficult. 202 00:22:19,820 --> 00:22:23,390 M8: Okay. H: Thanks. Number 1, please. 203 00:22:23,390 --> 00:22:28,691 M1: So, I have a question about the physicalities of receiving a... or 204 00:22:28,691 --> 00:22:35,490 localizing or making angular measurement of a phone within a densely populated 205 00:22:35,490 --> 00:22:40,530 area, where there's possibly tens of thousands of phones within the receptional 206 00:22:40,530 --> 00:22:48,140 area of a 3-kilometer-high drone. That would obviously require you to be more 207 00:22:48,140 --> 00:22:54,580 sensitive on one hand than this cell tower and on the other hand also receive at the 208 00:22:54,580 --> 00:22:58,240 same time and sort out all kinds of interference. 209 00:22:58,240 --> 00:23:06,060 E: You usually a cell can be between, let's say 200 meters, and 3 or 30 210 00:23:06,060 --> 00:23:11,560 kilometers in size, so 3 kilometers in altitude it's not very high. 211 00:23:11,560 --> 00:23:18,330 M1: So you assume that the drone does a pre-selection. We are digital beamforming 212 00:23:18,330 --> 00:23:24,960 on the ground path and only looks at a cell of interest, because it knows from 213 00:23:24,960 --> 00:23:31,960 the network, the suspect is in that cell. E: It depends on the area: In an urban 214 00:23:31,960 --> 00:23:37,770 area you have to reduce the size of the cell, otherwise you would receive too many 215 00:23:37,770 --> 00:23:45,210 signals, but in a countryside you can have larger cells or you can cover a larger 216 00:23:45,210 --> 00:23:49,230 area. M1: Regarding covering larger areas: Did 217 00:23:49,230 --> 00:23:53,310 you take, considering that these drones aren't really like our quadcopter size, 218 00:23:53,310 --> 00:24:01,360 they're more airplane-sized, proper airplanes, did you take the classical 219 00:24:01,360 --> 00:24:06,830 synthetic aperture radar techniques of observing something for a long time while 220 00:24:06,830 --> 00:24:11,640 flying straight over it and then integrating over it into account? Because 221 00:24:11,640 --> 00:24:16,650 that's usually where we get our high- resolution radar imagery of the earth. 222 00:24:16,650 --> 00:24:22,450 E: You can conduct multiple measurements or you just conduct one, if you know that 223 00:24:22,450 --> 00:24:26,710 the target is on the ground. M1: So, did that account for your 224 00:24:26,710 --> 00:24:31,470 estimated accuracy? E: It's not necessary to integrate. 225 00:24:31,470 --> 00:24:36,020 M1: Okay, thanks. H: Thank you. We have a question from the 226 00:24:36,020 --> 00:24:39,590 internet. Signalangel: Yes, the internet wants to 227 00:24:39,590 --> 00:24:43,500 know if there are attributes, which you can change of the phone, to stop 228 00:24:43,500 --> 00:24:47,010 surveillance. Attributes like the email, for example. 229 00:24:47,010 --> 00:24:51,730 E: Can you please repeat the question? S: Are there attributes of the phone, 230 00:24:51,730 --> 00:24:53,560 which you can change, to stop surveillance? 231 00:24:53,560 --> 00:24:58,740 E: Yes, certainly you can fake the IMEI or the IMSI. That is also another reason why 232 00:24:58,740 --> 00:25:06,300 it's not sufficient to prove the identity, because any phone can just take these 233 00:25:06,300 --> 00:25:09,261 data. S: And we have a second question, which 234 00:25:09,261 --> 00:25:18,090 is: Does the GSM network have a feature which allows anyone to get the GPS data 235 00:25:18,090 --> 00:25:29,100 from the phone? E: Yeah..., it would be..., that.., and 236 00:25:29,100 --> 00:25:32,530 the radio resource location service protocol. 237 00:25:32,530 --> 00:25:38,230 S: So, thank you. *laughter* 238 00:25:38,230 --> 00:25:39,120 E: Yeah. H: Okay, number five. 239 00:25:39,120 --> 00:25:46,260 Microphone 5: Hello, you delivered you work to the NSA Untersuchungsausschuss and 240 00:25:46,260 --> 00:25:51,920 they, the Bundestag did not say anything about it, but is there a statement from 241 00:25:51,920 --> 00:25:56,540 the NSA Untersuchungssausschuss? E: And the government said something about 242 00:25:56,540 --> 00:26:04,500 it. They said that, that they washed their hands and said we did everything nicely 243 00:26:04,500 --> 00:26:09,300 because we added also a disclaimer to the data we provided and that the disclaimer 244 00:26:09,300 --> 00:26:18,370 says that the NSA is forced to, to stick to the German law and that they are not 245 00:26:18,375 --> 00:26:20,725 allowed to do whatever they want with this data. 246 00:26:23,120 --> 00:26:29,640 M5: Thank you. H: Very nice, number 6, please. 247 00:26:29,640 --> 00:26:38,270 M6: Hello, on slide 12, you got, you specify the accuracy of about five meters 248 00:26:38,270 --> 00:26:44,266 for two drones. So how does it scale if you would use more than two drones? For 249 00:26:44,266 --> 00:26:49,150 example 10 or whatever. E: I think that there was a small 250 00:26:49,150 --> 00:26:52,910 misunderstanding. Actually, one drone is sufficient. 251 00:26:52,910 --> 00:26:57,140 M6: Okay, so could you use more than one drone? 252 00:26:57,140 --> 00:27:00,800 E: Yeah, you can use as many as you want but one is sufficient. 253 00:27:00,800 --> 00:27:05,450 *laughter* M6: Yeah, but that, of course. But does 254 00:27:05,450 --> 00:27:09,980 the accuracy increase by using more than one? 255 00:27:09,980 --> 00:27:16,140 E: Yeah if you go closer to the target and then their accuracy increases. 256 00:27:16,140 --> 00:27:22,990 M6: Okay, but with the same distance but more than one drone? 257 00:27:22,990 --> 00:27:27,470 E: Actually not. M6: Okay, thank you. 258 00:27:27,470 --> 00:27:32,559 H: Number four, please. M4: Also referring to the accuracies, you 259 00:27:32,559 --> 00:27:37,520 were talking about field experiments and so on. Did you conduct those yourself or 260 00:27:37,520 --> 00:27:39,600 where did you get all the information from? 261 00:27:39,600 --> 00:27:43,760 E: These are some references, there you can find the field experiments. 262 00:27:43,760 --> 00:27:46,700 M4: Thank you very much. H: Number two, please. 263 00:27:46,700 --> 00:27:50,640 M2: Thank you very much for the interesting talk. My question is regarding 264 00:27:50,651 --> 00:27:56,251 the fingerprint which you can use on many phones to unlock the phone. Is there 265 00:27:56,251 --> 00:28:01,371 currently and if not will there, do you think there will be a possibility that for 266 00:28:01,371 --> 00:28:05,290 example an app which requires the fingerprint identification on the phone 267 00:28:05,290 --> 00:28:10,270 that this is also passively read and by that you increase the identification of 268 00:28:10,270 --> 00:28:19,120 persons? Did you understand the question? E: Yeah, but I think this is like based on 269 00:28:19,120 --> 00:28:25,960 the GSM network and the other I think that that's based on the operating system. 270 00:28:25,960 --> 00:28:30,090 M2: So currently using this technology, there they couldn't be, there, it's not 271 00:28:30,090 --> 00:28:33,240 possible to link this? E: No. 272 00:28:33,240 --> 00:28:37,520 M2: Ok, thank you. H: Ok, number one, please. 273 00:28:37,520 --> 00:28:40,800 M1: My question is actually about the civil use of geolocation service not so 274 00:28:40,800 --> 00:28:44,660 much about phones. So, you mentioned that every time you use an online service that 275 00:28:44,660 --> 00:28:51,370 use geolocation you send the SSids of nearby Wi-Fi networks and with every 276 00:28:51,370 --> 00:28:57,760 request you actually enrich a Wi-Fi map, Wi-Fi database of either Google, if it's 277 00:28:57,760 --> 00:29:04,220 on Android, or Apple if it's on iOS. Now, there was a talk at CCC here in 2009 when 278 00:29:04,220 --> 00:29:09,420 this technology was still nascent and that back then was called Skyhook but then the 279 00:29:09,420 --> 00:29:15,630 speaker had this provocative question: Shouldn't this Wi-Fi map be public domain 280 00:29:15,630 --> 00:29:21,410 instead of just a belonging proprietary and belonging either to Apple or Google 281 00:29:21,410 --> 00:29:25,910 nowadays? So, haven't we lost that struggle? I mean we can't keep our SSids 282 00:29:25,910 --> 00:29:31,040 private, so shouldn't it be public domain? E: Yeah it would be a good idea to make it 283 00:29:31,040 --> 00:29:35,660 public domain I said since also a lot of positive things can be created with this 284 00:29:35,660 --> 00:29:40,146 technology, like helping people in emergency situations. 285 00:29:42,753 --> 00:29:48,470 H: Okay ... M1: I wanted to take the chance to say 286 00:29:48,470 --> 00:29:51,500 thanks for this talk. I'm one of the people who actually commissioned the 287 00:29:51,500 --> 00:29:57,180 analysis because I work in the inquiry, and it was extremely helpful for us to 288 00:29:57,180 --> 00:30:02,000 have the analysis done because we, like you said, keep being confronted with 289 00:30:02,000 --> 00:30:07,560 Secret Service people who tell us that no way can mobile phone numbers help in the 290 00:30:07,560 --> 00:30:12,040 secret war. So yeah I just wanted to say thanks. 291 00:30:12,040 --> 00:30:20,120 *applause* H: Yeah, thank you very much. 292 00:30:20,120 --> 00:30:26,410 H: Great, so thank you also very, very much for your work and keep on going with 293 00:30:26,410 --> 00:30:26,988 that. 294 00:30:26,988 --> 00:30:37,398 *music*