Meet the 'Keyser Soze' of Global Phone-Tracking
By Spencer Ackerman
July 18, 2011
Chances are you've never heard of TruePosition. If you're an AT&T or T-Mobile customer, though, TruePosition may have heard of you. When you're in danger, the company can tell the cops where you are, all without you knowing. And now, it's starting to let governments around the world in on the search.
The Pennsylvania company, a holding of the Liberty Media giant that owns Sirius XM and the Atlanta Braves, provides location technology to those soon-to-be-merged carriers, so police, firefighters and medics can know where you're at in an emergency. In the U.S., it locates over 60 million 911 calls annually. But very quietly, over the last four years, TruePosition has moved into the homeland security business -- worldwide.
Around the world, TruePosition markets something it calls "location intelligence," or LOCINT, to intelligence and law enforcement agencies. As a homeland security tool, it's enticing. Imagine an "invisible barrier around sensitive sites like critical infrastructure," such as oil refineries or power plants, TruePosition's director of marketing, Brian Varano, tells Danger Room. The barrier contains a list of known phones belonging to people who work there, allowing them to pass freely through the covered radius. "If any phone enters that is not on the authorized list, [authorities] are immediately notified."
TruePosition calls that "geofencing." As a company white paper explains, its location tech "collects, analyzes, stores and displays real-time and historical wireless events and locations of targeted mobile users."
It can also work other ways: pinging authorities when a phone used by a suspected terrorist or criminal enters an airport terminal, bus station or other potential target. And it works just as well in monitoring the locations of phones the suspect's phone calls -- and who they call and text, and so on.
For the past four years, TruePosition has quietly taken that tracking technology global. In the U.S., Varano says, TruePosition sells to mobile carriers -- though it's cagey about whether the U.S. government uses its products. But abroad, it sells to governments, which it won't name. Ever since it came out with LOCINT in 2008, he says, "Ministries of Defense and Interior from around the world began beating down our door."
That's got some surveillance experts and mobile activists worried. Keeping suspected terrorists away from nuclear power plants and discovering their networks of contacts is well and good. But in the hands of foreign governments -- not all of whom respect human rights -- TruePosition tech can just as easily identify and monitor networks of dissidents.
For a company that can do so much to find out where a mobile user is, few outside of the surveillance industry know much about TruePosition. That's a deliberate strategy on the company's part, to keep a "low profile from jump," Varano says. It grants few interviews -- a little-noticed Fox News story from 2009 is a rare exception -- and discloses little about its foreign clients. Several surveillance experts contacted for this story were unfamiliar with the company.
The result, says Christopher Soghoian, a graduate fellow at Indiana University's Center for Applied Cybersecurity Research, is to make TruePosition the most important global geolocation company you've never heard of. "It's like that line about Keyser Soze from The Usual Suspects -- the greatest trick the devil ever pulled was convincing the world he didn't exist," Soghoian says. "They've done the same thing. Staying entirely below the radar."
Except TruePosition is hardly satanic. Its "Enhanced 911," or "E-911," services save lives. In one case the company cites, a corrections officer in Ohio's Hamilton County was abducted by a recent parolee and stuffed into the trunk of his car. Her family had no idea where she was. But because her cellphone was turned on and her carrier used TruePosition's location tech, police were able to locate the phone along a Kentucky highway. They set up a roadblock, freed the officer and arrested her captor.
Here's how it works. TruePosition's location tool, known as Uplink Time Difference of Arrival or U-TDOA, calculates the time it takes a signal travelling from a mobile device to reach sensitive receivers installed in the transceiver station of a cell tower. (The receiver itself is said to resemble a pizza box.) Servers called Wireless Location Processors determine the difference in the time the signal takes to reach receivers in different towers, and use that difference to calculate the phone's location. The company says it has receivers installed in about 75,000 cell towers around the country.
Notice that the location tech here has nothing to do with GPS. It's network-based, rather than dependent on a GPS receiver inside a handset. It's not reliant on any line of sight to a satellite. That's a point of pride within TruePosition. GPS has accuracy and precision woes in dense urban areas and indoors. Or inside the trunk of a car.
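The time-difference-of-arrival idea described above can be worked through in a few lines. This is an added illustration, not TruePosition's code or anything from the company: the receiver layout, phone position, flat 2-D geometry and the Gauss-Newton solver are all assumptions chosen for the example.

```python
import math

C = 299_792_458.0  # radio propagation speed in m/s

def simulate_tdoas(phone, receivers):
    """Constructed measurements: arrival-time differences vs. receivers[0], in seconds."""
    d0 = math.dist(phone, receivers[0])
    return [(math.dist(phone, r) - d0) / C for r in receivers[1:]]

def locate(receivers, tdoas, iterations=50):
    """Gauss-Newton least-squares fit of a 2-D position (metres) to the TDOAs."""
    ref = receivers[0]
    # Start from the centroid of the receiver sites.
    x = sum(r[0] for r in receivers) / len(receivers)
    y = sum(r[1] for r in receivers) / len(receivers)
    for _ in range(iterations):
        d0 = math.dist((x, y), ref)
        rows, res = [], []
        for r, t in zip(receivers[1:], tdoas):
            di = math.dist((x, y), r)
            # Residual: measured minus predicted range difference.
            res.append(C * t - (di - d0))
            # Gradient of the predicted range difference with respect to (x, y).
            rows.append(((x - r[0]) / di - (x - ref[0]) / d0,
                         (y - r[1]) / di - (y - ref[1]) / d0))
        # Solve the 2x2 normal equations (J^T J) delta = J^T res.
        a = sum(jx * jx for jx, _ in rows)
        b = sum(jx * jy for jx, jy in rows)
        d = sum(jy * jy for _, jy in rows)
        gx = sum(jx * e for (jx, _), e in zip(rows, res))
        gy = sum(jy * e for (_, jy), e in zip(rows, res))
        det = a * d - b * b
        if abs(det) < 1e-12:
            raise ValueError("receiver geometry cannot resolve a 2-D position")
        dx, dy = (d * gx - b * gy) / det, (a * gy - b * gx) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return x, y

# Constructed layout: four receiver sites on a 3 km square, phone inside it.
RECEIVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0), (3000.0, 3000.0)]
PHONE = (1200.0, 800.0)

if __name__ == "__main__":
    tdoas = simulate_tdoas(PHONE, RECEIVERS)
    print("exact timing:", locate(RECEIVERS, tdoas))
    tdoas[0] += 100e-9  # a 100 ns timing error at one receiver
    print("100 ns error:", locate(RECEIVERS, tdoas))
```

The second run shows why receiver timing matters: 100 nanoseconds of error at a single site is about 30 meters of range difference, which moves the computed position by more than ten meters in this layout.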
For the better part of the decade, TruePosition has had contracts to provide E-911 services with AT&T (signed originally with Cingular in 2001, which AT&T acquired) and T-Mobile (2003). As more and more 911 calls came from mobile phones -- by definition not linked to a fixed address -- the Federal Communications Commission required wireless providers to provide precise location data to emergency call centers. The accuracy requirements for E-911 top out at 300 meters. TruePosition says U-TDOA is accurate to within 50 meters. (The FCC met on Monday to consider changing the standard -- the reason, Varano says, he granted me an interview.)
But TruePosition soon saw a growth market in a field where U-TDOA had relevance: the expanding, globalized field of homeland security. "It really was recession-proof," Varano explains, "because in many parts of the world, the defense and security budgets have either maintained where they were or increased by a large percentage."
That realization led the company to explore U-TDOA's potential as a security tool, as it's the rare terrorist or criminal who doesn't have a mobile device. LOCINT was born in October 2008. Imagine, a LOCINT primer on TruePosition's website explains, "An explosion destroys an oil refinery -- who, exactly, was inside the facility prior to the explosion?" If they've got a mobile device, U-TDOA-enabled geofences can answer the question.
Or consider the value that U-TDOA could have for finding networks that build and detonate homemade bombs. If the bomb is detonated with a cellphone -- as Iraq's bombs were, before jamming tech neutralized them [1] -- "we can go back into the cellular network and figure out which phone disappeared at the time of the detonation," Varano says. "We find which phone called that phone -- that's our triggerman. Then we find which phones they called -- the initial suspects. If they held onto that phone, we'd be able to see who that phone contacted." And where they are now, in real time.
This isn't something TruePosition does itself. It had nothing to do with the "location-gate" [2] scandals that plagued Apple and Google earlier this year, when both companies conceded they collected and stored geodata from iPhone and Android phone customers. All the company does is enable a geolocation security system for its clients to use. How they use it is up to them -- and the relevant laws of the countries that employ it.
But geofences might be legally problematic inside the United States. Law enforcement can't just set up blanket location surveillance of mobile phones around a particular area; courts have to sanction surveillance around specific phones. The fences, however, would approve specific authorized phones; but any unauthorized phone that enters the fence triggers an alert.
"It would be hard for the company's tool to distinguish the terrorist from the tourist," says Greg Nojeim, a senior counsel with the Center for Democracy and Technology in Washington.
And what if the governments using TruePosition's gear aren't so scrupulous about following laws, or respecting the civil liberties of their citizens? In the U.S., even after the Patriot Act and the FISA Amendments Act, law enforcement and intelligence agencies still don't have unfettered abilities to turn a cellphone into a homing device, or to trace a web of connections between callers or SMS recipients. If, say, Syria's Bashar Assad had TruePosition's technology, could he use it to determine who's participating in anti-government protests?
"Correct," Varano says, "if it was deployed in that region." He adds, however, "we've never run into anything like that."
Varano won't specify which governments use TruePosition's LOCINT tools. "I have to be nebulous about where it's actually being deployed," he says. That includes inside the United States. "We do not disclose who is currently using TruePosition LOCINT," Varano says, but adds, "U.S. government [agencies] have not bought anything from us, and don't write a check to us." But, he says, the company's various outposts (London, Dubai, Miami) pitch LOCINT solutions to countries from Europe to the Middle East to Latin America to the Caribbean.
And if some repressive governments are in that mix, TruePosition's position is that what they do with LOCINT is on them.
"We're providing this tool to governments and it's the governments' onus to adhere to laws on its use," Varano says. In western countries, he says, warrants, court orders and other safeguards prevent LOCINT abuse. But surveillance works differently elsewhere: "It's not being used like that in the U.S. or western societies, but in other parts of the world, the capability of doing mass tracking is possible."
That's what worries advocates for foreign dissidents. "This seems to be integrated a little bit deeper and the operator is fully complicit in the situation. It makes it more difficult for activists, for sure," says Nathan Freitas of the Guardian Project, which designs anonymity tools for mobile users. "Vodafone Egypt would only go so far to violate the rights of the Egyptian people [3] -- it shut the network down, but beyond that, they don't have a fire hose out of a data center. U-TDOA could be a firehose-type product." Again, Varano says the company's never encountered such a situation.
An FBI spokesman, Christopher Allen, was unfamiliar with TruePosition, and invited Danger Room to file a Freedom of Information Act request. Department of Homeland Security officials didn't respond to repeated requests for comment. AT&T didn't respond to an inquiry. T-Mobile USA's director of external communications, Hernan Daguerre, confirmed the company's relationship with TruePosition but wouldn't comment beyond saying, "We'll continue to monitor and evaluate advances in all E-911 location solutions to ensure the safety of our customers."
Federal contractor databases don't show any contracts between TruePosition and government agencies, with the exception of a 2006 deal with the General Services Administration (cancelled in 2009) for computer services that appears never to have been actualized. Varano, initially unfamiliar with the contract, explains, "We originally signed up to be part of the GSA in 2006, but nothing ever came from it." Joining the GSA Schedule is what allows companies to compete for federal contracts.
Varano didn't directly answer whether TruePosition intends to seek U.S. government contracts or is content to peddle LOCINT abroad while remaining an e-911 company at home.
At home, the courts are currently deciding whether geolocation tracking by law enforcement requires a warrant, and there's legislation moving on Capitol Hill [4] to settle the question in the affirmative. Should U.S. homeland security or intelligence officials make use of TruePosition's LOCINT, they may have to go through a judge first.
But for this global geolocation company, the worldwide interest is piling up.
"We do go to a lot of defense and security trade shows," Varano says. "Once people hear about the capabilities -- they know cellphones are being used by bad guys doing bad things -- their eyes widen and jaws drop. Typically, the deals grow in terms of the geographical area they wanna cover and the number of government agencies that want access to this type of intelligence."
[1] https://www.wired.com/2011/06/iraqs-invisible-war/
[2] https://www.wired.com/2011/04/iphone-location/
[3] https://www.wired.com/2011/02/egypt-hacked-vodafone-to-send-pro-regime-texts/
[4] https://www.wired.com/2011/05/bill-would-keep-big-brothers-mitts-off-your-gps-data/