Cell Phone Tracking

Phil Karn, karn@ka9q.net

This paper describes how and why cellular telephone networks track of the physical location of their users. The discussion is somewhat technical, but the basic facts can be summarized very simply. If you only want to know the "bottom line", you need read only the following 4 items:

1. Every cellular telephone is a physical locating device!

2. This is generally true even when the user is not in a call. The phone need merely be switched on.

3. Location tracking is inherent in the way cellular telephones work. The network needs to know (approximately) where you are in order to do its job. There is no known way to avoid revealing your location when you use a cell phone.

4. Law enforcement would dearly love to get their hands on location information.

A Very Basic Introduction to Cellular Telephony

Cellular telephones ("cell phones") have been around since the early 1980s, when they were introduced by AT&T. The basic idea of cellular telephones is to overcome the scarcity of radio frequency channels by dividing a service area up into relatively small "cells". These are relatively small regions each served by a "base station", a radio installation connected to the cellular network. Cell sites are easily seen in any metropolitan area, especially along highways and other areas where there are many users.

Each cell site is given a subset of the channels available to the whole system. In the US Advanced Mobile Phone System (AMPS, the technical term for conventional analog cellular), a total of 832 channels are available. Each channel is actually a pair of channels 45 MHz apart. The mobile phone transmits on the reverse channel of the pair while the base station transmits on the forward channel. The US cellular system therefore occupies a total of 50 MHz of spectrum, from 825-850 MHz for the reverse channels and 870-895 MHz for the forward channels.

416 channel pairs, half of the total, are assigned to each of two service providers, "A" and "B", in each metropolitan serving area. Originally the "B" or "wireline" carrier was to be the local telephone company, while the "A" carrier was to be a separate company to give the local phone company some competition. Most of the "A" carriers were bought up by McCaw (doing business as Cellular One), which was in turn acquired by AT&T. So an easy way to remember the distinction is that "A" generally stands for AT&T while "B" generally stands for "Bell". Obviously there are exceptions; for example, in the San Diego area where I live, the "A" carrier used to be US West while the "B" carrier was PacTel. Then PacTel spun off Airtouch, which inherited the "B" system, and Airtouch and US West merged their cellular operations, selling off US West's interest in the "A" system to GTE to meet FCC competition rules.

In any event, each cell in a system uses only a fraction of the total channels. That's because the channels used in adjacent cells must be avoided to prevent interference; typically only 1/7 of the channel pairs are used in each cell. That means a fully equipped cell can theoretically carry a maximum of about 60 calls.

But some channels are set aside for overhead functions, specifically paging and access. These are digital control channels (10 kb/s data rate) used to request service and to notify users of incoming calls. The cells transmit continuously on the paging channels; whenever your phone is on, it is monitoring the strongest one it can find that belongs to the desired system. (If it can't find a usable paging channel, the phone lights the NO SERVICE indicator).

The reverse channels paired with the paging channels are used by the phones to request service. When you dial a number and hit the SEND button, your phone sends a short digital message over the access channel corresponding to the paging channel it has been monitoring. If the system receives the request, it acknowledges it on the paging channel and sends further commands to transfer to a "traffic" channel for the actual call.

As an aside, the messages over the access and paging channels are not encrypted in standard analog AMPS. This has made them extremely vulnerable to eavesdroppers who intercept the electronic serial numbers and telephone numbers and then program ("clone") other phones to uses these same numbers to obtain fraudulent service. Only now, with the introduction of digital cellular phones, are cryptographic authentication techniques being introduced to foil this attack.

It is now common knowledge that analog cellular systems are extremely vulnerable to eavesdropping, as the voice is sent with ordinary Frequency Modulation (FM). Cryptographic authentication does nothing to protect the privacy of the communication itself.

Why The System Must Know Where You Are

It should be fairly obvious by now why the cellular system must know your location, at least while you're in a call. You announce your location by the act of making a call, as your phone has already selected the strongest base station it can find -- which is probably the nearest one. As the call progresses, you may move from one cell to another. If this happens, the system must find the new cell and transfer the call to that cell. AMPS does this by a rather inefficient technique: when you get weak in your current cell, the system asks the neighboring cells to look for you with special scanning receivers. When another cell reports having found you, the system hands the call off to that new cell. So as long as you keep talking, the system can locate you to at least the nearest cell.

The size of a cell (and the accuracy of the system's idea of your location) depends on many factors, such as the local terrain and the user population density. In busy areas, the carriers deploy many small cells to maximize the capacity of the system. In such an area, you might be located to an area as small as a few city blocks. Furthermore it is common for many high capacity cells to be "sectorized", that is, directional antennas are used at the site to break up the area into smaller "sectors". Three sectored cells are extremely common; in some cases there are as many as six. The sector of the cell you are using tells the system the approximate direction to you from the cell.

On the other hand, in rural areas cells are much farther apart. This is especially true in the desert southwest, where a single cell on a mountaintop can easily cover thousands of square miles.

Why The System Knows Where You Are Even When You're Not Talking

This one is more subtle. How and/or why should the cellular system know the location of a phone that's just quietly monitoring a paging channel, waiting either for the user to place a call or for a call to come in?

It has to do with efficiency. If cell phone users only placed calls and never received them, there wouldn't be a need to track their locations even when idle. But a substantial fraction of calls are made to cellular phones. When someone calls a cell phone, a message is sent over the paging channel to the phone (this is why the phone monitors this channel whenever it is on but idle). But which cell's paging channel should the system use to page the mobile? The system may have literally hundreds of cells or sectors, and the user might be in any one of them -- or indeed, nowhere at all if he's out of town or has his phone switched off. The system could simply send the page over every cell in the system repeatedly until the mobile answers or the system gives up -- a practice called flood paging -- but this is obviously rather inefficient. It was done in the early days, before the number of cells and customers made it impractical. After all, each paging channel is only 10 kb/s, and each unanswered page has to be resent some reasonable number of times before the system can give up.

The alternative to flood paging is registration-based paging. That's where the phone announces itself to the system with a short message on the access channel so that the system knows exactly where to direct a page should an incoming call come in. If the mobile moves to another cell, it re-registers in that new cell and the system updates its database accordingly. The mobile also re-registers occasionally even if it stays in the same cell, just to refresh the database entry (the phone might be switched off without warning, or its battery could run down).

Different carriers have different registration policies. Their design is a careful balance between avoiding unsuccessful and/or flood paging on the one hand and wasting too much control channel overhead on registration, which after all produces no revenue because it's not associated with a call. I know from personal experimentation with GTE in San Diego that one's phone must successfully register before it can receive a call. This is easy to verify if your account has a "forward on no answer" feature. If you set up this feature and then call your cell phone when it has been switched off for a while, the call immediately forwards. But switch the phone on, let it register, turn it off and then try calling it. There will be a much longer pause while the system unsuccessfully attempts to page it in the cell where it last registered, and only when this fails will the call forward.

Most phones give no audible or visible sign that they're registering. The IN USE indicator remains unlit even though the phone may be actively sending registration messages. (By the way, this is the reason you should turn off your cell phone on an airliner -- simply not placing a call with it is not enough to keep it from transmitting). Some phones, such as my Motorola MicroTAC Lite, produce a slight but characteristic audible "click" when their transmitters switch on, either when a call is placed or a registration message is being sent. But this is clearly an unintentional artifact of this particular design.

The bottom line is simple: the only way to prevent a cell phone from registering (and revealing your location) is to turn it off. To make sure, remove the battery pack.

Wide Area Locating - Roaming

If "flood paging" is impractical within a single service area such as a city, it is obviously also impractical on a larger scale, such as when you roam to a different city. Many cellular carriers have long had "roaming agreements" whereby they will accept and deliver calls to users belonging to another system; the charges for the use of the serving system appear in a separate section of the user's regular monthly cellular bill. More recently, automatic "follow-me" type roaming has also been widely implemented. With this type of roaming, the user can send and receive calls anywhere he goes, just as if he were in his "home" system (except for the higher price, of course).

Naturally, a registration process is involved in providing for call delivery to roaming mobiles. The protocols are different because multiple carriers are involved, but the principles are exactly the same. (The standard that describes intersystem roaming and handoff is a very thick TIA document called IS-41C.)

The system that owns the user account is called the "home system"; this is the one that sends you your bill. The system serving the area where you're currently roaming is called the "serving system". The home system maintains a database called the Home Location Register (HLR), which lists each user and the identity of the system where he last registered. The serving system maintains its own database, the Visitor Location Register (VLR), listing all of the roamers that have registered with that system.

When a call is made to the roaming user, the regular telephone network routes it to the user's home system because the number belongs to that system; the telephone network doesn't "know" that it's a cellular user who's out of his area. When the call arrives at the home system, the HLR is consulted and the call is forwarded (at the cellular user's expense) to the serving system. Assuming the user's entry in the VLR is still valid, the call is delivered to the roaming user in the usual way (by sending a paging message in the cell in which the user last registered).

Again, because this sort of "follow me" roaming is now totally automatic across most of North America, anyone with access to your home carrier's HLR can follow your travels if you merely turn on your phone. In most cases, a few minutes after arriving in a new city your record in the HLR will be updated, although sometimes this process is expedited by placing an outbound call. It should now be obvious why law enforcement could find this information so interesting.

Countermeasures

It should be clear by now that there is essentially no way to defeat the location-tracking capability of the cellular telephone. Location tracking is an inherent part of the cellular network, as it needs to know your (approximate) location to do its job. The only way to avoid being tracked, if you're concerned about it, is to not carry a cellular telephone -- at least not one traceable to you. (I do not recommend fraud as a way to avoid being tracked, even though this is quite probably the major incentive for the current wave of cellular fraud. Aside from the ethical issues, the carriers have gotten quite good at tracking down and prosecuting fraudulent users. This is how Kevin Mitnick was finally caught.)

If you still need to be reachable , a one-way "sky" pager with nationwide coverage can deliver messages to you without revealing your location -- these systems work by flood paging the entire country (or whatever service area you subscribe to). Of course, the originating location of any phone calls you make in response to these pages could in theory be tracked, so even this approach is not foolproof.