The US military’s privacy pearl clutching

The Ease of Tracking Mobile Phones of U.S. Soldiers in Hot Spots – WSJ:

 

In 2016, a U.S. defense contractor named PlanetRisk Inc. was working on a software prototype when its employees discovered they could track U.S. military operations through the data generated by the apps on the mobile phones of American soldiers.

…  The discovery was an early look at what today has become a significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.

 

A bunch of thoughts:

I can’t help but immediately think about the push in many political quarters to weaken security by breaking encryption. I’ll get back to that.

Why did this get attention in 2016? And no, this was not “an early look”.

The government has known for decades that cell phones are trackable if they have power and their transceiver is on. It’s how cell phones work. Anyone who’s watched any incarnation of Law & Order in this century or the last also knows this. The government could have mandated a phone system that would have afforded protections but the carriers resisted, I expect.

And don’t forget cell phones aren’t always phones – laptops and tablets and watches and Kindles and a bunch of other things might – and eventually will – have cell connectivity. With 5G, the distinction might go away if the media (cell, wired, wifi, &c.) converge as advertised. Imagine golf gloves that report your stats back to the cloud.

By the way, all that additional social media data is gravy to the buyer, but someone specifically wanting to track the movement of US military personnel around the globe doesn’t need it … from military personnel.

Take this scenario:

  • They script a tool like the McDonalds Ice Cream Machine tracker to scrape airline seat assignments to see if open seat availability suddenly drops on certain routes;
  • They scrape social media for hub airport and airline workers who are talking about increases in military personnel coming through; and
  • They watch counts for private Facebook groups for military families to see if their memberships increase.

Based on that trivial-to-collect data (it’s free or for sale), and assuming they also generally monitor social media and the news, it’s not hard to get an idea of what’s happening. And before anyone complains that my loose lips are sinking ships, this is a simple scenario that is well understood and the plot of several books, movies, and TV shows.

Note, my above scenario assumes all the military personnel are disconnected and analog.

Also note that the above scenario works for advertisers as well as it does for bad actors and for industrial espionage … and other use cases.

That things would evolve into what the Wall Street Journal article describes was predictable:

buried in the data was evidence of sensitive U.S. military operations by American special-operations forces in Syria. The company’s analysts could see phones that had come from military facilities in the U.S., traveled through countries like Canada or Turkey and were clustered at the abandoned Lafarge Cement Factory in northern Syria, a staging area at the time for U.S. special-operations and allied forces.

The U.S. military’s clutching of pearls and muttering, “Well, I do declare that I never …  ,” about this situation is perhaps disingenuous. ※

The U.S. government has built robust programs to track terrorists and criminals through warrantless access to commercial data. Many vendors now provide global location information from mobile phones to intelligence, military and law-enforcement organizations.

But those same capabilities are available to U.S. adversaries, and the U.S.—having prioritized a free and open internet paid for largely through digital advertising with minimal regulation of privacy—has struggled to effectively monitor what software service members are installing on devices and whether that software is secure.

Which brings us back to encryption. Strong, uncompromised encryption is one of the tools that the government could bring to bear to help protect troop movements. There are innumerable ways they could, and do, leverage encryption. By the way, we need strong encryption for e-commerce, on-line banking, and a ton of other critical things.

There’s some reflection on the tech industry welding batteries into their phones (and devices) and adopting eSIMs, predicating an always on-line but always trackable society, that needs considering.

Solving this problem, the consolidation of anyone’s/everyone’s/each-of-our on-line and off-line life into a revenue stream for the advertising companies that are Facebook and Google, one that is very much the government’s own creation yet needs to be solved by the government, is a complex undertaking that will require the private sector to forgo some profits for the greater good. Oh, it could fix some of the military troop movement leak issue as a byproduct.

※ There is an American trope about the White southern belle or matriarch who, when faced with realities with which she does not want to deal, does what I describe.

By Paul

I’m a Detroit expat recently returned from Tokyo living in Chattanooga. I’m a consulting security professional and father of two. I promise that my views and politics are mine; not yours or my employer’s or anyone’s. I follow no party or affiliation or anything. My things are released under the Creative Commons Attribution-ShareAlike 4.0 International license unless otherwise stated.
