EPUK Editorial Photographers United Kingdom and Ireland. The private mailing list and public resource for editorial photographers

Staying Safe: Mobile Phone Security

24 June 2013 - David Hoffman

As we increasingly take our mobile phones for granted David Hoffman suggests that photographers should be alert to the dangers of carrying a sophisticated monitoring device in their pocket, especially when working abroad.

What is the first thing most travellers do on arriving in a foreign country? They turn on their phone. States wanting to monitor who is arriving will be set up to watch these handsets popping up at the airport. Rich countries and hot dusty countries are the most likely to be watching. Denmark is less likely to be bugging you than Dubai. Don’t turn your phone on until you are a few kilometres clear of the airport to avoid being spotted as a new arrival.

Countries that feel a need to keep an eye on their visitors can use a device called an MD Grabber or GSM/UMTS Grabber at airports and border crossings. This allows secret collection of mobile phone identification information by forcing a phone to identify itself without the user’s knowledge. With this information it will be far easier for them to track your location and who you call.

Even the most experienced professionals may be unaware their mobile phone traffic could be monitored. Photo © Graham Harrison

A phone can only be forced to turn its microphone on and become a secret monitoring device if it has had special software installed to do that. One middle-eastern country managed to install bugging software on a large number of BlackBerry devices by pushing out a software ‘update’ that gave them the ability to remotely activate the microphone.

Trojans – apps that appear harmless or are invisible to the phone user but have hidden malicious functionality – can make a phone secretly transmit what it picks up and reveal where it is even when not in use.

Be aware that simply turning the phone off by pressing a button and seeing the screen go blank doesn’t turn the phone off, it simply puts it into standby mode. Only a full power off shutdown (from the ‘Power Off’ menu) or taking out the battery (where that is possible) totally disables all functionality.

Careful phone hygiene will keep you safe from all but the top national spy agencies.

Phone hygiene

Only download apps from trusted sources such as iTunes and Google Play. If you’re not sure that your phone is clean then remove all non essential apps before travel or, to be really sure, do a factory reset and then download only the apps that are essential for your trip. If the phone is clean then the address book should be secure.

Password discipline is important not just when travelling but at all times. Strong passwords, frequently changed and with 14 or more characters, are virtually uncrackable and are the ideal but the practicality of remembering many different passwords is of course a problem.

Sat phones always report your position to the satellite and this can be monitored as it is not always strongly encrypted. The military and secret services can do this very quickly. In addition, sat phones are uncommon and have a distinctive signal so anyone using one will stand out.

GPS in the phone can give away your location in transmissions but also in other ways. Photos, for instance, may have the location embedded by default. While GPS gives the most accurate location data; simply having the phone switched on (unless in ‘flight mode’) can locate you to within 30 metres by triangulating your position relative to nearby phone masts and even more closely by using WiFi data. Some of this data may be stored in the phone giving a record of your movements. Tracking this in real time takes a considerable effort from a specialist team of a couple of dozen people. The moving red dot on the map is strictly fiction. The reality is that if location data is needed it will be extracted at some later time.

You should only have essential and trusted apps on the phone but even so it’s best to avoid giving them permission to know your location. Apps can leak and it’s hard to be certain about what happens to that information.

Foreign phone numbers are easy to spot

If you have your own phone with a UK, US or European number and are coming in to a country that may want to take an interest in you then remember that these numbers, being relatively unusual, are routinely watched for and easily spotted. Users of these numbers WILL stand out. If you want to keep a low profile then it’s best to buy a local SIM and cheap phone. If you are using the phone a lot and have serious worries for yourself or those you contact then take a lesson from drug dealers and replace both the phone and SIM card frequently.

If you can be sure that your phone itself is unknown in the country you might just use local SIMs. While the handset IMEI (the number sent by a phone that identifies a particular handset) could trace back to your home country the international trade in secondhand phones means that ‘foreign’ IMEIs are not unusual – but don’t put your own SIM back into that phone!

Police and security department’s systems may store your IMEI from a previous visit so if you have been somewhere before with your own SIM in that phone then there’s no point using a local card in the same phone. Best practice is not to take your UK SIM or phone at all.

Skype and other VOIP (Voice Over IP) services don’t send the encryption keys within the call and so are far more secure than the ordinary phone system, effectively safe with regard to interception by commercial organisations. However all VOIP is illegal in India & a number of other countries. Many country’s state services will monitor at least the time and IP addresses of calls even if the content is successfully encrypted.

State agencies can listen in if they have your number or IMEI. Non state agencies can’t easily tap a phone but of course corruption in a state agency (which may be commonplace in some countries) can give all sorts of people including commercial investigators, criminal gangs and terrorist groups access to your data. In countries such as Russia, India and Pakistan the line between state and underground groups can be very fuzzy.

In the UK mobile phone operating companies only pass on information with a warrant or court order. In some countries the operating company may just get a visit from a state agency and be told what to do under threat of never seeing their family again.

Although UK police have certainly shared intelligence with UK businesses there is no evidence at present of commercial organisations having access to the data that the authorities extract from the phone system.

Working undercover?

It is possible but seriously difficult for an interceptor to set up a false base station. Currently these are flaky and unreliable but they can work for short periods – and technology always improves! If your calls are being diverted in this way the only clue may be that the calls don’t show in your bill. Also beware of internet cafes, these may be monitored and the computers may have key logging.

If you are working undercover but need to call your UK office or other regular numbers you can relay the call by setting up call forwarding via a third country that won’t excite suspicion.

Never forget that who you call is more important than what you say. The recent PRISM revelations show that eavesdropping by state agencies is just a small part of the overall surveillance of digital traffic.

Millions of requests

Phone tapping looks good on TV but in reality the security services bulk capture massive amounts of data and comb through it separating out locations, times and identities of interest, then run pattern recognition software on the filtered results. Speech to text software can be run on intercepted calls for further analysis.

Mobile phone operating companies get tens of millions (yes, really!) of requests from state agencies regarding phone use each year. One country with just four mobile operators gets 3.5 million requests a year alone. Many are just ‘benign’ queries as to whether an individual has an account or not and the bulk of the activity is in fact designed to exclude people from the enormous data dumps that the state routinely captures so as to make the needle easier to spot as the haystack is slimmed down. Dealing with these requests is a significant part of the mobile phone business operation. It requires major capital expenditure and many employees so it’s clear that there is a great deal of activity around the monitoring of mobile use.

If an interception request is made then real time information from a phone (active or inactive) will be sent to the state agency though it’s not generally monitored in real time. David Davis MP ran an exercise asking his phone company to monitor him. After just a few weeks this amounted to 7,000 pages. Only with considerable resources can useful information be extracted from such a large pool of data.

Phone companies themselves only need to record data when there’s a billable phone activity but the law will require retention of location and other information from times when the user is not using the phone. That data will be collected in real time and stored by the company before being transmitted in bulk on a daily basis to the appropriate authority.

Ahead of the game

We know that in the UK – and surely in many other countries – there will be a secret state owned device installed in the telephone company’s incoming data stream so that the state has access to all data even before the operating company gets to see it.

Mobile operators have no choice but to comply with state requests for monitoring or to deny specific services such as SMS messaging to specified users or even for a complete network shutdown. 

You are only as strong as your weakest link

Mobile phone use was so high during the Arab Spring in Egypt that the state monitoring systems became overwhelmed and the security services forced the mobile phone operating companies to shut down the networks rather than allow unmonitored communications. In reaction the operators joined together and stated that all such orders in future will immediately be made public. Whether that statement can be relied upon is not clear.

Major incidents will often overload networks simply because so many users are attempting to make calls or send SMS messages and this is often wrongly believed to be state action. For instance after the Boston marathon bomb and the 2005 London bombings mobile phones were unable to connect but this was probably not a deliberate shutdown of the whole service. More likely is that most users were blocked by automated systems reducing the sudden high demand so as to prevent overload on the system. When a system is in partial lockdown in this way some pre-specified authorised devices (such as emergency services) will remain connected while the majority are locked out.

No matter how careful you may be remember that you are only as secure as your travelling companions and work colleagues. Each of you is equally responsible for the other’s security.

The Mossad, MI6 and many other state agencies are resourceful. Secretly swapping your phone for one that they have ‘prepared’, setting up fake wifi in your home or hotel and much more lie within their spooky reach. But if you’re working at that level then you won’t be wasting your time with articles like this, will you?

Text © David Hoffman June 22, 2013

EPUK is run on a not-for-profit basis, funded solely by advertising, donations and hosting other lists. You can make a donation to EPUK through Paypal here:

EPUK is discussing:

Copyright infringements abroad and how to manage themCOVID-19 and photographyEPUK Members Lockdown ShowcasePhotographing in public places - where/when/is it allowed?

What is EPUK?

EPUK is an email group for professional editorial photographers who want to talk business. We don’t do techie stuff or in-crowd gossip. We don’t talk cameras or computers. What we talk about are the nuts and bolts of being in business - like copyright, licensing, fees and insurance.

Donate to EPUK

EPUK is run on a not-for-profit basis, funded solely by advertising, donations and hosting other lists. You can make a donation to EPUK through Paypal here:

Donate Now with PayPal

Site content is © original authors. To reproduce any content on this website, contact editor@epuk.org who will put you in touch with the copyright holder. You can read our privacy policy. Any advice given on this site is not intended to replace professional advice, and EPUK and its authors accept no liability for loss or damage arising from any errors or omissions. EPUK is not responsible for third party content, such as epuk.org adverts, other websites linked to from epuk.org, or comments added to articles by visitors.