Is tracking the virus spread in conflict with citizens’ privacy?

In recent times there have been several privacy related questions raised by the public regarding how governments could monitor infected people moving across their countries. Is this a legitimate concern?

A brief overview of the content of CDRs is necessary to understand what is possible and what is not regarding their use. A Call Detail Record, or simply “phone record” is a carrier’s historical chronicle of a users’ activity and it is used to bill your expenses. It is common practice for police forces to request and study them to investigate the behaviours of those involved in criminal cases. By analyzing the information stored in those logs, with software like SecurCube PhoneLog, it is possible to figure out the heatmap of contacts, meeting points, most contacted users, and also perform cross-analysis between multiple profiles and much more. In building a criminal case, information related to suspects must be investigated and checked, so the breach of privacy is not a real concern.

The following elements are recorded in a CDR:

  • Phone number of the person generating the traffic
  • IMEI, the mobile phone identification number that determines the device make, model and serial number
  • IMSI, the SIM card identification number
  • Type of generated traffic, i.e. phone call, SMS, or data connection
  • Direction of the generated traffic, that can be incoming, outgoing or forwarded
  • Connected cell tower, information on the physical cell tower the mobile phone connects to when initiating traffic, and sometimes also end cell tower, which is the last cell installation used when traffic is closed.

Sometimes, depending on the carrier, other fields are displayed, but the most important thing to know is that a CDR does not record any traffic content: no call wiretaps, no SMS body or any specific internet surfing details.

Which elements of a citizen’s privacy are exposed when using information stored inside a CDR?

The mobile number, first of all. Everyone’s phone number is saved in their device, which is carried with them almost 24/7.

Publishing a user’s number exposes them to the public. The IMEI on the other hand, despite being the mobile phone’s id number, is different. No public registries exist in which an association between user profiles and specific mobile phones are held. Furthermore, duplicated IMEI numbers could be found on the network1, so this type of data is not really a privacy concern. IMSI is a mandatory field on a CDR, and it is the main and most important part of the entire system: when you buy a new mobile plan or perform the portability of your existing phone number to a new carrier in order to maintain it, a new SIM card with a specific and unique IMSI code is given to you. Despite being an important element, there is not a direct way of retrieving personal user information by checking the IMSI number on a public registry. As mentioned above, the type of traffic does not disclose any information about the user, since no body of content is stored in a CDR. Connected cell tower is something that links a specific mobile number, IMEI, or IMSI to the geographical location of the cell tower used for a transmission. It is therefore possible to track the device’s movements by analyzing this field, and additionally dig deeper into an investigation by discovering feasible meeting points with other users.

Now it is clear that the only highly sensitive data stored inside a CDR that can track a citizen’s movements are the phone number (who) and the connected cell towers (where). A detailed description of “where” is mandatory at this point. The information stored inside a CDR can be explained as follows: “that number was connected to that specific cell tower”, but this should not be thought of as being similar to a GPS tracking system. These types of devices connected to a satellite, and also mobile phones serviced by a GPS app, can display geographical positions with an accuracy of a few meters. The theoretical coverage of a cell tower is conversely extremely wider: it may vary from a few hundred meters to many dozens of kilometers, depending on the technology, the network traffic, the level of population density of the cell tower installation area, and other parameters. Connecting to a single cell tower only identifies a generalized area, relative to the theoretical coverage that cell tower generates. It cannot be used to pinpoint an exact position, for example, the condo in which the user is living.

1 Having an IMEI number linked to a mobile phone is not necessary for a mobile network to work properly, and for this reason very often a single batch of phones produced in China are all assigned the same IMEI code.

Public concerns related to the protection of personal privacy are quite justified and realistic when considering geoposition applications everyone has installed on their mobile phones. These extract a person’s movements directly from the GPS chipset of the device, and then not only store them but also share this information with the app’s developer or to the cloud. This is not the case when using CDR connected cell tower data, due to the nature of the information stored by the cell phone carriers, as described above.

In terms of connected cell tower information and potential loss of personal privacy, a scenario could be considering a small community living in a remote rural area where maybe only one single cell tower is in service: certainly a limited group is easier to break down, hack or expose. This is true, but one should also consider that the cell tower range, in these conditions, is most certainly much wider than a cell tower installation of a city center. This expands the number of users which in turn reduces the risk of people not entrusted with the integrity of CDR information of being able to easily extract, single out and use confidential data for hostile reasons.

Considering what has been discussed, when using the CDR of an infected person for tracking purposes but also taking into consideration that person’s privacy, proactive solutions can be adopted. If the carriers simply replace the phone number with an anonymized one, this is something that can keep the citizen’s privacy safe: for example, replacing the number +39.0423.5647312 with the term “User A”. For the providers, publishing an anonymized CDR is quite immediate, since they can just set up how their systems write the exported CDR data to a spreadsheet. They could also add something more to the CDR, such as highlight whether the user is infected or not, for example replacing the mobile number with infected_User_A.

CDR data can track the spread of a virus from person to person across a country, and governments can use cell phone activity information to discover if and in which areas an infected user has been moving. Once this risk area has been defined, perform a widespread check to discover all other subjects present in that timeframe and geography: implement swab procedures for everyone but without disclosing the first and last name of the original infected user. In the case of a confined red zone, it is possible to check if someone is illegally exiting that area, breaking the rules. In this situation, legal authorities can easily ask the cell phone provider for a complete CDR linked to a specific quarantined subject, based on the IMSI stored in the anonymized CDR. As said, there is no need to change an IMSI number because this type of data does not breach any privacy terms. This last aspect gives carriers the freedom to store the correlation between the anonymized mobile number and the real one in a separate and safe emergency database, the location of which should be protected and kept safe from hackers.

Tracking movements of mobile numbers, if this is performed properly, does not expose citizens to privacy concerns but in fact helps the community in the fight against pandemic viral outbreaks.

SecurCube is a digital forensics company specialized in developing technology for the analysis of Call Detail Records and cell tower real coverage investigation. The team cooperates with law enforcement agencies and digital experts committed to the examination of electronic devices and related data, providing them consultancy as well as support and training.

Phonelog is a software solution created from the imagination and desire of Nicola Chemello and Massimo Bastianon, two young IT engineers who in 2010 set out to create a system which would help investigative forensic data analysis: not a highlighter, a pen, and stacks of paper phone records, but a user-friendly, modern and efficient tool to save time and create strong forensic analysis. The result is able to absorb, analyze and correlate data from different sources: call detail records, cell tower data, mobile extractions, GPS logs, and more. It simplifies the investigative task offering many ways to manage, organize and show visual results in a simple and efficient fashion. Phonelog offers a variety of functions which range from map positioning to defining user habits and interactions with other entities.

BTS tracker is a hardware device designed to scan an area of interest and define its radio environment. It specifically searches for all the cell towers active in that area and logs their real coverage: this helps an investigator define and understand how cell towers really perform and connect to mobile devices and have a deeper understanding of the digital environment that surrounds us and fine-tuning research and the mapping of a device’s movements.

Nicola Chemello – Professional Engineer and Digital Forensics Expert.

Securcube CEO

2 SecurCube’s landline number written in the form: +39 (international prefix) 0423 (local area prefix) 564731 (phone number)

Digital Forensic Community