Skip to content

Top Best Ask Show New Jobs

Norway: Soldiers' location history found in data sold by Tamoco (opens in new tab)

(nrk.no)

315 pointssantamarias6y ago73 comments

73 comments

39 comments · 9 top-level

Grollicus6y ago· 11 in thread

This reminds me of an experiment I'd like someone to run on Strava. They had this big scandal some time ago where People identified US military bases simply by having a lot of activity in an otherwise empty area.

Now they've added some mojo to prevent this but still sell location data.

So how about running the same attack but instead of using the browser and their own website just use the bought location data.

I suspect they didn't fix that as I've disabled appreaing on their heatmap but they still sold my location data when I forgot to disable my vpn during a run some time ago.

willvarfar6y ago

It wasn't just the US military. There were plenty of jogging circuits around strange desert installations in Syria by joggers who had recently jogged around military bases in Russia, at a time when Russia was claiming no deployments and only observers and things.

There were also armchair people wondering about other tracks in various places in the world.

iamacyborg6y ago

If anyone's interested in how this data can be used, this article breaks it down quite nicely.

https://www.bellingcat.com/resources/how-tos/2018/01/29/stra...

Not only could you see bases because of activity around an otherwise empty area. You could almost pinpoint the exact shape of the bases perimeter because soldiers would prefer to jog along the inside of the perimeter. Smartphones and location based apps and services are a security nightmare.

nxpnsv6y ago

Seems to me the scandal is that US military bases allowed people in protected areas to upload GPS traces of their activities, more so than strava showing these along with millions of other traces in their activity maps...

Or that soldiers aren't trained well enough in SECOPS that they won't give away base details just to track their own fitness.

What's the punishment for having GPS tracking devices on a military base?

Bet they all love their free USB drives sent from a friend they forgot they had, too.

Hope they're epoxying the USB connections on their Win95 nuclear submarines.

Well, yes, but also that Strava takes this hands-off approach like they're not responsible for the data they collate

You can add privacy zones around locations so when people look at your activities your line just disappears inside the radius of your privacy zones.

I have ones around my home and where I work. No idea if that affects whatever data they sell (I doubt it, since you can still the full activity yourself even with a privacy zone), but stops people finding where you live/work and nicking your bike

egwor6y ago

The fact that an area is made private is also a piece of information. I was thinking that you could use that to track down sensitive areas.

ashtonkem6y ago

That’s effective on an individual level, but tricky to enforce at an organizational level. It’s not like it would be wise for the DoD to log into Strava and setup a privacy fence around every sensitive location.

bluntfang6y ago

you're essentially telling strava that the privacy area is very important to you (ie your home, work, etc) and they are probably selling that fact.

thinkling6y ago

> Now they've added some mojo to prevent this but still sell location data.

Strava publish a "heat map" that shows aggregated activity of all their users. It's useful for finding common running/biking routes in areas you don't know well. That's how the military bases were found.

https://www.strava.com/heatmap#7.00/-120.90000/38.36000/hot/...

EDIT: I forgot that Strava do sell heatmap data to government transportation departments and such so I fixed the comment.

santamariasOP6y ago· 10 in thread

A bit of context for non-Norwegians: The government owned media NRK bought location data from Tamoco worth approximately 3,400 USD.

The NRK subsidiary NRKbeta has "connected the dots" from that data set. In this article they present how they could track down military personnel visiting restricted military sites in Norway, including the disputed radar installation in Vardø, close to the Russian border.

SiempreViernes6y ago

This reminds me of this rumour about how someone used tinder to triangulate opponent units during an exercise and arty them to shit. Supposedly Finns outwitting Norwegians, but is a anon text so who knows: https://imgur.com/gallery/bySUH

Reminds me of a story I heard: In a conflict, Russia sent SMS to the mothers of Ukrainian(?) soldiers, informing them of their son’s death (pretending to be the Ukrainian government/military). The mothers, distraught, called their son’s cellphone. The increased, clustered cellphone activity near the frontline gave away the unit positions. Shortly after, Russian bombs dropped.

skocznymroczny6y ago

"Hot missile silos in your area are waiting for you"

There have been alot of stories about stuff like this. One of the public ones I remember was if you were looking for US forces in unusual places, you'd find their running paths on Strava.

emilfihlman6y ago

Yeah that'd be Finns and Exercise Trident Juncture 2018

A bit context on NRKbeta from their website.

"NRKbeta is NRKs sandbox for technology and media. We write about media, the internet and new technology with a focus on you as the user, and what we at NRK do in this field. We call it a sandbox because we want to test things out, be curious and find out how things change. And bring you, the users, with us on this journey."

https://nrkbeta.no/

EDIT:

I also think it's important to contextualize this journalism with the current debate around the Norwegian contact tracing application.

The application has been heavily criticized for the collection of GPS data for research usage and track behaviour when new guidelines are announced. They claim this data is going to be "anonymized", but alter clarified it would only be "pseudonomized".

It is also unclear if the data collected is going to be deleted in December, when the app is set for deletion by the current regulation from Stortinget.

They picked a dumb name. As a Norwegian, I was under the impression that they've actually got a beta version of some supposed new site functionality for the longest time.

SiempreViernes6y ago

Is december a realistic end date for the epidemic control it is supposed to provide? Herd immunity by vaccination at that point is extremely unlikely...

belorn6y ago

It is surprising that this is not illegal. It should be illegal under GDPR as sufficient anonymized data should not allow you to connect the dots to do anything like tracking military personnel. Transporting sensitive military information over the Norwegian border sounds also very illegal under Norwegian law.

Back when Wikileaks released the Afghan War Diary, I wonder what would have happened if rather than a whistleblowers we would have people buying data collected from soldiers smartphones in order to reconstruct the material. It should be pretty easy to identify colaborators by which smartphone gets into contact with someones else smartphone thus reconstruct who is working with who.

santamariasOP6y ago

perhaps useful to replace the wording "track down" with "identify"?

john_minsk6y ago· 6 in thread

Don't allow soldiers to have mobile on restricted ground...

willvarfar6y ago

Traffic Analysis.

A lot of British intelligence during WW2 was gleamed not from the contents of the messages they intercepted, but rather from tracking who was where and communicating with whom.

And if you stop soldiers from using mobile phones on restricted ground, you are just going to have lots of tracks stopping abruptly at the gates and secure facilities identifiable by their lack of emissions.

Patterns.

There have been great examples of correctly identifying the crews of nuclear submarines by their predictable periods of time offline.

stan_rogers6y ago

It was giving that away in his book, rather than any of the other activities at Bletchley Park, that got Gordon Welchman into trouble. Even without any detail as to the techniques used, the fact that he and his group had basically worked out the German operational structure and deployment situation entirely from traffic analysis before the improved Enigma was reliably broken revealed a lot that was meant to be kept secret.

SiempreViernes6y ago

Just make the exclusion region a bit bigger than the grounds itself?

In any case, the attack here was to identify personnel based on known locations, not finding new locations in the first place. Big bases can't be hidden anyway, the best you can do is conceal what happens indoor in them so it seems silly to let foreign intelligence track personnel movement inside a base...

That is akin to not letting them have guns in modern warfare. Or a field shovel.

sgt6y ago

Nonsense. I agree, the soldiers should not be permitted to have cellphones in critical areas unless exception is given for some other reason. There are ways to communicate using encrypted communication bands used by police etc. They could be using small handheld devices for 2 way radio and basic messaging.

No, it's more like requiring them to use their issued equipment, over bringing their own guns.

daffy6y ago· 2 in thread

It would be interesting to know which ``apps'' were responsible for leaking the data.

dylkil6y ago

check the settings on your phone, the ones with location data access are selling it.

daffy6y ago

All of them? How do you know this?

dang6y ago· 1 in thread

We have nothing but respect for Norway, but HN is an English-language site, so articles here need to be in English.

I'm sorry, but we have enough trouble getting this audience to read the articles as it is.

santamariasOP6y ago

point taken, thanks :)

"On average app publishers make $10,000 a month with Tamoco data monetization."

https://www.tamoco.com/blog/best-app-revenue-calculator/

user59944616y ago

Google translate: https://translate.google.com/translate?sl=auto&tl=en&u=https...

Original article is in Norwegian.

JacobHonore6y ago

Reminded me of this New York Times article where they got hold of location data from 12 million americans. I think NRK found some inspiration from that.

https://www.nytimes.com/interactive/2019/12/19/opinion/locat...

TazeTSchnitzel6y ago

Something similar has happened before: https://news.ycombinator.com/item?id=16249955

j / k navigate · click thread line to collapse