Following the Digital Footprints

February 9, 2017

Because the Learn section of TalkRights features content produced by CCLA volunteers and interviews with experts in their own words, opinions expressed here do not necessarily represent the CCLA’s own policies or positions. For official publications, key reports, position papers, legal documentation, and up-to-date news about the CCLA’s work check out the In Focus section of our website.

 

6 Ways the Police Can Use Your Digital Footprints to Find You

We like to think that the Internet is anonymous. Sure, when we log into Facebook or tell eBay our mailing address, that information is available. But that’s all information we chose to provide. Most people never post their home addresses or the location of every coffee shop they sit in. So does that mean those locations cannot be discovered? Not at all! Here are 6 simple ways:

 

  1. Ask Your Internet Service Provider

To access a webpage, your computer broadcasts your digital location (known as an “IP address”), so that the Internet knows where to send your content. Finding this IP address is not particularly difficult for the police, especially if they are watching the site you just accessed. It’s safe to assume the police can find your digital location. But that only tells them where you are in cyberspace, not where you are in the real world.

Enter your Internet Service Provider. This is the company you pay for Internet access – think Rogers or Bell – and whose routers assign your IP address. When you signed up, you gave them your name and physical address as well. So, if the police say they are looking for your IP address, your ISP could give them your name and tell them that you live at 123 Conspicuous Street.

Thankfully, there are some limits to when and how police can get a warrant for this information (see R. v. Spencer: https://scc-csc.lexum.com/scc-csc/scc-csc/en/item/14233/index.do). And without a warrant, your ISP may not cooperate. But the police don’t really need your ISP’s help.

 

  2. Use IP Lookup or Traceroute

Your IP address is not entirely divorced from the physical world. Your ISP is assigned a block of IP numbers to allocate to its clients and this set of numbers is publicly available information. Additionally, most ISPs assign IP addresses in a predictable way that reflects what networks each user is connecting to. There are free online tools which can use your IP address to find your ISP, then run a statistical analysis of how your ISP generally assigns its IP addresses. These tools are known as IP Lookup (for example: http://whatismyipaddress.com/ip-lookup), and can give a rough estimate of where you currently are (to the city at least; possibly to within a few blocks).

For a more precise estimate, the police could turn to a traceroute. These tools send a message to your IP address, and record what path that message took to get to you. The last step in that path must be the connection you’re physically closest to, so if they can find out where that router is, they now know that you’re nearby. And since the location of major routers is generally not a secret, this could narrow down a search considerably.

There are ways to hide your IP address (a practice known as “IP spoofing”), generally by using a Virtual Private Network (“VPN”). These services let you pretend you have a different IP address. But an IP address is not the only way to track you.

 

  3. Ask Cell Tower Owners

Every few seconds, without your knowledge, your cell phone sends a short message to the cell towers nearby, essentially saying, “I’m here”. The purpose of this message is to identify the closest tower so that you can get the fastest service. But that message includes 2 key identifying numbers: your International Mobile Subscriber Identity (“IMSI”) and your phone’s International Mobile Equipment Identity (“IMEI”). Your IMSI tells the tower what SIM card you are using. But even if you abandon your SIM card, your IMEI tells the tower what physical device you are using.

Police investigating an incident can ask the owners of nearby cell towers for the IMSIs and IMEIs which messaged them. They can then ask your telecom provider (often the same as the cell tower owner) to tell them who owns each of these IMSIs and IMEIs. Like your ISP, your telecom provider knows who you are and where you live, and can share this information with the police.

Again, there is a Supreme Court case limiting when and how police can get a warrant for cell tower data (see R. v. Fearon: https://scc-csc.lexum.com/scc-csc/scc-csc/en/item/14502/index.do). But once they have that, telecoms subscriber data is already conveniently available in a database (see http://www.huffingtonpost.ca/2014/03/26/warrantless-surveillance-canada-telecoms_n_5036936.html).

 

  4. Use A StingRay (a.k.a. an IMSI Catcher)

Suppose that the police cannot get the cell tower data. In that case, they could simply pretend to be a cell tower and get your phone to send them your IMSI directly. A device called a StingRay does just that (there are other proprietary names for these devices as well; technically, they are called IMSI Catchers). It is unclear how often Canadian police use StingRay devices, but American police forces have been using them for almost 20 years, and there is evidence that they have at least occasionally been used:

 

  5. Geolocate Photos

Most people upload photos they took, or have photos of them uploaded, to some form of social media. And when just looking at these images, it’s generally hard to determine precisely where they were taken. But if they were taken on a phone with location services on, that information may be encoded in the metadata of the photo. With access to the file, it’s not hard to find the exact latitude and longitude where such photos were taken. So if, for instance, you have public photos on Facebook, the police could simply download the file, look at the metadata, and plot your location on Google Maps. It is unclear how often they actually do so, if they do, but they could.

 

  6. Ask Any App Developer

We increasingly authorize apps to use our location to make our lives easier. And the established ones – think Facebook, Google Maps, Instagram, Tinder, Twitter, Uber, or Yelp – tend to have reasonable security measures preventing third parties from accessing your location without their permission. But that doesn’t stop the police from asking. In fact, Canadian police make hundreds of requests for information from these established companies every day, some of which relate to locations. Most of these companies even have well-established databases to provide law enforcement quick and easy access to user information, presumably including location data.

This list is not exhaustive: there may be other ways police can trace your digital footprints. There are also physical ways to find you, like CCTV cameras and automated traffic cameras. And this list has been limited to the capabilities of ordinary police – intelligence agencies have significantly greater digital and physical surveillance capabilities. But hopefully even this limited list makes clear that your digital devices are constantly broadcasting your IP address, IMSI, IMEI, metadata, and in-app location services. If police (or anyone else) can get any of this, they could easily track you down.