Surveillance data challenges what we thought we knew about location tracking
50 comments
·October 14, 2025malwrar
armchairhacker
Everyone thinks when they have power, they’ll use it correctly, because they have (from their perspective) good intentions.
An ideal government with total surveillance is the best case. You get the benefits of low crime without the drawback of corruption and ideology. The problem is in practice:
- Large institutions aren’t good at exercising fine control: even if the leaders have truly good intentions, corrupt mid-level employees and inaccurate data lead to bad outcomes.
- Good leaders seem to often pick bad successors, and unless they frequently pick better successors, someone will eventually pick a corrupt one.
- Corrupt leaders seem to be good at ousting or sidelining good leaders, more than vice versa, perhaps because good leaders are less passionate about gaining and keeping power.
Perhaps there are other reasons. Not just ideal governments, but even self-preserving governments don’t tend to last. Hence, although decentralization and privacy are never ideal, they should exist at least for backup, “just in case” (inevitably in practice) the centralized surveillance system goes rouge.
Gigachad
I’m not totally opposed to surveillance, I just wish it was more transparent and limited to need to know uses.
If the police need your google search history thats ok as long as they can get a warrant showing they have justification and then perhaps at a delayed time, the account owner should be notified that this happened.
If they need access to your phone, rather than hacking it they should just take it off you and get the password from you.
This limits tracking since this is a fairly disruptive and visible thing and prevents just passive tracking of everyone all the time.
Businesses who use facial recognition for loss prevention should be legally required to only use their data for this purpose and never for marketing and analytics. They must not ever sell the data and delete it within a reasonable time.
01HNNWZ0MV43FF
It might be like prison reform and prisoners' rights - Nobody gets elected on a "soft on crime" platform, and civic engagement at the state and local level is so bad that people typically put up with cameras instead of agitating to get them banned. I say agitate. Show up, keep showing up, keep talking, keep telling friends. We can fight this. Democracy will work if we get people onboard, one way or another
3eb7988a1663
You are more optimistic than I am. Flock and friends seem something like ChatControl. Those in power who want it have unlimited patience. They will keep pushing for expanded capabilities for the day when public attention has failed. Once they win, near impossible to revoke.
janwillemb
It is about a company, First Wap, that makes it possible to track individuals. Their USP is a piece of software that operates at phone network level and uses the fact that phone companies still support an old protocol, Signalling System 7:
> Phone networks need to know where users are in order to route text messages and phone calls. Operators exchange signalling messages to request, and respond with, user location information. The existence of these signalling messages is not in itself a vulnerability. The issue is rather that networks process commands, such as location requests, from other networks, without being able to verify who is actually sending them and for what purpose.
> These signalling messages are never seen on a user’s phone. They are sent and received by “Global Titles” (GTs), phone numbers that represent nodes in a network but are not assigned to subscribers.
overfeed
> The issue is rather that networks process commands, such as location requests, from other networks, without being able to verify who is actually sending them and for what purpose
'Fun' fact: "other networks" includes any foreign network with a roaming partnership. It's possible to abuse SS7 to track people across borders, from half the world away.
beached_whale
I assumed it was the telecoms just selling the data about their subscribers. https://www.telecomstechnews.com/news/fcc-fines-major-telcos...
pkulak
Why not both?
beached_whale
One would hope the selling is illegal and did more than just fine the companies.
nostrademons
It's fascinating how these secrets are turning up in the press now. The article is (probably intentionally) vague about it's sources: they only say "Lighthouse found a vast archive of data on the deep web". But reading between the lines - does that imply that this surveillance company kept records on thousands of targets, and then left them in an open S3 bucket? Not the first time - the TM_Signal leak of upper-echelon U.S. government communications was also facilitated by an open S3 bucket that contained the message archives of everything that, say, the Secretary of Defense was messaging to the POTUS.
But it is highly ironic that these companies specialize in surveillance, tracking, and security, and then have a tendency to leave the data that they steal from others open to the Internet in a very amateurish security lapse that in turn leads to everyone stealing from them.
dylan604
Is it possible the phreakers are so specialized they have no experience with cloud admin and just went with some copypasta from SO answers to get the boring shit done so they could get back to phreaking? Not everyone is an expert in cloud management. It is easy to bork something when you have no idea what you're doing because you don't want to be doing it. They could have also hired low level people to do something for them and just didn't spend enough to have it done correctly. There's many reasons for a very specialized group of smart people to do something utterly dumb and easy to avoid by people with other specialized skills. These people would probably look at you as silly and amateur for using SMS.
null
dontNotDoDrugs
[dead]
walterbell
"Why the US still won’t require SS7 fixes that could secure your phone" (2019) https://arstechnica.com/features/2019/04/fully-compromised-c...
the group:
- dragged its feet on resolving SS7 security vulnerabilities
- repeatedly ignored input from DHS technical experts
- [identified] best practices.. using different filtering systems
- [but] pushed.. to rely on voluntary compliancebaxtr
For anyone interested, they also have a technical explainer that describes their methodology in detail.
https://www.lighthousereports.com/methodology/surveillance-s...
Flockster
I could not compare it completely, but it sounds very much like this talk that I saw many years ago at the CCC.
SS7: Locate. Track. Manipulate. [2014] https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271...
dogman144
Reads like they’re doing one of several way to get mobile device IDs, and then x-ref those against anon’d adtech datasets that anchor on the mobile ID.
If your device privacy is a mess, mobile ID links you to all the good and bad things you do on a phone.
Had no idea this was part of the tool options, but backbone cell network makes sense.
Other TTPs I’d read about was variations on geo-fenced adserving to phish a mobile ID basically via user interaction or scroll past the ad. Small enough geofence and do it a few times, one could safely figure out the user being the ID. Googling “RTB surveillance” or “DSP surveillance” are ways into the topic.
Scary stuff! Pair that with this tech has been working for years, and is international. Frames a bit differently every action by a public figure - also at risk via the same threat model.
Also long have wondered what data analysis like this is done on technical forums… ran by a VC firm… with a lot of insider context (product market fit?) in the comments.
kklisura
> This investigation began with an archive of data. [...] It contains 1.5 million records, more than 14,000 unique phone numbers, and people surveilled in over 160 countries.
Why not HIBP (Have I Been Pwned) style site to check against the database if your number is in?
hughw
Right! I expected one.
EMM_386
More on ALTAMIDES and system modules:
https://www.giosec.uk/specialist-services---geo-location.htm...
simultsop
And then they call people paranoid to go off the grid.
dylan604
That's what they do to the people that figure things out. They discredit them so other people will not listen to them. It's the ones that go full tilt with lining the walls of their houses to be Faraday cages that make it all fringy cringy the rationally paranoid folks get lumped in with.
null
physarum_salad
Well its always funny to observe politicians/other VIPs use similar technologies to the most "loopy" prepper when they need to. Like actual faraday/signal jamming tents during negotiations or similar.
lawlessone
tbf, when the UK introduced a text to notify people of missing children ,some people(including relatives) were complaining on facebook that it could be used by the UK government to track everyone.
As if their government couldn't just track the smartphone or them via social media already.
dylan604
The cognitive dissonance of thinking that apps are needed to track someone with a phone vs just being able to track your phone directly is very telling. Even before smart phones with apps, the tracking was there as a required feature to make mobile work. Granted, the number of people that spend any cycles thinking about how mobile signals work probably rounds to 0. It takes someone really dialed in to the details to come up interesting bolt on things to an existing system like tracking people with a mobile device just by looking at the logs. Same thing with looking at "just the metadata". While it may be obvious to those dialed in, to those oblivious it sounds crazy.
null
aucisson_masque
I didn't quite understand how they are capable of tracking people and breaking WhatsApp encryption.
There is mention of fake antenna but I don't think they cover entire country with that, how do they do?
CGMthrowaway
They use vulns in the outdated SS7 system to trick networks into revealing a numbers location (1), and intercept SMS including the verification codes sent by apps like WhatsApp - allowing them to hijack accounts and monitor messages and calls directly (2). This method works remotely and doesn’t require antennas
The SMS are intercepted because thru SS7 by tricking the network into thinking the target phone is roaming (3).
(1)https://www.lighthousereports.com/methodology/surveillance-s...
(2)https://www.motherjones.com/politics/2025/10/firstwap-altami...
(3)https://www.fyno.io/blog/is-it-easy-to-intercept-sms-a-compl...
arkadiyt
> intercept SMS including the verification codes sent by apps like WhatsApp
For anyone worried, this approach:
1) Breaks the existing phone from receiving WhatsApp messages, so you can notice that behavior
2) Can be prevented by setting up a WhatsApp pin in your settings
citizenpaul
Not just vulns. It is possible to simply purchase access or become a provider in the SS7 system (<$20-50k USD). SMS is basically a completely open system at this point. Cybersecurity companies do it all the time for pentesting. So do "Cybersecurity companies".
Horrifying that nearly banks still require you to use sms as a 2fa and do not offer any other alternative.
Did you really think the US Gov was OK with facebook running the biggest "encrypted" SMS system on earth. LOL of course they already had access to all the messages.
varenc
Hijacking WhatsApp SMS authentication codes can be prevented by just adding a PIN to your account. Doing this attack also doesn't grant you access to someone's old WhatsApp messages, and contacts with "security notices" enabled will see that your device has changed. It's quite different than big gov just having access to all your WhatsApp messages. (But there might be other ways they can do this, but just SMS sniffing doesn't get you there)
bayindirh
> Horrifying that nearly banks still require you to use sms as a 2fa and do not offer any other alternative.
In my country banking applications are tied to your phone via IMEI, SIM and other hardware dependent information available.
Forget getting banking details and use another device without the user knowing, either.
If someone clones your SIM or gets a replacement in behalf of you, your all banking access is blocked until you enable them one by one with your ID card or other means.
One of the banks can use FaceID as a secondary factor, too.
So, other methods are possible. It's an "implementation detail" at this point.
jonplackett
Yes - and they also claim not to track users themselves. Is that just a lie or is there someone else doing the tracking?
This article answers none of my questions!
kipchak
There's more details in the technical explainer linked in the article.
https://www.lighthousereports.com/methodology/surveillance-s...
Tenemo
> We found Netflix producer Adam Ciralsky, Blackwater founder Erik Prince, Nobel Peace Prize nominee Benny Wenda, Austropop star Wolfgang Ambros, Tel Aviv district prosecutor Liat Ben Ari and Ali Nur Yasin, a senior editor at our Indonesian partner Tempo.
Political figures being there I somewhat understand, but a Netflix producer? Why would anyone need to track a Netflix producer?
layer8
He’s also a journalist and had a carrier at the CIA. Why don’t you look him up if you’re curious about that?
attila-lendvai
look up Operation Mockingbird. half of the media is government operatives...
netflix is a crucial tool of narrative control...
they are nowhere near "just producers"...
trinsic2
This is why I think Microsoft, Apple and Google are owned as well. And answers a lot of questions about gatekeeping and vendor lock-in
gnatman
Looking at his career and production credits, it’s probably more accurate to describe him as a journalist who’s covered some sensitive subjects.
kipchak
Maybe hoping to bump into them for a impromptu elevator pitch for a show?
null
kjs3
They're a critic?
I wish journalists would explore why the technical methods & information sharing that enable this surveillance are allowed to exist. Highlighting instances of abuse and the quasi-legal nature of the industry doesn’t really get at the interesting part, which is _what motivates our leaders to allow surveillance in the first place_.
I recently completed Barack Obama’s A Promised Land (a partial account of his presidency), and he mentions in his book that although he wanted to reform mass surveillance, it looked a little different once he was actually responsible for people’s safety. I often think about this when I drive past Flock cameras or walk into grocery stores; our leaders seem more enticed by the power of this technology than they are afraid of vague abuses happening in _not here_. It seems like no one sees a cost to just not addressing the issue.
By analogy, I feel that reporting on the dangers of fire isn’t really as effective as reporting on why we don’t have arson laws and fire alarms and social norms that make our society more robust to abuse of a useful capability. People who like cooked food aren’t going to engage with anti-fire positions if they just talk about people occasionally burning each other alive. We need to know more about what can be done to protect the average person from downsides of fire, as well as who is responsible for regulating fire and what their agenda for addressing it is. I’d love to see an article identifying who is responsible for installing these Flock cameras in my area, why they did so, and how we can achieve the positive outcomes desired from them (e.g. find car thieves) without the negatives (profiling, stalking, tracking non-criminals, etc).