A bit of context for non-Norwegians: The government owned media NRK bought location data from Tamoco worth approximately 3,400 USD.
The NRK subsidiary NRKbeta has "connected the dots" from that data set. In this article they present how they could track down military personnel visiting restricted military sites in Norway, including the disputed radar installation in Vardø, close to the Russian border.
This reminds me of this rumour about how someone used Tinder to triangulate opponent units during an exercise and arty them to shit. Supposedly Finns outwitting Norwegians, but it is an anon text so who knows: https://imgur.com/gallery/bySUH
"NRKbeta is NRK's sandbox for technology and media. We write about media, the internet and new technology with a focus on you as the user, and what we at NRK do in this field. We call it a sandbox because we want to test things out, be curious and find out how things change. And bring you, the users, with us on this journey."
I also think it's important to contextualize this journalism with the current debate around the Norwegian contact tracing application.
The application has been heavily criticized for the collection of GPS data for research usage and to track behaviour when new guidelines are announced. They claim this data is going to be "anonymized", but later clarified it would only be "pseudonymized".
It is also unclear if the data collected is going to be deleted in December, when the app is set for deletion by the current regulation from Stortinget.
It is surprising that this is not illegal. It should be illegal under GDPR as sufficiently anonymized data should not allow you to connect the dots to do anything like tracking military personnel. Transporting sensitive military information over the Norwegian border sounds also very illegal under Norwegian law.
Back when Wikileaks released the Afghan War Diary, I wonder what would have happened if rather than a whistleblower we would have people buying data collected from soldiers' smartphones in order to reconstruct the material. It should be pretty easy to identify collaborators by which smartphone gets into contact with someone else's smartphone thus reconstruct who is working with who.
This reminds me of an experiment I'd like someone to run on Strava. They had this big scandal some time ago where people identified US military bases simply by having a lot of activity in an otherwise empty area.
Now they've added some mojo to prevent this but still sell location data.
So how about running the same attack but instead of using the browser and their own website just use the bought location data.
I suspect they didn't fix that as I've disabled appearing on their heatmap but they still sold my location data when I forgot to disable my VPN during a run some time ago.
It wasn't just the US military. There were plenty of jogging circuits around strange desert installations in Syria by joggers who had recently jogged around military bases in Russia, at a time when Russia was claiming no deployments and only observers and things.
There were also armchair people wondering about other tracks in various places in the world.
Not only could you see bases because of activity around an otherwise empty area. You could almost pinpoint the exact shape of the base's perimeter because soldiers would prefer to jog along the inside of the perimeter. Smartphones and location-based apps and services are a security nightmare.
Seems to me the scandal is that US military bases allowed people in protected areas to upload GPS traces of their activities, more so than Strava showing these along with millions of other traces in their activity maps...
You can add privacy zones around locations so when people look at your activities your line just disappears inside the radius of your privacy zones.
I have ones around my home and where I work. No idea if that affects whatever data they sell (I doubt it, since you can still see the full activity yourself even with a privacy zone), but stops people finding where you live/work and nicking your bike.
> Now they've added some mojo to prevent this but still sell location data.
Strava publish a "heat map" that shows aggregated activity of all their users. It's useful for finding common running/biking routes in areas you don't know well. That's how the military bases were found.
A lot of British intelligence during WW2 was gleaned not from the contents of the messages they intercepted, but rather from tracking who was where and communicating with whom.
And if you stop soldiers from using mobile phones on restricted ground, you are just going to have lots of tracks stopping abruptly at the gates and secure facilities identifiable by their lack of emissions.
Patterns.
There have been great examples of correctly identifying the crews of nuclear submarines by their predictable periods of time offline.
Reminded me of this New York Times article where they got hold of location data from 12 million Americans.
I think NRK found some inspiration from that.
dang|5 years ago
I'm sorry, but we have enough trouble getting this audience to read the articles as it is.
santamarias|5 years ago
SiempreViernes|5 years ago
Foxboron|5 years ago
https://nrkbeta.no/
belorn|5 years ago
santamarias|5 years ago
Grollicus|5 years ago
willvarfar|5 years ago
snorremd|5 years ago
nxpnsv|5 years ago
mathieuh|5 years ago
thinkling|5 years ago
https://www.strava.com/heatmap#7.00/-120.90000/38.36000/hot/...
EDIT: I forgot that Strava do sell heatmap data to government transportation departments and such so I fixed the comment.
erikbye|5 years ago
https://www.tamoco.com/blog/best-app-revenue-calculator/
user5994461|5 years ago
Original article is in Norwegian.
daffy|5 years ago
dylkil|5 years ago
john_minsk|5 years ago
willvarfar|5 years ago
ganzuul|5 years ago
JacobHonore|5 years ago
https://www.nytimes.com/interactive/2019/12/19/opinion/locat...
TazeTSchnitzel|5 years ago