Protect the Mobile Phone User – Not Just the Data
Encryption has been used to protect secret information for centuries. You could get lost in a rabbit hole googling the history of encryption and ancient ciphers. Organizations of all kinds have data they need to protect, and data protection has been the focus of many mobile device management solutions.
It’s important and necessary. But data isn’t all that needs to be protected. For government entities, managing mobile devices must include protecting the user as well.
Constant Surveillance and Tracking
It seems many people are well aware of the constant surveillance phones perform. What might not be so well known is:
- How important it is to disable this surveillance in certain cases
- The difficulty of doing so reliably & consistently
- The consequences of failure
The People Are the Targets
The average mobile phone user faces threats such as spam calls attempting theft via deception. Fortunately, my Mom is called “Nana,” so any thief calling and saying, “Grandma, I need money,” is easily identified as a liar.
But the individuals working in government, military, and intelligence roles are themselves the targets. Nation states want more than just their data.
A recent Wall Street Journal article describes the, “significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.”
Unexpected Sources of Exposure
The identity of a covert intelligence operative can easily be exposed by something seemingly innocuous. For example, the predominant style of eating meat in the U.S. involves skewering the meat with the fork in the left hand, knife in the right, then putting the knife down and switching the fork to the right hand, tines up, to eat. Whereas in Europe, the knife remains in the right hand and the food is eaten promptly after being cut, with the tines still down. (And, for the record, the American style is considered impolite through much of Europe.) “US. Legend has it that this style actually blew the cover of American spies operating in Germany in the second World War.”
At least in this case, one must witness the American in the act of eating, which requires visual surveillance, whereas phone signals are even easier to detect and don’t require close proximity.
Varied Uses of Mined Data
There are ethical implications for invasions of privacy resulting from data mining, such as retailer Target detecting women were pregnant before they’d announced to their loved ones. That particularly creepy story is now nine years old.
But for national security employees, the intelligence harvested can endanger people’s lives. Consumer phones create a trail of breadcrumbs about the user such as:
- Where they work
- Where they live
- Spending habits
- Social activities
- Travel habits
In turn, this can drive human intelligence on an industrial scale, revealing such insights as:
- If a user is having an affair
- Frequently visits casinos
- Spends beyond their means
This insight can provide foreign intelligence services with a very low risk way of identifying government employees that they can pressure to try to subvert, to try to recruit as sources and agents and spies for them.
What You Don’t Know Can Hurt You
Devices, Android specifically, turn on wireless capabilities, Bluetooth and Wi-Fi, without the user’s knowledge or understanding. Numerous studies have shown that idle, stationary Android phones running Chrome browser communicate with Google’s servers multiple times every hour. We’ll examine this in our upcoming article, “Off Means Off – Are Your Mobile Devices Listening?”
In some cases, the user may have given permission for this behavior without understanding what it really means, which is a trick of clickthrough licenses. While we may recognize that it’s wise to always read an agreement in its entirety before signing, the default action for most people is to simply agree to EULAs without reading in full.
And misunderstandings can lead to trouble. Often, the outcome is merely inconvenient or even amusing, such as the time my European friend ordered an 18-inch pizza for the two of us, due to lack of familiarity with the English measurement system. We found some people to share it with, so the result was a happy accident.
But when phone users don’t understand the implications of granting certain permissions, the consequences can be dire.
For example, when a user turns off Wi-Fi and Bluetooth, Android turns them on periodically to help do location detection. Additionally, it doesn’t even bother to notify the user. For most consumers, the consequences are typically nothing more than indiscernible decrease in battery life, but it is life threatening for a military unit is in the field.
Unfortunately, Mobile Device Management (MDM) applications can’t stop this either because they can only use the APIs provided by the operating system. [More to come in a future blog.]
The Need for Camouflaged Phones
No, covert ops don’t need a literal camo print cell phone case, but rather the ability to blend in and remain undetected. U.S. government people are particularly at risk when travelling. They must ensure they don’t stand out. In addition to the electronic signatures emitted by mobile phones, many secure government phones have a distinct appearance that is as glaringly obvious as someone driving on the wrong side of the road. Camouflage is needed for both the physical and electronic aspects.
Protecting the Users of Mobile Phones
A Google search for, “mobile phone data protection” yields about 1.86B results, and “mobile phone protection,” 1.46B results, starting with warranties and insurance for loss, theft, and damage.
But what about protecting the user?
And no, we’re not referring to the need for protection from the psychological damage social media inflicts. Mobile phone security that protects the users requires an undetectable physical appearance combined with absolute certainty of control over electronic signals. For more on how CIS Secure achieves this for our government clients, read this post on the NSA’s guidance for limiting data exposure.