The popularity of crowdsourcing projects has skyrocketed across Internews as local communities realize the potential to use mobile phones to crowdsource information on elections, human rights abuses, corruption and a variety of other critical topics.
Those systems often rely on bound and unbound crowdsourcing, from a variety of actors, often including the local population, local journalists trained by Internews and local civil society groups. Activities often blend reporting from mobile phones (SMS), face to face meetings and the Internet to enable information gathering.
They hype around crowdsourcing projects often masks a harsher reality: securing such a system is impossible. Complex relationship exist among governments, private industry and telecommunications companies, exposing the system to unknown and immeasuarable risk from the outset. Users assume the tools you give them are safe. They are not.
These early experiments remind us of the vulnerabilities of mobile technology. Security assessments have led us to a definitive conclusion: talking about mobile security is an oxymoron. There is no such a thing as a secure mobile phone. As the NYT recently also pointed out, “That's no phone, that's my tracker”. Let's examine the weaknesses of different mobile options:
1. A simple feature phone.
Feature phones are the most difficult to secure. You can take some precautions, but you will never make them 100% secure. Why?
The International Mobile Equipment Identity. The IMEI is a number, usually unique, used to identify mobile phones as well as some satellite phones. It is usually found printed inside the battery compartment of the phone. The IMEI number is used by a GSM network to identify valid devices and therefore can be used to prevent a stolen phone from accessing that network. Even if the IMEI is only used for identifying the device and has no permanent or semi-permanent relationship to the subscriber, many network and security features are activated and registered through that number. This basically means that your mobile provider is always able to track your phone by locating the battery via the IMEI number.
The SIM card. Your SIM card has a International Mobile Subscriber Identity or IMSI, stored in it, a unique identification associated with all GSM, UMTS and LTE network mobile phone users. It is sent by the phone to the network. It is also used for acquiring other details of the mobile in the Home Location Register (HLR) or as locally copied in the Visitor Location Register.
The phone number. As you can see from above, the triangulation of those two codes (IMEI and IMSI) can give not only your location, but also the ability to track your device and the name of the subscriber, plus all the information you gave when you registered your SIM card.
Some partial solutions to those issues have been:
1) To remove the battery from your phone – which means that you cannot use the phone
2) To use unregistered SIM cards, which are illegal in most countries
3) To frequently change both phones and SIM cards, which makes is more difficult to track but not impossible
4) To use specific phones that can be used once and then thrown away
2. Smart Phones.
The GPS. Due to the availability of GPS in almost all smart phones and mobile applications, this is the first and most common way smart phones can be tracked. From Facebook to Google Maps to Twitter, the use of GPS-enabled features in smart phones make it very easy to track the devise as well as the identity of the owner.
Internet Connection. Any mobile internet use exposes the user to the undetected installation of malwares on your phone so that not only can the phone be tracked, but all your data can be easily gathered by a third party.
Use of Wifi. Even if you don’t have a GPS-enabled function in your phone, every time you connect to a wireless network your phone is geo-located in the area covered by that connection.
With smart phones there are several software options that can be used to protect your location and data, for example, to encrypt SMSs and Internet browsing, or to install antivirus and security software. In general though, even with all those systems in place your devise is still traceable via the IMEI, the SIM card and your phone number.
So what’s left?
To be honest: nothing.
Your mobile devise will never be 100% safe. So should we stop using them? Of course not, we can keep using our devices but we need to be aware and make other users aware of the risks of participating in crowdsourcing activities. Security is almost never about securing something absolutely but as implementers of high-stakes crowdsourcing activities, it is all about knowing what is safe and what is not, and being prepared for all possible outcomes.
[Images in this page are taken from the IBM Managed Security Services team infographic on mobile security challenges]