Surveillance data challenges what we thought we knew about location tracking

Original Article ↗ Hacker News Discussion ↗

How the tracking works

  • Core mechanism is abuse of SS7, the legacy inter-carrier signaling system that still underpins 2G/3G and backwards compatibility for 4G/5G.
  • Surveillance firms lease “Global Titles” from operators or get in-country SS7 links, then send location and routing commands that other networks accept without strong authentication.
  • This enables remote location tracking (including across borders) and interception of SMS, especially one-time verification codes (e.g. for WhatsApp login) without fake antennas.
  • Other attack surfaces mentioned: femtocells and fake base stations/IMSI catchers, which can downgrade connections and capture identifiers or traffic; and adtech/RTB-style tracking via mobile IDs.

Security implications and mitigations

  • Hijacking WhatsApp via SMS codes:
    • Doesn’t reveal past message history.
    • Breaks service on the original phone (a warning sign).
    • Can be blocked by enabling a WhatsApp PIN and security notices.
  • SMS-based 2FA is widely criticized as “basically open”; attackers can buy or rent SS7 access. Some banks implement stronger device binding (IMEI/SIM/hardware, biometrics) to reduce reliance on SMS.
  • Several comments emphasize that dissidents effectively cannot safely carry phones, and in Europe mandatory SIM registration links almost everyone’s movements to identity.

Telecom and regulatory failures

  • SS7 weaknesses have been publicly documented for well over a decade; 4G/5G still depend on it, and fixes are largely voluntary.
  • Foreign roaming partners and even misconfigured or modified femtocells can abuse SS7 globally.
  • Telcos have also been fined for selling location data outright; commenters assume both formal and “shadow” markets exist.

Journalism, leaks, and data access

  • Some speculate the dataset came from a sloppy cloud deployment (e.g. open S3), others think reporters obtained samples by posing as customers. Exact source remains unclear.
  • There’s praise for cross-border investigative journalism and the separate technical explainer.
  • Several want a “Have I Been Pwned”-style lookup to see if their number appears in the archive, but no such tool is offered.

Surveillance, crime, and power

  • Debate over whether mass surveillance meaningfully prevents serious crime; many argue it mainly empowers states against dissent and protest.
  • Discussion of leaders’ incentives: once in office, they prioritize perceived safety and political risk over civil liberties; surveillance is described as an “externality” the public quietly absorbs.
  • Some advocate strict warrant requirements, narrow use, transparency, and shorter political careers; others hold a hard pro-surveillance stance (“only criminals fear it”), which is challenged as authoritarian and short-sighted.