French lawmakers agreed to a justice reform bill that includes a provision granting police the power to remotely activate suspects' geolocation, microphone and camera (source).

Following the senators, the deputies also gave their green light to allow certain features of smartphones and other devices to be activated remotely, thus turning them into surveillance trackers.

The deputies determined a list of professions "protected" from any capture: journalists, doctors, notaries, and bailiffs, in addition to lawyers, magistrates and members of parliament.

Technically, will it be possible for them to set up this type of surveillance on phones? If so, how will they go about it?

I wonder how authorities can effectively activate microphones and cameras from popular smartphones using iOS or Android.

I am also wondering how the privacy of individuals not involved in any criminal activity can be safeguarded when such wide-reaching surveillance measures are implemented.

asked Jul 8, 2023 at 6:35

Yann Rimbaud

2

There is no backdoor by design in the smartphones which would provide government agencies this kind of access. With a properly signed update process (i.e. only able to install signed updates, phone not unlocked) there is also no way for a government, carrier or nearby user to push some unauthorized software update with such a backdoor to the phone, neither for the baseband processor nor for the application processor.

Of course, it is technically possible to implement such a backdoor or to provide governments a way to install their own. But this would either require laws to mandate such backdoors or voluntary or involuntary secret collaboration of major manufacturers with the government. Involuntary means that the manufacturer itself is compromised. In the current supply chain it is really hard to keep such backdoors secret forever though. It will be noticed by employees at the manufacturer or by security experts reverse engineering the phone or observing suspicious traffic. At least democratic governments will risk losing lots of trust if it gets known that they implement such secret backdoors in a broad number of devices.

But there are other, more targeted ways with less broad impact, which therefore seem to be more acceptable (not good but less evil) for the majority of citizens: Smartphones are complex software and such software has bugs. In the past there were enough critical security vulnerabilities both in the baseband firmware and the application OS (i.e. iOS, Android) which could be exploited to install some backdoor functionality. Several companies used this to provide ways for both democratic and non-democratic governments to observe citizens and track their digital activities. See for example the Pegasus project for more information about such attacks.

It is likely that there will also be sufficient vulnerabilities in the future, so there is no actual need for manufacturers to cooperate with governments to explicitly add backdoors.

"I am also wondering how the privacy of individuals not involved in any criminal activity can be safeguarded when such wide-reaching surveillance measures are implemented."

This is primarily a legal and not a technical issue, i.e. what rules are there in place to limit who can be observed and what data can be collected. And of course, how these rules are enforced.

answered Jul 8, 2023 at 18:16

Steffen Ullrich

17

Such a thing is not possible natively. Police would either need to:

  • install something on the device
  • get device makers to include this functionality

So, this could simply be an allowance to try to "hack" devices legally or social engineer suspects to install surveillance apps. Sort of a blanket "if you can figure out how, or if you have the ability to, then there is a legal fast-track for approval to do it."

answered Jul 8, 2023 at 7:59

schroeder

9

Yes, it's possible.

Every single competent intelligence service on Earth has access to dozens of zero-day vulnerabilities on most popular phone brands/models. In France, this includes foreign intelligence (DGSE), internal security (DGSI), police intelligence (RG), as well as some branches of the police.

I knew someone who was (or still is) routinely paid by the government to find vulnerabilities on specific phone models.

I'm not that worried, though, because I think applying this at scale is not that practical without actual backdoors. It is unlikely that they will waste their portfolio of zero-day vulnerabilities on low-profile cases.

answered Jul 8, 2023 at 18:11

hackishlackish

1

The government could simply demand (or ask nicely, please) that the cellular network carrier push an update to remotely activate the microphone, GPS, etc. This is absolutely technically possible without physical possession of the device. The "baseband" processor is separate from the user OS, and it has low-level access to the hardware. The only requirement is that the government can coerce the cellular provider into cooperating with the scheme, which seems entirely within their power. In the US, cellular carriers voluntarily cooperate with government surveillance. I see no reason that it would be much different in France.

Outside of compelling the carrier to push an update, there are many, many reports of 0-day vulnerabilities in cellular baseband processors; a quick internet search will turn up lots of them. Governments like to collect such vulnerabilities to be exploited rather than patched.

answered Jul 8, 2023 at 16:03

Mukunda Modell

7

It is possible, but legally (not technically): the government passes a law that makes it unlawful to have a smartphone and not have a certain application installed, and allows the police to ask any citizen to show that the application is installed.

Or it can require every ISP to deny internet service to anyone that does not have that application installed, and the application would have a way to connect to the ISP service, provide the IMEI or IMSI of the phone or SIM to a government application, and that would allow general internet service to that number.

It would not force installation on any phone (that's usually not possible for every brand and version of phones), but would make you install the application to be able to connect your phone to cellphone service. Without that kind of application, your phone would only work when connected to Wi-Fi.

answered Jul 10, 2023 at 20:48

ThoriumBR

There are 2 major points in activating surveillance on individuals. The first one is technical (what application, how to install or update it, possible passive ways...). And the second one is legal. It is no use for governmental organizations in democratic countries to care about the first one unless the second one is solved: any information obtained outside of a legal procedure is deemed not to exist and cannot be used in court.

This law has 2 points. The first is to allow the intelligence services to make use of any security flaw present in smartphones and optionally to use third-party tools like Pegasus to gather information. That is already an important point and had probably been requested for a long time by security services. The second one is simply communication. It is essential for governments to show their electors that they act. Whether the action is efficient is often seen as a minor concern...

For the privacy concern, it is not different from what exists in the real world. Police have the ability to spy on any citizen, and set up telephone conversation recordings. But they are only allowed to do so after a judge has decided it was required by a legal investigation. And any information that could be obtained but that would be unrelated to the specific investigation would again be deemed not to exist and should be erased.

I am far more confident in the law to protect my privacy than in any technical means: only the law could prevent various merchants from calling my phone at any moment in the day. Any technical filtering would be a sure way to prevent a legitimate and important call from reaching my phone if the caller's phone is out of battery and they use a friend's one...

answered Oct 23, 2023 at 6:41

Serge Ballesta
