The spy in his pocket

An obvious implication of Aftenposten's detection of false base stations – IMSI prisoners – near the Storting, among others, is that it is not only politicians' communication that is captured, but also the communication to most people. The revelations have raised discussions about espionage on the elected officials, but activists and random people traveling in the area are probably more vulnerable than politicians in the Storting. Politicians working on state secrets should use encrypted channels, nor is it a secret that they are staying at their workplace – the Storting. Although the use of IMSI prisoners around the Parliament is clearly a provocation, state secrets should be safe as long as security procedures are followed. What about the safety of most people?

Little control. Eidsvoll's place in front of the Storting is one of the most used places for demonstrations and markings for and against various political issues. IMSI catchers located in the area can register who shows up at the various demonstrations – as long as they carry the mobile phone. In addition, they can potentially capture the content of phone calls, text messages and data traffic from the mobile phones in the area. What we don't know is who's behind it. PST has called into question the findings, although several experts have been very clear that the measurements Aftenposten has had, probably indicate the presence of IMSI prisoners in the center of Oslo. This may indicate that they either belong to the PST, or that the PST will cover that they themselves have failed to detect the false base stations.
According to a report prepared by the Norwegian authorities in collaboration with the telecom operators, foreign powers are also behind part of the surveillance – and there is little or no control over what is going on. This means that, for example, when there are demonstrations aimed at another country in central Oslo, the potential exists for this country to find out who showed up.
So what can you do to protect yourself from being registered as a participant in a demonstration? Or to protect your communications from being intercepted by fake base stations? There are things you can do to try to prevent your mobile phone from connecting to a fake base station, such as blocking a connection to the 2G network – but if you want to be absolutely sure that your presence in a demonstration or in a given place to a given time is not captured via your mobile phone, you should preferably leave your mobile at home.
If you can live with the fact that the owners of the fake base stations know that you are in the area, but want to protect the content of your communication, the possibilities are far better.

Mobile security for activists. The possibilities for encrypting communication between mobile phones are becoming better and more common. For several years, Apple has had encryption built-in for messages between two iPhones. For those who prefer open source solutions to prevent the owner of the solution from cracking the encryption or installing backdoors, Open Whisper Systems is a developer worth following. Edward Snowden is among the experts in computer security who recommend their solutions. Open Whisper Systems has recently launched the app Signal for iPhone, which allows you to call and send text messages encrypted with others who have the app. Signal communicates seamlessly with Textsecure and RedPhone for Android, respectively for text messages and encrypted phone calls.
Signal, Textsecure and RedPhone also facilitate the exchange of fingerprints – a method of verifying that you are talking to the person you think you are talking to. A common way to attack encrypted communication is by a so-called man-in-the-middle attack. Instead of you and a friend talking directly, you send the communication between you via a third person who can see and change the messages. The communication you think you have encrypted to your friend is in fact encrypted to the third person in the middle, who then encrypts your friend's message before it is forwarded. To avoid this scenario, it is a good idea to verify each other's fingerprints. For communication via SMS, you and those you want to communicate securely with, compare fingerprints by clicking "verify" on the toolbar in the message, and read each other's fingerprints so that you are sure that the fingerprint has been received correctly on the other side. When using RedPhone and Signal for phone calls, a password appears on the screen for each new call – if you have the same password, everything should be fine.
In addition to encrypting the calls you have via your mobile phone, there are also opportunities for private surfing on the web via the phone. If you want to make sure that no one knows what you are doing in your mobile browser, you can use Orbot and Orweb for Android or Onion Browser for iPhone. These apps use the Tor anonymity tool to connect to the internet, and allow your traffic to be encrypted between three intermediaries so that no one can connect your identity with your online activity. On Android, you can also set up the settings so that more apps use Tor to connect to the internet. Check The Guardian Project website for instructions.

Are you your worst enemy? One thing is what fake base stations can pick up from information from your phone, but in the chaotic and confusing world of mobile phone apps, it is entirely possible that you are giving away your innermost secrets for free. The cell phone is probably the thing in life that knows the most about you. Not only does it have access to your various user accounts on social media, email services and the like – it also has gps that accompanies all your movements, and it has an overview of all your contacts and communication with them. In short, your mobile is a portable monitoring station, complete with a built-in microphone and camera, which you can also use to make calls. Who do you give control of the information on your mobile to?

The possibilities for encrypting communication between mobile phones are becoming better and more common.

On the list of the most popular apps in Norway, most places in the lead are taken up by large companies that are easy to identify, and which we have probably trusted in terms of private information from before: Facebook, Instagram, Finn and NRK, among others. Inside the top list, we also find apps that are somewhat more difficult to find out who is behind, or who comes from a far less well-known company. Many of the large and established companies have in recent years become much better at restricting what permissions the app asks for when you install it, although many apps still ask for permissions that can be very intrusive in privacy, without the permission being seen. appears to have some clear application. What when unknown companies ask for very intrusive permissions?

Who is behind the app? A few apps in the top list of Google Play can serve as an example. Number 15 on the list of free apps is 360 Mobile Security from the Chinese company Qihoo. The app protects against viruses and can be used to optimize the performance of the phone by cleaning up the file structure. To do this, it requests almost full access to all areas of the mobile phone, including access to sensitive data stored on the phone, and access to call and take pictures. There is basically no reason to doubt that the app does what it says it does, even though Qihoo has been accused of cheating with numbers and reviews, and has therefore been banned from Apple's Appstore on several occasions. The question is rather whether one is comfortable with giving such intrusive permits to a company based in a country where it will be very difficult to enforce Norwegian standards for privacy.
Another example is the Emoji Keyboard Dev, which has many popular Emoji keyboards. Such keyboards basically have the ability to register everything you type on the phone – searches, messages, your own drafts and of course passwords and codes you use to log in to various places. With full network access, the app can also send everything you write back to the developer. Emoji Keyboard Pro, which is among the 100 most popular apps in Norway, refers to an anonymous gmail.com address and a blog post on a Japanese blogspot with a very short and unreliable privacy statement. The description also includes a link to the Facebook page of Kika Keyboard, a Chinese company that has its own keyboards on Google Play. What the connection between the two developers is is uncertain. In any case, it is not possible to see who is behind the Emoji Keyboard Dev without further ado.

Make conscious choices. Both the chaotic app market and the presence of fake base stations mean that we in reality have very little control over the thing in life that knows the most about us. Is it so likely that the apps use their permissions in questionable ways, or that the fake base stations are used to register and intercept the communication of most people? The answer for each case is that we largely do not know, but it would be naive to think that the answer is always no. Many people probably assume the best to avoid thinking about what the consequences could be if the worst strikes – out of sight, out of mind. This is not necessarily a good way to deal with the problem. What chances you want to take must be up to each individual, but it is possible to hope that Aftenposten's revelations lead to greater awareness of mobile security, also for most people.