The truth is, it's hard to say whether your phone is being tracked, but probably yes.
In the early days of March 2020, Canada's Prime Minister admitted that he was not opposed to the idea of using smartphone data to track Canadians to ensure they were complying with public health orders in an effort to curb the beginnings of the COVID-19 pandemic. While that never actually happened, it did raise ethical concerns in what could have created a dilemma regarding public safety over privacy rights.
While many nations in the Western world have clearly-established protections for personal communications and data, device-identifying information such as the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) are often unprotected by the law. Most countries require law enforcement authorities to acquire judicial approval before intercepting private communications or data, but few have laws against the tracking and collecting of mobile device identifiers, despite their ability to identify individuals and reveal their locations with a high degree of accuracy. In fact, the use of technologies like IMSI catchers seems to fall through legal loopholes in many countries, as this information is often not considered to be private, protected communications or data. Many governments do not disclose the existence or use of IMSI catchers to track and identify mobile devices to the public, so it is difficult to determine with certainty whether or not a given country utilizes these technologies.
We researched a few major countries about how they are perceived to treat device-tracking efforts. The information presented is not a statement of fact, but an informal collection of our findings, along with a reminder that the use of secure communications tools is becoming an urgent necessity.
Canadian law enforcement agencies are required to obtain a wiretap warrant to intercept private communications, unless one or more of the participants of a conversation have consented to this lawful interception. Despite these protections, the collection of device-identifying information like IMEI and IMSI numbers do not require a warrant, as these are not considered to be private information. This position is contested by privacy advocates as the IMEI and IMSI can be used to identify a smartphone customer and can track the location of that individual. Another issue with the collection of identifiers such as IMEI and IMSI is that the methods used to collect these often involve "StingRay" devices which mimic cell towers and trick all nearby devices into connecting to them. This process lacks the precision needed to target individual devices, and instead records the identifiers of all nearby devices. As a result, individuals who are of no interest to law enforcement agents are also having their privacy breached by these methods. Law enforcement agencies within Canada have been hesitant to disclose details of their electronic surveillance capabilities, with many refusing to provide any information whatsoever to inquiring journalists.(1) There has also been very little information made public about what happens to collected IMEI and IMSI data, which authorities keep as part of the "evidentiary record" of ongoing investigations.(2) As a result, it is unclear how long collected IMEIs are kept. There does not appear to be any specific legislation or regulation that limits the period of time that these identifiers can be kept, which - given the lack of clear guidelines around the collection of this information - is not entirely surprising.
The true extent of electronic tracking in the United States is difficult to ascertain since efforts have been made to conceal details of these investigative practices from the public. According to documents obtained by the American Civil Liberties Union (ACLU) via a Freedom of Information Act (FOIA) request in 2013, many American local and state police departments entered into non-disclosure agreements with the FBI to gain access to IMSI-catching technology.(3) It has nonetheless been confirmed that law enforcement agencies in 27 states have access to the technology, with some agencies like the Baltimore Police Department using the devices in thousands of cases over a decade. High rates of use like this are not surprising since the U.S. Federal government has taken the position that IMSI catchers do not require a probable-cause warrant to be used. As a result, there is no definite record of the extent to which these technologies are deployed by domestic law enforcement agencies in the U.S., and there is also no indication that the data collected by these tools is deleted after a period of time. It may be likely that all of the information collected using IMSI catchers is kept indefinitely, perhaps on the justification that these databases may one day become useful in future investigations. As a result of the secrecy that surrounds the use of electronic surveillance in the U.S., it is unclear to what extent mobile device identifiers are used to track individuals.
Various police forces across the UK have been suspected of using IMSI catchers such as StingRay since at least 2011.(4) Documents obtained by the Bristol Cable, a citizen's media cooperative, indicated that several police forces across the country had purchased Covert Communications Data Capture (CCDC) devices.(5) Despite persistent calls from privacy watchdogs, civil rights groups, and activists, entities like the Metropolitan Police Service (MPS) have refused to confirm or deny their use of electronic surveillance devices. In July 2018, the UK's Information Commissioner's Office ruled that the MPS was justified in its position of neither confirming or denying the use of CCDC technology based on the MPS' claim that revealing the use of these methods would hinder investigations and endanger the public.(6) This ruling has been appealed. As a result of the continuing disputes over the transparency of British law enforcement methods, there is little or no reliable information available regarding how electronic surveillance is used or how the data is handled. Given the knowledge that police forces in the UK have access to CCDC technology, it could be safely assumed that these devices are used and that identifying information like IMEI and IMSI data is being obtained from citizens' mobile devices.
France passed legislation called the Intelligence Act in July 2015, creating a new chapter in the nation's Code of Internal Security. This new chapter focuses on regulating the surveillance programs of French intelligence agencies, with particular attention paid to the activities of the General Directorate for Internal Security (DGSI) and the Directorate-General for External Security (DGSE). This bill was a reaction to the Charlie Hedbo terrorist attack that took place in Paris in January 2015. The bill gives intelligence and law enforcement agencies the ability to intercept communications in a variety of formats without seeking permission from a judge, so long as one of the objectives being pursued includes protecting national security, thwarting terrorism, maintaining the public peace, defending against foreign influence, and protecting the nation's major foreign policy, economic, industrial, and scientific interests.(7) The law also allows the government to extend the use of extra-judicial surveillance to agencies other than the DGSI and DGSE, which means that local law enforcement agencies may have access to similar surveillance technologies.
The Intelligence Act allows authorities to utilize wiretaps on phone and internet connections, geotagging, and computer network exploitation, and additionally grants access to identifying data and metadata. Some of this data is collected through the use of what the French government calls "black boxes", devices attached to the infrastructure of telecom operators and hosting providers.(8) The use of these investigative techniques is governed by a body called the National Oversight Commission for Intelligence-Gathering Techniques, a nine-member council which gives approval for surveillance activities. The deliberations of this body do not appear to be a matter of public record, further obfuscating the extent of electronic surveillance in France. There are some restrictions on the storage of communications data and metadata, however they do not specify whether IMEI and IMSI numbers are included, which might mean that they be retained indefinitely.
German state and federal law enforcement agencies have access to various intelligence-gathering techniques, including "silent SMS" attacks, IMSI catchers, and cell-site analysis. These agencies are often aided by telecommunications providers in their investigative efforts. While details of the use of IMSI catchers remain elusive, it has been reported that the Federal Office for the Protection of the Constitution sent over 180,000 silent SMS messages in the second half of 2017.(9) This figure indicates the extensive use of at least one of these mobile phone tracking methods, and leads to the conclusion that other methods of mobile device tracking are likely used just as extensively.
Danish law enforcement agencies have been accused of using IMSI catchers since 2015, but have continually refused to disclose whether they are using them. The Danish Constitution provides protections for citizens against law enforcement agencies monitoring their communications, which requires a court order. The nation's intelligence services - which are generally concerned with national security and military-related matters - can also intercept personal communications, although this also requires a court order.(10) Like several other European nations, the protections afforded to individual communications do not seem to protect against the tracking of digital device identifiers, which presumably can be tracked without judicial approval.
Norway is yet another nation in which digital device identifiers like IMEI and IMSI seem to fall through a loophole, exempting them from the protections that are afforded to personal communications. While the interception of phone calls, emails, and other digital communications require the nation's law enforcement or intelligence agencies to acquire a court order, there is no indication that tracking digital identifiers requires such judicial approval.(11) Norway's law enforcement agencies and government officials have all denied using IMSI catchers. In 2015, investigative journalists from the newspaper Aftenposten revealed the results of a months-long investigation that was conducted alongside two security firms proving the existence of several IMSI catchers in Oslo, the nation's capital, in the vicinity of important government and business buildings.(12) The investigation conducted by Aftenposten found that these devices were actively collecting information from all of the mobile phones within range, but researchers were unable to determine any more about their use. The government and police agencies denied ownership of the devices, so the owner who was using them to collect data officially remains a mystery. Under the Wassenaar Arrangement - which counts Norway among its members - it is illegal for companies to sell surveillance equipment to private individuals or oppressive regimes. It seems unlikely that these devices were being used by private citizens or companies, but the exact purpose of these devices also remains a mystery.
The Hong Kong Police Force (HKPF) - which is independent of the People's Republic of China (PRC) - is responsible for investigating crimes and enforcing the rule of law in the Special Administrative Region of Hong Kong. The HKPF is assisted in these activities by the Criminal Intelligence Bureau and the Joint Financial Intelligence Unit (JFIU), as well as the Customs and Excise Department.(13) The HKPF, Customs and Excise Department, and the Independent Commission Against Corruption (ICAC) can apply to a panel judge of the Court of First Instance for authorization to intercept private communications. There is no clear legal protection against the use of mobile device trackers in Hong Kong. There are companies based in Hong Kong and China which sell IMSI catchers for $15-20,000 USD which appear to sell these devices to non-government agencies. Unlike most nations in the Western world, the PRC is not a member of the Wassenaar Arrangement, which limits and controls the sale of technologies that have military or intelligence applications to private citizens and oppressive government regimes.(14) As a result, surveillance devices like IMSI catchers are more widely available in this part of the world, making it more likely that both government agencies and private companies or citizens are deploying these devices.
Evidence of the use of mobile device tracking technology appears around the world, and it is prudent to assume that most developed nations have access to IMSI catchers or similar technology and are actively using them in both law enforcement and national intelligence operations. It is also likely that device IMEIs and IMSIs are being collected and tracked to some extent, which is a misuse of privilege and another threat to our security and our privacy.