Skip to content
Naked Security Naked Security

Smile! You’re on a stolen phone’s candid camera!

But was it ethical for filmmaker to set up a device as a honeypot for a thief?

What kind of jerk steals somebody’s phone? Dutch film student and former iPhone owner Anthony van der Meer decided to find out.

His investigation – and the 21-minute documentary that resulted – were initially triggered by the dreaded feeling so much of us have experienced: that of reaching into his pocket only to find it empty.

Van der Meer never did find his old phone. Apple’s Find My Phone feature proved unhelpful: all a thief has to do is remove the Sim card and reset the phone so it’s untraceable, he said.

He used Find My Phone to trace the phone for a few blocks, then it vanished off the GPS radar. That’s the last he saw of that phone.

The filmmaker also found that the internet is full of services and tutorials on how to unlock iPhones, so he knew that whoever got their hands on the phone had access to his personal photos, text messages, contacts and more. So in the end, it was goodbye, iPhone.

Hello, decoy phone, and hello, plans to cast an unwitting phone thief (or phone finder…?) in a film.

Van der Meer loaded a new phone with an anti-theft application called Cerberus. He worked with the app maker to rename Cerberus, to make it all the more undetectable. The app was tucked away in the device’s system side, where resets and Sim card swap-outs wouldn’t wipe it away.

Like other mobile anti-theft or spyware tools, Cerberus allows device owners to access any file on their phones remotely, as well as to unobtrusively trigger their phone’s camera and microphone.

Van der Meer says the toughest part of the stunt was to actually entice a thief into taking the bait. He hung out in a lobby, the phone hanging out of a backpack nearby, but nobody grabbed it. In fact, multiple people pointed out to him that he was on the verge of losing his phone.

Finally, on the subway, when his film crew’s cameras were off, not rolling as they’d been in the lobby, somebody took his phone.

Van der Meer wound up tracking, photographing, and eavesdropping on the man who’d taken the phone. Or *a* man, at any rate.

He captured audio recordings, intercepted the man’s calls to a sex hotline, and even eavesdropped on a long conversation between his surveillance target and a woman whom he overheard the man referring to as a junkie in a conversation with another person.

Are you starting to feel uncomfortable with any of this on an ethical level? I sure did when I was viewing the film, and that discomfort takes a sharp turn toward alarm at the point in the film when van der Meer physically goes to check up on his surveillance subject after the phone goes silent for a few days.

His film features a still of the man, shirtless, coming out of a house, captured before van der Meer scurries away, shocked at his subject’s aggressive demeanor. Van der Meer had, after weeks of tracking the man, begun to think he understood him. The man slept in a homeless shelter sometimes. Sometimes on friends’ couches. It all seemed so sad.

The filmmaker wound up sending data credit to the guy after feeling guilty for using up his credit, since the video recording he was surreptitiously collecting was so data-intensive.

Van der Meer himself says in the documentary that this is a gray area, ethically. After all, it’s our right to install spyware on our own devices. They’re our devices, after all, and it’s crooks’ problem if they get recorded when they’re caught red-handed, right?

As it is, we’ve seen plenty of people become the unwitting subjects of selfies snapped by lost or stolen phones. There was the case of the Australian woman who wound up reunited with her stolen iPhone, thanks to an accidental Facebook selfie taken on a beach and posted to her Facebook wall.

Was the guy caught red-handed? Well, no. Actually, after her post about it went viral, the man in the photo reached out to her, via Facebook, to apologize and tell her that he’d bought her phone from a third party, not realizing it had been nicked.

Then too there was the woman captured in a selfie looking down at a phone in a car as she tried to unlock it. How do we know if she took the phone or found it? Borrowed it from the real thief? Well, we don’t.

That’s the thing: people are presumed innocent until proved guilty. And no matter how suspicious somebody may look in a surveillance-generated selfie, they’re simply that: presumed innocent until proved otherwise.

But while we don’t know for sure if people captured in selfies by stolen or lost phones are in fact guilty of larceny, we do know that surreptitious surveillance is most certainly illegal, to greater or lesser degree, and depending on what country you’re talking about.

In the US, there are some circumstances in which it’s more or less legal to install spyware on devices – on those used by employees or your children, specifically.

But woe to those app makers who advertise their software as being suitable for catching adulterers, as in, those that don’t emphasize that it’s illegal to surreptitiously install spyware on a device without informing the surveillance subject.

For example, in August, a US court said that a man could sue a spyware company whose software was used unlawfully by a jealous spouse to intercept his messages.

Either van der Meer’s surveillance subject disappeared after the shirtless, physical encounter, or he blipped out of view from a technological standpoint, or both: Van der Meer doesn’t specify in the film.

Was the man a thief? Who knows.

Was van der Meer in the right to surreptitiously record him and track him?

I don’t know. I’m not working for the NSA.

What do you think? Please let us know in the comments section.

Note: the headline was updated on December 23 to correct the phone used


Interesting question. Is this entrapment? Or does that term only apply to law enforcement?

If I leave my front door open for the express reason that I want you to come in when I’m not home, what is that? Or if I leave my keys in my car on purpose to see if you’ll steal it?


I don’t think it is entrapment. He was not forced or told to steal the phone so I don’t think this would fit into entrapment. Since the phone did not belong to him he was in the possession of stolen property. Don’t do the crime if you can’t do the time!


Absolutely right to install spyware. …I’m sure that guy knew he was buying a nicked phone he won’t have paid the going rate…therefore he knew he was handling stolen goods and is as guilty as the person who took it


Whether it’s easy to do the wrong thing (steal an iPhone), or more of a challenge to do the wrong thing (steal an iPhone), you’ve still made the choice to do the wrong thing. I don’t see entrapment happening in this story.


“But woe to those app makers who advertise their software as being suitable for catching adulterers, as in, those that don’t emphasize that it’s illegal to surreptitiously install spyware on a device without informing the surveillance subject.”

Is it illegal to install spyware on your won device then? This sounds as stupid as if my car by a natural fault have no brakes on it. So I should place a sign on it’s front window: “Don’t steal this car, it has no brakes”?


I think they meant if you suspect your partner of having an affair, you can’t just put it on their phone without telling them.


I think every phone owner has the right to know who’s using their phone. Unsuccessful attempts at unlocking a phone should result in a photo of the suspect being emailed to the phones owner. Perhaps an upgrade for the Sophos app for iPhone and android.


I was once asked for this very feature – quite persuasively – by the barista in my favourite coffee shop, no less (no #hipster jokes, please) because he tried our product and found it didn’t have this capability, so switched back to his previous Android product. I just said I wasn’t sure that “secret selfies” were such a good idea.

About three weeks later he suddenly announced that he now sided with me after he’d received two emails containing pictures of his one-year-old daughter after she’d fiddled briefly with his phone, and figured that he’d rather lose his phone (strongly encrypted of course) and have to buy a new one than be sitting wondering how many unexpected pics had been uploaded “just in case”.

Coffee shops are good places for computer security discussions :-)


In reciept of stolen property is commission of a crime and while you are committing a crime are you really protected from being surveilled!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!