Skip to content
Naked Security Naked Security

Error-laden phone location data suspended from use in Danish courts

10,700 cases will be reviewed over 2 months, and 32 detainees have already been released after finding bugs in software and raw telecom data.

Denmark has found multiple glitches in cellphone tracking data that’s thrown some 10,700 verdicts into question and led to the release of 32 detainees.

On Monday, Justice Minister Nick Haekkerup ordered a two-month halt to prosecutors’ use of cellphone location data in criminal cases, during which a steering group will investigate the extent of the legal problems the errors may have caused and will monitor the reviews of cases that may have been affected.

Better safe than sorry, he reportedly told local news agency Ritzau:

We shouldn’t take the risk that innocent people could be convicted.

Haekkerup said in a statement that the discoveries have shaken trust in the justice system. Hence, the Attorney General has “now decided to apply the handbrake.”

Location mis-data

The errors have been surfacing over the course of months. AFP reports that the first bug cropped up in software that converts raw data from mobile towers to make it usable for police.

During that conversion, important data was being dropped. For example, if a phone made five calls within an hour, the software would sometimes register only the first four. That led to the creation of a less detailed image of a phone’s whereabouts. According to the New York Times, Danish national police, who had discovered the bug, fixed it in March 2019.

Jan Reckendorff, the director of public prosecutions, told Denmark’s state broadcaster that a separate error was found in how some cellphone tracking data associated phones with the wrong towers, potentially linking innocent people to crime scenes.

Reckendorff:

It’s a very, very serious case. We cannot live with incorrect information sending people to prison.

Other glitches that have surfaced include how phones can be connected to several mobile phone towers at once, incorrect registering of the origin of text messages, and incorrect information on the location of specific towers.

Besides errors in police software, Danish national police went on to find what they said are several errors in the raw data that police are getting from the telecommunications companies. The scope and significance of those errors weren’t clear as of 18 August 2019, Haekkerup said at the time.

The telecom industry doesn’t understand how it can be at fault, though. We’re in the business of getting people to talk to each other, not of providing police surveillance, it responded, while acknowledging that law enforcement values this data.

As it is, the use of cellphone tower data in court cases has gone beyond its original purpose. Here’s what Jakob Willer, director of the Telecommunications Industry Association in Denmark, told AFP:

We should remember that the data is created to deliver telecom services, not to control citizens or for surveillance.

He said that “the mistakes appear when you interpret the data.”

Karoline Normann, who heads the Danish Bar and Law Society’s criminal law committee, told the Times that going forward, lawyers are going to have to interrogate the accuracy of cellphone data in ways they haven’t previously, given that…

…evidence that may appear objective and technical doesn’t necessarily equal high evidence value.

Unraveling the mess

In a 2 July letter to Parliament, the Justice Ministry said that the review of criminal cases that have involved mobile phone location data – they date back to 2012 – would prioritize currently pending cases.

After that, the next priority will be to review cases where people have been sentenced to prison time, probation or other penalties. Next come suspended investigations or acquittals. Finally, the steering group will review cases being actively investigated. If people are in prison based on no evidence besides phone location data, they may have to be released, the Justice Ministry said in the letter.

The letter also said that a report on each review will be forwarded to the court and to the case’s defense lawyer, and that cases will be retried if necessary.

It’s not just Denmark

These kind of location data errors have also been spotted in the US and in South Africa.

It happened to Wayne Dobson, of Las Vegas: a repeat victim of what Naked Security’s Paul Ducklin calls “precise imprecision”: because of a flaw in a mobile phone company’s database, as of 2013, it was sending people who’d lost their phones to his house, even though all it really knew was that their phone was located somewhere in that part of the world.

Here’s Paul:

It doesn’t draw a little circle on the map to say, “That phone’s probably in a 2km radius of here,” or a jagged polygon to say “It’s somewhere inside this grid of lines joining the following five transmission towers spread over an 8km2 area.”

It as good as says, “Head to Casa Dobson. You’ll find the phone in the kitchen, next to the kettle, under this morning’s newspaper.”

Nor is geolocation imprecision limited to cellphone towers.

In 2016, a Kansas couple sued over an IP mapping glitch that repeatedly sent Feds to their house, associating their address with the geographic center of the US and turning what should have been a quiet rural farmhouse into the default answer to “Where the hell is this nefarious IP address located,” as opposed to what that answer should have been: “We don’t have a clue.”

6 Comments

When mine worked it gave my location as a city 180 miles away!

Reply

Google sometimes accuses me of being in another country… right now, for example, I am across the border in a city in Scotland, 500km north of where I really am. From time to time I pop up in the Welsh Borders, and occasionally I am on the South Coast of England. Once or twice I’ve been a Londoner – in Kensington, no less. What really makes me laugh is when companies who are probably paying plenty of money to pretend that they’re local and to care about me personally say things like “Why your property in Bumflannel-on-Sea is could be worth twice what you think.” Ironically I live almost as far from the ocean as it is possible to get in the United Kingdom…

(It’s a long and thinnish country with lots of inlets and estuaries so you can’t actually get that far from the sea – 110km is about the maximum.)

Reply

52 miles is I believe as far as you can get from the sea. Not sure if that’s just England, or England and Scotland combined.

Reply

Everyone seems to have their own answer – it’s near Coventry; it’s in Leicestershire; and so on. But it seems that the Ordnance Survey gives the title to a place in Derbyshire that it says is 113km (70 miles) from “coastal waters”.

If you count any part of any river that is tidal then you will get a different answer, but I would not consider Teddington in London, for example – where the Thames meets its first weir and lock and thus becomes non-tidal – to be “on the sea”.

Reply

Could it be the location of fiber routers being reported as your location?

Reply

No idea. I have been to Scotland many times, will be doing a talk in Edinburgh soon, great place, nearly as cool as Newcastle upon Tyne but the beaches aren’t as good, although they are closer to the CBD…

…but was not there last night. My closest fibre router (if I have traced the cabling correctly) is at the bottom of the utility riser shaft in the building in which I live. It’s VDSL to ‘the cabinet’, as they call it, and fibre from there. The ‘cabinets’ are often in the street nearby, and are not the sort of cabinet you would put the family silver in, more like a shed from the land of Lilliput, or in the basement of a shared building.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!