While most people know cell towers can approximate location, cellular standards include hidden protocols that let carriers silently request precise GPS coordinates from your device - a capability governments have exploited for mass surveillance.
Mobile carriers have access to far more precise location data than most people realize, thanks to built-in cellular protocols that allow them to silently request GPS coordinates from your device. This capability, which has existed for decades across 2G through 5G networks, represents a significant privacy vulnerability that has been exploited by law enforcement and intelligence agencies worldwide.
The Two Ways Carriers Track You
When most people think about carrier location tracking, they imagine the basic cell tower triangulation method. Your phone connects to nearby towers, and by measuring signal strength and timing from multiple towers, carriers can estimate your location within tens to hundreds of meters. This is the method that requires no special cooperation from your device - it's simply a byproduct of how cellular networks function.
However, cellular standards include much more invasive capabilities. Through protocols called RRLP (Radio Resources LCS Protocol) in 2G/3G networks and LPP (LTE Positioning Protocol) in 4G/5G networks, carriers can directly request your device's precise GPS, GLONASS, Galileo, or BeiDou coordinates. These protocols operate at the control plane level - meaning they work silently in the background without any user interaction or notification.
The mechanism is straightforward: the network simply asks "tell me your GPS coordinates if you know them" and compliant devices respond with their precise location data, accurate to within single-digit meters. This is the same level of precision you see in mapping applications, but instead of staying on your device, this data flows directly to your carrier.
Why This Matters
GNSS location data is fundamentally different from cell tower triangulation because it's never meant to leave your device. GPS coordinates are calculated entirely passively - your phone receives signals from satellites and computes its position locally, without transmitting any information. It's analogous to reading a road sign to determine your location: you don't need to tell anyone else you read the sign, and the people who put up the sign don't know who read it or when.
Yet cellular protocols deliberately break this privacy model by creating a mechanism for devices to transmit this sensitive data. The protocols are not secrets - they're documented features of cellular standards - but they've largely remained outside public awareness despite being actively used for surveillance.
Real-World Exploitation
The Drug Enforcement Administration has used these capabilities since at least 2006, obtaining court orders (though not search warrants) to ping suspects' phones and retrieve GPS coordinates. In Israel, the Shin Bet intelligence agency operates a comprehensive tracking system called the GSS Tool that monitors all cellular phones in the country through cellular company data centers. This system combines cell tower triangulation with GPS data to track individuals with high precision.
During the COVID-19 pandemic, Israeli authorities rapidly deployed this surveillance infrastructure for contact tracing. Within weeks of the first confirmed case, the government began sending SMS messages to individuals who had been in close contact with infected persons, ordering them to quarantine. The speed of deployment strongly suggests that carriers were already collecting precise location data beyond what cell towers alone could provide.
Technical and Security Concerns
Several critical questions remain unanswered about these surveillance capabilities. While RRLP and LPP are documented protocols, we don't know if they're the only methods carriers and governments use to collect GPS data. There could be additional protocols, backdoors, or undocumented features that provide even broader access to location information.
The international implications are particularly concerning. While we know that Saudi Arabia has exploited the SS7 signaling system to track individuals in the US, this technique only provides location accuracy at the level of mobile switching center coverage areas - less precise than cell tower data. However, if RRLP and LPP can be exploited remotely across carrier boundaries, it would mean that state actors could potentially obtain precise GPS coordinates for anyone with a phone, anywhere in the world.
Recent Privacy Improvements
Apple has taken a significant step toward addressing this vulnerability with iOS 26.3, which introduces a new privacy feature that limits the precise location data made available to cellular networks via cell towers. This feature is only available on devices with Apple's in-house modem, introduced in 2025, highlighting how hardware control is essential for implementing such protections.
However, this improvement only addresses one vector of location surveillance. The more invasive GNSS data collection through RRLP and LPP remains largely unchecked. For meaningful privacy protection, Apple and other device manufacturers should implement three key safeguards:
- Allow users to completely disable GNSS location responses to mobile carriers
- Provide clear notifications when carriers attempt to access location data
- Implement robust security measures to prevent unauthorized access to these protocols
The cellular industry's track record on security and privacy is abysmal, with numerous documented cases of surveillance abuse and technical vulnerabilities. Until these fundamental issues are addressed, the precise GPS coordinates of billions of people remain vulnerable to collection by carriers, governments, and potentially malicious actors who can exploit these built-in surveillance capabilities.
Comments
Please log in or register to join the discussion