In our newsletter of two weeks ago, we wrote about @PigSpotter, a South African Twitter celebrity who tweets and retweets road blocks and speed traps in South Africa from the safety of his Blackberry. Since the writeup, it’s been reported that the South African Police Service has laid charges against him, and that he’s hired a lawyer to help defend him.
This brought up the question here at RAAK HQ: How anonymous can someone like @PigSpotter be, exactly? What does an organization like the SAPS have to do to discover some random Twitter user’s true identity?
Tweeting from the Desktop
First of all, let's look at the network traffic associated with the Twitter API. This is a small portion of the traffic that flows between a Twitter client (Hootsuite, in this case) and Twitter when I tweet the message Testing API traffic:
The interesting thing to note was that, contrary to my expectations, my username was not directly associated with the tweet in the outgoing request. It is, however, a trivial task to match a specific public tweet to its Twitter user: search for the message text on the public timeline and the status that comes back names its author.
If a larger portion of the above message is shown, you can see the fields meant to carry location information:
Since Hootsuite does not support location information (location doesn't make much sense for a desktop client), these fields are empty. On a mobile client with location enabled, the coordinates will be included, of course, and they are then part of the public tweet, open for the world to see regardless of how well the link to Twitter was encrypted.
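As an added illustration (not code from the original post), the script below shows what a single status object gives away and how the "search the public timeline" step recovers the author. The sample payloads are constructed, and their field layout is assumed to be that of the classic Twitter REST API v1 status object: "geo" carrying [lat, lon], "coordinates" carrying GeoJSON [lon, lat], and "place" naming an area. A desktop-client status has all three empty; a mobile status with location enabled fills them in.

```python
import json


# Constructed sample payloads (not captures from the original post). The field
# layout assumed here is that of the classic Twitter REST API v1 status object.
DESKTOP_STATUS = json.dumps({
    "id": 1001,
    "text": "Testing API traffic",
    "source": "HootSuite",
    "geo": None,
    "coordinates": None,
    "place": None,
    "user": {"id": 42, "screen_name": "example_user", "location": ""},
})

MOBILE_STATUS = json.dumps({
    "id": 1002,
    "text": "Roadblock reported on the N1",
    "source": "Twitter for BlackBerry",
    # "geo" is [lat, lon]; "coordinates" is GeoJSON [lon, lat] (assumed layout).
    "geo": {"type": "Point", "coordinates": [-26.2041, 28.0473]},
    "coordinates": {"type": "Point", "coordinates": [28.0473, -26.2041]},
    "place": {"full_name": "Johannesburg, Gauteng", "country": "South Africa"},
    "user": {"id": 43, "screen_name": "example_user", "location": "Gauteng"},
})

# Constructed public timeline containing both sample statuses.
PUBLIC_TIMELINE = json.dumps([json.loads(DESKTOP_STATUS), json.loads(MOBILE_STATUS)])


def extract_location(status):
    """Return (lat, lon) if the status carries a point, else None.

    Prefers the GeoJSON "coordinates" field ([lon, lat]) and falls back to the
    older "geo" field ([lat, lon]) so both encodings are read correctly.
    """
    coords = status.get("coordinates")
    if coords and coords.get("type") == "Point":
        lon, lat = coords["coordinates"]
        return (lat, lon)
    geo = status.get("geo")
    if geo and geo.get("type") == "Point":
        lat, lon = geo["coordinates"]
        return (lat, lon)
    return None


def identifying_fields(status_json):
    """Summarise what one status object reveals about its author and location."""
    status = json.loads(status_json)
    user = status.get("user") or {}
    place = status.get("place") or {}
    return {
        "screen_name": user.get("screen_name"),
        "user_id": user.get("id"),
        "client": status.get("source"),
        "point": extract_location(status),
        "place": place.get("full_name"),
        "profile_location": user.get("location") or None,
    }


def find_author(public_timeline_json, captured_text):
    """Match captured tweet text against a public timeline; return the screen name.

    Even when the outgoing request carries no username, the text alone is
    usually unique enough to find the public status, which names its author.
    """
    for status in json.loads(public_timeline_json):
        if status.get("text") == captured_text:
            return status["user"]["screen_name"]
    return None


if __name__ == "__main__":
    for label, payload in (("desktop", DESKTOP_STATUS), ("mobile", MOBILE_STATUS)):
        print(label, identifying_fields(payload))
    print("author of captured text:", find_author(PUBLIC_TIMELINE, "Testing API traffic"))
```

Run it and the desktop status reports no point and no place, while the mobile status hands over a coordinate pair, a named place and the client name; in both cases the captured text alone is enough to recover the screen name from the public timeline.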
Tweeting from a Mobile Device
Network traffic from a mobile device is intrinsically more exposed, because it travels over the air. As a result, more security is built into mobile communications protocols. GSM has long been poked full of holes and provides practically no security anymore. 3G builds on it with stronger encryption algorithms and proper authentication (the network authenticates itself to the handset, not just the other way round).
A successful, practical attack against KASUMI, the block cipher that 3G's encryption is built on, has been demonstrated, but it is a related-key attack and does not apply to the way 3G actually uses the cipher.
There are, however, two other factors to consider.
All of South Africa's mobile bandwidth has been allocated inside a very wide band of frequencies originally assigned to the military. Many people believe this was done to stay compatible with existing military radio equipment used to analyse 3G traffic in real time. Conspiracy theory or not, it is a possibility to consider when you're breaking the law.
The main hurdle in the public lawbreaker's path, though, is the data retention that mobile providers are required to enforce (in South Africa, under RICA). From a government point of view this practically nullifies any security provided by the network: by law, a government can at any point ask mobile providers for records of a subscriber's 3G traffic over a specified period. This involves no traffic analysis or deciphering whatsoever.
Tweeting from a Blackberry
BlackBerry supports an encrypted connection from the handset to a relay device that forwards traffic on the phone's behalf. This device, effectively a VPN endpoint, is typically located on the BlackBerry user's company intranet. For public traffic, this means the traffic is encrypted over a VPN tunnel to the Twitter user's office.
From there, however, the traffic travels in the clear all the way to Twitter's servers, exactly the same scenario as for desktop clients. Any investigation is led directly to the VPN device's location, without any mobile traffic analysis being needed. In this case, they will come knocking at the door of the user's employer.
Whichever way you look at it, breaking the law on a public network like Twitter is not a good idea. Not if you want to stay out of jail.
Posted by Adriaan Pelzer