Wireless network location data is an under‐used asset for national security.

In a world of increasing threats, the preventive and responsive capabilities of national security bodies regarding manmade disasters are challenged daily. Government agencies increasingly collaborate with private industries in the development of innovative technologies to better protect the populations, while taking into account local privacy regulations.

For decades, Mobile Network infrastructures have clearly been instrumental in lawful investigations. And yet, only a fraction of mobile network potential has been exploited. In the era of big data, telecommunications networks constitute a strategic asset in the fight against current threats. Indeed, an ocean of data from several million individuals flows through these virtual pipes daily. To comply with increasing intelligence requirements, new investigation tools are required, leveraging the inherent benefits of big data technologies.

First, this document highlights the possibilities and limitations offered by 3GPP standards on geolocation. Then it addresses the interest of passive collection, an alternative technology, to complement these standards. Last, it illustrates examples of innovative security use cases that can be unlocked by such technologies.

1. Merits and limits of 3GPP-standards

Since their inception, subscriber geolocation is one of the many functions defined in Mobile Networks Standards, along with providing their core services such as call / SMS. These standards define dedicated signaling and processes in the different network nodes. This approach is called active geolocation as it triggers specific activities on the network to retrieve a given subscriber location.

quote telefonica

As these technologies are standard, they have been widely leveraged by law enforcement forces namely: Upon request by legal authorities, mobile network teams use these techniques to track location of a list of identified suspects.
Such technologies present outstanding features. Most important one being the fact that they are entirely device-agnostic and unspoofable which in turns provides highly reliable information to act on. They also offer several modus operandi, favouring either instant refresh of subscriber’s location or undetectability of the location retrieval. Their basic accuracy is a network cell, which ranges typically from 100 meters in dense urban areas to several kilometers in rural ones. But this accuracy can be improved through radio-triangulation techniques (E-CID, A-GPS, OTDOA…).

These options do imply a price increase given the need of further network equipments along with features to be activated. And the overall end results do not always meet the initial expectations (e.g: you can’t triangulate if the area is covered by only one cell for example).
However, we also need to bear in mind the drawbacks of standard-based active geolocation:

Limited scaling

As each tracking requires additional network activity, the volume of geolocation tracking is limited. First, because operational expenses are directly linked to the number of location queries. Second, because too many tracking requests would quickly overwhelm mobile network capacity.

Disappearing targets

Criminals are well aware of these capabilities and are used to frequently swapping their SIM card and mobile handset in order to evade any surveillance. Another technique is to keep the phone switched off unless necessary. In such cases, active queries will most probably fail to geolocate the subscribers.

Several blind spots

In theory, standards allow geolocation of inbound roamers. But such an option requires operators to establish bilateral interconnections between their geolocation equipments. In real life, this architecture has not been deployed and thus operators cannot geolocate visitors on their networks. Another blind spot: it’s not possible to track subscribers’ location based on their device identifier (IMEI).

No exploratory investigation

The whole system assumes that the targets (and their mobile number) are already identified and under investigation. Active geolocation offers no option to leverage historical data to explore and detect suspicious behaviors.

In summary, active geolocation presents undeniable benefits but also severe limitations. As it only leverages a fraction of all relevant information flowing through mobile networks, exploring complementary approaches is required to improve its efficiency.

2. Passive collection of events offers new paradigm

In order to make your mobile phone ring when someone tries to reach you, the mobile networks needs to know where you are at all times. Therefore, for the sake of this very basic functions, network signaling natively carries location information.

network signaling natively carries location information

Network signaling natively carries location information 

The idea of passive geolocation is to constantly listen and extract this information. It’s denominated “passive” because contrary to active geolocation it does not generate any specific network activity. As a consequence, it is possible to continuously track the location of each and every connected mobile, with absolutely no impact on network load.
There are many events that carry location information: events originated from subscriber’s activity - sending/receiving SMS/calls, surfing the web, receiving e-mails, app synchronization with the network, etc.- but also events originated from subscriber’s mobility management such as switching the device on/off, handover from one location area to another,etc. The high frequency of such events ensures a very fine tracking of all subscribers’ locations at any point in time. It is handset agnostic, unspoofable and undetectable by the targeted individual.

events collection with passive location

Collecting events with passive location 


Passive collection works on traditional mobile networks (2G, 3G or 4G) but can be extended to other types of networks. A typical example is Wi-Fi networks, used by operators to off-load their cellular networks through data or voice over Wi-Fi services. Such extensions provide better coverage (indoor) and spatial accuracy (smaller cells) for geolocation.

passive location addressing the limitations of active


Make the most of the limited active geolocation capabilities.

Why would you trigger a costly active request if you know where he was three minutes ago (through passive collection)? Other example: it may be interesting to get location updates only when a target is close to a specific area of interest, using passive collection in any other areas.

Inbound roamers

Inbound roamers are natively geolocated through passive collection, as they generate activity on the network like any other subscriber. Furthermore such passive collection can be used to unlock active geolocation queries on inbound roamers, without the need to query foreign networks.

Mobile-handset tracking

Passive collection enables tracking of individuals either on their SIM card, on their mobile number or on their terminal identifier (IMEI). This possibility allows to track individuals even without knowing their mobile number, based on their device. Additionally, switching SIM cards is not enough to evade surveillance: suspects can no longer simply disappear.

Less blind spots

In addition to inbound roamers and IMEI tracking, passive collection ensures no mobile activity goes undetected. As soon as a mobile connects to the network, even for a very short amount of time, this event is captured and the location is updated. As an additional benefit, the last known location (of a missing person for example) is always available.

active vs passive location

Active vs passive location 

To summarize, combining both geolocation techniques optimizes network resources, reduces classical blind spots and provides new tracking capabilities.

3. Unlocking new applications with location data

3.1 Historical investigations

Storage of the continuous stream of geolocated events unlocks further possibilities of investigations, using additional analytics software.
Applications are countless:
Suspect identification: suspicious targets can be identified through their physical presence on past key incidents, their frequent proximity to other persons of interest and mutual communications. These analyses can be enriched with different filters (e.g. targets having transited through, or are communicating with, a specific country). They aim at reconstructing social circles gravitating around criminal organizations. This process can be fine-tuned and confirmed through the detection of suspicious patterns such as frequent swapping of SIM and/or handsets.
Forensic judicial reconstitution: historical records can be used to build retrospects of the location events over the course of any given period. Given the update frequency of location events, individuals’ paths can be easily reconstructed and visualized.

3.2 Area monitoring and geofencing

The protection of sensitive areas (international borders, official buildings, military facilities, hazardous waste repositories…) requires a constant surveillance and passive collection can play a significant role in the detection of trespassers.


Sensitive areas to be protected efficiently 

This feature, known as “geofencing”, triggers instant notification whenever someone enters (or leaves) a predefined perimeter.

Whereas classical geolocation systems limit geofencing capabilities to a list of identified suspects, those using passive collection enables notification on entry, based on filtering tools to differentiate authorised personnel from suspicious intruders. Such instantaneous notifications can feed applications with real-time dataflows for contextual analysis.
In case of specific threat / emergency, public authorities can monitor in real-time who is present in a given area. Thresholds can be set to notify authorities whenever abnormal attendance in an area is detected. 

4. Precision in location when needed

Usually the Location-Based Services rely on the Cell-Id location of the customers, leading to an average of 200-500m precision in urban environment, and from 1 to 10 km in rural areas.
Such accuracy is relevant for many use cases: for geotargeted advertising for example, it would be considered as too intrusive to text a customer exactly in front of the corresponding Point of Sales. But there are cases where more precision is needed and where new technologies can reach sub-cell accuracy.

4.1 In which verticals or contexts is cell accuracy insufficient?

While cell-accuracy can be perfectly relevant to calculate the attendance in a mall or a stadium, it is clearly inadequate when it comes to smaller venues, or when computing the audience around a billboard. Real Estate studies are also highly demanding in terms of location measurements. In transport planning applications, cell-id can only account for quick means of transportation (car, train and plane) where cell-id often changes during the journey. It is insufficiently accurate to study bicycle or pedestrian paths, to distinguish the traffic from two neighboring parallel roads or to avoid false positives in security use cases. Even in location-based advertising, it can be critical to avoid the confusion between the customer entering in a mall and the one who is driving along the highway nearby!

4.2 Limitations in standard technologies

“Triangulating” the position of a mobile requires to access detailed information about the radio access network surrounding a mobile device. This information circulates within the OSS (Operation Support System) and SMLC (Serving Mobile Location Center) actively fetch this information to locate precisely a mobile. This method works fine for individual tracking but because it generates additional signaling in the network, it cannot collect all locations of a given area.
Probes systems are also a mine of technical information. However, because these equipment were primarily designed to monitor the quality of service in the access network they are not well adapted to tracking individual moves: locations are provided with delay, lack regular updates and imply to much investment compared to the expected benefits derived from Location Based Services. 

4.3 A new approach

Intersec has developed an original approach, extracting just the necessary information from the RAN (Radio Access Network). As this passive collection is achieved from a centralized equipment with limited scope, it is way more affordable and resilient to any network upgrade.

subcell accuracy                                                                         subcell accuracy global view

 trace processingSuch information is mixed with all networks available (including Wi-Fi) to limit the number of blind spots for any individual device.

This Passive SubCell technology offers new perspectives to the service providers: more precise studies in rural areas, on-line visualization of crowd densities and audience real-time management for billboard advertisers to name a few. It is currently used by several of our customers and the results are amazingly positive.


The limitations inherent to 3GPP-standard geolocation bridle applications with security purposes. We’ve seen that new technologies, mixing passive collection and Big/Fast data can be valuable complements to current geolocation standards, making up for their shortfalls and enabling new security use cases. Adding Passive SubCell technology is also a way to deal with rural areas where the size of cell prevents any Location-Based insight.

This paper has only mentioned the software analytical performance and data science capabilities required to transform raw data into contextual insights. Indeed, the development of a library of location-specific algorithms is the following step to industrialize forensic analyses and the operation of these use cases. Such algorithms can vary from the identification of origin and destination of suspects, to routes and conveyance means taken, to the counting of recurring visits in specific areas.
The technologies described enable a plethora of other use cases of public interest that cannot be detailed in such a condensed document. In case of a major event, these can enable authorities to locate Wi-Fi emergency calls and analyze population movements in real-time. Thus, improving the dissemination of factual guidelines to emergency services and local communities while adapting resources accordingly. Equipped with the software technologies described, national security and law enforcement agencies can significantly enrich intelligence and optimize responsiveness to better protect and serve the population.