
How your phone betrays your location

I get involved as a kind of home-grown expert because, like it or not, many of these cases involve computers and the internet. I get to explain technical topics in terms that she can understand and then explain to the jury in trials.

The call printout

This time she had a printout of calls made to and from the defendant's mobile phone covering the period during which the alleged crime took place. The report showed the originating phone number, the called number, the duration, and some extra information: a code for a cell tower antenna and its azimuth, for both the caller and the called party.

But what did the azimuth number mean? Mobile phones work by using radio waves to communicate with cell phone towers and from them to the normal 'wired' public switched telephone network.

The cellular network consists of strategically placed sites arranged in a regular pattern so that the carrier can provide blanket coverage over an area or region.

How a mobile phone finds the network

When you switch on a mobile phone, it will search for a signal from the cellular network. I should point out here that I'm in America and our system is subtly different to the one used in the UK. Ours, like yours, uses pre-defined carrier frequency bands for communication. My iPhone is on the AT&T network, and the bands are at 850MHz and 1,900MHz. These frequencies differ across the globe.

Each band is divided into channels. The phone scans the bands trying to find the channel with the strongest signal, the inference being that that signal must come from the nearest cell site. In urban areas, cell sites cover smaller areas - say half a mile in radius. In rural areas a site could cover an area up to five miles in radius.

Identifying the phone to the network

Once the strongest signal has been identified, the phone will negotiate using a standard protocol to log into the cell site. During this process, the phone transmits a couple of numbers to the cellular network for identification purposes.

The first is the International Mobile Equipment Identity, or IMEI. This is a unique number, and it's big - my phone's is 15 digits. If you have a GSM phone, you can type *#06# on the keypad to display it. If your phone is stolen, you can ask for the IMEI to be blocked, rendering the phone useless on the network.

The second is the International Mobile Subscriber Identity, or IMSI. This uniquely identifies you, the subscriber, and is encoded on the SIM card. Again, it's a 15-digit number. The combination of these two fields identifies the mobile's phone number, though at times the IMEI number is used by itself.
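Both identifiers above have a fixed structure that an investigator reading a carrier report can sanity-check. The added Python below is an illustration written for this page, not code from the original article: it validates the 15-digit IMEI's trailing Luhn check digit (the standard check digit scheme for IMEIs) and splits a constructed IMSI into its mobile country code, mobile network code and subscriber part. The sample IMEI is a well-known published test value, the sample IMSI is constructed, and the MNC length argument exists because it is 3 digits in North America but usually 2 elsewhere.

```python
def imei_is_valid(imei: str) -> bool:
    """Check a 15-digit IMEI: all digits, and the last digit is a valid Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit; every second digit (counting from the right,
    # starting with the second) is doubled, and digits of the product are summed.
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def split_imsi(imsi: str, mnc_length: int = 3) -> dict:
    """Split a 15-digit IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN (the rest).

    mnc_length is an assumption the caller must supply: North American networks use
    3-digit MNCs, most other regions use 2.
    """
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be exactly 15 digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return {
        "mcc": imsi[:3],
        "mnc": imsi[3:3 + mnc_length],
        "msin": imsi[3 + mnc_length:],
    }


# Published example IMEI (14 digits 49015420323751 plus Luhn check digit 8).
SAMPLE_IMEI = "490154203237518"
# Constructed IMSI: MCC 310 (United States) and MNC 410 (AT&T) followed by a made-up MSIN.
SAMPLE_IMSI = "310410123456789"

if __name__ == "__main__":
    print("IMEI valid:", imei_is_valid(SAMPLE_IMEI))
    print("IMSI parts:", split_imsi(SAMPLE_IMSI, mnc_length=3))
```

A report that lists an IMEI failing the check digit is more likely a transcription error in the record than a real handset, which is worth knowing before building a timeline on it.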

Registration and handoff

After the protocol negotiation is complete, the phone's location is registered with the cellular network and the features of the network are made available. These are things like the ability to make and receive phone calls, text messaging and internet access.

Since the whole point of mobile phones is that they are mobile, the cellular network has protocols in place to make sure the phone is connected using the strongest signal possible as it's moved around. As you travel, the phone and network are cooperating and handing over your phone from cell site to cell site. As part of this handoff, your phone may switch from one channel to another.

The network always knows where you are

The network and phone are designed so that this switch can happen while a call is taking place. To you, it's as if the phone is connected to the network all the time and is the only device on that network.

That's the theory. In practice things can be rather different. The internet is full of stories of dropped calls and bad reception. Carriers craft their advertising to target a competitor's perceived bad network, but all carriers suffer. The more phones are within range of a cell site, the more calls are possible at any one time, which can swamp the available channels.

The cellular network knows where the phone is at all times when it's switched on - not only when it's being used for a phone call or for data communications. This isn't a GPS-style position to within a few tens of meters, but a location in terms of the area covered by the cell site.

If you think about it, the carrier has to know where the phone is; otherwise you wouldn't be able to receive any calls or get any push notifications.

Going back to my wife's phone call list, that explains the codes for the cell site for the originating phone and the receiving phone, but where does azimuth come in?

As it happens, each antenna actually provides about 130 degrees of coverage. This is to ensure a little overlap so a phone doesn't 'fall off the radar' in between two antennas and get handed over to a more distant site.

The direction each antenna of a cell site points in is known as the azimuth. The report from the phone company therefore let us track where the defendant was every time he made or received a phone call on his mobile phone.

Placing the defendant in Denver

My wife's case needed to place the defendant at a particular place in Denver, but the defense attorney's counter to that was that the defendant was driving along I-25 at the time. If he was too close to another site, the phone would register there.

I told my wife that she needed to subpoena the carrier for a complete list of cell sites in the Denver area. Once we had that, we could more easily determine where the defendant's mobile phone was located. A week or so later, we had the list as an Excel spreadsheet. I was totally surprised: there are hundreds of cell sites in Denver. This was looking like a real problem.

Figure 1 shows the result. The marker in the middle is our friend NCO0706R_II25_Colo. As you can see, cell sites are placed pretty close together in this part of south Denver. The two cell sites north and south are very close, whereas the sites to the east and west are about a mile away. So the defendant was less than half a mile from the cell tower when he was making or receiving calls.

The fun stuff

Now the fun stuff: there were three calls in quick succession. The first was picked up by antenna 2, the second a couple of minutes later by antenna 1, the third a few minutes later by antenna 2. The remainder of the calls used antenna 2. This couldn't be explained by driving up and then down the Interstate - there wasn't time to make a U-turn.

Since there is an overlap, it's absolutely feasible that his phone switched antennas at the nearest cell site for one call. And my wife had other corroborating evidence that he was in a building on that dividing line. Case closed.
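The azimuth reasoning used above (each antenna covers roughly 130 degrees centred on its azimuth, so neighbouring sectors overlap, and a phone on the dividing line can be logged on either antenna) can be turned into a small geometric check. The Python below is an added example for this page, not the author's tooling or anything the carrier supplied: it models one site with three antennas at constructed azimuths of 0, 120 and 240 degrees, a constructed south Denver location and an assumed half-mile (800 m) serving radius, and reports which antennas could have served a given point. It uses a flat-earth approximation, which is adequate at the mile scale the article deals with.

```python
import math

METERS_PER_DEG_LAT = 111_320.0  # approximate; fine for distances of a few miles


def local_offset_m(tower, point):
    """Return (east_m, north_m) of point relative to tower, equirectangular approximation."""
    lat0, lon0 = tower
    lat1, lon1 = point
    north = (lat1 - lat0) * METERS_PER_DEG_LAT
    east = (lon1 - lon0) * METERS_PER_DEG_LAT * math.cos(math.radians(lat0))
    return east, north


def bearing_deg(tower, point):
    """Compass bearing (0 = north, 90 = east) from the tower to the point."""
    east, north = local_offset_m(tower, point)
    return math.degrees(math.atan2(east, north)) % 360


def distance_m(tower, point):
    return math.hypot(*local_offset_m(tower, point))


def angular_gap(a, b):
    """Smallest absolute angle between two compass bearings, in degrees."""
    return abs((a - b + 180) % 360 - 180)


def in_sector(tower, azimuth, beamwidth, radius_m, point):
    """True if the point is within radius_m and within beamwidth/2 of the antenna azimuth."""
    if distance_m(tower, point) > radius_m:
        return False
    return angular_gap(bearing_deg(tower, point), azimuth) <= beamwidth / 2


def serving_antennas(site, point):
    """IDs of every antenna at the site whose sector contains the point (may be more than one)."""
    return [
        a["id"]
        for a in site["antennas"]
        if in_sector(site["location"], a["azimuth"], a["beamwidth"], site["radius_m"], point)
    ]


def point_at(tower, bearing, dist_m):
    """Construct a test point dist_m from the tower on the given bearing (inverse of bearing_deg)."""
    lat0, lon0 = tower
    north = dist_m * math.cos(math.radians(bearing))
    east = dist_m * math.sin(math.radians(bearing))
    return (
        lat0 + north / METERS_PER_DEG_LAT,
        lon0 + east / (METERS_PER_DEG_LAT * math.cos(math.radians(lat0))),
    )


# Constructed site: coordinates, azimuths and radius are illustrative, not the real
# NCO0706R_II25_Colo record. Beamwidth of 130 degrees follows the article.
SITE = {
    "location": (39.60, -104.98),
    "radius_m": 800,
    "antennas": [
        {"id": 1, "azimuth": 0, "beamwidth": 130},
        {"id": 2, "azimuth": 120, "beamwidth": 130},
        {"id": 3, "azimuth": 240, "beamwidth": 130},
    ],
}

if __name__ == "__main__":
    # A point on the 60-degree bearing sits on the overlap between antennas 1 and 2,
    # so consecutive calls from a stationary phone there can appear on either antenna.
    for brg in (10, 60, 90):
        p = point_at(SITE["location"], brg, 500)
        print(f"bearing {brg:3d}: served by antennas {serving_antennas(SITE, p)}")
```

A phone whose calls alternate between two antennas of the same site, with no time to travel, is consistent with a fixed position inside that overlap, which is exactly the inference the case turned on.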

More information: Techradar
References:
  • How Your Phone Betrays Your Location