Surveillance for Hire — and Nobody Asked Permission
Researchers at the Citizen Lab, the University of Toronto-based digital watchdog group, have caught two commercial surveillance vendors doing something they absolutely should not be doing: using their access to the backbone of the world's cellular networks to track the real-world locations of individuals without their knowledge or consent.
The findings, published this week, reveal that the vendors abused their position inside the global telecom ecosystem to run location-tracking operations on multiple victims across several countries.
How It Works
To understand the severity of this, you need to know a bit about how cellular networks talk to each other. When you travel abroad and your phone still works, that's because carriers around the world are connected through a shared signalling infrastructure — protocols with names like SS7 and Diameter — that routes calls, texts, and location data between networks.
Access to this infrastructure is supposed to be restricted to legitimate telecom operators. But over the years, surveillance companies have found ways to gain that access — sometimes by partnering with small or poorly regulated carriers, sometimes through more opaque arrangements — and then use it to silently query where a given phone is located anywhere in the world.
The Citizen Lab found two distinct vendors doing exactly that, targeting victims across multiple countries. The researchers did not publicly name all the targets, but described the surveillance as affecting real individuals — not test cases.
A Long-Known Problem That Keeps Getting Worse
SS7 vulnerabilities have been known to security researchers since at least 2014, when German researchers first publicly demonstrated how the ageing protocol could be exploited to intercept calls and messages. Since then, regulators in the US, UK, Europe, and elsewhere have repeatedly called for carriers to patch the holes — with limited success.
What the Citizen Lab findings underscore is that the problem isn't just rogue hackers exploiting technical flaws. There is now a commercial industry built around selling this kind of access as a product. Vendors market location-tracking tools to governments, law enforcement agencies, and — as researchers have found repeatedly — actors with far more questionable motives.
Who Are the Targets?
The Citizen Lab has a long track record of documenting surveillance that disproportionately affects journalists, lawyers, dissidents, and human rights workers. While the full details of this particular investigation are still emerging, the pattern fits: people who have reason to fear being watched, tracked, and silenced.
For everyday users, the finding is a reminder that your phone's location is not solely in your hands — or even in the hands of your carrier. It passes through a sprawling, loosely governed global infrastructure that, as this research shows, can be tapped by companies operating with minimal accountability.
What Comes Next
The Citizen Lab has shared its findings with affected telecom carriers and relevant authorities. Whether those carriers act — and how quickly — remains to be seen. Calls for international regulatory coordination on SS7 reform have been made for over a decade; meaningful action has been slow.
For now, the research adds to a growing body of evidence that the commercial surveillance industry is outpacing the rules meant to govern it.
Source: TechCrunch, reporting on research published by the Citizen Lab at the University of Toronto.
