T-Mobile’s timing advance file is used to estimate the location of the phone. It is used in legal cases and includes an estimated latitude/longitude location for the phone, date and time, phone information, tower information and the phone’s estimated distance to the cell.

The position of the phone is typically an estimated one based on the time it takes for a signal to reach the phone. In its simplest form we can calculate the distance the mobile is from the tower if we know how long it takes for a message to get from the tower to the mobile because we know radio waves travel at approximately the speed of light. We can multiply the speed of light times the time it takes to determine the distance.

I say this is simplistic because there are many factors that add many inaccuracies in this approach.

T-Mobile will include a latitude/longitude estimate of the phone, but they will also include a confidence factor of low, medium or high. High confidence represents <100m, medium confidence represents 100m - 300m, and low confidence represents >300m. These would be taken as drawing a circle around the estimated location with a radius of the confidence value. If we take their worst-case numbers then we would draw a 100-meter radius circle around the high, 300-meter radius circle around the medium and exclude the low confidence values. If we are to believe these estimates and confidence values, then we would plot them onto a map, and the phone would be estimated to be within these circles.

A map of these points might look something like this.

I recently received a T-Mobile timing advance file that had something new in it. It included "MDT GPS" in the confidence column. Here is a cut out of the data file showing this.

According to T-Mobile's records interpretation document the latitude/longitude location for the phone comes directly from the GPS receiver in the phone. See the following cutout from this document.

The description is clear, stating that the phone location is coming from the GPS receiver in the phone. Since these are historical records, T-Mobile is collecting and storing GPS location information on phones in their network. This is different than calculating the position of the phone based on timing after the fact and upon request from a search warrant.

I won’t delve too much into the legality of privacy and the 4^th Amendment, but it seems to be legal for them to do this if they do not share this information without a court order.

I dug into the technical side of things further as I was interested in how this information is sent from the mobile to the network and what other data it is sending. There is a description in the cellular 3GPP standards that discusses and describes MDT.

MDT is an acronym for Minimization of Drive Tests and is part of the 3GPP wireless communication standards. If you want to read the overall description in the specification, please click here.

It is quite a bit to read through so I will give you the highlights. MDT contains measurement information along with optional location information from the phone that is sent to the network and used by radio engineering to improve system performance. It is designed to minimize the need to send engineers into the field to perform drive tests and collect performance data as this can be costly and time consuming.

The MDT overview document does not contain the acronym GPS or it's full meaning "Global Positioning System". It does not specify that the location information included in the MDT message comes from the GPS receiver. The phone may not have GPS enabled or it may not have access to the GPS satellites. In these cases, it resorts to Wi-Fi, cellular towers or internal sensors to determine its location all of which are less accurate than GPS.

This is where it gets interesting. The MDT message sent from the mobile does not include the source of the phone’s location, meaning the MDT message does not define if the location is based on GPS, Wi-Fi, cellular towers, internal sensors, etc. Yet T-Mobile states that when the confidence field contains “MDT GPS” the latitude longitude comes from the GPS receiver in the phone.

How does T-Mobile know that the location is from GPS if the location source is not sent to the network from the phone? The only possible answer is that T-Mobile looks at the location information itself and performs some analysis on the location measurement to determine if it was a GPS created location. For example, they may look at the precision of the latitude/longitude values such that more precise (more decimal digits) numbers is associated with a GPS fix. They may also look at multiple measurements and ones where locations are smooth from one to the other are more associated with a GPS fix. They may also look at bearing, deltas, curvatures, etc.

T-Mobile does not provide their algorithms for how they determine the fix is from the phone’s GPS receiver. The MDT specification does not include a location source indicator. Therefore, we are left with where we were before with the location estimates based on timing. They both use proprietary algorithms to determine the location and thus they do not pass the Frye/Daubert rules. We cannot test whether the locations came from the phone’s GPS receiver and the location source is not in the MDT messaging. The MDT GPS values are just as meaningless in legal cases as the timing estimated values.