Spoofing, Proof of Location, and Trusted Data

Even if we assume that dual-frequency phones augmented with PPP or RTK will solve the location accuracy problem in the near future, the integrity and provenance of community mapping data, both geospatial and attribute, will remain a serious concern. Indeed, as the latest GNSS User Technology Report points out, “high accuracy is not the endgame, but rather ‘trusted and resilient’ high accuracy remains the ultimate goal.”1

Many of the new, safety-critical uses for high-accuracy GNSS, most notably aviation and autonomous vehicles, have drawn attention to the possibility of spoofing attacks, in which false signals are generated to disrupt or mislead receivers. Once thought to be prohibitively complex and expensive for any but the most sophisticated actors to execute, successful spoofing attacks were demonstrated in 2012 against targets including drones and ships using hardware that cost only $2,000.2 In 2018, we saw that fake signals can be broadcast using a software-defined radio and a $5 USB to VGA display adapter.3

The use of multiple frequencies and constellations makes spoofing inherently more difficult because more false signals have to be generated at different frequencies. But additional steps must be taken to harden receivers against spoofing. Galileo is working to incorporate a cryptographic message authentication system into its signals, and GPS is considering doing the same.4 Galileo’s version is expected to be fully operational by 2020.5 There are a number of other hardware and software tools for combating spoofing. Some types of antennas can detect the direction from which a signal originates, allowing spoofed signals (which tend to originate from one location) to be identified and discarded. Other techniques involve measuring qualities of the signals, including signal power and the Doppler shift caused by the motion of the satellite.6 These require access to the raw satellite tracking data.7

But spoofing is not a major concern with community mapping. It remains quite difficult to do, especially when directed against multiple receivers, and would be easy to detect when coordinates were overlaid with the base map. Perhaps most importantly, there would be very little incentive for a bad actor to do it in the first place.

There is a much greater risk of mappers submitting falsified data. This is especially true if crowdsourced data collection is done remotely and is driven by economic incentives. There are already several examples of location-based services being manipulated by users faking their GNSS coordinates in order to cheat at games like Pokémon Go or earn cryptocurrency for participating in crowdsourced mapping projects.8 In the future there will be many more services that require verified location data, including autonomous transportation, supply chain tracking, usage-based insurance, and location-based access control.

Defenses against spoofing address the trustworthiness of the signals received, not of the receiver. Proof of location addresses a very different problem: how can a third party authenticate location data from an untrusted receiver?

There are several approaches to this problem. One would be to create an aggregated proof of location, cross-checking GNSS data against input from a number of other sensors in the phone, like the inertial measurement unit and barometer, in addition to network-based location information from Wi-Fi and cell networks. Apps like Truepic already do this to verify the authenticity of photographs for their clients, including insurance companies.9 An obvious drawback to this solution is the reliance on network access, though it would also be possible to store the data on the user’s device in such a way that it would be extremely difficult to tamper with it. This could be accomplished with a Trusted Computing architecture in which the data is signed and encrypted by a secure chip attached to the device CPU.10

Another solution would be to incorporate a proof of location method into the GNSS signal itself. For example, one proposed system for “Pretty Good Proof of Location”11 would be to encrypt the navigation signal and have the satellite send the encryption key after a small time delay, perhaps five minutes. The receiver would be able to store the raw data or stream it to a third party, who could decode it upon publication of the key. The forger would be unable to forge the raw data without knowing the key beforehand.12
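The delayed-key scheme above can be modelled from the third party's side. This is an added example, not code from the report or from the cited proposal; it assumes AES-GCM as a stand-in for the signal encryption, a verifier that stamps each submission with its own clock, and hypothetical names (`Submission`, `Broadcast`, `Verify`).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const disclosureDelay = 300 // seconds until the epoch key is published (assumed)

// Submission is raw data an untrusted receiver streamed to the verifier.
type Submission struct {
	Epoch      int64  // epoch start (Unix seconds) the data claims to come from
	Raw        []byte // still-encrypted samples, opaque to the receiver
	ReceivedAt int64  // verifier's own clock when Raw arrived
}

// mustGCM returns AES-GCM and a per-epoch nonce; it panics on a bad key length.
func mustGCM(key []byte, epoch int64) (cipher.AEAD, []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	nonce := make([]byte, gcm.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], uint64(epoch))
	return gcm, nonce
}

func Broadcast(key []byte, epoch int64, nav []byte) []byte { // satellite side
	gcm, nonce := mustGCM(key, epoch)
	return gcm.Seal(nil, nonce, nav, nil)
}

// Verify runs once the key is public. Late data proves nothing: anyone can forge it.
func Verify(s Submission, publishedKey []byte) ([]byte, error) {
	if s.ReceivedAt >= s.Epoch+disclosureDelay {
		return nil, fmt.Errorf("arrived after key disclosure")
	}
	gcm, nonce := mustGCM(publishedKey, s.Epoch)
	return gcm.Open(nil, nonce, s.Raw, nil) // fails unless Raw was made with the key
}

func main() { // constructed key and frame; the data arrives 60 s into the epoch
	raw := Broadcast([]byte("constructed-key!"), 1541500000, []byte("constructed nav frame"))
	nav, err := Verify(Submission{1541500000, raw, 1541500060}, []byte("constructed-key!"))
	fmt.Printf("%s %v\n", nav, err)
}
```

The arrival-time check carries the proof: the same bytes submitted after the key is public are rejected even though they decode correctly.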

Even in the absence of these technical solutions, community mapping is inherently resistant to forgery of location data because it is a group activity in which claims are made and validated collectively. For community boundary surveys, trained community members supervise the collection of GNSS data, and it is validated against a base map with identifiable landmarks, like trees, fences, and buildings. Moreover, the boundaries of the demarcated plots are reviewed and agreed to by the owners of adjacent plots. This leaves very little room for falsification or manipulation of coordinates.

Box 3

Basic Stages of a Community Land Mapping Program13

  1. Community Planning Meeting: A meeting with the whole community to explain the purpose and objectives of a land mapping program and to start a discussion with all parties. This should be a public meeting, welcoming everyone, and should be well advertised in advance.
  2. Community Rough Mapping: The team does a rough map. Rough mapping is a process that records a community’s geographic, social and economic features. It can also be a useful tool for identifying specific issues that affect a community.
  3. Land mapping team selection: Mapping teams are appointed and allocated to each area. Teams should be representative of the community or area that is to be mapped.
  4. Planning and training: The teams are trained. They learn what is to be mapped and consider the challenges that data collection will raise.
  5. Questionnaire/survey design: After the rough mapping, a working group identifies key areas where quantitative data would be useful.
  6. Launch: The program is launched at a public meeting, the results of the rough mapping are shared and a detailed plan and schedule for household mapping agreed.
  7. Survey: The mapping team goes house to house with questionnaires, explains what the survey is for, and measures plots and house sizes.
  8. Verification: The data is checked for standardization and for any errors or omissions. Incomplete or disputed information may need to be recollected.
  9. Group Discussions: The information is shared with the whole community at fully inclusive public meetings and smaller group discussions.
  10. Creation of Public Awareness.

That brings us to the related question of recording attestations between community members. Our recent research into self-sovereign identity provides a possible answer, one that is conveniently amenable to use with smartphones. Self-sovereign identity (SSI) uses cryptography to give individuals a secure digital identity under their control, paired with a platform for storing and sharing verifiable, digitally signed data. This is critical for recording attestations in a way that is secure and easily tracked and audited.

Current community mapping apps can upload scans of signed paper documents and record videos of neighbors agreeing on property boundaries. Video is much harder to fake than a signature, and therefore harder to repudiate. But while it might provide stronger evidence in court, the use of video creates a number of problems. Video files are large and take up a lot of storage capacity. Moreover, they are hard to check. How do you verify the identities of the people in the video? And validating the interaction requires a human to sit down and watch it. By contrast, SSI uses cryptographic signatures to record agreements and attestations in a way that is both secure and easy to validate. Signatures can be indelibly linked to a single digital identity, or even to a natural person using biometry.
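A boundary agreement recorded as signatures can be checked mechanically, as this added example shows (it is not code from the report or from any SSI platform). It assumes raw Ed25519 keys as a stand-in for SSI identities; `BoundaryClaim`, `Registry`, `Enroll`, `Attest` and `MissingConsent` are hypothetical names and the coordinates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"sort"
)

// BoundaryClaim is the surveyed plot that adjacent owners are asked to agree to.
type BoundaryClaim struct {
	PlotID   string
	Vertices [][2]int64 // lon/lat in units of 1e-7 degrees
}

type Registry map[string]ed25519.PublicKey // identifier -> key, standing in for SSI identities

// Enroll creates a key pair, records the public half, returns the private half.
func (r Registry) Enroll(id string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	r[id] = pub
	return priv
}

func Attest(c BoundaryClaim, priv ed25519.PrivateKey) []byte {
	msg, _ := json.Marshal(c) // exact encoded claim; cannot fail for this type
	return ed25519.Sign(priv, msg)
}

// MissingConsent lists required neighbours with no valid signature on this claim.
func MissingConsent(c BoundaryClaim, required Registry, sigs map[string][]byte) (missing []string) {
	msg, _ := json.Marshal(c)
	for id, pub := range required {
		if !ed25519.Verify(pub, msg, sigs[id]) {
			missing = append(missing, id)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() { // constructed sample: neighbour-b is required but has not signed
	reg, claim := Registry{}, BoundaryClaim{"plot-17", [][2]int64{{368210000, -13000000}}}
	sigA := Attest(claim, reg.Enroll("neighbour-a"))
	reg.Enroll("neighbour-b")
	fmt.Println(MissingConsent(claim, reg, map[string][]byte{"neighbour-a": sigA}))
}
```

Because each signature covers the encoded coordinates, moving a vertex after the neighbours have signed invalidates every attestation at once.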

SSI architecture can also allow communities to organize themselves and determine group membership. When documenting the claims of a given indigenous community, for example, it might be necessary to know who is and is not a member. In many cases that determination is best made by the community itself rather than by outsiders, for example a foreign NGO organizing the mapping. The community could instead issue membership credentials to its members who could present them to the NGO as necessary.

Finally, SSI can provide a critical infrastructure component for connection to a variety of services, for example subsidies. The SSI firm Everest has partnered with the Government of Indonesia to distribute liquefied petroleum gas subsidies to digital wallets linked to self-sovereign identities.14 Similarly, a digital credential issued and signed by the land registry could be used to establish entitlement to agricultural subsidies, which could even be delivered to the farmer’s digital wallet. SSI can also incorporate a messaging system. If integrated into a digital registry this could be used to combat fraud, sending automated notifications to property owners whenever a transfer of their land is initiated or when it is used as collateral for a loan. (For more on SSI and land registries, see the Future of Property Rights report The Nail Finds a Hammer: Self-Sovereign Identity, Design Principles, and Property Rights in the Developing World.)

Citations
  1. GNSS User Technology Report: Issue 2, European Global Navigation Satellite Systems Agency, 5.
  2. Mark L. Psiaki and Todd E. Humphreys, “Protecting GPS From Spoofers Is Critical to the Future of Navigation,” IEEE Spectrum, July 29, 2018, source, accessed November 6, 2018.
  3. Tom Nardi, “Spoofing Cell Networks with a USB to VGA Adapter,” Hackaday (blog), April 23, 2018, source, accessed November 6, 2018; “Osmo-fl2k,” Osmocom, accessed November 6, 2018, source.
  4. “Assuring authentication for all,” European GNSS Service Center, European Global Navigation Satellite Systems Agency, last updated November 10, 2018, source, accessed November 6, 2018.
  5. “A new generation of OS-NMA user terminals,” European Global Navigation Satellite Systems Agency, last updated April 9, 2018, source, accessed November 6, 2018.
  6. Markus G. Kuhn, “Signal Authentication in Trusted Satellite Navigation Receivers,” Department of Computer Science and Technology, University of Cambridge, accessed November 14, 2018, source, 11-12.
  7. Ibid., 16.
  8. Greg Milner, “A New Way of Mapping Everything,” Breaker, October 22, 2018, source, accessed November 2, 2018.
  9. Joshua Rothman, “In the Age of A.I., Is Seeing Still Believing?,” The New Yorker, accessed November 9, 2018, source.
  10. Eric Roberts, “What is Trusted Computing?,” Computer Science Department, School of Engineering, Stanford University, accessed November 14, 2018, source; John Lyle and Andrew Martin, “Trusted Computing and Provenance: Better Together,” paper presented at TaPP ‘10: 2nd Workshop on the Theory and Practice of Provenance, San Jose, California, February 22, 2010.
  11. “Spoofs, Proofs & Jamming,” Inside GNSS, September 3, 2012, source, accessed November 2, 2018.
  12. Gianluca Caparra et al., “Design Drivers and New Trends for Navigation Message Authentication Schemes for GNSS Systems,” Inside GNSS (September/October 2016): 66.
  13. Victoria Stodart, ‘Minimum elements’ for community-based land mapping approaches in post disaster contexts, International Federation of Red Cross and Red Crescent Societies, Geneva, Switzerland, 2015, source, accessed November 13, 2018, 16-17.
  14. GlobeNewswire, “Everest, ID2020 and the Government of Indonesia (TNP2K Secretariat) Announced Innovative Identity and Blockchain Pilot Solution to Enhance the National LPG Subsidy Program,” Morningstar, September 14, 2018, source, accessed November 9, 2018.