In a blog entry, Harald Welte recently published a paper about his GSM test network at HAR2009. It mainly describes how OpenBSC, his open-source GSM network stack implementation, worked and behaved under the field test conditions there.
While most of the report was interesting but not new, one section struck me: "RRLP testing". To quote the report:
Many modern smartphones with GPS receiver are rumoured to have support for the RRLP protocol. According to its specification, RRLP enables the network (or anyone claiming to be the network) to obtain the current GPS fix of the MS without any form of authentication.
...
Result: RRLP is not just a theoretical feature specified in the GSM/3GPP specs. It is implemented by numerous high-end smartphones. There is no authentication of the network. There is no notification of the user. There is no way for the user to disable this [mis]feature.
In short: if you have a mobile phone with GPS, anyone who can act as the network can determine your current position without asking you. Since the phone does not authenticate the network, that is not limited to your operator: anyone running a base station the phone will camp on can do it. So on top of passively tracking which cells you pass through over time, network operators (and anyone impersonating them) can actively query your phone for a GPS fix.
This is a massive privacy breach and one of the reasons I was so excited about OpenMoko - one could switch off the GSM chip when it was not needed. Currently, I switch off the phone when I do not use it, but with a smartphone this would be a bit silly.