Each SIM card on your phone has a permanent ID number, known as an “international mobile subscriber identity,” or IMSI number. When your device reboots, has been inactive for a while, or just needs to establish a fresh connection, it reaches out to the nearest cell tower and presents an IMSI number. This allows carriers to check whether you’ve paid your phone bill and should be allowed access to service, and it also tells the network which cell towers you’re close to. Surveillance tools known as “stingrays” or “IMSI catchers” take advantage of this same interaction to grab your physical location and even eavesdrop on your calls and texts.
To make it more difficult to track you all the time, wireless standards already assign each device a random, rotating ID after the initial IMSI exchange. This means that there are already some protections built into the system; making that first IMSI step more private would have far-reaching benefits for users.
Pretty Good Phone Privacy, whose name is a nod to the groundbreaking 1991 communication encryption program Pretty Good Privacy, aims to achieve just that by reimagining the billing check that networks perform. The researchers propose installing portals on every device—using an app or operating system function—that run regular checks with a billing server to confirm that a user is in good standing. The system would hand out digital tokens that don’t identify the specific device, but simply indicate whether the attached wireless account is paid up. When the device attempts to connect to a cell tower, the exchange would funnel through this portal for a yes or no on whether to provide service. The researchers further realized that if the system has an alternate method of confirming billing status, it can accept the same IMSI number or any random ID for each user.
“When you attach to the network, you offer the IMSI number to show the backend database that you are a paying customer, and here are the services that you have subscribed to,” Schmitt says. “The system then informs the rest of the core to allow you onto the network. But what we do with PGPP changes the calculus. The subscriber database can verify that you’re a paying user without knowing who you are. We’ve decoupled and shifted billing and authentication.”
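As an added illustration, not code from the article or from the PGPP project, the toy Python model below shows the decoupling the two paragraphs above describe: the billing server learns only that an account is paid up, the network gateway learns only that a valid, unused token was presented, and neither side can link the two views to an IMSI. The article does not say how PGPP makes its tokens unlinkable; this model assumes RSA blind signatures with constructed toy primes, a standard way to get that property.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA parameters: two well-known 30-bit primes. A real system
# would use a 2048-bit+ modulus and a standardised blind-signature scheme.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

PAID_ACCOUNTS = {"acct-0001"}   # constructed billing-server state
SPENT_TOKENS = set()            # network-side replay check

def h(token_id: bytes) -> int:
    """Toy full-domain hash of the token id into the RSA group."""
    return int.from_bytes(hashlib.sha256(token_id).digest(), "big") % N

def device_blind(token_id: bytes):
    """Device: blind the hashed token so billing never sees the real one."""
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (h(token_id) * pow(r, E, N)) % N, r

def billing_sign(account_id: str, blinded: int):
    """Billing server: knows the account, signs only the blinded value."""
    if account_id not in PAID_ACCOUNTS:
        return None                      # not paid up: no token issued
    return pow(blinded, D, N)

def device_unblind(blind_sig: int, r: int) -> int:
    """Device: strip the blinding factor to obtain a normal RSA signature."""
    return (blind_sig * pow(r, -1, N)) % N

def network_verify(token_id: bytes, sig: int) -> bool:
    """Gateway: accept the attach if the token is valid and not yet used."""
    if token_id in SPENT_TOKENS or pow(sig, E, N) != h(token_id):
        return False
    SPENT_TOKENS.add(token_id)
    return True

def attach(account_id: str) -> bool:
    """Full flow: one fresh token per attach; no IMSI reaches the gateway."""
    token_id = secrets.token_bytes(16)
    blinded, r = device_blind(token_id)
    blind_sig = billing_sign(account_id, blinded)
    if blind_sig is None:
        return False
    return network_verify(token_id, device_unblind(blind_sig, r))
```

Because the gateway only ever sees `token_id` and `sig`, the same code path works whether the device presents its real IMSI, a shared IMSI, or a random ID, which is the point the researchers make about the identifier becoming interchangeable.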
Reworking some billing systems and distributing an app to users would be far more manageable for carriers than deeper network overhauls. Raghavan and Schmitt are in the process of turning their research into a startup to make it easier to promote the project among United States telecoms. They acknowledge that even with the ease of adoption, it’s still a long shot that the whole industry would shift to PGPP anytime soon. But getting even a few carriers on board, they say, could still make a big difference. That’s because bulk location data becomes much less reliable if any significant portion of the total set is tainted. If 9 million Boost Mobile subscribers, for instance, were to broadcast identical or randomized IMSI numbers, that would undermine the accuracy and usefulness of the entire data set.
The fact that small, virtual providers who don’t even operate their own cell towers—known as MVNOs—could implement this scheme independently is significant, says cryptographer Bruce Schneier, who originally learned about PGPP in January and has recently become a project adviser.
“One carrier can do it on their own without anybody’s permission and without anybody else changing anything,” Schneier says. “I can imagine one of these smaller companies saying they’re going to offer this as a value-add, because they want to differentiate. This is privacy at very little cost. That’s the neat thing.”
In the competitive, monolithic wireless market, standing apart on privacy could be appealing as a marketing tactic. It’s possible that the big three carriers could attempt to block MVNOs from adopting something like PGPP through contractual moratoria. But the researchers say that some MVNOs have expressed interest in the proposal.
Between potential pressure from law enforcement and loss of data access—plus the need to distribute an app or get mobile operating systems to participate—carriers could have little incentive to adopt PGPP. To the extent that law enforcement might oppose such a scheme, Schmitt notes that it would still be possible for carriers to perform targeted location history lookups for specific phone numbers. And the researchers say they believe the approach would be legal in the US under the Communications Assistance for Law Enforcement Act. This is because one caveat of PGPP is that it only adds privacy protections for cell tower interactions that involve data networks like 4G or 5G. It doesn’t attempt to interoperate with the historic telephony protocols that facilitate traditional phone calls and SMS text messages. Users would need to rely on VoIP calling and data-based messaging for maximum privacy.
The approach also focuses on IMSI numbers, along with their 5G counterparts known as Subscription Permanent Identifiers, or SUPI, and it doesn’t protect or occlude static hardware identifiers like International Mobile Equipment Identity (IMEI) numbers or media access control (MAC) addresses. These aren’t used in the cell tower interactions the researchers are trying to anonymize, but they could provide other avenues for tracking.
Having a simple and straightforward option to address one major location data exposure is still significant, though, after years of data misuse and rising privacy concerns.
“Just to be totally frank, the feeling for me now is, how did we not see this before?” Raghavan says. “It’s not, ‘Wow, this was so difficult to figure out.’ It’s obvious in retrospect.”
“That actually made us feel better as systems researchers,” Schmitt adds. “Ultimately, the simpler the system, the better the system.”