Location data sharing by wireless carriers has been a major privacy concern in recent years. Marketers, sellers, and even bounty hunters could pay shady third-party companies to track where people have been, using information carriers gathered from interactions between your phone and nearby cell towers. Even after promising to stop selling the data, the major carriers — AT&T, T-Mobile and Verizon — reportedly continued the practice in the US until the Federal Communications Commission proposed nearly $200 million in combined fines. Carriers remain forever hungry to learn as much about you as possible. Now researchers are proposing a simple plan to limit how much bulk location data they can get from cell towers.
Much of the third-party location data industry is powered by apps that are allowed to access your GPS information, but the location data carriers can collect from cell towers has often provided an alternate pipeline. For years, it seemed like little could be done about this leak, as cutting off access to this data would likely require the kind of system upgrades that carriers don’t want to make.
However, at Thursday’s Usenix security conference, network security researchers Paul Schmitt of Princeton University and Barath Raghavan of the University of Southern California are presenting a scheme called Pretty Good Phone Privacy that can mask the locations of wireless carrier users with a simple software upgrade that any carrier can apply – no tectonic infrastructure shifts are required.
“The main problem we are trying to tackle is collecting massive data and selling it,” Raghavan says. “We see it as a privacy concern for users that carriers can collect this location data whether or not they are currently actively selling it. And our goal here was backwards compatibility. We didn’t want telecoms to roll out anything because we knew they wouldn’t.”
The ability to collect bulk location data from wireless networks comes from the fact that each SIM card has a permanent ID number, also known as an “international mobile subscriber identity” or IMSI number. When your device reboots, has been inactive for a while, or just needs to establish a new connection, it will reach out to the nearest cell tower and present its IMSI number. This allows carriers to check whether you’ve paid your phone bill and are entitled to service, and it also tells the network which cell towers you’re near. Surveillance tools known as “stingrays” or “IMSI catchers” use the same interaction to find out your physical location and even eavesdrop on your calls and text messages.
To make it harder to track you all the time, wireless standards already assign each device a random, rotating ID after the first IMSI exchange. This means that some protections are already built into the system; making that first IMSI step more private would have far-reaching benefits for users.
Pretty Good Phone Privacy, whose name is a nod to the pioneering 1991 communications encryption program Pretty Good Privacy, aims to achieve just that by reinventing the billing check that networks perform. The researchers suggest installing portals on every device — using an app or operating system function — that run regular checks with a billing server to confirm a user is in good standing. The system would hand out digital tokens that don’t identify the specific device, but simply indicate whether the connected wireless account has been paid. When the device tries to connect to a cell tower, the exchange runs through this portal for a “yes” or “no” on whether or not to provide service. The researchers further realized that if the system has an alternative method of confirming billing status, it can accept the same IMSI number for every user, or a random ID.
“When you connect to the network, you present the IMSI number to show the backend database that you are a paying customer, and these are the services you have subscribed to,” says Schmitt. “The system then informs the rest of the core to give you access to the network. But what we do with PGPP changes the calculus. The subscriber database can verify that you are a paying user without knowing who you are. We have unlinked and shifted billing and authentication.”
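The separation Schmitt describes, as an added example that is not the researchers’ code or anything from the article: the article names no cryptographic primitive, so Chaum RSA blind signatures are assumed here as one way a billing server can sign a “paid” token without ever seeing the token the tower later checks. The key (two Mersenne primes), account names and token format are constructed toy values.

```python
"""Toy PGPP-style 'paid subscriber' token (added example, not the authors' code).
The article names no primitive; Chaum RSA blind signatures are assumed here as
one way to issue tokens the billing server cannot link to the device that
later presents them. Toy-sized Mersenne-prime key: for illustration only."""
import hashlib
import math
import secrets

P, Q = (1 << 127) - 1, (1 << 89) - 1      # constructed toy primes M127, M89
N, E = P * Q, 65537                        # public key (~216-bit modulus)
_D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent: billing server only

def _hash_to_int(token_id):
    """Map a token id into Z_N (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token_id).digest(), "big") % N

class BillingServer:
    """Knows WHO has paid, but only ever sees a blinded value, never the token."""
    def __init__(self, accounts):
        self.accounts = accounts           # account_id -> paid (bool)
        self.seen = []                     # everything the server could log

    def sign_blinded(self, account_id, blinded):
        if not self.accounts.get(account_id):
            return None                    # unpaid account: no token issued
        self.seen.append(blinded)
        return pow(blinded, _D, N)

def request_token(server, account_id):
    """Device side: blind a fresh token id, have it signed, then unblind."""
    token_id = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:             # blinding factor must be invertible
        r = secrets.randbelow(N - 2) + 2
    signed = server.sign_blinded(account_id, _hash_to_int(token_id) * pow(r, E, N) % N)
    if signed is None:
        return None
    return token_id, signed * pow(r, -1, N) % N   # (m*r^e)^d * r^-1 = m^d mod N

class NetworkGate:
    """Tower/core side: public key plus a spent set; answers only yes or no."""
    def __init__(self):
        self.spent = set()

    def admit(self, token):
        token_id, sig = token
        if token_id in self.spent or pow(sig, E, N) != _hash_to_int(token_id):
            return False                   # forged, tampered, or replayed token
        self.spent.add(token_id)
        return True
```

The gate never learns an account identity, and the billing server’s log holds only blinded values, so the two views cannot be joined into a location history.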
Reworking some billing systems and distributing an app to users would be much more manageable for carriers than deeper network overhauls. Raghavan and Schmitt are turning their research into a startup to make it easier to promote the project to telecoms in the United States. They recognize that even with the ease of adoption, it’s still a long shot that the entire industry would switch to PGPP any time soon. But getting just a few carriers, they say, can still make a big difference. That’s because bulk location data becomes much less reliable if a significant portion of the total set is polluted. For example, if 9 million Boost Mobile subscribers broadcast identical or randomized IMSI numbers, it would undermine the accuracy and usability of the entire dataset.
The fact that small, virtual providers that don’t even operate their own cell towers — known as MVNOs — can implement this scheme independently is telling, says cryptographer Bruce Schneier, who first learned about PGPP in January and recently became a project consultant.
“One carrier can do it alone without anyone’s permission and without anyone else changing anything,” says Schneier. “I can imagine one of these smaller companies saying that they will offer this as added value because they want to distinguish themselves. This is privacy at a very low cost. That’s the fun.”
In the competitive, monolithic wireless market, it can be attractive to distinguish yourself on privacy as a marketing tactic. It’s possible the big three carriers could try to prevent MVNOs from adopting something like PGPP through contractual prohibitions. But the researchers say some MVNOs have expressed interest in the proposal.
Between potential law enforcement pressures and loss of data access — plus the need to distribute an app or allow mobile operating systems to participate — carriers could have little incentive to use PGPP. To the extent law enforcement could oppose such a plan, Schmitt notes that it would still be possible for carriers to perform targeted searches in location history for specific phone numbers. And the researchers say they believe the approach would be legal in the US under the Communications Assistance for Law Enforcement Act. This is because a caveat of PGPP is that it only adds privacy protections for cell tower interactions involving data networks such as 4G or 5G. It does not attempt to interoperate with the legacy telephony protocols that carry traditional phone calls and text messages. Users should rely on VoIP calling and data-based messaging for maximum privacy.
The approach also targets only IMSI numbers, along with their 5G counterparts known as Subscription Permanent Identifiers or SUPI, and it does not protect or obscure static hardware identifiers such as International Mobile Equipment Identity (IMEI) numbers or media access control (MAC) addresses. These aren’t used in the cell tower interactions the researchers are trying to anonymize, but they could provide other ways to track.
However, having a simple and straightforward option to deal with one major location data exposure is still significant, after years of data misuse and mounting privacy concerns.
“To be quite honest, the feeling for me now is, how haven’t we seen this before?” says Raghavan. “It’s not, ‘Wow, this was so hard to figure out.’ In retrospect it is clear.”
“It actually made us feel better as systems researchers,” Schmitt adds. “Ultimately, the simpler the system, the better the system.”
This story originally appeared on wired.com.