Location data sharing from wireless carriers has been a major privacy issue in recent years. Marketers, salespeople, and even bounty hunters were able to pay shadowy third-party companies to track where people have been, using information that carriers gathered from interactions between your phone and nearby cell towers. Even after promises to stop selling the data, the major carriers—AT&T, T-Mobile, and Verizon—reportedly continued the practice in the US until the Federal Communications Commission proposed nearly $200 million in combined fines. Carriers remain perennially hungry to know as much about you as they can. Now, researchers are proposing a simple plan to limit how much bulk location data they can get from cell towers.
Much of the third-party location data industry is fueled by apps that gain permission to access your GPS information, but the location data that carriers can collect from cell towers has often provided an alternative pipeline. For years it's seemed like little could be done about this leakage, because cutting off access to this data would likely require the sort of systemic upgrades that carriers are loath to make.
At the Usenix security conference on Thursday, though, network security researchers Paul Schmitt of Princeton University and Barath Raghavan of the University of Southern California are presenting a scheme called Pretty Good Phone Privacy that can mask wireless users' locations from carriers with a simple software upgrade that any carrier can adopt—no tectonic infrastructure shifts required.
“The primary problem we’re trying to address is bulk data collection and the sale of it,” Raghavan says. “We see it as a user privacy issue that carriers can amass this location data whether or not they are currently actively selling it. And our goal here was backward compatibility. We didn’t want the telecoms to have to roll out anything, because we knew they weren’t going to.”
The opportunity to collect bulk location data from wireless networks arises from the fact that each SIM card has a permanent ID number, known as an “international mobile subscriber identity,” or IMSI number. When your device reboots, has been inactive for a while, or just needs to establish a fresh connection, it reaches out to the nearest cell tower and presents an IMSI number. This allows carriers to check whether you've paid your phone bill and should be allowed access to service, and it also tells the network which cell towers you're close to. Surveillance tools known as “stingrays” or “IMSI catchers” take advantage of this same interaction to grab your physical location and even eavesdrop on your calls and texts.
To make it more difficult to track you all the time, wireless standards already assign each device a random, rotating ID after the initial IMSI exchange. This means that there are already some protections built into the system; making that first IMSI step more private would have far-reaching benefits for users.
Pretty Good Phone Privacy, whose name is a nod to the groundbreaking 1991 communication encryption program Pretty Good Privacy, aims to achieve just that by reimagining the billing check that networks perform. The researchers propose installing portals on every device—using an app or operating system function—that run regular checks with a billing server to confirm that a user is in good standing. The system would hand out digital tokens that don't identify the specific device, but simply indicate whether the attached wireless account is paid up. When the device attempts to connect to a cell tower, the exchange would funnel through this portal for a yes or no on whether to provide service. The researchers further realized that if the system has an alternate method of confirming billing status, it can accept the same IMSI number or any random ID for each user.
“When you attach to the network, you offer the IMSI number to show the backend database that you are a paying customer, and here are the services that you have subscribed to,” Schmitt says. “The system then informs the rest of the core to allow you onto the network. But what we do with PGPP changes the calculus. The subscriber database can verify that you’re a paying user without knowing who you are. We've decoupled and shifted billing and authentication.”
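The decoupling Schmitt describes, modelled as an added example that is not the researchers' code or the PGPP implementation: a billing server that knows every subscriber but only ever signs blinded requests, a device-side "portal" that unblinds the result into a token, and a core network that grants the attach on a valid, unspent token and ignores whatever IMSI was presented. The use of an RSA blind signature to make the token unlinkable to its issuance is this example's assumption about how such a token could be built; the article only says the tokens do not identify the device. The key uses two small fixed primes and textbook RSA without padding, purely for illustration.

```python
"""Toy model of the billing/authentication split described on this page.

Added example, not the researchers' code. The token is an RSA blind signature
(an assumption about how unlinkability could be obtained). Textbook RSA with
no padding and demo-sized primes; not suitable for production use."""
import hashlib
import secrets

# Constructed RSA key: two Mersenne primes, 2^61-1 and 2^89-1 (demo size only).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _token_hash(nonce: bytes) -> int:
    """Map a random nonce to an integer below N; this is the value that gets signed."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N


class BillingServer:
    """Knows who every subscriber is, but only ever sees blinded requests."""

    def __init__(self, paid_subscribers):
        self.paid = set(paid_subscribers)  # constructed subscriber IDs
        self.seen_blinded = []             # what a logging carrier could keep

    def issue(self, subscriber_id: str, blinded: int):
        if subscriber_id not in self.paid:
            return None                    # account not in good standing: no token
        self.seen_blinded.append(blinded)
        return pow(blinded, D, N)          # signs without learning the real message


class Device:
    """The device-side portal: fetches a token and unblinds it."""

    def __init__(self, subscriber_id: str):
        self.subscriber_id = subscriber_id

    def get_token(self, billing: BillingServer):
        nonce = secrets.token_bytes(16)
        m = _token_hash(nonce)
        r = secrets.randbelow(N - 2) + 2             # blinding factor in [2, N-1]
        blinded = (m * pow(r, E, N)) % N
        blinded_sig = billing.issue(self.subscriber_id, blinded)
        if blinded_sig is None:
            return None
        sig = (blinded_sig * pow(r, -1, N)) % N      # strip the blinding factor
        return nonce, sig


class CoreNetwork:
    """Attach decision: a valid, unspent token means service, whatever IMSI was sent."""

    def __init__(self):
        self.spent = set()

    def attach(self, presented_imsi: str, token) -> bool:
        if token is None:
            return False
        nonce, sig = token
        if nonce in self.spent:
            return False                             # replayed token
        if pow(sig, E, N) != _token_hash(nonce):
            return False                             # forged or tampered token
        self.spent.add(nonce)
        return True                                  # presented_imsi plays no role


def run_attach(subscriber_id: str, paid, presented_imsi: str = "999999999999999"):
    """End-to-end flow: token fetch, then attach with an arbitrary IMSI.

    Returns (attach_granted, linkable). `linkable` is True only if the value the
    core verified also appears in the billing server's log, i.e. if issuance and
    attach could be joined on the token itself."""
    billing = BillingServer(paid)
    core = CoreNetwork()
    token = Device(subscriber_id).get_token(billing)
    granted = core.attach(presented_imsi, token)
    linkable = token is not None and _token_hash(token[0]) in billing.seen_blinded
    return granted, linkable


if __name__ == "__main__":
    print(run_attach("sub-A", {"sub-A", "sub-B"}))   # paid subscriber, random IMSI
    print(run_attach("sub-Z", {"sub-A", "sub-B"}))   # unpaid: no token, no service
```

The point the model makes concrete is the one in the quote: the subscriber database still decides who is paid up, but the record it could keep (the blinded value) does not match what the tower sees, and the attach itself succeeds on a constant or random IMSI. The replay set on the core is the piece a real deployment would need in addition to the token check, since a token that does not name a device can otherwise be reused.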
Reworking some billing systems and distributing an app to users would be far more manageable for carriers than deeper network overhauls. Raghavan and Schmitt are in the process of turning their research into a startup to make promoting the project easier among United States telecoms. They acknowledge that even with the ease of adoption, it's still a long shot that the whole industry would shift to PGPP anytime soon. But getting only a few carriers on board, they say, could still make a big difference. That's because bulk location data becomes much less reliable if any significant portion of the total set is tainted. If 9 million Boost Mobile subscribers, for instance, were to broadcast identical or randomized IMSI numbers, that would undermine the accuracy and usefulness of the entire data set.
The fact that small, virtual providers who don't even operate their own cell towers—known as MVNOs—could implement this scheme independently is significant, says cryptographer Bruce Schneier, who originally learned about PGPP in January and has recently become a project adviser.
“One carrier can do it on their own without anybody’s permission and without anybody else changing anything,” Schneier says. “I can imagine one of these smaller companies saying they're going to offer this as a value-add, because they want to differentiate. This is privacy at very little cost. That’s the neat thing.”
In the competitive, monolithic wireless market, standing apart on privacy could be appealing as a marketing tactic. It's possible that the big three carriers could attempt to block MVNOs from adopting something like PGPP through contractual moratoria. But the researchers say that some MVNOs have expressed interest in the proposal.
Between potential pressure from law enforcement and loss of data access—plus the need to distribute an app or get mobile operating systems to participate—carriers could have little incentive to adopt PGPP. To the extent that law enforcement might oppose such a scheme, Schmitt notes that it would still be possible for carriers to perform targeted location history lookups for specific phone numbers. And the researchers say they believe the approach would be legal in the US under the Communications Assistance for Law Enforcement Act. This is because one caveat of PGPP is that it only adds privacy protections for cell tower interactions that involve data networks like 4G or 5G. It doesn't attempt to interoperate with the historic telephony protocols that facilitate traditional phone calls and SMS text messages. Users would need to rely on VoIP calling and data-based messaging for maximum privacy.
The approach also focuses on IMSI numbers, along with their 5G counterparts known as Subscription Permanent Identifiers, or SUPI, and it doesn't protect or occlude static hardware identifiers like International Mobile Equipment Identity (IMEI) numbers or media access control (MAC) addresses. These aren't used in the cell tower interactions the researchers are trying to anonymize, but they could provide other avenues for tracking.
Having a simple and straightforward option to address one major location data exposure is still significant, though, after years of data misuse and rising privacy concerns.
“Just to be totally frank, the feeling for me now is, how did we not see this before?” Raghavan says. “It's not, ‘Wow, this was so difficult to figure out.’ It's obvious in retrospect.”
“That actually made us feel better as systems researchers,” Schmitt adds. “Ultimately, the simpler the system, the better the system.”