“When you attach to the network, you offer the IMSI number to show the backend database that you are a paying customer and here are the services that you have subscribed to,” Schmitt says. “The system then informs the rest of the core to allow you onto the network. But what we do with PGPP changes the calculus. The subscriber database can verify that you’re a paying user without knowing who you are. We’ve decoupled and shifted billing and authentication.”
Reworking some billing systems and distributing an app to users would be far more manageable for carriers than deeper network overhauls. Raghavan and Schmitt are in the process of turning their research into a startup to make promoting the project easier among United States telecoms. They acknowledge that even with the ease of adoption, it’s still a long shot that the whole industry would shift to PGPP anytime soon. But getting only a few carriers, they say, could still make a big difference. That’s because bulk location data becomes much less reliable if any significant portion of the total set is tainted. If 9 million Boost Mobile subscribers, for instance, were to broadcast identical or randomized IMSI numbers, that would undermine the accuracy and usefulness of the entire data set.
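To make the "tainted data set" argument concrete, here is a constructed simulation (an added example, not the researchers' code or the PGPP design itself): a data broker groups attach records by the identifier a phone presented, and a minority of subscribers presenting fresh or identical identifiers instead of a real IMSI both hides those subscribers and skews aggregate statistics computed over everyone.

```python
from collections import defaultdict

# Constructed model (not PGPP's actual protocol). The first pgpp_fraction of
# subscribers present either a fresh identifier on every attach ("random") or
# one shared identifier ("shared"); everyone else presents their real IMSI.
# Itineraries are fixed so the results are reproducible: subscriber s attaches
# to towers s, s+1, ... (mod n_towers), so every tower sees every subscriber.
def simulate(n_subs=100, attaches_per_sub=12, pgpp_fraction=0.3,
             mode="random", n_towers=10):
    n_pgpp = int(n_subs * pgpp_fraction)
    fresh = 0
    records = []  # (identifier presented to the tower, tower, true subscriber)
    for sub in range(n_subs):
        for k in range(attaches_per_sub):
            tower = (sub + k) % n_towers
            if sub < n_pgpp and mode == "random":
                fresh += 1                 # counter stands in for a random IMSI
                ident = ("fresh", fresh)
            elif sub < n_pgpp and mode == "shared":
                ident = ("shared", 0)
            else:
                ident = ("imsi", sub)
            records.append((ident, tower, sub))
    return records

def tracked_fraction(records):
    """Share of subscribers whose complete tower history a bulk-data buyer can
    reassemble just by grouping records on the identifier field, i.e. one
    identifier group holds exactly one person's attaches and nothing else."""
    by_ident, by_sub = defaultdict(set), defaultdict(set)
    for i, (ident, _tower, sub) in enumerate(records):
        by_ident[ident].add(i)
        by_sub[sub].add(i)
    groups = {frozenset(v) for v in by_ident.values()}
    return sum(frozenset(v) in groups for v in by_sub.values()) / len(by_sub)

def distinct_visitors(records):
    """A typical bulk-data product: distinct visitors per tower, summed over
    all towers. Returns (count a buyer sees from identifiers, true count)."""
    seen, true = defaultdict(set), defaultdict(set)
    for ident, tower, sub in records:
        seen[tower].add(ident)
        true[tower].add(sub)
    observed = sum(len(s) for s in seen.values())
    actual = sum(len(t) for t in true.values())
    return observed, actual

if __name__ == "__main__":
    for mode in ("random", "shared"):
        recs = simulate(mode=mode)
        print(mode, tracked_fraction(recs), distinct_visitors(recs))
```

With 30% of subscribers opted in, the broker loses those 30% of histories outright, and its visitor counts over the whole data set are inflated (fresh identifiers) or deflated (a shared identifier), which is the "undermine the accuracy of the entire data set" effect described above.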
The fact that small, virtual providers who don’t even operate their own cell towers—known as MVNOs—could implement this scheme independently is significant, says cryptographer Bruce Schneier, who originally learned about PGPP in January and has recently become a project advisor.
“One carrier can do it on their own without anybody’s permission and without anybody else changing their anything,” Schneier says. “I can imagine one of these smaller companies saying they’re going to offer this as a value add, because they want to differentiate. This is privacy at very little cost, that’s the neat thing.”
In the competitive, monolithic wireless market, standing apart on privacy could be appealing as a marketing tactic. It’s possible that the big three carriers could attempt to block MVNOs from adopting something like PGPP through contractual moratoria. But the researchers say that some MVNOs have expressed interest in the proposal.
Between potential pressure from law enforcement and loss of data access—plus the need to distribute an app or get mobile operating systems to participate—carriers could have little incentive to adopt PGPP. To the extent that law enforcement might oppose such a scheme, Schmitt notes that it would still be possible for carriers to perform targeted location history lookups for specific phone numbers. And the researchers say they believe the approach would be legal in the US under the Communications Assistance for Law Enforcement Act. This is because one caveat of PGPP is that it only adds privacy protections for cell tower interactions that involve data networks like 4G or 5G. It doesn’t attempt to interoperate with the historic telephony protocols that facilitate traditional phone calls and SMS text messages. Users would need to rely on VoIP calling and data-based messaging for maximum privacy.
The approach also focuses on IMSI numbers, along with their 5G counterparts known as Subscription Permanent Identifier, or SUPI, and doesn’t protect or occlude static hardware identifiers like International Mobile Equipment Identity (IMEI) numbers or media access control (MAC) addresses. These aren’t used in the cell tower interactions the researchers are trying to anonymize, but they could provide other avenues for tracking.
Having a simple and straightforward option to address one major location data exposure is still significant, though, after years of data misuse and rising privacy concerns.
“Just to be totally frank, the feeling for me now is how did we not see this before?” Raghavan says. “It’s not, ‘wow, this was so difficult to figure out.’ It’s obvious in retrospect.”
“That actually made us feel better as systems researchers,” Schmitt adds. “Ultimately the simpler the system, the better the system.”