8 with 8 posters participating
Location data sharing from wireless carriers has been a major privacy issue in recent years. Marketers, salespeople, and even bounty hunters were able to pay shadowy third-party companies to track where people have been, using information that carriers gathered from interactions between your phone and nearby cell towers. Even after promising to stop selling the data, the major carriers—AT&T, T-Mobile, and Verizon—reportedly continued the practice in the US until the Federal Communications Commission proposed nearly $200 million in combined fines. Carriers remain perennially hungry to know as much about you as they can. Now, researchers are proposing a simple plan to limit how much bulk location data they can get from cell towers.
Much of the third-party location data industry is fueled by apps that gain permission to access your GPS information, but the location data that carriers can collect from cell towers has often provided an alternative pipeline. For years, it’s seemed like little could be done about this leakage because cutting off access to this data would likely require the sort of systemic upgrades that carriers are loath to make.
At the Usenix security conference on Thursday, though, network security researchers Paul Schmitt of Princeton University and Barath Raghavan of the University of Southern California are presenting a scheme called Pretty Good Phone Privacy that can mask wireless users’ locations from carriers with a simple software upgrade that any carrier can adopt—no tectonic infrastructure shifts required.
“The primary problem we’re trying to address is bulk data collection and the sale of it,” Raghavan says. “We see it as a user privacy issue that carriers can amass this location data whether or not they are currently actively selling it. And our goal here was backward compatibility. We didn’t want the telecoms to have to roll out anything because we knew they weren’t going to.”
The opportunity to collect bulk location data from wireless networks arises from the fact that each SIM card has a permanent ID number, known as an “international mobile subscriber identity,” or IMSI number. When your device reboots, has been inactive for a while, or just needs to establish a fresh connection, it reaches out to the nearest cell tower and presents an IMSI number. This allows carriers to check whether you’ve paid your phone bill and should be allowed access to service, and it also tells the network which cell towers you’re close to. Surveillance tools known as “stingrays” or “IMSI catchers” take advantage of this same interaction to grab your physical location and even eavesdrop on your calls and texts.
Pretty Good Privacy, aims to achieve just that by reimagining the billing check that networks perform. The researchers propose installing portals on every device—using an app or operating system function—that run regular checks with a billing server to confirm that a user is in good standing. The system would hand out digital tokens that don’t identify the specific device but simply indicate whether the attached wireless account is paid up. When the device attempts to connect to a cell tower, the exchange would funnel through this portal for a “yes” or “no” on whether to provide service. The researchers further realized that if the system has an alternate method of confirming billing status, it can accept the same IMSI number or any random ID for each user.
“When you attach to the network, you offer the IMSI number to show the backend database that you are a paying customer, and here are the services that you have subscribed to,” Schmitt says. “The system then informs the rest of the core to allow you onto the network. But what we do with PGPP changes the calculus. The subscriber database can verify that you’re a paying user without knowing who you are. We’ve decoupled and shifted billing and authentication.”
Reworking some billing systems and distributing an app to users would be far more manageable for carriers than deeper network overhauls. Raghavan and Schmitt are in the process of turning their research into a startup to make promoting the project easier among United States telecoms. They acknowledge that even with the ease of adoption, it’s still a long shot that the whole industry would shift to PGPP anytime soon. But getting only a few carriers, they say, could still make a big difference. That’s because bulk location data becomes much less reliable if any significant portion of the total set is tainted. If 9 million Boost Mobile subscribers, for instance, were to broadcast identical or randomized IMSI numbers, that would undermine the accuracy and usefulness of the entire data set.