New Service Highlights Cellphone Privacy Issues
by Michael Dean Thompson
Corporations have turned cellphones into mobile snooping devices that monetize consumer habits and daily activity. A new service, Pretty Good Phone Privacy (“PGPP”), addresses some of the privacy concerns built into the cellular system.
The problem comes down to the architecture of the cellular networks, which were not designed with privacy in mind. Buried within the SIM card is an Internal Mobile Subscriber Identifier (“IMSI”), a globally unique code. The IMSI is used for many things, especially payment status. Essentially, the IMSI ties the device to the person.
Just about every second or so, your phone “pings” the nearby towers to discover which has the strongest signal, as well as which receives its signal best. Those pings carry the phone’s IMSI and generate a record that can be used to provide a rough triangulation of the phone’s location. While not as accurate as a GPS signal, it has found significant use by police who wish to establish the phone owner’s presence. The tower information is used by the carriers to route calls to and from the phone, as well as data requests. The carrier can tie the phone to a location when phone calls and text messages were sent and received, as well as plaintext data such as web searches and email, much of which are logged. Location data can reveal things about a user that corporations have no need to know, including political associations, habits, and religion. Far too much can all be extracted by drilling into cell tower affiliations and the IMSI.
Just as new technologies such as cellphones stepped forward to strip away any real sense of privacy, another set of technologies has come forward to guard it. Many of these tools have been around for ages, others are only just starting to mature. Secure tunneling, which is also known as a Virtual Private Network (“VPN”), allows a user to tunnel their data through an encrypted network connection. All the primary service provider sees is the device connecting to the VPN provider. At the endpoint of the VPN, however, the user is still susceptible to the VPN provider’s logging as well as the data the apps loaded on the device have collected and shared.
A newer privacy technology is the blind signature. When an author of an email or document wishes to state unequivocally that its contents are authentic, they can cryptographically sign the document while leaving it legible to anyone who wishes to read it. Should anyone alter the document, the signature would fail to authenticate. Unlike previous signature systems, blind signatures perform the same function but without the signatory’s identity embedded. Likewise, a zero-knowledge proof allows two people to communicate encrypted private data without needing to share their identities.
PGPP brings together some of these new and old privacy tools to sequester data transmissions. While PGPP can randomize the IMSI, traditional voice calls remain vulnerable to snooping. Nevertheless, with PGPP, a user can browse the web or send messages without PGPP knowing anything about the communication’s contents. For this reason, the tower operator cannot build information on the user. Neither can anyone demand information PGPP does not have. There is simply no way to consistently tie a user to the phone. As the ACLU said, “It cannot be sold, leaked, or hacked, let alone offered to overreaching law enforcement.” Unfortunately, PGPP will not work on iPhones, though Apple could fix that if they desired to do so.
There is a constant battle for your private data. In an age when predictive analytics can choose the song you want to hear next or the words you are most likely to type in your web search or text, and when advertisers can hyper-target 150 people from billions of users based on their specific preferences, we have to demand more privacy from the corporations who build our devices and provide the services upon which those devices rely. PGPP is a giant step in that direction, though still incomplete because privacy was ignored by those who designed the architecture all cellphones must use.
Source: ACLU.org