Pretty Good Phone Privacy: An easy fix to mask user location from carriers

Amid the deluge of news about third-party apps tracking users without their consent and profiting by selling their private information, it is easy to forget that user identity and location data is being collected by wireless carriers as well.

This means turning off GPS services to disable apps and companies from tracking our location does not stop the mobile device from revealing our personal information to cell towers owned by operators, which could result in non-consensual location data exposure to third parties.

The fix to this seemingly complicated issue could be a simple piece of software developed by network security researchers Paul Schmitt and Barath Raghavan.

Schmitt was a research faculty in computer science at Princeton University until recently and is now transitioning to the Information Sciences Institute of the University of Southern California. Raghavan is a computer science professor at USC, with years of experience in the networking and security space.

Their solution, which is called Pretty Good Phone Privacy (PGPP) in a nod to the 1991 communication encryption program Pretty Good Privacy, is designed to break the direct line between a user’s mobile device and cell towers with the aim of limiting bulk data collection and the sale of it.

Speaking to The Sociable, Raghavan said even security and networking experts thought this issue was not solvable, largely due to the assumption that cutting off access to this data would require major infrastructure shifts that carriers are unwilling to make.

A ‘unique’ solution

PGPP is a “first-of-its-kind” solution and part of the reason why this data privacy issue persists is the fact that cellular has become more software and much easier to change only in recent years, Schmitt says.

“I think a lot of people have stayed away and not thought about cellular all that much because it’s a very strange architecture. It doesn’t look like any other type of network,” he explained.

According to him, what lies at the heart of the problem is the fact that each SIM card has a permanent ID number, which is globally unique and never changes, meaning that it can basically identify a user forever.

“What we wanted to do is disconnect the link between the human and that number. We break it in a couple of different ways, depending on how we want to solve the issue. But the simplest way is to make everybody use the same number in the network so everybody’s identical instead of having unique numbers. It’d be impossible to tell who’s who if we all look the same from the network’s perspective.”

What happens to billing?

A question that arises here is: What happens to the regular billing check that networks perform to verify someone is a paying user if they are anonymous?

Schmitt said they have addressed this challenge by decoupling what is known as authentication—who you are—from your phone connectivity.

“In the protocol we have developed, the user pays the bills and gets a cryptographically signed token from the provider, which is anonymous. So the network doesn’t know who’s paying. They just know you’re a paying user and you belong to them.”

Rolling out a pilot

Schmitt and Raghavan have launched a startup called Invisv to further promote their solution and have prototyped and tested everything with real phones in the lab.

In addition, they have presented their proposal in a paper that was included in the proceedings of the 30th USENIX Security Symposium held as a virtual event in August. Their team is in the process of rolling out a pilot in a network in the Seattle area as it is identical to the lab environment.

Schmitt said they are trying to initially bring telecoms in the United States and Europe on board and plan to collaborate with large operators that build and run their own towers as well as smaller virtual operators who do not own or operate towers but resell access to cell towers.

Positive feedback

Asked how the response has been so far, Raghavan said, “Pretty much everyone we’ve talked to has said it would be a nice idea to put PGPP in the network, and it’s been an interesting split between the U.S. and Europe.”

There has been more interest in Europe where privacy is more important and there are stricter regulations but U.S. operators do not seem to be as careful with user data, he added.

They also intend to collaborate with wireless carriers in Canada and a number of other companies. 

“There’s fundamentally no difference between the way this technology works anywhere globally. So it could be rolled out anywhere. It’s just a matter of whether the networks or their partner businesses would like to work with us or not,” Schmitt said.

No impact on network performance

Raghavan emphasized that their analyses show PGPP does not negatively affect network performance because the service can manage tens of millions of phone users on a single server and would be deployed seamlessly to customers through the network operator.

He believes the momentum building around privacy can help them encourage more wireless service providers to adopt their solution and says getting only a few of them could still make a huge difference.

The reason, according to him, is that bulk location data becomes much less reliable if any considerable portion of the total set is tainted.

“For the first time in human history, almost every single human being on the planet can be tracked in real time, which is a fundamental shift,” Raghavan said, expressing hope that PGPP could shield users from data privacy abuses.