
Just wanted to say hi – I’m one of the co-founders of this effort and would love to answer any questions or discuss further.

Also wanted to add, since this is a common question: does PGPP protect all identifiers or just some? As with most privacy systems, just some. Our aim is twofold: 1) to decouple a user's human identity from their network identities (mobile and Internet) and 2) randomize their network identities. We view decoupling as pretty fundamental to practical privacy -- to decouple who you are from what you do. Who you are in the context of the network is your human identity, often associated with the main point of contact you have with the network and billing -- your subscription and SIM, your broadband connection and its IP address and your home address, etc. That information has been used as the key upon which datasets can be attached. The goal then is to decouple across entities -- the different parties who have data -- and across uses -- the different mechanisms of a network protocol, such as authentication and connectivity.

Other identifiers such as hardware identifiers aren't inherently attached to a person and aren't always used by networks, but even when they are, removing them is insufficient -- as our colleagues at UCSD found in recent work, phones can be identified at the PHY, without even using a unique hardware identifier.



Um what? Is PRZ involved? Is he ok with your using that name? He had something called PGPFone a long time ago, though it didn't get much traction. There have also been tons of other encrypted voice programs.

Obscuring traffic patterns without stupendous amounts of dummy traffic is quite difficult. That someone is connected to your network at all is already a huge giveaway. I have trouble seeing how something like this can work without a very big operator (think Cloudflare or AWS) being involved, and anything that size would have to get in bed with regulators. It's a lot easier if you're only trying to do low bandwidth text.


>He had something called PGPFone a long time ago, though it didn't get much traction.

Does anyone have a copy of it? I can't find it ANYWHERE. Actually used it way back when, it worked surprisingly OK and was the first softphone I used.



Looks like the only downloadable on that mirror is the manual.


Hi barathr, thanks for joining the discussion! Having had a brief look at your paper and the Usenix slides[0], I've got three questions:

- Given that your Android app is security-critical for its users, are you planning on open-sourcing it in the near future?

- How exactly does your app work on Android? How does it rotate the IMSI? (I don't know a lot about eSIMs but I would have thought a regular app can't easily change the carrier/network settings.)

- As for the relay functionality, I suppose on Android this "simply" sets up a VPN once the network connection is established?

[0]: https://www.usenix.org/conference/usenixsecurity21/presentat...


Hi, less than 48 hours ago you had a "Show HN".

Your claim "we don't learn which eSIM your phone gets" is false. The eSIM update protocol, which is implemented in firmware which you do not control, will send you (the carrier) the eSIM's permanent ID (the EID), and you can't stop this. https://news.ycombinator.com/item?id=32416373

Moreover, you provide no protection whatsoever against IMEI tracking, which all carriers implement. IMEIs are reported to the carrier immediately after authentication/attach (AKA), and many will block invalid/unexpected IMEIs. You can't prevent this. Without a solution to IMEI tracking your work on IMSI tracking isn't much use. This won't protect anybody from the telcos. At best it might stop people using a stingray without assistance from the telco (i.e. almost nobody). https://news.ycombinator.com/item?id=32416308


Does this also randomize the IMEI, or just the IMSI?

Seems like if the same IMEI shows up over and over again with a different rotating IMSI then the jig is up.


The IMSI. We don't do anything with the IMEI ourselves (it's in the category of hardware identifiers that I'm mentioning above). Some phones can change them when rooted, some can't. The network attach process doesn't use the IMEI inherently by spec, but some cell cores can query for it (for example, to block stolen phones). It's not a network identifier, and strange things sometimes happen with the IMEI that don't even affect connectivity -- https://www.androidauthority.com/duplicate-imei-vivo-india-1...


Which means that the tower owners that PGPP partners with could absolutely still track users based on the IMEI if they configure their equipment to always ask for it. (It won't work in some edge cases like duplicate IMEIs but those are not super common).

They may not be doing it right now, but if this sort of thing catches on, it is likely that they will start trying to do it.


> The network attach process doesn't use the IMEI inherently by spec, but some cell cores can query for it (for example, to block stolen phones).

How widespread is this practice? Do the major US carriers know my IMEI?

I tend to believe that they do from what I've seen in their web interfaces, and that IMSI rotation alone is basically pointless from a privacy standpoint.


This is one of the problems with mobile -- there isn't any one universally correct answer to this (or most questions), so I'll answer to the best of my knowledge. IMSIs are what are associated with your identity (because it's your SIM and service) in a normal mobile plan, and it's what was (is?) used by carriers when they aggregate / analyze / sell location data.

IMEIs can be queried by a network core (not the tower) and US carriers probably do this every once in a while to check against their stolen phone database. It can be changed on some devices but not others. It's not inherently tied to you as a person but of course it is tied to that device.

For those who don't need mobile data service of any sort, I think that PGPP Relay does what's needed -- decouples your IP from your identity -- and you can use WiFi networks without revealing anything.


> IMEIs can be queried by a network core (not the tower) and US carriers probably do this every once in a while to check against their stolen phone database. It can be changed on some devices but not others. It's not inherently tied to you as a person but of course it is tied to that device.

It's also linked to the rotating IMSI, so all of the rotating IMSIs that are used at the times the IMEI is interrogated are linked together from a metadata standpoint.

They're also all linked to every other IMSI that was ever used with that IMEI (at the times the IMEI is interrogated).

> US carriers probably do this every once in a while to check against their stolen phone database

Hourly? Daily? Monthly? Only on first-time seeing a new IMSI?
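The linkage this comment describes, as an added illustration (example code, not from the thread or from PGPP): a constructed attach log with placeholder identifiers, showing that every IMSI seen during an attach where the IMEI was queried collapses into one handset identity, while IMSIs from attaches with no IMEI query stay unlinked.

```python
"""Added example: how IMEI interrogation links rotating IMSIs together.
The attach records and all identifiers below are constructed placeholders."""
from collections import defaultdict

# Constructed attach records: (time, IMSI used, IMEI if the core queried it, else None).
# The IMSI rotates on every attach; the IMEI is only interrogated on some of them.
ATTACH_LOG = [
    ("08:00", "IMSI-001", "IMEI-HANDSET-A"),
    ("09:00", "IMSI-002", None),              # no IMEI check this time
    ("10:00", "IMSI-003", "IMEI-HANDSET-A"),
    ("11:00", "IMSI-004", "IMEI-HANDSET-A"),
    ("12:00", "IMSI-005", None),
    ("13:00", "IMSI-006", "IMEI-HANDSET-B"),  # a different handset
]


def link_imsis_by_imei(log):
    """Group IMSIs that were ever reported alongside the same IMEI.
    Returns {imei: sorted list of linked IMSIs}. IMSIs whose attaches never
    triggered an IMEI query do not appear, i.e. they remain unlinked."""
    linked = defaultdict(set)
    for _time, imsi, imei in log:
        if imei is not None:
            linked[imei].add(imsi)
    return {imei: sorted(imsis) for imei, imsis in linked.items()}


def unlinked_imsis(log):
    """IMSIs that only ever appeared in attaches where the IMEI was not queried."""
    seen = {imsi for _t, imsi, _i in log}
    queried = {imsi for _t, imsi, imei in log if imei is not None}
    return sorted(seen - queried)


def linkage_ratio(log):
    """Fraction of distinct IMSIs the core can tie to a handset; rotation only
    buys privacy for the remainder."""
    seen = {imsi for _t, imsi, _i in log}
    return 1 - len(unlinked_imsis(log)) / len(seen)


if __name__ == "__main__":
    for imei, imsis in link_imsis_by_imei(ATTACH_LOG).items():
        print(f"{imei} links {len(imsis)} IMSIs: {imsis}")
    print("still unlinked:", unlinked_imsis(ATTACH_LOG))
    print(f"linkage ratio: {linkage_ratio(ATTACH_LOG):.2f}")
```

The more often the core queries the IMEI, the closer the ratio gets to 1.0 and the less the IMSI rotation achieves against that carrier.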


Carriers globally check at registration time to deny stolen phones access (via various shared databases) etc. This has been the case for a long time, and someone selling mobile services should know this.


Probably on every connect. There are ways to randomize your IMEI on every boot on certain phones, though (that might not be very legal in some countries).


Please familiarise yourself with how cell networks actually work, you can't throw out comments like this because it's just not true.


I know it's work, but...could you explain?


If anyone else asked sure but I reviewed your comments earlier and I think it might be a lost cause.


I'm curious also.


I think you should clarify this: changing the IMEI in most countries is a criminal offence. Do not keep brushing this topic off.


IIRC changing the IMEI in the U.S. is legal. It may go against standards or something, but that's not a crime (though it would be an excuse for a carrier to kick you off their network, should they find out).

I would be shocked if there were real consequences for IMEI spoofing in the U.S. absent any crime (like stealing lots of phones and changing the IMEIs).


Ok, so I should have said in sensible societies, because IMEI changing does cause real issues like lack of 911 (in this case). However, the 3GPP spec that governs all networks and devices, like your phone, prohibits IMEI changing; it's not an innocuous operation, as people assume.

Edit: the FCC isn't specific about it but I'd imagine it falls under existing fraud regulations which may or may not be a federal thing.

A cursory Google suggests:

A bill was introduced in the United States by Senator Chuck Schumer in 2012 that would have made the changing of an IMEI illegal, but the bill was not enacted.

So in the USA specifically it is not a crime but in many places it is due to the aforementioned life at risk issue.

As devices are made for global markets in general, the above does not apply anyway, as you cannot change it without manufacturer tools, at which point different regulation applies.

IMEI changes also have limited effect when fingerprinting is relatively easy.


The 911 issue seems small compared to the threat of totalitarian surveillance states, at least to me. I also have the strong intuition there's some way to implement emergency calling anonymously or pseudonymously using cryptographic trickery. In the end, I prefer living somewhere I can change the IMEI if I want.

And a hint--I believe it's actually quite easy using an edXposed module if you want to root your Android phone.

Of course, then you've got a rooted phone, which is less secure.


> Ok so I should have said [that changing the IMEI of a phone is a criminal offense] in sensible societies because IMEI changing does cause real issues like lack of 911 (in this case)

This would mean that, in sensible societies, failing to carry a phone on your person is a criminal offense. It is a position only a true idiot could even articulate.


And again my point has been proven: you're assuming I'm making the argument that you've somehow come up with from what I said, which does not even remotely match what I said. Read it again and consider the possible reasons why 911 might not be usable.

This is not difficult.


There is no panacea to this problem; everything has its limits. Pairing an IMEI+IMSI rotation (which is perfectly lawful in many countries, grey in some and criminally prohibited in only a few) can be a very effective defense against network level threats to privacy.


> IIRC changing the IMEI in the U.S. is legal.

This is incorrect. Changing your IMEI is illegal in the USA under the Wireless Telephone Protection Act of 1998:

"Amends the Federal criminal code to prohibit knowingly using, producing, trafficking in, having control or custody of, or possessing hardware or software knowing that it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument"

https://www.congress.gov/bill/105th-congress/senate-bill/493


I appreciate you looking this up.

There are lots and lots of laws, though, that are either unenforceable because they're badly written or just not enforced. The sibling comment pointing out the part you left out is on point, and I would be surprised if any sort of prosecution would ever happen. I'm paying my phone bill and I want to change my IMEI, so what? I'm not defrauding anyone. I am inclined to believe two things:

1) Nobody would ever bother me about this, and

2) Courts would agree with me if push came to shove


Thanks for finding this. As a non-US person, trying to find relevant laws in the mess of multiple levels of law etc. is difficult. I assumed the FCC would regulate this as the telecoms regulator, but it appears not.


To be fair you're leaving out the last part of that sentence "... so that such instrument may be used to obtain telecommunications service without authorization."


Because it doesn't matter: none of the big three tower operators in the USA authorizes you to use their telecommunications service with a fake IMEI.


Authorization by whom? I think if I'm paying my bill I have the telco's authorization. They're trying to prevent fraud that gets you free phone service here.


> I think if I'm paying my bill I have the telco's authorization.

That's nice. The courts think differently.


There is no such thing as a "fake" IMEI.


Luckily for the rest of us, the US is not "most countries", and makes up < 5% of the world's population.


What payment methods are available, and what data do you collect for billing?

Could I pick up an eSIM compatible Android tomorrow for cash at the local pawn shop, and get service using your system without handing over anything identifiable?


Right now we use Stripe (mostly because it's the most rock solid choice for payments) -- we don't ask for name or email, though of course Stripe could know that as a card processor. But our approach goes back to decoupling human identity from network identity -- what that payment says is that the holder of that card is a subscriber of the service but not, for example, what network ID you got.


Once you accept some kind of privacy coin (Monero) I'll be delighted to buy a year's service upfront.

I imagine many others will be in the same position.

Obviously taking crypto will mean upfront prepayment of accounts (like prepaid mobile credit) instead of monthly billing and will require some reworking.


Not accepting Monero and not having the app open source and on F-Droid are also why I won't even think about subscribing to this service for now.

For a privacy product this should have been there at the start.


Thanks for working on this, I can't wait to give you my money.

It seems like you're misreading a key market segment if you don't offer cryptocurrency payments (particularly Monero).


Why not accept cryptocurrency?


Do you accept visa/mc/amex giftcards? Stripe merchants can opt to decline these cards.


Your somewhat evasive answers don't really instill confidence.

The answer is no, you cannot. Payment cards are PII.


I don't see what was evasive, happy to answer in more detail if there's something you're seeing not answered above. We use Stripe as a credit card processor -- so we have what Stripe's (very well documented) APIs provide. That reveals that you purchased the service, but we don't know anything about the network identity you have nor your Internet usage, because architecturally we don't have that information.

I understand that revealing that information to Stripe may not be acceptable -- not sure what to say to that. We've gotten requests for other forms of payments and we can consider it, but we don't support anything other than credit cards at the moment. (There are credit cards that aren't linked to a person, if that's a better option.)


> There are credit cards that aren't linked to a person

My desire to know more intensifies.


https://www.amexgiftcard.com/

Go to the grocery store, buy with cash, you're good to go.


No. All payment cards in the United States require strong government identity and KYC, per US federal law. To activate these cards you must provide identity information. Providing false information is a crime.


Nonsense and balderdash, sneak. I can walk into any grocery store which isn't fancy and buy a hundred bucks' worth of Visa with cash.

You said this with remarkable confidence and were dead wrong. You should reflect on that.


>No.

No. Gift cards can be purchased in-person in the US, with cash. Said gift cards are activated at the register upon purchase. These can then be gifted to someone else, and further activation (or registering your personal information with the card) is not required.

Edit: I just checked the Visa gift card issuer's site for a card I have (and never had to activate or provide personal information to), and for shopping online it just says:

>In the Payment Method section, enter the Card information as you would a credit or debit card. In the Billing Address section, fill in your name and address.

So when I check out online, I can enter any information that I like, presumably as long as it ties back to a valid address of some kind - there is zero effort on the part of the card issuer to verify that I am who I say I am. I would only need a PIN when making purchases with it as a debit card in-person. I should make it clear that I'm not saying that providing false information is legal, just that the point about being required to provide "strong government identity" to activate gift cards has been false for a long time.


You can buy visa gift cards for cash


I haven't been able to do that in Europe without providing ID for well over a decade.


I've never been asked for ID to buy a gift card in the USA. I thought Europe was once renowned for its strong financial privacy laws? My, things have changed.



