Paul Schmitt of Princeton University and Barath Raghavan of the University of Southern California are two academics who are now also businessmen after launching INVISV, a mobile phone service based on the Pretty Good Phone Privacy (PGPP) technology they developed. INVISV offers Americans the opportunity to disrupt the tracking of their location by repeatedly changing the IMSI associated with their phone. The USD90 per month plan includes 30 IMSI changes and unlimited data, whilst the USD40 per month plan offers eight changes of the IMSI with a cap of 9GB data. Both plans exclude voice and SMS, but that might not matter to privacy enthusiasts who want extra protection whilst using encrypted OTT comms services like Signal and Telegram. The core sales pitch for INVISV is that US telcos have a bad record when it comes to selling location data, though often the purchaser of the data is a branch of law enforcement that wants to track people’s movements whilst dodging legal obstacles designed to prevent infringements of privacy. Customers of INVISV can undermine any attempts to track them by simply changing their apparent IMSI at a press of a button, so the networks they rely upon can no longer use the IMSI as an effective key for queries about the movements of a specific person.
As academics, Schmitt and Raghavan documented their PGPP research before they sought to commercialize it. A USENIX paper presented in 2021 captures the blueprint for what became INVISV.
Whereas prior generations of cellular networks ran on highly-specific hardware, many modern cellular core functions are run in software, making it more amenable to key changes.
In our approach, users are protected against location tracking, even by their own carrier. We decouple network connectivity from authentication and billing, which allows the carrier to run Next Generation Core (NGC) services that are unaware of the identity or location of their users but while still authenticating them for network use. Our architectural change allows us to nullify the value of the user’s SUPI, an often targeted identifier in the cellular ecosystem, as a unique identifier. We shift authentication and billing functionality to outside of the cellular core and separate traditional cellular credentials from credentials used to gain global connectivity.
Since it will take time for infrastructure and legislation to change, our work is explicitly not clean slate. We anticipate that our solution is most likely to be deployed by Mobile Virtual Network Operators (MVNOs), where the MVNO operates the core (NGC) while the base stations (gNodeBs) are operated by a Mobile Network Operator (MNO). This presents us with architectural independence as the MVNO can alter its core functionality, so long as the NGC conforms to LTE / 5G standards. While it is not strictly necessary for PGPP to be adopted by an MVNO, we assume that existing industry players (e.g., MNOs) are unlikely to adopt new technologies or have an interest in preserving user privacy unless legal remedies are instituted. As a result, we consider how privacy can be added on top of today’s mobile infrastructure by new industry entrants.
The essence of PGPP is to create a pseudo-network, much like that offered by any MVNO, but which also substitutes the data associated with a particular phone with other data drawn from a common pool. This means the details of individuals can be obfuscated, and the quality of the privacy depends on how often users change their associated IMSI, which is why INVISV’s most expensive plan includes many more IMSI changes than the cheaper plan.
We decouple back-end connectivity from the authentication procedure that normally occurs at the AUSF when a UE attaches to the network. Instead, the PGPP operator issues SIM cards with identical SUPIs to all of its subscribers. In this model, the SUPI is used only to prove that a user has a valid SIM card to use the infrastructure and, in turn, the PGPP network can provide an IP address and connectivity and offer the client a GUTI, providing the user with a unique identity necessary for basic connectivity. Note that using identical SUPIs is only one technique for nullifying its value. We anticipate that a network could assign random SUPIs from a pool. Such a mechanism would require a sufficiently large pool, and would be enabled as more UEs employ eSIM capabilities, allowing their SIMs to be programmable from the network. We leave exploration into this as future work.
5G authentication is normally accomplished using SUPIs at the AUSF; however, all PGPP users share a single SUPI. Thus, to authenticate a user, we designed a post-attach oblivious authentication scheme to ensure that the PGPP operator is able to account for the user without knowing who they are.
PGPP obfuscates the location of each phone by exploiting a feature that was originally meant to reduce signaling overheads.
In PGPP, we exploit the tracking area list (TAL) concept, introduced in 3GPP Release 8. Using TALs, a UE no longer belongs to a single tracking area, but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users, in PGPP, we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional, adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) that victim is within.
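The per-UE TAL generation the paper describes, as an added simulation that is not part of the paper or of INVISV’s code: it builds a constructed grid of tracking areas, grows a random contiguous list of up to 16 areas around the TA the AMF learned for the UE, checks the properties the scheme relies on, and counts how many distinct lists UEs sitting in the same TA receive. The grid topology, the function names and the seeded RNG are assumptions made for this example.

```python
import random
from typing import Dict, List, Set

MAX_TAL = 16  # per-UE tracking area list limit quoted on the page (3GPP Release 8)

def grid_adjacency(rows: int, cols: int) -> Dict[str, Set[str]]:
    """Constructed toy topology: TAs on a grid, adjacent if they share an edge (assumption)."""
    adj: Dict[str, Set[str]] = {f"ta-{r}-{c}": set() for r in range(rows) for c in range(cols)}
    for r in range(rows):
        for c in range(cols):
            for nr, nc in ((r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)):
                if 0 <= nr < rows and 0 <= nc < cols:
                    adj[f"ta-{r}-{c}"].add(f"ta-{nr}-{nc}")
    return adj

def generate_tal(current_ta: str, adjacency: Dict[str, Set[str]],
                 rng: random.Random, size: int = MAX_TAL) -> List[str]:
    """Grow a fresh TAL for one UE around the TA the AMF learned at attach or TAU:
    repeatedly add a randomly chosen TA adjacent to the list built so far."""
    tal, members = [current_ta], {current_ta}
    while len(tal) < size:
        frontier = sorted({n for ta in tal for n in adjacency[ta]} - members)
        if not frontier:          # topology exhausted (small operator footprint)
            break
        pick = rng.choice(frontier)
        tal.append(pick)
        members.add(pick)
    rng.shuffle(tal)              # list order must not reveal which entry is the real TA
    return tal

def is_valid_tal(tal: List[str], current_ta: str, adjacency: Dict[str, Set[str]],
                 size: int = MAX_TAL) -> bool:
    """Real TA covered, within the 3GPP limit, no duplicates, and one contiguous region."""
    if current_ta not in tal or len(tal) > size or len(set(tal)) != len(tal):
        return False
    members, seen, stack = set(tal), {current_ta}, [current_ta]
    while stack:
        for n in adjacency[stack.pop()]:
            if n in members and n not in seen:
                seen.add(n)
                stack.append(n)
    return seen == members

def assign_tal(current_ta: str, adjacency: Dict[str, Set[str]], seed: int) -> List[str]:
    """One UE's TAL from a seeded RNG (seeded only so the example is reproducible)."""
    return generate_tal(current_ta, adjacency, random.Random(seed))

def distinct_tals(current_ta: str, adjacency: Dict[str, Set[str]], n_ues: int) -> int:
    """Distinct lists handed to n_ues UEs in the same TA: none maps to a shared precomputed region."""
    return len({frozenset(assign_tal(current_ta, adjacency, seed)) for seed in range(n_ues)})
```

An observer who learns a UE's TAL but not its current TA can only narrow the phone to one of `len(tal)` areas, and because every UE gets its own list, the TAL cannot be matched against a fixed map of precomputed regions.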
I could continue to explore Schmitt and Raghavan’s privacy methods in more detail, but you can read their research in your own time, or just watch their YouTube video. It is sufficient to state they have shown some ingenuity in developing their techniques, but they will gain little traction because they have failed to account for real world factors that influence how much privacy individuals can obtain in practice. Much of their paper reads like an advert for PGPP, and so suffers from a lack of objectivity that is unbecoming of academics. This exacerbates problems with the quality of Schmitt and Raghavan’s research. For example they state that “in recent years there has been a rise of cell-site simulators, also known as IMSI catchers”. This may be true, but they provide no citation to support this assertion. The law enforcement agencies and spies that use IMSI catchers do not publicly report on the use of this technology, begging the question of how anyone is supposed to monitor trends. It is not even clear if Schmitt and Raghavan’s observation is meant to apply to the USA or more generally. Like other lazy students of the communications industry, they present data that is specific to the USA alongside generalizations that are not specific to the USA, leaving the reader unable to determine if the authors genuinely believe the USA is representative of the whole world, or if the goal was to exaggerate the importance of their work. Their interest in IMSI-catchers is largely irrelevant anyway; PGPP offers a way to disrupt surveillance conducted at scale, whilst IMSI-catchers are used to track all the phones of a nearby target. It beggars belief that such spies would be fooled by a change in a target’s IMSI, any more than they would be fooled by their target switching one phone off and switching a second phone on.
INVISV seeks to capitalize on growing concern from US residents about data privacy in general and location tracking in particular. It also appears to have some heavyweight advisors in Bruce Schneier, a well-known commentator on cryptography for communications, and Jon Callas, Chief Scientist of the original PGP Inc. and co-founder of the Silent Circle encrypted comms service. But despite the experience of these two advisors, the sales pitch for INVISV is painfully naïve. Most of the sales rhetoric suggests the US government is largely indifferent as to whether telcos track users and might sometimes be supportive of enhancing privacy. The US government were actually the pioneers of using networks for mass surveillance, first per the instructions of President George W. Bush, and then his successor Barack Obama, whose agents went to great trouble to refine and extend the surveillance program. Telcos have always had a lot of data, but operators only knew about users of their own networks, whilst it was the National Security Agency (NSA) that demanded the bulk supply of telco data and developed the analytical capability to track individuals across all networks.
Contrary to the ill-informed opinions of most Americans, telecommunications is a highly-regulated industry. If governments really want telcos to stop doing something, they will soon force them to stop doing it. The reason why US telcos can be so lax with data is because the US government wants telcos to act as a conduit for the government’s own information gathering. Callas should appreciate that fact; he decided to pre-emptively shut down Silent Circle’s encrypted email service in 2013 before the government could exploit it for surveillance.
If INVISV gained any significant number of customers, or started to serve as a model for the privacy-enhanced MVNOs envisaged in Schmitt and Raghavan’s paper, then the US government would shut them down quicker than you can say “just like its privacy-loving predecessors”. The government’s arguments will be straightforward:
- Criminals will be attracted to a service like this because it means law enforcement will not be able to obtain evidence showing a suspect’s location when a crime was occurring.
- The government cannot permit the exploitation of a legal ‘loophole’ where telcos are required to support lawful interception of voice calls and SMS messages but criminals then use encrypted OTT services running on top of INVISV’s data-only service.
- INVISV has promised not to interfere with determining the location of a phone used to call emergency services, but that provides no reassurance when there is a need to hurriedly locate the victim of a crime who is not making a 911 call.
We could certainly debate how valid these arguments are, but these are the arguments that the US government would put forward. Just as importantly, INVISV is not even much protection against governments and agencies determined to spy on a target’s phone. Spyware firms like NSO Group have shown they can subvert phones without requiring a single click from the victim, and whilst NSO Group is no longer popular with the US government, the idea of phone surveillance will not have diminished since US federal police conducted trials of NSO Group spyware. Perhaps Schmitt and Raghavan need to spend more time outside of academic environments, because the likeliest market for the painfully expensive INVISV will be wealthy university graduates who have come to believe big business is in cahoots with the government and that only brave young people like them can organize the protests that will restore democracy. I doubt many criminals will waste their money on INVISV because they have long utilized a more foolproof method of rotating their IMSI: buy burner phones and then throw them away.
The US has a problem with privacy. This will occasionally prompt bureaucrats to engage in a form of theater where they pretend to clamp down on telcos whilst some other part of government is secretly demanding even more personal data from the same telcos. The latest manifestation of this revolving hypocrisy is the FCC sending letters to telcos to demand information about their data collection and retention policies. They could have just asked the FBI to provide a review of what personal data can be obtained from telcos in actual practice. The underlying problem cannot be solved with new laws, new policies, or even with new technology, because none of these will heal a fundamental fault line in the culture of the USA. Nobody who can offer nationwide leadership is willing to do so, and those that offer leadership on a regional basis are easily undermined because it is easy to move data across state lines. The US is ruled by people who want to be popular, and they equally strive to be popular with privacy nerds and law enforcement junkies, despite the irreconcilable demands of both camps. That is why it hardly makes any difference if the government is led by Republicans or Democrats.
Some people crave privacy, whilst others give data away like they are dropping a penny into a tip jar. Despite the efforts of people like Schmitt and Raghavan, the operation of networks requires the same principles be applied to everyone. That is not just because of technology; it is because policy cannot be tailored for the desires of each individual without soon encountering resistance from stakeholders who want or need policies to be consistently applied. Rotating IMSIs from a pool is an interesting way of delivering privacy when observed in isolation. It soon appears unrealistic when you contemplate who makes the relevant decisions and where their motivations lie.