Boffins propose Pretty Good Phone Privacy to end pretty invasive location data harvesting by telcos

Computer science boffins have devised a way to prevent the location of mobile phone users from being snarfed and sold to marketers, though the technique won’t affect targeted nation-state surveillance.

“We solve something that had previously been thought impossible – achieving location privacy in mobile networks,” Paul Schmitt, an associate research scholar at the Center for Information Technology Policy (CITP) at Princeton University, told The Register.

In “Pretty Good Phone Privacy,” [PDF] a paper scheduled to be presented on Thursday at the Usenix Security Symposium, Schmitt and Barath Raghavan, assistant professor of computer science at the University of Southern California, describe a way to re-engineer the mobile network software stack so that it doesn’t betray the location of mobile network customers.

“It’s always been thought that since cell towers need to talk to phones then all users have to accept the status quo in which mobile operators track our every movement and sell the data to data brokers (as has been extensively reported),” said Schmitt. “We show how it’s possible to protect users’ mobile privacy while at the same time providing normal connectivity, and to do so without changing any of the hardware in mobile networks.”

In recent years, mobile carriers have been routinely selling and leaking location data, to the detriment of customer privacy. Efforts to alter the status quo have been hampered by an uneven regulatory landscape, the resistance of data brokers that profit from the status quo, and the assumption that cellular network architecture requires knowing where customers are located.

But thanks to evolving networking technology, which has shifted many core cellular functions from hardware to software, it’s now possible to redesign mobile networks to limit the availability of location data.

The SUPI (Subscription Permanent Identifier), the paper explains, is the 5G equivalent of the IMSI (International Mobile Subscriber Identity) used in 4G LTE networks. The SUPI gets encrypted before transmission in 5G networks to create a Subscription Concealed Identifier (SUCI); but when connecting to legacy networks, the SUPI, like the IMSI, may be exposed.

Schmitt and Raghavan describe a new logical network entity called the Pretty Good Phone Privacy Gateway (PGPPGW), which sits between the public internet and the UPF (User Plane Function), the gateway that provides global IP connectivity from the network core.

The purpose of Pretty Good Phone Privacy (PGPP) is to avoid using a unique identifier for authenticating customers and granting access to the network. It’s a technology that allows a Mobile Virtual Network Operator (MVNO) to issue SIM cards with identical SUPIs for every subscriber because the SUPI is only used to assess the validity of the SIM card. The PGPP network can then assign an IP address and a GUTI (Globally Unique Temporary Identifier) that can change in subsequent sessions, without telling the MVNO where the customer is located.

“We decouple network connectivity from authentication and billing, which allows the carrier to run Next Generation Core (NGC) services that are unaware of the identity or location of their users but while still authenticating them for network use,” the paper explains. “Our architectural change allows us to nullify the value of the user’s SUPI, an often targeted identifier in the cellular ecosystem, as a unique identifier.”
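To make the effect of identical SUPIs concrete, here is a small simulation added for illustration; it is not code from the paper or from The Register. The attach events, SUPI values and function names are constructed, and the model assumes a fresh GUTI on every attach in both modes. It compares what a core network's attach records let someone reconstruct when each subscriber has a unique SUPI versus when every SIM presents the same one.

```python
import secrets
from collections import defaultdict

# Constructed sample: (time_slot, subscriber, cell) attach events.
EVENTS = [
    (1, "alice", "cell-A"), (1, "bob", "cell-C"), (1, "carol", "cell-B"),
    (2, "alice", "cell-B"), (2, "bob", "cell-C"), (2, "carol", "cell-A"),
    (3, "alice", "cell-D"), (3, "bob", "cell-A"), (3, "carol", "cell-D"),
]
SHARED_SUPI = "001019999999999"  # constructed placeholder value

def core_log(events, pgpp):
    """Records the core would hold per attach: SUPI, temporary GUTI, cell."""
    supis, log = {}, []
    for t, who, cell in events:
        if pgpp:
            supi = SHARED_SUPI  # every SIM presents the same SUPI
        else:
            supi = supis.setdefault(who, f"00101{len(supis):010d}")
        # Simplification: a fresh GUTI on every attach in both modes.
        log.append({"t": t, "supi": supi,
                    "guti": secrets.token_hex(8), "cell": cell})
    return log

def trajectories(log, key):
    """Group cell sightings by one identifier, in time order."""
    paths = defaultdict(list)
    for rec in sorted(log, key=lambda r: r["t"]):
        paths[rec[key]].append(rec["cell"])
    return dict(paths)

def recovered_paths(log, key, events):
    """Count identifier groups that equal one subscriber's true path."""
    truth = defaultdict(list)
    for _, who, cell in events:
        truth[who].append(cell)
    return sum(1 for p in trajectories(log, key).values()
               if p in truth.values())

if __name__ == "__main__":
    for label, pgpp in (("per-subscriber SUPI", False), ("shared SUPI", True)):
        log = core_log(EVENTS, pgpp)
        print(label, "-> paths recovered via SUPI:",
              recovered_paths(log, "supi", EVENTS))
```

With unique SUPIs every subscriber's path falls out of a single group-by; with the shared SUPI the records collapse into one bucket, and the rotating GUTIs link nothing beyond a single session.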

Not illegal, inventors claim

PGPP is not intended as a defense against law enforcement or intelligence agencies, though the researchers believe it would limit bulk surveillance of mobile customers. Its primary focus is defending against the surreptitious sale of location data by network providers.

“Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy enhanced service can be seamlessly deployed,” the paper says.

The technology may improve the privacy of cellular network architecture but it leaves adjacent privacy issues unresolved. It does nothing to prevent apps from gathering location data, it doesn’t provide voice or text privacy, and it doesn’t address the tracking of hardware identifiers like IMEI.

The paper argues that PGPP is legal because while CALEA (Communications Assistance for Law Enforcement Act) requires that communication providers offer lawful interception of voice and SMS traffic, a PGPP-based carrier would be data-only, with third-party voice and messaging services, and CALEA compliance would be handled by providing access to communication data in the form of raw (and probably encrypted) network traffic via the UPF gateway.

But just because it’s legal doesn’t mean that MVNOs will rush to disavow data sales revenue and to implement technology that puts their customers’ interests above their own.

More realistically, Schmitt argues PGPP will help mobile operators comply with current and emerging data privacy regulations in US states like California, Colorado, and Virginia, and post-GDPR rules in Europe. ®