Location data sharing from wireless mobile devices has been a major privacy issue in recent years. Salespeople, marketers, and bounty hunters are paying shady third-party companies to track people’s locations. They gather this information from interactions between users’ phones with nearby cell towers.
What is happening?
Major companies like AT&T, Verizon, and T-Mobile continued selling the information even after making promises to stop the practice. This practice was stopped after the US Federal Communications Commission proposed almost $200M in combined fines. But, the carriers still have the urge to know as much as possible about the user. So, researchers propose a simple fix for the issue to limit the availability of bulk location data from the cell towers.
The third-party location industry is primarily dependent on apps that request access to the users’ GPS information. The location data gained by the carriers through cell towers provide an alternative for this. For long, not much could be done regarding this data leakage. This is because restricting access to this data would create the need for systemic upgrades. Carriers are unwilling to make such changes.
At the Unisex Security Conference on Thursday, 12th August 2021, network security researchers Barath Raghavan of the University of Southern California and Paul Schmitt of Princeton University presented a scheme called Pretty Good Phone Privacy. It can restrict data related to wireless users’ location from the carriers with a software upgrade. Any carrier can adopt this upgrade. This eliminates the requirement for tectonic shifts in infrastructure.
How is this happening?
Every SIM card has an International Mobile Subscriber Identity (IMSI) number. When an attempt to make a fresh connection is made, it searches for the nearest cell tower and presents the IMSI number. This allows the carrier to check the phone balance for continued service, and it also collects the information of which cell towers the phone is close to. IMSI catchers or Stingrays make use of this interaction to collect location data. They may even eavesdrop on text and calls.
How does PGPP help?
Every device now comes wireless standard which generates a random and rotating ID after the initial IMSI exchange has taken place. This adds a layer of privacy to the IMSI exchange which comes built-in to the system.
Pretty Good Phone Privacy is a communications encryption system that works by re-imagination of the billing check that the carriers perform. The researchers propose to install portals on every device. This will run checks with billing servers to confirm the standing of the users. The systems would hand out digital tokens that do not reveal the device’s identity. PGPP will only check if the wireless account is paid for. When a device attempts to connect to cell towers, the system will filter the interaction through the portal with a simple yes or no interaction. Depending on that interaction, whether to provide service or not is decided.
Raghavan and Schmitt are already in the process to turn their research into a startup. Their project could guarantee the protection of privacy of the user and also help the carriers to adopt this project without having to make major system changes.