de0u
I sent Cape an email regarding some of the concerns raised here:
Hello,
In an article released Nov. 21 by 404media, Cape was paraphrased as stating "when it rolls out more broadly to the public, that offering won't include ... the same degree of identity obfuscation". What benefit do Cape's services provide without strict identity obfuscation?
Per your privacy policy, each time "your phone connects to a cellular base station" (presumably meaning a person uses your service), even though you do not store location data, your "physical infrastructure partners" do. Specifically your privacy policy states your "physical infrastructure partners" can (and will) collect:
Location - Time of Arrival (TOA)
Location - Angle of Arrival (AOA)
Observed Time Difference of Arrival (OTDOA)
Location - GPS Coordinates (on use of 911)
Location - Enhanced Cell ID (E-CID)
And your "network service providers" can (and will) collect:
Phone number
Location - Cell ID (which identifies a geographic area of coverage provided by a network tower)
Call Detail Records (CDRs, also known as call logs)
Subscriber SIM number (IMSI)
Device number (IMEI)
Without strict obfuscation, 3rd party providers now get un-obfuscated data, allowing for the correlation of all this information with an individual's identity--perpetuating the detrimental societal norm of mass surveillance which Cape states it hopes to help mitigate. Additionally, with 3rd party service providers storing this information, individuals are once again forced to trust their personal safety to the protections these service providers put on the data (mitigating data breaches, insider threats, etc.), something they are not historically known for being good at.
While I understand not all of this can be mitigated due to cross-network routing requirements, with all this in mind, I repeat my originally posed question: what benefit do your services provide without strict identity obfuscation techniques in place during a wide-spread public rollout?
Thank you for your time!
And to my surprise, they actually responded!
Hi there,
Thanks for the thoughtful question and detailed review of our privacy policy.
We decouple subscriber identities from other unique identifiers. Because we collect a minimal amount of information from subscribers, it's harder to tie information gleaned from cell towers, for example, to a specific individual. If an adversary cannot link identifiers to a subscriber identity, the data collected by the adversary becomes less useful and meaningful.
Furthermore, by minimizing data retention periods, it becomes harder for adversaries to piece together information from multiple sources. There is typically a significant lag between "harvesting" of sensitive data and its exploitation. For example, if an adversary collected detailed geolocation data from 6 months ago, it would be impossible to correlate that information with our call logs, which are deleted after two months.
The low retention periods don't defend against an APT, but we're hardened against insider threat via a minimal trust framework and defense in depth. We default to encrypting, including internal workflows and direct connect traffic, that typical telcos would not encrypt (as it makes it easier for them to debug performance issues). What this means is that even Cape engineers would not have access to sensitive subscriber data.
Therefore, even without the identity obfuscation feature, data collection minimization, short retention periods, and hardening against insider threat still provide significant mitigations that would suffice for most general consumers.
We hope this answers your questions, and please don't hesitate to reach back out.
An excellent response. While it didn't directly answer all of my questions, I think it provides an understanding that for a public rollout they are focusing on the security of their own infrastructure, rather than identity obfuscation from other providers--which is already far better than what current telecom providers are doing.
So while not perfectly ideal, it is still a significant improvement over the competition.