“When you connect to the network, you provide the IMSI number to show to the back-end database that you are a paying customer, and here is the service you subscribe to,” Schmidt said. “Then the system will notify the rest of the core and let you enter the network. But the changes we made to PGPP have changed calculus. The subscriber database can verify that you are a paying user without knowing who you are. We have decoupled And transferred billing and identity verification.”
For operators, it is much easier to transform some billing systems and distribute applications to users than a more in-depth network overhaul. Raghavan and Schmitt are turning their research into a start-up company to make it easier to promote the project among American telecommunications companies. They acknowledged that even if it is easy to adopt, it is still a long process for the entire industry to switch to PGPP soon. But they say that getting only a few operators can still make a big difference. This is because if any important part of the entire collection is contaminated, the bulk location data will become less reliable.if 9 million For example, Boost Mobile users will broadcast the same or random IMSI number, which will destroy the accuracy and usefulness of the entire data set.
Cryptographer Bruce Schneier (Bruce Schneier) first learned about PGPP in January and recently became a project consultant. He said that even small virtual providers (called MVNOs) that don’t operate their own cell towers can implement the solution independently. , This fact is of great significance.
“An operator can do it on its own without anyone’s permission, and no one else needs to change anything of theirs,” Schneier said. “I can imagine one of the smaller companies saying that they will provide this as a value-added service because they want to be different. This is a very clever way of getting privacy at a very small cost.”
In the highly competitive monolithic wireless market, standing out in terms of privacy may be an attractive marketing strategy. The three major operators may try to stop MVNOs from adopting PGPP and the like through contract suspension. But the researchers said that some MVNOs have expressed interest in the proposal.
Between the potential pressure of law enforcement and the loss of data access—plus the need to distribute applications or involve mobile operating systems—operators may not have the incentive to adopt PGPP. Schmitt pointed out that in cases where law enforcement agencies may object to such a plan, operators can still perform targeted location history queries on specific phone numbers. The researchers said they believe that this method is legal in the United States under the Law Enforcement Communications Assistance Act. This is because a warning from PGPP is that it only adds privacy protection for cellular tower interactions involving data networks such as 4G or 5G. It will not attempt to interoperate with the long-established telephone protocol that facilitates traditional telephone calls and SMS text messaging. Users will need to rely on VoIP calls and data-based messaging to maximize privacy.
The method also focuses on IMSI numbers, and 5G counterparts called subscription permanent identifiers or SUPIs, and does not protect or obscure static hardware identifiers, such as International Mobile Equipment Identity (IMEI) numbers or media access control (MAC) addresses. These were not used in the cell tower interactions that the researchers were trying to anonymize, but they could provide other avenues for tracking.
However, after years of data abuse and growing privacy issues, it is still important to have a simple and straightforward option to solve a major location data leakage problem.
“Frankly, my feeling now is, why didn’t we see this before?” Ragwan said. “It’s not,’Wow, this is too difficult to figure out.’ It’s obvious in retrospect.”
“This actually makes us feel better as system researchers,” Schmidt added. “In the end, the simpler the system, the better the system.”
More exciting connection stories