New Mobile Phone Service Shows We Can Have Both Privacy and Nice Things

Despite the desires of companies to monetize our data, we must insist that privacy be built into the technologies we depend on.

Daniel Kahn Gillmor, Senior Staff Technologist, ACLU Speech, Privacy, and Technology Project

Jay Stanley, Senior Policy Analyst, ACLU Speech, Privacy, and Technology Project

The recent launch of a new mobile phone service introduced significant new privacy protections into the mobile phone system. This exciting new approach highlights the failure of the existing mobile phone infrastructure to protect privacy, and points the way forward for a wide variety of technologies besides mobile phones.

Today’s cellphones are generally a privacy disaster. Partly that’s the result of the two companies that control the operating system software on the vast majority of the world’s pocket computers. The most common operating system, Android, is controlled by an advertising company (Google) and is notorious for leaking information about its users. Apple, which controls iOS, while excellent on privacy in many respects, is also becoming increasingly interested in monetizing its customers’ data, and lacks adequate controls to prevent rogue apps from many forms of spying. The result is that a lot of the activity we engage in on our phones is tracked.

Today’s cellphones are generally a privacy disaster.

There are already solutions out there for the privacy problems posed by Android and iOS: privacy-focused operating systems such as CalyxOS and GrapheneOS. Widespread adoption of those would be a step in the right direction. But the operating system can’t defend against another major obstacle to phone privacy: the architecture of the cellular network itself. In order for your carrier to route calls and data to your phone, the network needs to constantly know which cell tower your phone is near. And when you make a call or use data, the provider can see where that traffic is going. Cell carriers track and store this accidental byproduct of the technology in order to record people’s location history and network activity for marketing purposes and, in certain circumstances, for sharing with law enforcement.

This tracking happens through a standard identifier tied to each SIM card called an Internal Mobile Subscriber Identifier (IMSI) — basically an account number used, among other things, to verify that a phone’s mobile service is paid for. The new phone service, called Pretty Good Phone Privacy (PGPP), uses encryption techniques to deliberately blind itself so that it can’t know that the user of a mobile device is you, or what data you are sending from that phone. You connect to the PGPP service for payment, and that’s all.

Location data is so sensitive that the Supreme Court agreed with the ACLU that law enforcement should not be able to obtain it from the carriers without a warrant.

The service has some limitations. It covers data only, not voice calls. For complex technical reasons (that Apple could fix if it wanted to), it doesn’t work on iPhones, which represent about half of U.S. phones but only 16 percent of phones globally. And certain other techniques for tracking phones remain in place. Nonetheless, it is an important step forward in protecting privacy.

Location data is so sensitive that the Supreme Court agreed with the ACLU that law enforcement should not be able to obtain it from the carriers without a warrant. Such data can reveal things about our associations, our habits, and our political, sexual, religious, and medical lives that no telecom provider has a right to know just because of the way cellular technology happens to work. With PGPP’s approach, the carrier simply does not have the data to turn over to anyone. It cannot be sold, leaked, or hacked, let alone offered to overreaching law enforcement agencies.

And the fact that this service has been created by two determined technologists shows clearly that Verizon, T-Mobile, AT&T, and their smaller competitors could be offering such a privacy-protecting service, but don’t want to.

This service is also a harbinger of broader trends when it comes to privacy protection — namely, the expansion of privacy protection through the use of innovative developments in cryptography. Some of those developments are brand new, while others — including one used by the PGPP service — are decades old and just now being applied. With names like “zero-knowledge proofs” and “blind signatures,” these techniques can let us enjoy all the features and benefits of technology while still protecting our privacy. We can have our cake and eat it too.

For web browsing or messaging systems, for example, they allow us to exchange encrypted communications with anyone on earth, even though we haven’t previously met those people to agree on a secret code or encryption key. When it comes to identity systems, they can let us prove that we’re over 18 (or anything else) without actually revealing who we are. And now, in the case of the phone system, we know it can allow a service provider to send data to our phone through the cell tower that is closest to us, without the provider knowing who or where we are.

Originally, tracking our phones was the only way to deliver the service, but that’s not true anymore — now it’s just about the cell carriers lining their pockets by tracking us while turning a blind eye to readily available encryption techniques that can protect our privacy.

Where it is technologically possible to achieve legitimate administrative aims (such as making sure that a phone is authorized to connect to the network) while at the same time protecting privacy, there is absolutely no reason not to do so. That’s true for phones and for many other technologies as well. Despite the selfish desires of companies to monetize our data and the unbalanced and constitutionally suspect interests of security agencies in mass tracking of people’s activities, we need to insist that privacy be built into the architectures we depend on.