IMSI is not the only identifier available to mobile networks and attackers alike. Does PGPP provide IMEI randomization? What stops the mobile networks from tracking you using the IMEI associated to the ephemeral IMSIs?
Answer found in the linked paper:
"""
For many devices, the IMEI can be changed through software, often without root access. We envision a PGPP MVNO would allow for subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against a EIR to verify the phone has not been reported as stolen. At that point, the IMEI could be reprogrammed to a single value, similar to our changes to the SUPI. Additionally, PGPP users can readily switch SIMs to different handsets (IMEIs) at-will. Note that different jurisdictions have different rules about whether, how, and by whom an IMEI can be changed, so only in some cases IMEI changes require cooperation with the MVNO.
...
A PGPP-based carrier is data-only, with voice and messaging provided by third parties.
"""
So, the next question is: if voice is provided by third parties (i.e., relies on the actual IMSI/IMEI), what stops the mobile operator from correlating the presence of the IMSI/IMEI to the ephemeral IMSIs/IMEIs, so as to infer the real network identity behind the randomised IDs?
But you still need to make and receive regular OTA calls and SMS at times. This is where VoIP is needed, such as voip.ms, Twilio, Google Voice. Voip.ms with the Linphone app and an SMS app called VOIP.MS on Android have worked well for me. I occasionally and rarely use a burner SIM but do everything over Wi-Fi with VPN.
"In addition, law enforcement has long demanded backdoor access to private user devices and user data [61]. We do not believe that users of PGPP, in its current form, would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA)"
Randomizing the IMSI is great and all, but it only protects against >20-year old interception techniques (e.g. Stingrays). Nothing to see here.
> In addition, law enforcement has long demanded backdoor access to private user devices and user data
Law enforcement has long demanded all sorts of things, but the presence of such a demand doesn't mean that they have the backdoors which that statement insinuates. If anything, the fact that law enforcement is having to publicly beg for private access suggests that they don't already have it (unless you believe that is a bluff).
> capable of withstanding targeted legal or extra-legal attacks by nation-state organizations
If your threat model includes "nation states are going to break their own laws to attack me" then you're not safe even if you never use a phone. In fact, you're not safe even if you never commit a crime.
Perhaps someone can explain this. If Alice calls Bob, her carrier has to be able to locate Bob to make his phone ring. Therefore, Bob can always be tracked. I do not see how this can be overcome. Seems to me that this service is a perpetual motion machine.
There are many ways to solve this. The simplest one is that Bob owns a trusted server that always knows where he is. He uses a few proxies in series to connect to this server. When Alice wants to call Bob she contacts his server.
The branding is pretty revealing. They’re calling this “PGPP” because they want to sell to drug dealers.
Various “secured” encrypted phones have been sold as “PGP phones” for years now regardless of the underlying technology having anything to do with PGP.
We named it entirely as an homage to the original PGP. This was literally an academic research project we did, with the exact same name, for years before we made it into a service.
> We named it entirely as an homage to the original PGP.
Are you affiliated with any of the authors or developers of "the original PGP"? To be precise, Phil Zimmermann, PGP Inc, Network Associates, PGP Corp, or Broadcom Inc?
>They’re calling this “PGPP” because they want to sell to drug dealers.
Can you explain how this follows? It sounds like you're claiming that the only people who have an interest in privacy are drug dealers? Which would be a pretty ridiculous take, if that's what you're implying.
Drug dealers make up like 90+% of the market for expensive cryptophones.
There’s been a bunch of companies selling “PGP phones” specifically to drug dealers. Many of these have been shut down by LE. If you look, you’ll find that most of them unsurprisingly maintain physical storefronts in drug dealing hotspots like Marbella.
The idea isn’t that only drug dealers care about privacy, it’s that they’re the people with enough disposable cash and few enough brain cells to buy this stuff.
I think, especially in the wake of EFF's Fog Data broker investigation, the idea that drug dealers are the only market for a tracking resistant mobile device is untrue. (Although I guess I'd buy that drug dealers are more receptive than the general public to something branded as "PGP.")
But I'm one of those strawmen on the other side of this debate (a journalist) and such a product is appealing to me. If it's not appealing to the general public that is IMO a lack of education on the topic.
That said, I have not reviewed how this particular thing is supposed to work, and my assumption is that it is An0m v2 until proven otherwise. Additionally, doesn't Signal require a phone number to sign up? If this service provides no phone number how does that work?
So you can get 30 IMSI switches per month... that doesn't sound like anywhere near enough for me.
Also - what happens if you're on a low traffic cell site and make the change. Suddenly a new IMSI appears on that tower (with a big jump from its last location). I'm pretty sure I could track someone with this service.
There are fundamental tradeoffs here, so it's good for users to know what they're interested in protecting against, compare against the security model that the system provides, and determine if it works for them and their needs.
Am I forgetting something or does merely changing the IMSI while doing nothing about IMEI just lead to a security theatre mentality when fake BTS can still track the device by the IMEI?
Answer found in the linked paper:
"""
For many devices, the IMEI can be changed through software, often without root access. We envision a PGPP MVNO would allow for subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against a EIR to verify the phone has not been reported as stolen. At that point, the IMEI could be reprogrammed to a single value, similar to our changes to the SUPI. Additionally, PGPP users can readily switch SIMs to different handsets (IMEIs) at-will. Note that different jurisdictions have different rules about whether, how, and by whom an IMEI can be changed, so only in some cases IMEI changes require cooperation with the MVNO.
...
A PGPP-based carrier is data-only, with voice and messaging provided by third parties.
"""
So, the next question is: if voice is provided by third parties (i.e., relies on the actual IMSI/IMEI), what stops the mobile operator from correlating the presence of the IMSI/IMEI to the ephemeral IMSIs/IMEIs, so as to infer the real network identity behind the randomised IDs?