Our phones are almost always tracking our location, even with GPS services turned off. This is because, to receive service, our phones disclose personal identifiers to cell towers owned by major network operators. This has given rise to a large data-harvesting industry that sells users’ location data to third parties without user consent.
Recently, researchers at the University of Southern California (USC) Viterbi School of Engineering and Princeton University found a way to close this privacy gap using existing cellular networks. Their approach protects mobile privacy and still provides normal mobile connectivity. The work was presented at the USENIX Security Conference on August 11th.
The new framework, referred to as ‘Pretty Good Phone Privacy’ or PGPP, decouples phone connectivity from authentication and billing by anonymizing the personal identifiers sent to cell towers. It is a software-based solution which the researchers describe as an ‘architecture change’. It does not change cellular network hardware.
‘We’ve unwittingly accepted that our phones are tracking devices in disguise, but until now we’ve had no other option—using mobile devices meant accepting this tracking’, said co-author Barath Raghavan, Assistant Professor in Computer Science at USC. ‘We figured out how to decouple authentication from connectivity and ensure privacy while maintaining seamless connectivity, and it is all done in software.’
For your phone to function, the network has to have your location and identify you as a paying customer at all times. Major operators and data brokers have exploited this system to make money from selling sensitive user data. Currently, in the U.S., there are no federal laws hindering the use of location data.
‘Today, whenever your phone is receiving or sending data, radio signals go from your phone to the cell tower, then into the network’, said Raghavan. ‘The networks can scoop up all that data and sell it to companies or information-for-hire middlemen. Even if you stop apps tracking your location, the phone still talks to the tower, which means the carrier knows where you are. Until now, it seemed like a fundamental thing we could never get around.’
However, Raghavan and co-author Paul Schmitt discovered a way. Their key finding was that there is no reason why your personal identifier has to grant you network connectivity.
Their novel system works by breaking the direct chain of communication between the cellphone and the cell tower. Rather than sending a personally identifiable signal to the cell tower, the phone sends an ‘anonymous token’, using a mobile virtual network operator, like Cricket or Boost, as an intermediary.
‘The key is—if you want to be anonymous, how do they know you’re a paying customer?’ said Raghavan. ‘In the protocol we developed, the user pays the bills, and gets a cryptographically signed token from the provider, which is anonymous. Now the identity in a specific location is separated from the fact that there is a phone at that location.’
The duo tested their findings with real phones in the lab. Their approach adds almost no latency and does not introduce any bottlenecks or challenges. The service could handle millions of users on a single server and would be deployed without issues to customers through the network operator.
Because the system works by stopping the cellphone from identifying its user to the cell tower, all other location-based services still work as usual. The researchers are hopeful that the technology will be accepted by major networks, especially given mounting complaints and legal pressure to adopt new privacy regulations.
‘For the first time in human history, almost every single human being on the planet can be tracked in real-time,’ said Raghavan. ‘Until now, we had to just silently accept this loss of control over our own data—we believe this new measure will help to restore some of that control.’
By Marvellous Iwendi.
Source: USC Viterbi