Who's tracking your cell phone? Probably more people than you're comfortable with. Working in a Guatemalan refugee camp, Paul Schmitt noticed an "IMSI catcher" at the entrance, presumably so authorities could track the residents' comings and going. These devices, also known as "Stingrays," are used by governments around the world to track citizens.
"Commercial surveillance" is also now in the government's crosshairs, as the FTC now seeks comment on "the business of collecting, analyzing, and profiting from information about people."
The IMSI (international mobile subscriber identifier) is the code attached to your SIM card that lets the network know you're a subscriber in good standing. Thing is, that number lets your mobile provider track you, and it can give that data to partners or authorities if it wants. Even worse, third parties can set up Stingrays, and collect subscriber IDs and locations for their own purposes.
So along with ex-Googler Barath Raghavan, Schmitt founded Invisv, a startup dedicated to figuring out how to cloak its users' IMSIs. Its new "pretty good phone privacy" product, available for Android phones that have eSIM capability, combines a virtual carrier (using AT&T's network in the US) with special software that lets you churn your IMSI.
"We were hopeful this would be picked up by the [phone] companies. We approached the telecoms, and the response wasn't what we hoped for," Schmitt says. "We wanted to show this is actually possible."
The company also offers a two-hop VPN service for Android that costs $5/month, to hide your internet traffic. (Apple's iOS doesn't offer third-party developers the APIs needed to do IMSI switching.)
So Invisv offers a mobile service, provided via eSIM, which has an app that cycles your IMSI. For $40/month, you get 9GB of data and eight IMSI changes per month; for $90/month, you get unlimited data and 30 IMSI changes. Essentially, you'd appear to the network as a different person each day.
The actual connectivity is provided through various physical networks. In the US right now that's AT&T, with T-Mobile coming on board down the road. They make a deal with Invisv, and they never see your actual subscriber information.
That's paired with a two-hop VPN, also available as a $5 separate service. A two-hop VPN sends data to Invisv, which then hides your IP address and sends your data to VPN firm Fastly, which finally sends it to the target website. It then becomes very hard to connect your requests with any traffic heading to the destination.
"There's mobile privacy, there's internet privacy, and there's app privacy," Raghavan says. "We're trying to solve the two [mobile and internet] which nobody has addressed."
5 Ways They Track You
There are a lot of ways carriers, platform providers, and application providers track your phone, and a lot of ways that data can be sold to brokers. Invisv's premier product takes care of a particularly tricky one, and Schmitt walked me through some of the others.
1. MSISDN (Your Phone Number)
Along with your IMSI, every phone with a voice line has an MSISDN, otherwise known as a phone number. It's easy enough for your carrier to track your phone by MSISDN even if you cycle your IMSI. Invisv's data-only SIMs have no phone number. If you want to make calls or send texts, you sign up with a cloud-based provider such as Line2.
2. SS7 Attacks
There's a massive flaw in 2G and 3G networks that lets well-resourced attackers—typically, spy agencies—intercept traffic. The newer Diameter protocol, introduced with 4G, closes that hole, but it can open up any time someone makes a call or sends a text (because those functions often use parts of the 2G or 3G system.) Schmitt says he avoids that by buying only 4G and 5G service; if there's no 4G coverage, the phone shows no signal.
3. GMS (Google Mobile Services)
The core Google service on mainstream Android smartphones, GMS "fingerprints" your device so its own ad products, and clients' ad products, can target you. The way to avoid this is by loading a "non Googled" Android OS on your phone. Schmitt says Invisv works on Graphene and Calyx. Raghavan says the app will be available through the F-Droid store and as a direct APK download, to avoid Google Play.
4. App-Based Tracking SDKs
Many third-party apps on your phone collect personal and location data, which the app makers then resell to brokers. (The New York Times has a terrifying example of the kind of precise location data the brokers can provide.) The answer for this one is to say no when apps on your phone ask for your location. An even better solution would be to use a feature phone with no apps, but Schmitt says "there's not a huge market" for feature phones.
5. Behavioral Fingerprinting
Unfortunately, this last one is very difficult to avoid. Even if you don't give apps permission, they may be "fingerprinting" your behavior using data available through the platform APIs, combining that information into a unique identifier. In the wake of its location-data story, the Times Times recommended the app Disconnect.me to block these trackers.
"We would suggest that in addition to using PGPP, privacy-conscious users should use better apps—such as Signal or Matrix for communication and a privacy-preserving mobile browser, etc. (But they won't need the VPN service from such apps.) These are complementary privacy practices, as we see privacy as a layered problem," Raghavan says.
Invisv's plan is now available on the Google Play Store.