I don't like that this is piggybacking on the recognizable name of an open standard and not-for-profit software while being considerably less open (Where's the RFC? Where's the source code?) and being for-profit.
This is a bit like calling your company "Red Cross Pharmaceuticals" despite not being affiliated with them.
I'm pretty sure you shouldn't try to piggyback off of a for-profit company's name either.
In fact atleast over here in Finland naming one's company is specifically reviewed by the patent and registry bureau to make sure it doesen't resemble any existing companies. It costs around 100-450€ and is mandatory for any new company
> It was on this day in 1991 that I sent the first release of PGP to a couple of my friends for uploading to the Internet. First, I sent it to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized in grassroots political organizations, mainly in the peace movement. [...] Then, I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing source code.
Symantec later bought it and things changed, but thanks to there being an open standard (OpenPGP) and RFCs, people can and did write compatible software. With varying degrees of compatibility, admittedly.
Just wanted to say hi – I’m one of the co-founders of this effort and would love to answer any questions or discuss further.
Also wanted to add, since this is a common question: does PGPP protect all identifiers or just some? As with most privacy systems, just some. Our aim is twofold: 1) to decouple a user's human identity from their network identities (mobile and Internet) and 2) randomize their network identities. We view decoupling as pretty fundamental to practical privacy -- to decouple who you are from what you do. Who you are in the context of the network is your human identity, often associated with the main point of contact you have with the network and billing -- your subscription and SIM, your broadband connection and its IP address and your home address, etc. That information has been used as the key upon which datasets can be attached.
The goal then is to decouple across entities -- the different parties who have data -- and across uses -- the different mechanisms of a network protocol, such as authentication and connectivity.
Other identifiers such as hardware identifiers aren't inherently attached to a person and aren't always used by networks, but even when they are, removing them is insufficient -- as our colleagues at UCSD found in recent work, phones can be identified at the PHY, without even using a unique hardware identifier.
Um what? Is PRZ involved? Is he ok with your using that name? He had something called PGPFone a long time ago, though it didn't get much traction. There have also been tons of other encrypted voice programs.
Obscuring traffic patterns without stupendous amounts of dummy traffic is quite difficult. That someone is connected to your network at all is already a huge giveaway. I have trouble seeing how something like this can work without a very big operator (think Cloudflare or AWS) being involved, and anything that size would have to get in bed with regulators. It's a lot easier if you're only trying to do low bandwidth text.
Hi barathr, thanks for joining the discussion! Having had a brief look at your paper and the Usenix slides[0], I've got three questions:
- Given that your Android app is security-critical for its users, are you planning on open-sourcing it in the near future?
- How exactly does your app work on Android? How does it rotate the IMSI? (I don't know a lot about eSIMs but I would have thought a regular app can't easily change the carrier/network settings.)
- As for the relay functionality, I suppose on Android this "simply" sets up a VPN once the network connection is established?
Your claim "we don't learn which eSIM your phone gets" is false. The eSIM update protocol, which is implemented in firmware which you do not control, will send you (the carrier) the eSIM's permanent ID (the EID), and you can't stop this. https://news.ycombinator.com/item?id=32416373
Moreover, you provide no protection whatsoever against IMEI tracking, which all carriers implement. IMEIs are reported to the carrier immediately after authentication/attach (AKA), and many will block invalid/unexpected IMEIs. You can't prevent this. Without a solution to IMEI tracking your work on IMSI tracking isn't much use. This won't protect anybody from the telcos. At best it might stop people using a stingray without assistance from the telco (i.e. almost nobody). https://news.ycombinator.com/item?id=32416308
The IMSI. We don't do anything with the IMEI ourselves (it's in the category of hardware identifiers that I'm mentioning above). Some phones can change them when rooted, some can't. The network attach process doesn't use the IMEI inherently by spec, but some cell cores can query for it (for example, to block stolen phones). It's not a network identifier, and strange things sometimes happen with the IMEI that don't even affect connectivity -- https://www.androidauthority.com/duplicate-imei-vivo-india-1...
Which means that the tower owners that PGPP partners with could absolutely still track users based on the IMEI if they configure their equipment to always ask for it. (It won't work in some edge cases like duplicate IMEIs but those are not super common).
They may not be doing it right now, but if this sort of thing catches on, it is likely that they will start trying to do it.
> The network attach process doesn't use the IMEI inherently by spec, but some cell cores can query for it (for example, to block stolen phones).
How widespread is this practice? Do the major US carriers know my IMEI?
I tend to believe that they do from what I've seen in their web interfaces, and that IMSI rotation alone is basically pointless from a privacy standpoint.
This is one of the problems with mobile -- there's isn't any one universally correct answer to this (or most questions), so I'll answer to the best of my knowledge. IMSIs are what are associated with your identity (because it's your SIM and service) in a normal mobile plan, and it's what was (is?) used by carriers when they aggregate / analyze / sell location data.
IMEIs can be queried by a network core (not the tower) and US carriers probably do this every once in a while to check against their stolen phone database. It can be changed on some devices but not others. It's not inherently tied to you as a person but of course it is tied to that device.
For those who don't need mobile data service of any sort, I think that PGPP Relay does what's needed -- decouples your IP from your identity -- and you can use WiFi networks without revealing anything.
> IMEIs can be queried by a network core (not the tower) and US carriers probably do this every once in a while to check against their stolen phone database. It can be changed on some devices but not others. It's not inherently tied to you as a person but of course it is tied to that device.
It's also linked to the rotating IMSI, so all of the rotating IMSIs that are used at the times the IMEI is interrogated are linked together from a metadata standpoint.
They're also all linked to every other IMSI that was ever used with that IMEI (at the times the IMEI is interrogated).
> US carriers probably do this every once in a while to check against their stolen phone database
Hourly? Daily? Monthly? Only on first-time seeing a new IMSI?
Carriers globally check at registration time to deny stolen phones access (via various shared databases) etc, this has been the case for a long time and someone selling mobile services should know this.
Probably on every connect, there are ways to randomize your IMEI on every boot on certain phones though (that might be not very legal in some countries)
IIRC changing the IMEI in the U.S. is legal. It may go against standards or something, but that's not a crime (though it would be an excuse for a carrier to kick you off their network, should they find out).
I would be shocked if there were real consequences for IMEI spoofing in the U.S. absent any crime (like stealing lots of phones and changing the IMEIs).
Ok so I should have said in sensible societies because IMEI changing does cause real issues like lack of 911 (in this case), however the 3gpp spec that governs all networks and devices, like your phone, prohibits IMEI changing -its not an innocuous operation as people assume
Edit: the FCC isn't specific about it but I'd imagine it falls under existing fraud regulations which may or may not be a federal thing.
A cursory Google suggests:
A bill was introduced in the United States by Senator Chuck Schumer in 2012 that would have made the changing of an IMEI illegal, but the bill was not enacted.
So in the USA specifically it is not a crime but in many places it is due to the aforementioned life at risk issue.
As devices are made for global .markets in general, the above does not apply anyway as you cannot change it without manufacturer tools anyway, at which point different regulation applies.
IMEI changes also have limited effect when fingerprinting is relatively easy.
The 911 issue seems small compared to the threat of totalitarian surveillance states, at least to me. I also have the strong intuition there's some way to implement emergency calling anonymously or pseudonymously using cryptographic trickery. In the end, I prefer living somewhere I can change the IMEI if I want
And a hint--I believe it's actually quite easy using an edXposed module if you want to root your Android phone.
Of course, then you've got a rooted phone, which is less secure.
> Ok so I should have said [that changing the IMEI of a phone is a criminal offense] in sensible societies because IMEI changing does cause real issues like lack of 911 (in this case)
This would mean that, in sensible societies, failing to carry a phone on your person is a criminal offense. It is a position only a true idiot could even articulate.
And again my point has been proven, you're assuming I'm making the argument that you've somehow come up with from what I said which does not even remotely match what i said, read it again and consider the possible reasons why 911 might not be usable.
Is no panacea to this problem everything has it's limits. Pairing an IMEI+IMSI rotation (which is perfectly lawful in many countries, grey in some and criminally prohibited in only a few) can be a very effective defense against network level threats to privacy.
This is incorrect. Changing your IMEI it is illegal in the USA under the Wireless Telephone Protection Act of 1998:
"Amends the Federal criminal code to prohibit knowingly using, producing, trafficking in, having control or custody of, or possessing hardware or software knowing that it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument"
There are lots and lots of laws, though, that are either unenforceable because they're badly written or just not enforced. The sibling comment pointing out the part you left out is on point, and I would be surprised if any sort of prosecution would ever happen. I'm paying my phone bill and I want to change my IMEI, so what? I'm not defrauding anyone. I am inclined to believe two things:
1) Nobody would ever bother me about this, and
2) Courts would agree with me if push came to shove
Thanks for finding this, as non-US trying to find relevant laws in the mess of multiple levels of law etc is difficult, i assumed the FCC would regulate this as the telecoms regulátor but it appears not
To be fair you're leaving out the last part of that sentence "... so that such instrument may be used to obtain telecommunications service without authorization."
Authorization by whom? I think if I'm paying my bill I have the telco's authorization. They're trying to prevent fraud that gets you free phone service here.
What payment methods are available, and what data do you collect for billing?
Could I pick up an eSIM compatible Android tomorrow for cash at the local pawn shop, and get service using your system without handing over anything identifiable?
Right now we use Stripe (mostly because it's the the most rock solid choice for payments) -- we don't ask for name or email, though of course Stripe could know that as a card processor. But our approach goes back to decoupling human identity from network identity -- what that payment says is that the holder of that card is a subscriber of the service but not, for example, what network ID you got.
Once you accept some kind of privacy coin (monero) I'll be delighted to buy a years service upfront.
I imagine many others will be in the same position.
Obviously taking crypto will mean upfront prepayment of accounts (like prepaid mobile credit) instead of monthly billing and will require some reworking.
I don't see what was evasive, happy to answer in more detail if there's something you're seeing not answered above. We use Stripe as a credit card processor -- so we have what Stripe's (very well documented) APIs provide. That reveals that you purchased the service, but we don't know anything about the network identity you have nor your Internet usage, because architecturally we don't have that information.
I understand that revealing that information to Stripe may not be acceptable -- not sure what to say to that. We've gotten requests for other forms of payments and we can consider it, but we don't support anything other than credit cards at the moment. (There are credit cards that aren't linked to a person, if that's a better option.)
No. All payment cards in the United States require strong government identity and KYC, per US federal law. To activate these cards you must provide identity information. Providing false information is a crime.
No. Gift cards can be purchased in-person in the US, with cash. Said gift cards are activated at the register upon purchase. These can then be gifted to someone else, and further activation (or registering your personal information with the card) is not required.
Edit: I just checked the Visa gift card issuer's site for a card I have (and never had to activate or provide personal information to), and for shopping online it just says:
>In the Payment Method section, enter the Card information as you would a credit or debit card. In the Billing Address section, fill in your name and address.
So when I check out online, I can enter any information that I like, presumably as long as it ties back to a valid address of some kind - there is zero effort on the part of the card issuer to verify that I am who I say I am. I would only need a PIN when making purchases with it as a debit card in-person. I should make it clear that I'm not saying that providing false information is legal, just that the point about being required to provide "strong government identity" to activate gift cards has been false for a long time.
Ive never been asked for ID to buy a gift card in USA. I thought Europe was once renowned for it's strong financial privacy laws? my, things have changed.
>PGPP does not support traditional phone calling/SMS and doesn’t include a phone number. Instead we recommend that users install and use more secure apps such as Signal and Matrix for voice and video.
Doesn't signal require a phone number to use? Or did they fix that?
Just a little feedback (worth a dime or a damn, you decide), but I come here for the comments first to judge whether clicking the link is worthwhile. The problem discussed in the parent comments would completely rule me out as a user: solving privacy is not a technical problem, it has always been a usability problem. This is primarily why your namesake failed - variations on wizardry that ultimately result in a user still having to jump through hoops to accomplish simple tasks sounds like the same thing all over again to me
I tend to not take this as a black and white matter -- I see privacy as a layered problem -- at multiple network/software layers -- and as a policy and user behavior question. No single response, whether user education, policy, technology, etc. can perfectly solve something as complex and nebulous as privacy. (It gets worse when we think about the contextual nature of privacy -- that what we want out of it depends on the parties involved, even the time of day.)
A service with throwaway numbers would be nice... a lot like https://www.emailnator.com/ does for email. But it would be even better if they wouldn't require a phone number or email.
I would love to buy your product, but won't yet. I need a few things:
1) You should explicitly test with privacy-respecting Android flavors like GrapheneOS. I assume it would work using the sandboxed play services hack, but I'm not sure.
2) You need another exit aside from London. U.K. has weak data protections, facilitates U.S. spying, doesn't even offer access to the real internet any more (they run a firewall and mandate various other kinds of nannying), and, generally, seems like it's sliding down the path towards some sort of oppressive surveillance state.
3) I need to be able to pay with cryptocurrency, ideally Monero.
1) we have tested with GrapheneOS and it does work. Relay works well with GrapheneOS. With some amount of configuration, the mobile plans also work, though it can be a bit tricky to set up.
2) We have many egresses (via Fastly) -- across North America, South America, Europe, and Asia -- and more planned. The London egress is used when you're on mobile data by default, but if you're on WiFi then you can egress elsewhere.
3) Not sure about that at the moment, but we've gotten the request from multiple folks.
Has the app been tested to work with GrapheneOS (without requiring Google Play Services). This question applies to both the esim function and/or the relay feature.
> You need another exit aside from London. U.K. has weak data protections, facilitates U.S. spying, doesn't even offer access to the real internet any more (they run a firewall and mandate various other kinds of nannying), and, generally, seems like it's sliding down the path towards some sort of oppressive surveillance state.
"UK mobile phone operators began filtering Internet content in 2004[9] when Ofcom published a "UK code of practice for the self-regulation of new forms of content on mobiles".[107] This provided a means of classifying mobile Internet content to enable consistency in filtering. All major UK operators now voluntarily filter content by default."
It's Wikipedia, so take it with a grain of salt, but...
Actually to save everyone else's time I'll explain the actual real world implications:
The "big 4" (over x customers) must implement "best effort" blocking, which varies between network (it's all useless because DNS is easy and satisfied the law), however unlike the USA, the UK has 100s if not 1000s of ISPs who are not subject to said regulation and can do what they want. This is because in the UK we do not stomp on competition which means independent ISPs are allowed to exist and pay the same price as everyone else for the same access.
While I'm here, there has never and never will be a "firewall" - the free market design of UK telecoms does not allow it to happen and there are no central points to filter, anyone who disagrees otherwise is a genuine moron or willfully ignorant, it doesn't matter the result is the same, since the reality trump's opinion.
If you'd like to discuss these things in real detail I have contact ability so message me instead of absolute nonsense on here - there is no excuse to be ignorant we live in an informational society.
Definitely want to try this, but the full feature cost is much more than my monthly phone bill. Does this route through a server at all (overhead costs) or is everything contained locally? Trying to understand the level of rationale for such a cost.
If it's contained locally, it's likely you could make more in volume than with a higher price.
Also, it's deceptive/leaves a bad taste in mouth with having the Play Store show an "Install" button rather than purchase, only to open the app to a paywall. Using this dark pattern could end up hurting user perception/the app's reviews.
The $5/month price is for the Relay functionality which provides the 2-hop traffic tunneling. I'm guessing(?) that's not more than your monthly phone bill?
The $90/month price is for unlimited mobile data, so it would in theory replace your phone bill entirely.
Hmm, thanks for that feedback. I think (hope?) people wouldn't think that service like this was free (the prices reflect the costs). We say pretty clearly on our site what the prices are and are trying to be upfront. It's true that the payment isn't handled by Google but by Stripe, so you aren't buying it on the Play Store, but that's because it's a network service, something that isn't under Google's normal payment processing.
I still do find it disingenuous to omit it entirely as it implies that all possible issues are averted which they absolutely are not, even if IMEI wasn't a factor.
It looks like the U.S. trademark for "PRETTY GOOD PRIVACY" (Registration Number 2015027) has "Cancellation Date April 24, 2020" even though the one for "PGP" (Registration Number 1914615 - with the identical "computer programs for data communications applications, and for the encryption and authentication of electronic information" description) isn't canceled.
Was this relevant to making the "likelihood of confusion" low enough that there's no risk of needing to rename the Pretty Good Phone Privacy product?
By decoupling the user identity from a permanent, globally unique IMSI, we make IMSI catcher / Stingray attacks less "useful" as the IMSI is changing and isn't tied to the user. They can attack your IMSI, but it won't be tied to you and it is ephemeral.
This is great if you are using an old SIM that still operates using IMSI on the sNode B Tower, its also bad because this is simply another overlay band-aid fix which bloats and slows your phone down, the privacy phones made by Obsidian Intelligence Group (obsidianintel.com) don't have this problem and they are also impervious to the SS7 network, I would check them out.. You can find more info on their twitter page @Obsidian_Intel as well.. I picked one up a few weeks ago and it is fantastic I couldn't be happier with it.
Can you give a run-down what's involved in getting service? Would I need to register with you and get an app or something? Which devices are supported? Do I need rooted device?
You can just install the app on a normal device and subscribe to the service on first run. For PGPP Relay, almost any Android device (and maybe even Chromebooks) works fine. For PGPP Mobile plans, you'd need an eSIM capable device (e.g. Pixel 4 or newer or Samsung S22).
The IMSI change is only truly effective if paired with an IMEI rotation - which as others have noted is legal (usa). So now we have a service provider that supports IMSI rotation I guess it is up to folks who can work on the hardware level to add support for IMEI rotation. I heard that GrapheneOS is developing its own hardware. It's possible we may have a very effective defense against cellular layer privacy attacks in the near future.
So what happens when the major mobile networks decide to stop allowing PGPP to use their network?
I seen this happen before. I used to use the "Private Buyer" Payment service to anonymously pay for services privately. They had issues with payment processors preventing their payments from going through. I gather largely due to the privacy aspects of the service. That was in the early 2000 and I think the went out of business after 3-5 years.
It's true, they could. The one thing that is perhaps helping at this moment is that they've come under scrutiny for their (bad) privacy practices -- both from the media and from the FCC. Ultimately we see privacy as a layered problem, from a technological standpoint and a social standpoint -- we need layers of protection across the network and software stack and also a combination of policy, technology, and user behavioral changes.
Since "one of the co-founders of this effort" seems not to grasp the realities of IMSI's & TMSI's and the reliance of network operators (read: billing) on these, I would strongly advice to treat this "solution" as experimental at best.
Part of the 3GPP standardization process is to ensure law enforcement stays efficient. So this IMSI change is totally futile. Sorry guys. If that 'co-founder' wants to speak, dm.
Are the codebases behind this project open source? Would be great to have the eSIM code, the client side and the two relay codebases publicly released.
Yes. With a traditional VPN you are trusting that VPN provider with all of your traffic. They know your identity and everything you do. The two hop architecture we use decouples that information such that neither hop has both the user's identity and their usage information. In our case, the second hop is Fastly.
This was a research project that we undertook while at our respective universities. We decided to spin it out as we think it's useful. We are not funded by the government or Princeton (while Princeton owns the IP).
This is a bit like calling your company "Red Cross Pharmaceuticals" despite not being affiliated with them.