The IMSI. We don't do anything with the IMEI ourselves (it's in the category of hardware identifiers that I'm mentioning above). Some phones can change them when rooted, some can't. The network attach process doesn't use the IMEI inherently by spec, but some cell cores can query for it (for example, to block stolen phones). It's not a network identifier, and strange things sometimes happen with the IMEI that don't even affect connectivity -- https://www.androidauthority.com/duplicate-imei-vivo-india-1...
Which means that the tower owners that PGPP partners with could absolutely still track users based on the IMEI if they configure their equipment to always ask for it. (It won't work in some edge cases like duplicate IMEIs but those are not super common).
They may not be doing it right now, but if this sort of thing catches on, it is likely that they will start trying to do it.
> The network attach process doesn't use the IMEI inherently by spec, but some cell cores can query for it (for example, to block stolen phones).
How widespread is this practice? Do the major US carriers know my IMEI?
I tend to believe that they do from what I've seen in their web interfaces, and that IMSI rotation alone is basically pointless from a privacy standpoint.
This is one of the problems with mobile -- there isn't any one universally correct answer to this (or most questions), so I'll answer to the best of my knowledge. IMSIs are what are associated with your identity (because it's your SIM and service) in a normal mobile plan, and it's what was (is?) used by carriers when they aggregate / analyze / sell location data.
IMEIs can be queried by a network core (not the tower) and US carriers probably do this every once in a while to check against their stolen phone database. It can be changed on some devices but not others. It's not inherently tied to you as a person but of course it is tied to that device.
For those who don't need mobile data service of any sort, I think that PGPP Relay does what's needed -- decouples your IP from your identity -- and you can use WiFi networks without revealing anything.
> IMEIs can be queried by a network core (not the tower) and US carriers probably do this every once in a while to check against their stolen phone database. It can be changed on some devices but not others. It's not inherently tied to you as a person but of course it is tied to that device.
It's also linked to the rotating IMSI, so all of the rotating IMSIs that are used at the times the IMEI is interrogated are linked together from a metadata standpoint.
They're also all linked to every other IMSI that was ever used with that IMEI (at the times the IMEI is interrogated).
> US carriers probably do this every once in a while to check against their stolen phone database
Hourly? Daily? Monthly? Only on first-time seeing a new IMSI?
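The linkage argument in the comment above, as an added example that is not part of the thread: it clusters rotating IMSIs by the IMEI seen alongside them and shows how the result depends on how often the core asks. The attach log, the `IMSI-*`/`IMEI-*` labels, one attach per day with a fresh IMSI, and the three interrogation policies are all constructed assumptions.

```python
from collections import defaultdict

def link_imsis(events):
    """Cluster IMSIs that were observed with the same IMEI (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    anchor = {}  # IMEI -> first IMSI it was observed with
    for _day, imsi, imei in events:
        find(imsi)                 # register the IMSI even when no IMEI was seen
        if imei is None:
            continue               # core did not interrogate the IMEI on this attach
        if imei in anchor:
            parent[find(imsi)] = find(anchor[imei])
        else:
            anchor[imei] = imsi

    clusters = defaultdict(list)
    for imsi in parent:
        clusters[find(imsi)].append(imsi)
    # Largest clusters first, then alphabetical, for stable output.
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c))

def build_events(asks_imei, days=6):
    """Constructed log: two devices, each attaching once a day with a new IMSI."""
    events = []
    for device in ("A", "B"):
        for day in range(days):
            imei = f"IMEI-{device}" if asks_imei(day) else None
            events.append((day, f"IMSI-{device}{day}", imei))
    return events

POLICIES = {
    "never asked": lambda day: False,
    "every third attach": lambda day: day % 3 == 0,
    "every attach": lambda day: True,
}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        clusters = link_imsis(build_events(policy))
        print(f"{name}: {len(clusters)} clusters, largest = {clusters[0]}")
```

With no interrogation the twelve IMSIs stay unlinked; with interrogation on every attach they collapse to one cluster per device, and anything in between links exactly the IMSIs in use when the IMEI was requested.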
Carriers globally check at registration time to deny stolen phones access (via various shared databases) etc, this has been the case for a long time and someone selling mobile services should know this.
Probably on every connect. There are ways to randomize your IMEI on every boot on certain phones though (that might be not very legal in some countries).
IIRC changing the IMEI in the U.S. is legal. It may go against standards or something, but that's not a crime (though it would be an excuse for a carrier to kick you off their network, should they find out).
I would be shocked if there were real consequences for IMEI spoofing in the U.S. absent any crime (like stealing lots of phones and changing the IMEIs).
Ok so I should have said in sensible societies because IMEI changing does cause real issues like lack of 911 (in this case); however, the 3GPP spec that governs all networks and devices, like your phone, prohibits IMEI changing - it's not an innocuous operation as people assume.
Edit: the FCC isn't specific about it but I'd imagine it falls under existing fraud regulations which may or may not be a federal thing.
A cursory Google suggests:
A bill was introduced in the United States by Senator Chuck Schumer in 2012 that would have made the changing of an IMEI illegal, but the bill was not enacted.
So in the USA specifically it is not a crime but in many places it is due to the aforementioned life at risk issue.
As devices are made for global markets in general, the above does not apply anyway as you cannot change it without manufacturer tools anyway, at which point different regulation applies.
IMEI changes also have limited effect when fingerprinting is relatively easy.
The 911 issue seems small compared to the threat of totalitarian surveillance states, at least to me. I also have the strong intuition there's some way to implement emergency calling anonymously or pseudonymously using cryptographic trickery. In the end, I prefer living somewhere I can change the IMEI if I want.
And a hint--I believe it's actually quite easy using an edXposed module if you want to root your Android phone.
Of course, then you've got a rooted phone, which is less secure.
> Ok so I should have said [that changing the IMEI of a phone is a criminal offense] in sensible societies because IMEI changing does cause real issues like lack of 911 (in this case)
This would mean that, in sensible societies, failing to carry a phone on your person is a criminal offense. It is a position only a true idiot could even articulate.
And again my point has been proven, you're assuming I'm making the argument that you've somehow come up with from what I said which does not even remotely match what I said, read it again and consider the possible reasons why 911 might not be usable.
There is no panacea to this problem; everything has its limits. Pairing an IMEI+IMSI rotation (which is perfectly lawful in many countries, grey in some and criminally prohibited in only a few) can be a very effective defense against network level threats to privacy.
This is incorrect. Changing your IMEI is illegal in the USA under the Wireless Telephone Protection Act of 1998:
"Amends the Federal criminal code to prohibit knowingly using, producing, trafficking in, having control or custody of, or possessing hardware or software knowing that it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument"
There are lots and lots of laws, though, that are either unenforceable because they're badly written or just not enforced. The sibling comment pointing out the part you left out is on point, and I would be surprised if any sort of prosecution would ever happen. I'm paying my phone bill and I want to change my IMEI, so what? I'm not defrauding anyone. I am inclined to believe two things:
1) Nobody would ever bother me about this, and
2) Courts would agree with me if push came to shove
Thanks for finding this, as a non-US person trying to find relevant laws in the mess of multiple levels of law etc is difficult. I assumed the FCC would regulate this as the telecoms regulator but it appears not.
To be fair you're leaving out the last part of that sentence "... so that such instrument may be used to obtain telecommunications service without authorization."
Authorization by whom? I think if I'm paying my bill I have the telco's authorization. They're trying to prevent fraud that gets you free phone service here.