This privacy service tries to stop your mobile carrier from tracking you
Who is tracking your cell phone? Probably more people than you are comfortable with. Working in a Guatemalan refugee camp, Paul Schmitt noticed an “IMSI catcher” at the entrance, presumably so authorities could track the whereabouts of residents. These devices, also known as “Stingrays”, are used by governments around the world to track citizens.
“Commercial surveillance” is also now in the government’s sights, as the FTC now seeks comment on “the activity of collecting, analyzing, and profiting from information about people.”
The IMSI (International Mobile Subscriber Identifier) is the code attached to your SIM card that lets the network know that you are a subscriber in good standing. The fact is that this number allows your mobile operator to track you, and they can pass this data on to partners or the authorities if they wish. Worse, third parties can set up Stingrays and collect subscriber IDs and locations for their own purposes.
So, with former Googler Barath Raghavan, Schmitt founded Invisv, a startup dedicated to figuring out how to hide its users’ IMSIs. Its new “Pretty Good Phone Privacy” (PGPP) product, available for Android phones with eSIM capability, combines a virtual carrier (using AT&T’s network in the US) with special software that lets you change your IMSI.
“We were hoping it would be picked up by the [phone] companies. We approached telecoms, and the response was not what we expected,” says Schmitt. “We wanted to show that it is actually possible.”
The company also offers a two-hop VPN service for Android that costs $5/month, to hide your internet traffic. (Apple’s iOS does not offer third-party developers the APIs needed to perform IMSI switching.)
Invisv’s mobile service is provided via eSIM and comes with an application that cycles your IMSI. For $40/month, you get 9GB of data and eight IMSI changes per month; for $90/month you get unlimited data and 30 IMSI changes. Essentially, you would appear on the network as a different person every day.
The actual connectivity is provided by various physical networks. In the US right now it’s AT&T, with T-Mobile coming soon. They make a deal with Invisv and never see your actual subscriber information.
This is paired with a two-hop VPN, also available as a separate $5 service. A two-hop VPN sends data to Invisv, which then masks your IP address and sends your data to VPN company Fastly, which ultimately sends it to the target website. It then becomes very difficult to connect your requests to any traffic heading to the destination.
“There’s mobile privacy, there’s internet privacy, and there’s app privacy,” says Raghavan. “We are trying to solve both [mobile and internet] which no one addressed.”
The application has a very simple interface. (Credit: Invisv)
5 Ways They Follow You
There are plenty of ways for carriers, platform providers, and app providers to track your phone, and plenty of ways to sell the data to brokers. Invisv’s first product takes care of a particularly tricky problem, and Schmitt walked me through some of the others.
1. MSISDN (your phone number)
In addition to your IMSI, every phone with a voice line has an MSISDN, also known as a phone number. It’s quite easy for your carrier to track your phone by MSISDN even if you cycle your IMSI. Invisv’s data-only SIM cards do not have a phone number. If you want to make calls or send texts, you sign up with a cloud-based provider like Line2.
2. SS7 Attacks
There is a huge flaw in 2G and 3G networks that allows well-resourced attackers, usually spy agencies, to intercept traffic. The new Diameter protocol, introduced with 4G, closes this hole, but it can reopen every time someone makes a call or sends an SMS (because these functions often use parts of the 2G or 3G system). Schmitt says Invisv avoids this by buying 4G and 5G service only; if there is no 4G coverage, the phone shows no signal.
3. GMS (Google mobile services)
Google’s main service on consumer Android smartphones, GMS “fingerprints” your device so that its own advertising products and the advertising products of its clients can target you. The way to avoid this is to load an “ungoogled” Android OS on your phone. Schmitt says Invisv works on Graphene and Calyx. Raghavan says the app will be available through the F-Droid store and as a direct APK download, to avoid Google Play.
4. App-Based Tracking SDKs
Many third-party apps on your phone collect personal and location data, which app makers then sell to brokers. (The New York Times has a terrifying example of the type of precise location data that brokers can provide.) The answer to this one is to say no when apps on your phone ask for your location. An even better solution would be to use a feature phone without apps, but Schmitt says “there’s not a huge market” for feature phones.
5. Behavioral fingerprinting
Unfortunately, this last one is very difficult to avoid. Even if you don’t authorize apps, they can “fingerprint” your behavior using data available through the platform’s APIs, combining that information into a unique identifier. In the wake of its location data story, the Times recommended the Disconnect.me app to block these trackers.
“We suggest that in addition to using PGPP, privacy-conscious users should use better apps, such as Signal or Matrix for communication and a privacy-preserving mobile browser, etc. (But they won’t need these apps’ VPN service.) These are complementary privacy practices because we view privacy as a multi-layered issue,” Raghavan says.
Invisv’s plan is now available on the Google Play Store.