Mobile phones give users a reassuring button that tells them they can keep apps and companies from tracking their location. Unfortunately, researchers at the University of Southern California say our phones are revealing this GPS data anyway. To stop it, a team has devised a way to finally separate a phone user’s network connectivity from their personal privacy.
For the first time ever, researchers from USC’s Viterbi School of Engineering and Princeton University have stopped this privacy breach using existing cell networks. Their study reveals that the problem with mobile phones starts with how modern phones receive service.
They explain that to get service, phones reveal personal identifiers to cell towers owned by major network providers — even if you turn the GPS services off. The team says this leads to largely unregulated data-harvesting industries selling user location data to third parties without their consent.
“We’ve unwittingly accepted that our phones are tracking devices in disguise, but until now we’ve had no other option—using mobile devices meant accepting this tracking,” says study co-author Barath Raghavan, an assistant professor in computer science at USC, in a university release. “We figured out how to decouple authentication from connectivity and ensure privacy while maintaining seamless connectivity, and it is all done in software.”
Bringing order to the lawless cellular network
Right now, researchers say networks have to know your location in order to identify you as a paying customer and send service to your phone. This means, whether you “disabled” the GPS settings or not, mobile providers are tracking both your identity and your location.
As a result, data brokers and major operators continue to take advantage of the system by profiting off of selling private information. Moreover, study authors say there are no federal laws restricting the usage of private location data in the U.S.
“Today, whenever your phone is receiving or sending data, radio signals go from your phone to the cell tower, then into the network,” Raghavan adds. “The networks can scoop up all that data and sell it to companies or information-for-hire middlemen. Even if you stop apps tracking your location, the phone still talks to the tower, which means the carrier knows where you are. Until now, it seemed like a fundamental thing we could never get around.”
Raghavan and study co-author Paul Schmitt discovered that, despite the status quo, there’s no reason personal identifiers are a requirement to grant network access. Their new system breaks the direct line between a user’s cell phone and cell towers. Instead, PGPP sends an anonymous “token” to the tower, using a virtual network operator like Cricket or Boost as a middle-man.
“The key is – if you want to be anonymous, how do they know you’re a paying customer?” Raghavan explains. “In the protocol we developed, the user pays the bills, and gets a cryptographically signed token from the provider, which is anonymous. Now the identity in a specific location is separated from the fact that there is a phone at that location.”
Giving control back to users
The team has launched a startup called Invisv which has tested the system using real phones in a lab. Their findings reveal PGPP does not affect the performance of networks and the service could handle tens of millions of mobile phone users on a single server.
“For the first time in human history, almost every single human being on the planet can be tracked in real-time,” Raghavan concludes. “Until now, we had to just silently accept this loss of control over our own data—we believe this new measure will help to restore some of that control.”
The team presented their new system at the USENIX Security conference.