American researchers have launched the Pretty Good Phone Privacy (PGPP) service, which has the neat idea of decoupling subscriber authentication from your network connection. No more geolocation by IMSI identifier!
We all have a smartphone and, therefore, we are all permanently geolocated by our mobile phone operator. How ? Thanks to a unique identifier stored on the SIM card and transferred to the operator when the terminal connects to the network through a repeater antenna. In 4G this identifier is called IMSI (International Global Subscriber Identity), in 5G it becomes SUPI (Subscription Permanent Identifier).
Thanks to this transfer, the operator can authenticate the user and verify that he actually has the right to access the network. And by the way, you can thus know where this subscriber is, since you know the repeater antenna where it is connected. For the police it is obviously a godsend, because they can locate suspects, either in real time or later as part of a judicial investigation. In police parlance, this is called a “phone line.”
IMSI becomes useless
But for the paranoid and freedom activists, this architecture is an absolute horror, worthy of appearing in a Georges Orwell novel. That is why two American researchers, Paul Schmitt and Barath Raghavan, created another. Called “Pretty Good Phone Privacy” (PGPP), it breaks this surveillance and makes subscriber movements much harder to detect. They presented their technology in 2021, at the Usenix conference. A year later they are already implementing it with the launch of a commercial service in beta version, through their company “Invisv”.
It is a virtual mobile operator that interconnects with most operators in Europe and the United States and only offers mobile data services. There is no traditional telephony, nor SMS, because the routing of these two services is based on the IMSI/SUPI. However, the architecture imagined by the two researchers ignores precisely this identifier. It exists, but it is useless. This is why Invisv can assign it a random value that changes periodically, or at the request of the client.
To manage the connection to the network, and incidentally billing and roaming, the researchers created a gateway called “PGPP-GW”. It receives from subscribers access tokens called “PGPP Tokens” that have been previously distributed and that are not linked to the identity of the subscriber. An internal kitchen then allows the operators to be remunerated according to the use made.
By decoupling authentication and network connection in this way, it is much more difficult for the underlying mobile operators to track someone. This technology also reduces the risk of local monitoring by IMSI Catcher, although this risk should disappear anyway with 5G where IMSI/SUPI are end-to-end encrypted. But Invisv doesn’t stop there.
IP address anonymization
Their service also includes an anonymization of the IP address, thanks to the use of a double proxy. Requests are first sent to Invisv without being decrypted, then routed to the Fastly provider, before going to the requested server. ” Neither Invisv nor Fastly can link your IP address to your Internet traffic, which means that, unlike a VPN, there is no single point of surveillance. “, we can read on the company’s website.
The Invisv service currently only works with Android devices that support eSIM technology. To access it, it’s simple: just install the mobile application “PGPP – Mobile Privacy” on Google Play. However, you have to have deep pockets. The service costs at least $40 per month. At this price, the subscriber benefits every month from a traffic volume of 9 GB and 8 IMSI/SUPI changes. For $90 per month you can have unlimited traffic volume and 30 IMSI/SUPI changes. This is the price to pay for evading general surveillance.
#PGPP #lappli #mobile #qui #rend #vos #déplacements #invisibles