Hardware:
* Tablet, or smartphone with baseband disabled.
* Cellular-wifi router (i.e., wifi hotspot), prepaid so the provider doesn't need your personal info.
Software:
* Android with per-app permissions controlled by user (e.g., user can enable/disable access to location data for particular apps). This could be a fork of Android or maybe there is security software that could be installed, such as on a rooted phone.
* VOIP app on phone
* VPN
By decoupling the baseband from the handheld computer (i.e., by keeping the tablet and cellular connection on different devices), using the cellular service without providing identifying info, and sending only encrypted data over the cellular connection (via VPN), you would protect your confidentiality from the cellular provider.
Because your phone number is decoupled from your cellular service (because you use VOIP over a VPN), nobody can tie your phone number to your location.
Of course someone who is determined could track you down. Your identity needs to be tied to your phone number or nobody will know how to call you; and your VOIP vendor could point someone to your VPN provider, who could point them to your cellular provider, who could figure out which hotspot you use. But I think it does protect you from everyday mass surveillance.
Any thoughts on how practical or effective this would be?
Practically, this solution you've come up with is too fragile to be relied upon. It's only secure if you can maintain this level of care with every operation you perform on the phone. This is why the NSA's data collection is so insidious -- it only takes one slip-up to connect everything you ever did anonymously to your "profile".
With the type of data collection that is done today, it's nearly impossible to avoid unless you use the Internet in a very different way than the average person. Avoiding data collection through technical means is a futile exercise at this point -- if you object to the data collection, public policy is the best avenue to prevent it at this point.
It's reasonable to assume that any network provider will, for billing, internal use (e.g., to document/fight network abuse) and/or as mandated by data tracking laws, store IMEI, MAC and IMSI numbers, along with connection meta-data (tower, exact location if available, timestamp etc).
I don't think it's possible to get meaningful privacy from an attacker that either a) is your service provider, or b) works with your service provider (eg: NSA, buyers of data for "advertising")?
You could use Tor - but you'd have to use it for everything -- which pretty much rules out real-time voice/video chat AFAIK. Perhaps a VPN that crosses jurisdictions and corporate ownership would help against "commercial" attackers (e.g., the ad networks). I'm doubtful how effective such a "single-hop" defense would be against state actors.
Not that I necessarily think all threat models should try to circumvent illegal government wiretaps - just pointing out that if that is wanted in addition to just un-linking meta-data on data/communication from meta-data/data on shopping/banking -- the needed security measures are likely to be inconvenient.
[1] https://en.wikipedia.org/wiki/International_Mobile_Station_E...
Assuming the user can get an anonymous pre-paid service (which I agree isn't certain), why would they need to change SIMs? The cellular provider only sees an unknown person sending encrypted data to a VPN hosting service.
[0] https://blog.torproject.org/blog/mission-impossible-hardenin...
I don't think this is possible in the USA anymore. I tried with AT&T, Verizon and T-Mobile, but I'm sure there are smaller players. All required some of my personal info, although for prepaid T-Mobile did not ask for an SSN. All told me this is due to the fact you're getting equipment "practically free". When I offered to actually pay for it, I was always told "we don't have option like that".
Europe is much simpler. I walked into a Play store [1], put $60 on the table, and got a USB dongle with a prepaid scratch card for 6GB on a 3G network. No IDs, no documentation, nothing. Refills are very simple: you purchase scratch-offs for 3/6/9 GB or more over the counter, no ID required.
In 2010, I purchased a dumb phone/SIM card for use on a prepaid plan. At the time it was the only way to get onto a super cheap prepaid plan, since they wouldn't sell you a SIM/the plan directly. I then put the SIM into my own purchased smartphones (multiple Nexus devices and a OnePlus One). For convenience reasons, I refill my account online with a CC, but I technically could simply buy the T-Mobile refill cards for cash and then activate the time on them.
As far as I know, there's nothing stopping me from doing this fresh again with a new prepaid phone and then never associating my real identity in any way.
I didn't have a clear direction after that, so I proceeded with the works-right-now solution of Google Hangouts (with all of its associated proctology). I haven't done much else with it besides backslide a bit by getting a cheap SIM so that it would ring reliably (Hangouts is a flaky POS).
Location tracking is my biggest concern (Getting on the PSTN anonymously seems like a completely different problem, and I'm less interested in tackling it), but I don't see much way around it when you're using the cell network for backhaul. Unless you religiously shut off your wifi point, pay for a new wifi point + plan in cash every few weeks, and get enough people doing this that you can blend in.
IMHO all of these guides that talk about prepaid sims and burner phones really only work for exceptional situations where someone is willing to jump through many opsec hoops. They aren't congruent with people's standard expectations of cell phones. Any solution has to roughly work with people's expectations to be adopted, since most people only casually want to defend their privacy.
The proper privacy-preserving cell solution would use bearer tokens to pay for network access, and have no device identifier tokens. This is obviously a pipe dream. The only advance I see on the horizon is as more wifi points open up, ideally coupled with software control of your identifiable cell radio that would selectively allow tracking for checking in if it had been too long since seeing a wifi spot. Most people are probably only out of the range of wifi for an hour at most times, so if it was acceptable to delay reception of messages that long, a lot of everyday privacy could be practically achieved.
If you had $100M perhaps it would be possible to start a privacy-preserving MVNO with devices that shuffled identifying information every day.
An unexpected obstacle about the privacy-protective MVNO that I heard about from someone who was investigating this is taxes on "telephone lines" that the MVNO is supposed to pay whenever it "activates" a "line". It may be difficult to reconcile this with changing subscriber identities every day (assuming you can get ahold of devices that change device identity every day).
Whenever I talk about this I say: it's too late to change the cell phone network cheaply now (though we should still be vocal about the problem and not give up: we shouldn't accept that there is someone who knows where almost everyone is almost all of the time, which is the case today). If you're designing a new communications system, make sure that it starts with privacy protection and user and device anonymity, and layers optional identity on top where needed, rather than the reverse! Let's not be saying in 2030 "oh, if only people in 2015 had thought about the privacy issues with this technology...".
If the cellular provider doesn't know who you are, why does it matter if they track your location? Under my proposed plan, they won't know who you are because the prepaid cellular service is anonymous and all your data on the wire is encrypted and going to the same VPN host.
> Getting on the PSTN anonymously seems like a completely different problem, and I'm less interested in solving it
Is there a VOIP service that will take bitcoin or some other anonymous currency? The problem is that you have to give people your name and phone number (unless you do only outgoing calls); inevitably they will become associated in many databases.
But most times, I want to use the phone just to make/receive calls/text & have good battery. No need for a big display or other stuff.
Some commenters mentioned that you can still get burner SIMs in Europe, but last time I checked it was incredibly hard anywhere in the world (maybe I don't know where to look); even in China they want your official documents to sell you a prepaid card. The reason I've always been told, which sounds plausible to me, is that easy access to burner phones leads to too much mess with criminals using them for their criminal things, and with random pranksters calling in fake bomb alerts.
I was never asked for any sort of ID to get a SIM in Mexico or Vietnam. In any case, retail mobile store workers don't care enough / can't tell a real document from a fake one.
This is a built-in feature in Marshmallow [0].
[0]: http://www.greenbot.com/article/2990078/android/how-to-toggl...
I know that's outside the scope of your comment, but I wanted to point out that the baseband is not a thing the operating system really controls in any meaningful fashion.
permissions: Android Marshmallow has this bog standard, no root needed, so you might have to watch to make sure it's available on whatever device you choose.
voip: Google Voice/Hangouts can make this possible, also Skype, Hangouts, and a number of others.
VPN: basically anything Android compatible.
It's not a terribly convenient thing to initially set up, but it's not difficult either anymore. I actually did this for a few months when I broke my phone and just decided to go all-IP instead of buying a new phone (I had the tablet and the hotspot device; the previous phone didn't have data). It worked well enough in the Los Angeles area, but outside a city it was basically non-functional.
The other points about 911 and such are bigger issues than this.
* Regarding the VPN: Inevitably it adds an extra hop but with a VPN that provides sufficient bandwidth, low latency, and sufficient processing resources to decrypt/encrypt at wire speed -- I assume that either it will cost extra or will be something the user has to setup at a good hosting provider -- couldn't performance be sufficient for voice? IIRC, from long ago, voice needs ~80 Kbps.
* Regarding cellular data: Cellular connections are very widely used for voice, of course. Cellular data connections are used now (e.g., VoLTE). On one hand I'd have the same doubts you do; on the other it seems to work. Aren't there already VOIP apps?
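The ~80 Kbps figure recalled above can be checked by adding up the per-packet headers around the codec payload, and the same model shows what the extra VPN hop costs. The following is an added example, not code from the thread: it models one direction of an RTP voice stream at the IP layer (link-layer framing is excluded) and, for the VPN case, uses WireGuard's documented transport format (16-byte data header, 16-byte authentication tag, inner packet padded to a multiple of 16 bytes) inside an outer IPv4/UDP header; other VPNs have different overhead, and the codec and header sizes are the standard values.

```python
"""Per-call VoIP bandwidth with and without a VPN tunnel (added example)."""
import math

# Codec bit rates in kbit/s.
CODEC_KBPS = {
    "G.711": 64,  # PCM at 8 kHz, 8 bits per sample
    "G.729": 8,   # CS-ACELP
}

# Fixed header sizes in bytes for the plain RTP stack.
RTP_HDR = 12
UDP_HDR = 8
IPV4_HDR = 20
IPV6_HDR = 40

# WireGuard transport message: type/reserved (4) + receiver index (4)
# + counter (8) = 16 bytes, then ciphertext, then a 16-byte Poly1305 tag.
# The encapsulated packet is padded to a multiple of 16 bytes first.
WG_DATA_HDR = 16
WG_TAG = 16
WG_PAD = 16


def codec_payload_bytes(codec: str, ptime_ms: int) -> int:
    """Audio bytes per RTP packet: kbit/s * ms gives bits, so divide by 8."""
    return CODEC_KBPS[codec] * ptime_ms // 8


def rtp_packet_bytes(codec: str, ptime_ms: int, ipv6: bool = False) -> int:
    """Size of one RTP/UDP/IP packet carrying the codec payload."""
    ip_hdr = IPV6_HDR if ipv6 else IPV4_HDR
    return ip_hdr + UDP_HDR + RTP_HDR + codec_payload_bytes(codec, ptime_ms)


def wireguard_wrapped_bytes(inner_bytes: int, ipv6_outer: bool = False) -> int:
    """Size of the outer packet once the inner IP packet is tunnelled over WireGuard."""
    padded = math.ceil(inner_bytes / WG_PAD) * WG_PAD
    outer_ip = IPV6_HDR if ipv6_outer else IPV4_HDR
    return outer_ip + UDP_HDR + WG_DATA_HDR + padded + WG_TAG


def bandwidth_kbps(codec: str, ptime_ms: int = 20, vpn: str = None,
                   ipv6: bool = False) -> float:
    """One-direction IP-layer bandwidth in kbit/s for a given packetization interval."""
    packets_per_second = 1000 / ptime_ms
    size = rtp_packet_bytes(codec, ptime_ms, ipv6)
    if vpn == "wireguard":
        size = wireguard_wrapped_bytes(size, ipv6)
    elif vpn is not None:
        raise ValueError(f"unknown vpn type {vpn!r}")
    return size * 8 * packets_per_second / 1000


def call_bandwidth_kbps(codec: str, ptime_ms: int = 20, vpn: str = None) -> float:
    """Both directions of a call (each side sends its own stream)."""
    return 2 * bandwidth_kbps(codec, ptime_ms, vpn)


if __name__ == "__main__":
    for codec in CODEC_KBPS:
        for ptime in (20, 40):
            plain = bandwidth_kbps(codec, ptime)
            tunnelled = bandwidth_kbps(codec, ptime, vpn="wireguard")
            print(f"{codec:6} {ptime:2} ms: {plain:6.1f} kbit/s plain, "
                  f"{tunnelled:6.1f} kbit/s over WireGuard, per direction")
```

With 20 ms packetization, G.711 comes out at exactly 80 kbit/s per direction (160 payload bytes plus 40 header bytes, 50 packets per second); the tunnel raises that to about 107 kbit/s, so the VPN hop adds roughly a third in overhead rather than a problem of raw throughput. Longer packetization intervals amortize the headers at the cost of latency, which is why the 40 ms figures are lower.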
First there's state-level surveillance. It's a hard technical challenge and I'm not even sure those steps would help.
Second, there's what this article talks about. Probably using a VPN (and maybe some software that turns off the 3G/4G connection unless it's strictly necessary) would neutralize most of this issue, because planting baseband malware and maybe risking exposure doesn't seem to be worth it just for ads.
If the state is determined to track or identify the user, I agree this doesn't help. It might delay them a little. But I don't mind the state investigating people for legitimate reasons (e.g., under a warrant); I'm not trying to protect criminals. Also this won't protect people persecuted by repressive states - that's a very valuable goal, but outside the scope of this idea.
For dragnet surveillance I suspect this would work, simply by adding enough complexity to the task that it's not worth it for one more data point among billions.
Of course anyone could make a social graph based on my phone calls and learn a lot that way, but I don't think anonymous phone calls are possible. If I want to receive incoming calls then I have to give out my phone number; my name and number inevitably become associated. (I can think of a few weak solutions, such as having many phone numbers, but that's imperfect and impractical.)
There is a piece in the WSJ that discusses how one fund, Two Sigma, uses cell phone tracking data, as well as many other sources of data, to build trading signals.
http://www.wsj.com/articles/how-computers-trawl-a-sea-of-dat...
In fact, I think the biggest funds are putting more effort into this type of big data exploration from funds than they are into trying to glean more information out of the time series data provided by the exchanges data feeds.
10 years ago, being able to scrape the web was a competitive advantage for funds, 5 years ago it was real time sentiment analysis of news reports.
Today, it's being able to consume hundreds of disparate data feeds and build alpha-generating signals from them.
Tracking A, B, and C-level executives should be very profitable. Who meets with whom is valuable info. Especially when you also have their phone call metadata. The activity in advance of a merger should be quite visible.
Tracking elected officials should reveal who influences whom, and who's bribing whom. It may be possible to detect bribery to the level of establishing probable cause for an investigation in that way.
> Tracking elected officials should reveal who influences whom, and who's bribing whom. It may be possible to detect bribery to the level of establishing probable cause for an investigation in that way.
The way political fundraising is done in the US, most bribes look like legitimate campaign finance money. In some states, it's even legal for a candidate to simply redirect whatever is in his campaign fund directly into his own bank account after the election. And even in states where that is illegal, 501(c)4 / SuperPACs allow politicians to do whatever they want with the money with no oversight.
With laws like that, why even bother to investigate bribery?
At least that's more demographic/general, in my opinion. What you suggest is bordering on "creepy".
People are being tracked for trading advantage and that is not at all illegal? Not insider trading at all? How the hell did we get _here_?
How do they validate that this has any connection to reality? Or do those who have budgets to spend not ask such silly questions?
So there are 50 different signals before you even start up your servers for the day.
Since there is no one true currency market, most HFT funds make their own currency signal from anywhere from 5 to 20 different feeds; let's call it 10 to bring our list of data feeds to 60 before we get into any futures and bond markets or to Europe and Asia.
Consuming the above-mentioned brings us close to 100 already.
Add in feeds from
- Google Trends
- analytics about consumer trends from, say, 5 different providers each covering, say, 5 demographics across 5 sectors
- Twitter data feeds aplenty, following 200-300 different hashtags representing stocks (#APPL)
- Twitter following for news feeds, like AP, Reuters, etc. to do sentiment analysis
- don't forget your machine-readable news feeds
- now let's get into government data. FRED has hundreds of data sets to parse to use as model inputs. See: https://research.stlouisfed.org/fred2/
What are we up to, 200-300 different signals, and we haven't really broken a sweat yet.
What sort of source would you like me to provide other than what I see on my computer screen and do for a living?
I think a more accurate adage would be that if companies can get away with ads (or gathering and selling personal data), then they will do so. Unfortunately it would appear that giving money directly to service providers does not actually protect you from such things, and I suspect the reason is fairly straightforward: All companies are driven to increase margins as much as possible, and will eventually feel financial pressure to try such measures. Unless consumers object strongly (i.e.: leave the service in numbers large enough to offset the benefits of a measure under consideration), such measures will in general find their way into use.
So what we're really saying is consumers need to pay companies more than the money would get otherwise. If consumers aren't willing to pay that price (and it shouldn't surprise us if they aren't---this can be a lot of money), then we shouldn't be surprised if such things show up, regardless of whether the service is paid or not.
That's mostly a myth. The original purpose of cable was to get TV signal in areas where broadcast didn't go. The first basic cable channels were TBS--which had advertisements--and Christian Broadcast Network--which probably didn't. The unfiltered cable stations, for the most part, had advertisements.
You are likely remembering HBO, Cinemax, The Movie Channel advertisements. They didn't have advertisements because you had to pay per channel.
And what will stop them from running ads on top of that anyway?
Now that it's a viable model, why would anyone choose to have N-1 revenue streams when they could have N? It's not like businesses always act on principle over profits.
Combine the consumer's low perceived value of privacy (thanks to intentional and unintentional actions of the businesses doing the surveillance), the fact that privacy is largely a market for lemons, and the low number of options in the marketplace. Together you get service providers that rarely lose business for choosing to surveil their customers.
Nothing the telcos might do would be amazing to me anymore.
What are you going to do? Go to a telco that doesn't? It's a gamble, but considering the limited alternatives it's not much of one.
If you ask me, I'd rather Amazon retarget a bag of chips at me via a 300x250 display ad than Verizon sell my location breadcrumbs to some unknown entity.
"The Contribute Plug-in enables your iOS device to use our free VPN service that helps to secure your mobile data. In exchange for providing you with this free service, we collect and analyze some of your mobile data that passes through our VPN to gain insights and understand how consumers like you use mobile apps and mobile devices. We may also combine profile data from your Contribute account with your mobile data."
1: http://help.surveymonkey.com/articles/en_US/kb/SurveyMonkey-...
Let's not forget who SM was tightly leaning in with...
/tinfoil
The location breadcrumbs ... well, it's not that I really want those shared. But at least it happens entirely in the background. I'm not even sure I care that much, given that I never even see the precision ad it theoretically enables.
Why is this story a surprise? I assumed it has been happening for a long time.
[1] http://www.defenseone.com/technology/2015/10/african-states-...
It's just such a useless statement. "Why is this a surprise?"
Well, first of all, I'm sure there are plenty of people who might not have had any idea cell data was being used this way and on this scale. Second, I'm willing to bet that of the many who might have had a vague idea, this gives a more concrete background with rough numbers to solidify the idea. Third, it's not a surprise to those of us who have been paying attention, but the problem is when we have said something in the past it almost invariably has been ignored or dismissed as paranoid or crazy... At least until a good story or leak comes out and gets enough attention to grab enough media mindshare. Edward Snowden was a classic example of this at work. Sure, many of us knew about TEMPEST and ECHELON and Five Eyes, knew about cell tower metadata issues via watching ownership of said towers. Every time, with few exceptions though, publicly stating these things got us called "conspiracy theorists".
Maybe you just use this as a rhetorical question and are one of us who have been paying attention, but this statement is not conducive whatsoever to intellectual discussion of a subject, and we need to address its fallacy when we see it because it's too pervasive.
> It's well known that a very widely used strategy is to collect as much information as possible about end users by businesses for targeted sales and marketing
Yes, but it's usually limited to free services, or low cost services. It's rarely applied wholesale to a group who is already paying through the nose for crappy service.
Why would you expect that? There's nothing about increased privacy levels in the ToS or in product marketing, nor was there ever in history an actual, significant demand for privacy services. It may change now, as all the stories broken over the years slowly make people care about tracking. But why would anyone assume that if you pay for something, you get special treatment? You get only the minimum required treatment that's spelled out in the contract. That's how it always has been everywhere.
Why is it relevant whether the story is a "surprise"?
Expressing your blasé attitude does nothing but downplay the significance of this.
The type of people that express arguments like this are the reason that these sort of things continue to happen.
"Oh, the Iraq war was based on lies? Yeah, everyone knows that".
Just because it's an accepted reality does not mean that you should just let things get a free pass. That's how you allow the same things to keep happening.
Congratulations on not being surprised. Everyone is very impressed.
Sorry for the rant. This is probably my #1 pet peeve.
Edit: I got curious and it looks like Fi excludes call data from being shared with other Google services. https://support.google.com/fi/answer/6181037?hl=en
Disclaimer: I work for Google (not on Fi), so take my opinion with whatever size grain of salt you feel is appropriate.
e.g.: T-mobile? I have less hopes for AT&T...
Thanks for joining us here. I'd love to hear more.
That you can get an audience on Hacker News isn't surprising, but how much interest is there from the general public? My very limited experience with non-technical people I talk to is that they don't know anything about it, don't understand the implications, and don't want to bother to figure it out. I'm hoping your much broader experience is more encouraging!
By the way, if you post something to the top level of the discussion identifying yourself, you'll probably get plenty of feedback and interest (unless it's too late for this discussion). Where you posted is buried too deep to be found by most HN readers.
I am glad this story is out. I have seen AirSage data and it is easy to deanonymize. This company shouldn't be in business.
The other day I was in the UK at a Tesco open doors event. They talked mainly about tribes and agile, but also demoed a couple of new technologies.
Turns out they have face tracking operational on all their petrol stations. And they have, in the lab, cameras and software that do face recognition and eye tracking. They plan to send targeted ads and coupons based on what shelf products caught the customer's attention.
Carriers get into analytics, which is a strategic threat to Google.
The headline is misleading; I think the carriers have been pretty upfront with their shareholders about their intention to get into this space.
In a world with Facebook, Google, et al., writing an article like this without that context is incredibly cynical.
DJB's hilarious talk on this topic. ("I AM the man in the middle!")
For example Orange in Jordan adds an HTTP header with the phone number of the client to every connection. And there are technical people out there still saying HTTPS/TLS should not be mandatory…
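A carrier can only append a header like that to traffic it can read, which is exactly the gap TLS closes. The check below is an added example, not code from the thread or from any operator: a server-side (or self-hosted test endpoint) scan of raw HTTP request headers for values that look like an injected subscriber identifier, so plaintext leaks of this kind show up in logs. The header names, the keyword list and the sample requests are constructed for illustration (the number and hostname are placeholders); the keyword list is a heuristic, not a catalogue of real carrier headers.

```python
"""Flag subscriber-identifier headers in plaintext HTTP requests (added example)."""
import re
from typing import Dict, List, Tuple

# Substrings that, in a header name, suggest a subscriber identifier (heuristic list).
IDENTITY_NAME_HINTS = ("msisdn", "imsi", "imei", "calling-line", "subscriber", "phone")

# Headers whose values are legitimately long digit strings; never flag these on value alone.
NUMERIC_VALUE_ALLOWLIST = {"content-length", "age", "max-forwards"}

# Loose E.164 shape: optional '+', then 8 to 15 digits and nothing else.
E164_LIKE = re.compile(r"^\+?\d{8,15}$")


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.x request head (CRLF-separated) into a name -> value dict.

    Repeated header names are joined with ', ', as RFC 7230 allows for list headers.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line (method, target, version)
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.strip(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def find_identity_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, value, reason) for headers that look like injected identifiers."""
    hits: List[Tuple[str, str, str]] = []
    for name, value in headers.items():
        lname = name.lower()
        if any(hint in lname for hint in IDENTITY_NAME_HINTS):
            hits.append((name, value, "name suggests a subscriber identifier"))
        elif lname not in NUMERIC_VALUE_ALLOWLIST and E164_LIKE.match(value):
            hits.append((name, value, "value has a phone-number shape"))
    return hits


def scan_request(raw: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse a raw request and scan its headers."""
    return find_identity_headers(parse_request_headers(raw))


# Constructed sample: a plaintext request as it might look after a middlebox
# appended subscriber headers. The number, hostname and header names are placeholders.
INJECTED_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Forwarded-For: 203.0.113.5\r\n"   # an IP address, must not be flagged
    "X-MSISDN: +962700000000\r\n"        # flagged by name
    "X-Acct-Ref: 962700000000\r\n"       # unknown name, flagged by value shape
    "\r\n"
)

# Constructed sample: the same request without any injected headers.
CLEAN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Forwarded-For: 203.0.113.5\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, request in (("injected", INJECTED_REQUEST), ("clean", CLEAN_REQUEST)):
        print(f"{label}: {scan_request(request) or 'no identifier headers found'}")
```

Run on the constructed requests it reports the two appended headers and nothing for the clean one. The value-shape rule is deliberately loose, so in production it belongs on a logging path that a person reviews rather than on a blocking one; the name rule is the reliable signal, and both only ever fire on requests that arrived without TLS.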
Telcos are dead and they don't want to admit it. I'd bet my money on super cheap mobile ISPs rising soon, based on a completely different technology and making better use of the mostly empty spectrum.