Pretty Good Phone Privacy

Paul Schmitt, Princeton University
Barath Raghavan, University of Southern California

arXiv:2009.09035v3 [cs.NI] 28 Dec 2020

Abstract

To receive service in today's cellular architecture, phones uniquely identify themselves to towers and thus to operators. This is now a cause of major privacy violations, as operators sell and leak identity and location data of hundreds of millions of mobile users.

In this paper, we take an end-to-end perspective on the cellular architecture and find key points of decoupling that enable us to protect user identity and location privacy with no changes to physical infrastructure, no added latency, and no requirement of direct cooperation from existing operators.

We describe Pretty Good Phone Privacy (PGPP) and demonstrate how our modified backend stack (NGC) works with real phones to provide ordinary yet privacy-preserving connectivity. We explore inherent privacy and efficiency trade-offs in a simulation of a large metropolitan region. We show how PGPP maintains today's control overheads while significantly improving user identity and location privacy.

1 Introduction

Cellular phone and data networks are an essential part of the global communications infrastructure. In the United States, there are 124 cellular subscriptions for every 100 people, and the total number of cellular subscriptions worldwide now stands at over 8.2 billion [5]. Unfortunately, today's cellular architecture embeds privacy assumptions of a bygone era. In decades past, providers were highly regulated and centralized, few users had mobile devices, and data broker ecosystems were undeveloped. As a result, except for law enforcement access to phone records, user privacy was generally preserved. Protocols that underpin cellular communication embed an assumption of trusted hardware and infrastructure [2], and specifications for cellular backend infrastructure contain few formal prescriptions for preserving user data privacy. The result is that the locations of all users are constantly tracked as they simply carry a phone in their pocket, without even using it.

Much has been made of privacy enhancements in recent cellular standards (e.g., 5G), but such changes do nothing to prevent cellular carriers from tracking user locations. Worse still, the 5G push toward small cells results in much finer-grained location information, and thus tracking, than previous generations.

Privacy violations by carriers. In recent years it has been extensively reported that mobile carriers have been routinely selling and leaking mobile location data and call metadata of hundreds of millions of users [18, 19, 39, 66, 70]. Unfortunately for users, this behavior by the operators appears to have been legal, and has left mobile users without a means of recourse due to the confluence of a deregulated industry, high mobile use, and the proliferation of data brokers in the landscape. As a result, in many countries every mobile user can be physically located by anyone with a few dollars to spend. This privacy loss is ongoing and is independent of leakage by apps that users choose to install on their phones (which is a related but orthogonal issue).

While this major privacy issue has long been present in the architecture, the practical reality of the problem and lack of technical countermeasures against bulk surveillance is beyond what was known before. However, there is a fundamental technical challenge at the root of this problem: even if steps were taken to limit the sale or disclosure of user data, such as by passing legislation, the cellular architecture generally and operators specifically would still seemingly need to know where users are located in order to provide connectivity. Thus, as things stand, users must trust that cellular network operators will do the right thing with respect to privacy despite not having done so to date.

Architectural, deployable solution. We identify points of decoupling in the cellular architecture to protect user privacy in a way that is immediately deployable. In this, we are aided by the industry-wide shift toward software-based cellular cores. Whereas prior generations of cellular networks ran on highly-specific hardware, many modern cellular core functions are run in software, making it more amenable to key changes.




In our approach, users are protected against location tracking even by their own carrier. We decouple network connectivity from authentication and billing, which allows the carrier to run Next Generation Core (NGC) services that are unaware of the identity or location of their users while still authenticating them for network use. Our architectural change allows us to nullify the value of the user's IMSI, an often targeted identifier in the cellular ecosystem, as a unique identifier. We shift authentication and billing functionality to outside of the cellular core and separate traditional cellular credentials from credentials used to gain global connectivity.

Since it will take time for infrastructure and legislation to change, our work is explicitly not clean slate. We anticipate that our solution is most likely to be deployed by Mobile Virtual Network Operators (MVNOs), where the MVNO operates the core (NGC) while the base stations (gNodeBs) are operated by a Mobile Network Operator (MNO). This presents us with architectural independence, as the MVNO can alter its core functionality so long as the NGC conforms to LTE/5G standards. While it is not strictly necessary for PGPP to be adopted by an MVNO, we assume that existing industry players (e.g., MNOs) are unlikely to adopt new technologies or have an interest in preserving user privacy unless legal remedies are instituted. As a result, we consider how privacy can be added on top of today's mobile infrastructure by new industry entrants.

Contributions. We describe our prototype implementation, Pretty Good Phone Privacy (PGPP). In doing so, we examine several key challenges in achieving privacy in today's cell architecture. In particular, we consider: 1) which personal identifiers are stored and transmitted within the cellular infrastructure; 2) which core network entities have visibility into them (and how this can be mitigated); 3) which entities have the ability to provide privacy, and with what guarantees; and 4) how we can provide privacy while maintaining compatibility with today's infrastructure and without requiring the cooperation of established providers.

We show PGPP's impact on control traffic and on user anonymity. We show that by altering the network coverage map we are able to gain control traffic headroom compared with today's networks; we then consume that headroom in exchange for improved anonymity. We analyze the privacy improvements against a variety of common cellular attacks, including those based on bulk surveillance as well as targeted attacks. We find that PGPP significantly increases anonymity where there is none today. We find that an example PGPP network is able to increase the geographic area that an attacker could believe a victim to be within by ~1,200% with little change in control load.

Our contributions are as follows:

[Figure 1 (diagram): the NG-RAN (gNodeBs serving a PGPP UE and a conventional UE) and the NGC (AMF, AUSF, SMF, UPF), with the PGPP-GW placed outside the NGC; flows are labeled Control, Authentication and Connectivity.]

Figure 1: Simplified 5G architecture with and without PGPP. PGPP decouples authentication and connectivity credentials and shifts authentication to a new external entity, the PGPP-GW. Details of the PGPP-GW are found in §5.1.

• We design a new architecture that decouples connectivity from authentication and billing functionality, allowing us to alter the identifiers used to gain connectivity (§5.1) and enable PGPP-based operators to continue to authenticate and bill users (§5.1) without identifying them.

• We adapt existing mechanisms to grow control traffic broadcast domains, thus enhancing user location privacy while maintaining backwards compatibility (§5.2).

• We quantify the impacts of PGPP on both user privacy and network control traffic through simulation (§6), and demonstrate PGPP's feasibility in a lab testbed.

2 Background

Here we provide a brief overview of the cellular architecture and describe the inherent privacy challenges. For simplicity, we focus on 5G, though the fundamental challenges also exist in legacy standards.

2.1 Cellular architecture overview

The 5G architecture can be divided into two areas: the Next Generation Radio Access Network (NG-RAN), which is responsible for radio access, and the Next Generation Core (NGC), which includes the entities responsible for authentication and connectivity to the network core. Figure 1 shows a simplified architecture for both conventional cellular as well as with PGPP. PGPP moves authentication and billing to a new entity, the PGPP-GW, that is external to the NGC. We detail PGPP's specific changes in §5. We include a glossary of cellular terms in Appendix 9.

NG-RAN. The NG-RAN is the network that facilitates connectivity between user devices (UEs), commonly a cell phone with a SIM card installed, and the serving base station (gNodeB). The NG-RAN is responsible for providing UEs a means of connecting to the NGC via gNodeBs.

NGC. The NGC is the core of the 5G cellular network and includes entities that provide authentication, billing, voice, SMS, and data connectivity. The NGC entities relevant to our discussion are the Access and Mobility Management Function (AMF), the Authentication Server Function (AUSF), the Session Management Function (SMF), and the User Plane Function (UPF). The AMF is the main point of contact for a UE and is responsible for orchestrating mobility and connectivity. UEs authenticate to the network by sending an identifier that is stored in the SIM to the AMF. The AUSF is then queried to verify that the UE is a valid subscriber. Once the UE is authenticated, the AMF assigns the UE to an SMF and UPF, which offer an IP address and connectivity to the Internet. Note that 5G networks can include many copies of these entities and contain many more entities; however, for the purposes of our discussion this simplified model suffices.

MVNOs. We design our solution to be implemented by a Mobile Virtual Network Operator (MVNO). MVNOs are virtual in that they offer cellular service without owning the infrastructure itself. Rather, MVNOs pay to share capacity on the infrastructure that an underlying carrier operates. MVNOs can choose whether they wish to operate their own core entities, such as the AMF, AUSF, and UPF, which is the type of operation we propose. MVNOs that run their own core network are often called "full" MVNOs. Critically, our architecture is now feasible as the industry moves toward "whitebox" gNodeBs that connect to a central office that is a datacenter with virtualized NGC services, as in the Open Networking Foundation's M-CORD project [26]. Recent work has shown that dramatic performance gains are possible using such newer architectures [54, 55].

2.2 Privacy in the cellular architecture

Maintaining user privacy is challenging in cellular networks, both past and present, as it is not a primary goal of the architecture. In order to authenticate users for access and billing purposes, networks use globally unique client identifiers. Likewise, the cellular infrastructure itself must always "know" the location of a user in order to minimize latency when providing connectivity. We briefly discuss cellular identifiers as well as location information available from the perspective of the cell network in this section. We use acronyms from the 5G architecture as it is the newest standard; however, similar entities exist in all generations (2G, 3G, 4G LTE).

User and device identifiers. There are multiple identifiers that can be used to associate network usage with a given subscriber. Identifiers can be assigned by various actors in the ecosystem, they can vary in degree of permanence, and they can be globally unique across all cellular operators or locally unique within a given network. Table 1 shows these identifiers, their allocators, and their permanence.

The International Mobile Subscriber Identity (IMSI) is the identifier used to gain access to the network when a phone (UE) performs initial attachment. The IMSI is globally unique, permanent, and is stored on the SIM card. Carriers maintain an AUSF database containing the list of IMSIs that are provisioned for use on the network and subscription details for each. Because the IMSI is globally unique and permanent, it is seen as a high-value target for those who wish to surveil cellular users. For example, in recent years there has been a rise of cell-site simulators, also known as IMSI catchers. These devices offer what appears to be a legitimate base station (gNodeB) signal. Since UE baseband radios are naïve and automatically connect to the strongest signal, they will attempt to attach to the IMSI catcher and offer their IMSI. IMSI catchers have been used extensively by law enforcement as well as nation-state adversaries to identify and eavesdrop on cellular users [52].

Table 1: User identifiers in LTE

Identifier             Allocator   Duration
IMSI                   Operator    Permanent
GUTI                   AMF         Temporary
IP address (static)    Operator    Permanent
IP address (dynamic)   UPF         Temporary
RNTI                   gNodeB      Temporary

Given the IMSI's importance and sensitivity, temporary identifiers are often used instead. The Globally Unique Temporary Identifier (GUTI) can be thought of as a temporary replacement for an IMSI. Once a phone attaches to the network, the Access and Mobility Management Function (AMF) generates a GUTI value that is sent to the UE, which stores the value. The UE uses the GUTI rather than the IMSI when it attaches to the network in the future. The GUTI can be changed by the AMF periodically. Prior work recently found that GUTIs are often predictable with consistent patterns, thus offering little privacy [31], but this can be remedied with a lightweight fix that we expect will be used going forward.

The 5G network is IP-based, meaning UEs must be given IP addresses in order to connect. IPs can be either statically or dynamically assigned to UEs. Statically assigned IPs are stored in a backend core database. During the attach procedure, the AMF retrieves the static IP address assigned to the UE from the backend. Conversely, dynamic addresses are assigned by the SMF when the UE attaches. Providers can associate a user with an IP address in the network by monitoring traffic at the UPF, which offers a convenient location to place a network tap.

In order to connect with the gNodeB over the NG-RAN, UEs must be assigned radio resources at layer 2, including a temporary unique identifier, the RNTI. Prior work has shown that layer 2 information used on the NG-RAN can be used to link RNTIs with temporary identifiers at higher layers (e.g., GUTIs), provided the attacker knows the GUTI beforehand [60]. This attack is specific to the coverage area of a single cell and can be mitigated by changing the GUTI frequently, as discussed in [31].

User location information. Cellular networks maintain knowledge of the physical location of each UE. Location information is necessary to support mobility and to quickly find the UE when there is an incoming call, SMS, or data for a user. The mechanism used to locate a UE is known as "paging," and it relies on logical groupings of similarly located gNodeBs known as "tracking areas" (TAs). Each gNodeB is assigned to a single TA. TAs can be thought of as broadcast domains for paging traffic. If there is incoming data for an idle UE, the paging procedure is used, where the network sends a paging message to all gNodeBs in the user's last-known TA. Prior work has shown that the paging mechanism can be leveraged by attackers that know an identifier of the victim (e.g., phone number, WhatsApp ID) to generate paging messages intended for the victim, which enables an unprivileged attacker to identify a specific user's location [42]. From an external perspective, the vantage point of remote servers on the web can also be leveraged to localize mobile users given timing information from applications on their devices [64].

[Figure 2 (plots): (a) IMSI page counts, a CDF (0.0 to 1.0) over the number of times an IMSI was paged, log-scale x-axis from 10^0 to 10^2; (b) Intervals between pages, a CDF over the interval between IMSI pages in seconds, log-scale x-axis from 10^0 to 10^5, with series All, Minimum and Maximum; (c) User locations over time.]

Figure 2: Analysis of IMSI broadcasts based on cellular traces captured in measurement study.

Cellular operators often store location metadata for subscribers, giving them the ability to trace user movement and location history. This bulk surveillance mechanism has been used to establish a user's past location by law enforcement [9].

3 The need for privacy enhancements

In this section we demonstrate the privacy leakage that exists in today's cellular architecture by conducting a measurement study while acting as a relatively weak attacker in a real-world environment. Recall from §2.2 that the IMSI is a globally unique, permanent identifier. Unfortunately for user privacy, the traditional cellular architecture uses IMSIs for authentication and billing as well as providing connectivity, causing the IMSI to be transmitted for multiple reasons.

Because of its importance and permanence, the IMSI is seen as a high-value target for those who wish to surveil cellular users. For example, in recent years there has been a proliferation of cell-site simulators, also known as IMSI catchers. These devices offer what appears to be a legitimate base station (gNodeB) signal. Since UE baseband radios are naïve and automatically connect to the strongest signal, they attempt to attach to the IMSI catcher and offer their IMSI. IMSI catchers have been used extensively by law enforcement and state-level surveillance agencies, with and without warrants, to identify, track, and eavesdrop on cellular users [52].

Dataset. We analyze a dataset of cellular broadcast traces that our team gathered in a small, densely populated area with roughly 80,000 residents over the course of several days in 2015. The traces include messages that were sent on broadcast channels in plaintext for three cellular providers that offer service in the area. Traces were captured using software-defined radios and mobile phones. The trace dataset provides a vantage point that is akin to an IMSI catcher.¹

IMSIs are often broadcast in the clear. We discover that while the architecture is designed to largely use temporary GUTIs once UEs are connected, IMSIs are often present in paging messages. Overall, we see 588,921 total paging messages, with 38,917 containing IMSIs (6.6% of all pages). Of those messages, we see 11,873 unique IMSIs. We track the number of times each individual IMSI was paged and plot a CDF in Figure 2a. As shown, more than 60% of IMSIs were paged more than once in the traces. Note that we count multiple pages seen within one second as a single page. Given this network behavior, even a passive eavesdropper could learn the permanent identifiers of nearby users.

IMSIs can be tracked over time. Given that IMSIs are regularly broadcast, an eavesdropper can track the presence or absence of users over time. We investigate the intervals between pages containing individual IMSIs. In Figure 2b we plot a CDF of intervals (greater than one second) between subsequent pages of individual IMSIs. Overall, we see that IMSIs are repeatedly broadcast over time, even though the design of the architecture should dictate that IMSIs be used sparingly in favor of temporary GUTIs.

Individuals can be tracked over time. Given that we can track IMSIs over time, a passive attacker can track individuals' movements. Figure 2c shows locations of base stations that broadcast the IMSI for a single user in the traces. As shown, we saw the user in multiple locations over the course of two days. Location A was recorded at 10am on a Monday; location B was thirty minutes later. The user connected to a base station at location C at noon that same day. Locations D and E were recorded the following day at noon and 1:30pm, respectively. From this we see that a passive observer unaffiliated with a cellular carrier can, over time, record the presence and location of nearby users. This attacker is weak, with a relatively small vantage point. In reality, carriers can and do maintain this information for all of their users.

¹ Trace collection methodology and analysis received IRB approval; extraneous details omitted for blind review.
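The trace analysis of this section as an added illustration, not the authors' code or dataset: it applies the same counting rules (share of paging messages carrying an IMSI, repeats of one IMSI within one second collapsed to a single page, per-IMSI page counts and intervals, and the cells that broadcast a given IMSI) to a small constructed set of paging records whose identity values and cell labels are made up.

```python
"""Paging-trace analysis in the style of Section 3 (added illustration, not the
authors' code or dataset).  Each record is one paging message heard on a
cell's broadcast channel: capture time in seconds from the start of the
trace, the cell it was heard from, the identity type the page used (IMSI or
GUTI) and the identity value.  All values below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PagingRecord:
    ts: float       # seconds since start of trace
    cell: str       # label of the base station the page was heard from
    id_type: str    # "IMSI" (permanent identifier in the clear) or "GUTI"
    identity: str   # identity value; made up, not a real IMSI


# Constructed trace: most pages carry temporary GUTIs, a minority carry IMSIs.
TRACE = [
    PagingRecord(0.0,    "A", "GUTI", "g-1"),
    PagingRecord(0.5,    "A", "IMSI", "imsi-001"),
    PagingRecord(0.9,    "A", "IMSI", "imsi-001"),  # repeat within 1 s: same page
    PagingRecord(2.0,    "B", "GUTI", "g-2"),
    PagingRecord(3.0,    "A", "IMSI", "imsi-002"),
    PagingRecord(61.0,   "B", "IMSI", "imsi-001"),  # same user a minute later, other cell
    PagingRecord(62.0,   "B", "GUTI", "g-3"),
    PagingRecord(3600.0, "C", "IMSI", "imsi-001"),  # an hour later, third cell
    PagingRecord(3601.0, "C", "GUTI", "g-1"),
    PagingRecord(3602.0, "C", "IMSI", "imsi-003"),
]


def imsi_pages(trace, dedup_window=1.0):
    """IMSI pages with repeats collapsed: a page of an IMSI seen less than
    dedup_window seconds after the last counted page of that IMSI is dropped,
    matching Section 3's rule of counting pages within one second as one."""
    last_counted = {}
    kept = []
    for rec in sorted(trace, key=lambda r: r.ts):
        if rec.id_type != "IMSI":
            continue
        prev = last_counted.get(rec.identity)
        if prev is not None and rec.ts - prev < dedup_window:
            continue
        last_counted[rec.identity] = rec.ts
        kept.append(rec)
    return kept


def page_counts(trace):
    """Number of (collapsed) pages per IMSI: the data behind a CDF like Fig. 2a."""
    counts = defaultdict(int)
    for rec in imsi_pages(trace):
        counts[rec.identity] += 1
    return dict(counts)


def summarize(trace):
    """Headline figures of the measurement: how many pages carry an IMSI at all,
    how many distinct IMSIs that exposes, and what share of them recur."""
    total = len(trace)
    raw_imsi = sum(1 for r in trace if r.id_type == "IMSI")
    counts = page_counts(trace)
    recurring = sum(1 for c in counts.values() if c > 1)
    return {
        "total_pages": total,
        "pages_with_imsi": raw_imsi,
        "imsi_share": raw_imsi / total if total else 0.0,
        "unique_imsis": len(counts),
        "share_paged_more_than_once": recurring / len(counts) if counts else 0.0,
    }


def page_intervals(trace):
    """Per-IMSI intervals between successive collapsed pages (data behind Fig. 2b).
    Every interval is at least dedup_window long by construction."""
    times = defaultdict(list)
    for rec in imsi_pages(trace):
        times[rec.identity].append(rec.ts)
    return {imsi: [b - a for a, b in zip(ts, ts[1:])] for imsi, ts in times.items()}


def location_history(trace, imsi):
    """(time, cell) pairs at which a given IMSI was broadcast: what a passive
    listener covering several cells learns about that user's movement (Fig. 2c)."""
    return [(rec.ts, rec.cell) for rec in imsi_pages(trace) if rec.identity == imsi]


if __name__ == "__main__":
    print(summarize(TRACE))
    print(page_intervals(TRACE))
    print(location_history(TRACE, "imsi-001"))
```

On the constructed trace the three IMSI pages of imsi-001 across cells A, B and C reproduce, in miniature, the multi-location history of Figure 2c.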

4 Scope

We believe that many designs are possible to increase privacy in mobile networks, and no architecture today or in the future is likely to provide perfect privacy. Nevertheless, below we discuss various properties that PGPP strives to achieve.

Prior work examined the security vulnerabilities in modern cell networks [33, 42, 63] and revealed a number of flaws in the architecture itself. In addition, data brokers and major operators alike have taken advantage of the cellular architecture's vulnerabilities to profit off of revealing sensitive user data. We believe mobile networks should aim to, at a minimum, provide one or both of the following privacy properties:

• Identity privacy. A network can aim to protect users' identity. Networks, as well as third-party attackers, identify users through IMSIs, which are intended to be uniquely identifying.

• Location privacy. A network can aim to protect information about the whereabouts of a phone.

Naturally, these privacy properties do not exist in isolation; they intersect in critical ways. For example, attackers often aim to learn not only who a user is but where a specific user is currently located, or where a user was when a specific call was made. Also, the definition of an attacker or adversary is a complex one and, depending on context, may include individuals aiming to steal user data, mobile carriers and data brokers looking to profit off of user data, governments seeking to perform bulk surveillance, law enforcement seeking to monitor a user with or without due process, and many others. Due to context dependence, we do not expect all privacy-focused mobile networks to make the same choice of tradeoffs.

4.1 Cellular privacy threat model

Given the above discussion, we distinguish between bulk and targeted data collection. We define bulk collection to be the collection of information from existing cellular architecture traffic without the introduction of attack traffic; thus, bulk collection is passive. Bulk attacks commonly target user identities (e.g., IMSIs). PGPP's core aim is to protect against bulk attacks. Targeted attacks are active and require injection of traffic to attack specific targets. Targeted attacks are often aimed at discovering a victim's location. We also delineate attacks by the adversary's capabilities, as they may have visibility into an entire network (global) versus, for an unprivileged attacker, some smaller subset of a network's infrastructure (local). Table 2 gives the taxonomy of attacks.

Table 2: Common cellular attacks

Visibility   Bulk attacks                                     Targeted attacks
Global       Carrier logs [18, 19, 39, 70];                   Carrier paging
             Government surveillance [9]
Local        SDR [3, 50, 69]; IMSI catcher [37, 52]           Paging attack [34, 42]

Carriers and governments are the most common global-bulk attackers. Such bulk surveillance is commonplace in cellular networks and has been at the center of recent lawsuits and privacy concerns. Attacks that employ IMSI catchers or passively listen to broadcasts using software-defined radios are considered local-bulk. Here, an IMSI catcher is only able to monitor phones that connect directly to it, so its visibility is limited to its radio range. Similarly, SDR-based passive snooping (as in the example in §3) is only able to monitor nearby base stations and will miss portions of the network. We design PGPP with a primary focus on thwarting bulk attacks by nullifying the value of IMSIs (§5.1).

Local-targeted attacks can be carried out by ordinary users by generating traffic that causes a network to page a victim (e.g., a phone call to the victim). As local-targeted attackers do not have visibility into the entire network, they must rely upon knowledge of the geographic area that is encompassed by a tracking area. Due to the prevalence of such attacks, as an enhancement an operator can provide functionality, in cooperation with the user, that reduces the efficacy of local-targeted attacks through the use of TALs (§5.2).

Global-targeted attacks represent a very powerful attacker who can actively probe a victim while having global visibility of the network. We envision that defenses against such attacks would require fundamental changes to communication models. PGPP does not mitigate global-targeted attacks as we focus on immediately deployable solutions; we leave this to future work.

4.2 Aims

Next we discuss the aims of PGPP by considering several common questions that arise.

What sort of privacy does PGPP provide? As its name suggests, PGPP aims to provide "pretty good" privacy; we don't believe there is a solution that provides perfect privacy, causes no service changes (i.e., does not increase latency), and is incrementally deployable on today's cellular networks. The main focus is to offer privacy against global-bulk surveillance of mobility and location, a practice by carriers that is widespread and pernicious. We thwart this via eliminating the IMSI as an individual identifier and decoupling the authentication and connectivity mechanisms in the cellular architecture.

Isn't 5G more secure than legacy generations? The 5G standard includes enhancements focused on user privacy and system performance over legacy cellular generations. However, the enhancements do not offer location privacy benefits from the carriers.

Encrypted IMSIs. 5G includes the addition of encrypted IMSIs, where public key cryptography, along with ephemeral keys generated on the SIM, is used to encrypt the IMSI when sending it to the network. This protects user IMSIs from eavesdroppers. However, encrypted IMSIs do not prevent the cellular provider itself from knowing the user's identity. An analogy for encrypted IMSIs can be found in DNS over HTTPS (DoH): eavesdroppers cannot see unencrypted traffic, yet the endpoints (the DNS resolver for DoH, the cellular core in 5G) still can. The goal of this work is to not only thwart local-bulk attacks but also protect user privacy from mobile operators that would otherwise violate it (i.e., global-bulk attacks).

Small cell location privacy. The 5G standard strives for reduced latencies as well as much higher data throughputs. This necessitates the use of cells that cover smaller areas in higher frequency spectrum in order to overcome interference, compared with previous cellular generations that used macrocells to provide coverage to large areas. A (likely unintended) byproduct of 5G's use of smaller cells is a dramatic reduction in location privacy for users. As the 5G network provider maintains state pertaining to the location in the network for a given user for the purposes of paging, smaller cells result in the operator or attacker knowing user locations at a much higher precision compared with previous generations.

What about active / traffic analysis / signaling attacks? While active targeted attacks aren't our main focus, we improve privacy in the face of them by leveraging TALs to increase and randomize the broadcast domain for paging traffic, making it more difficult for attackers to know where a victim is located (analyzed in §6.2). Further, the goal of many active attacks is to learn users' IMSIs, and our nullification of IMSIs renders such attacks meaningless.

An attacker with a tap at the network edge could use traffic analysis attacks to reduce user privacy. We largely view this as out of scope, as users can tunnel traffic and use other means to hide their data usage patterns.

Cellular networks rely on signaling protocols such as Signaling System 7 (SS7) and Diameter when managing mobility as well as voice and SMS setup and teardown. These protocols enable interoperability between carriers, needed for roaming and connectivity across carriers. Unfortunately, these protocols were designed with inherent trust in the network players and have thus been used to reduce user privacy and disrupt connectivity [24, 30, 49, 53, 62]. We design PGPP for 4G/5G data only, which renders legacy SS7 compatibility moot. Our PGPP design expects users to use outside messaging services rather than an in-NGC IMS system.

Can PGPP support roaming? Yes. While we envision that many PGPP users would explicitly not wish to roam, as roaming partners may not provide privacy guarantees, roaming is possible using a Diameter edge agent that only allows for home routed roaming, forcing traffic to route from the visited network's SMF back to the PGPP operator's UPF rather than local breakout, due to our authentication mechanism (§5.1). Roaming, and international roaming in particular, adds billing complexities for the PGPP operator. Typically, the visited network collects call data records for each roaming user on its network and calculates the wholesale charges payable by the home network. The visited network then sends a Transferred Account Procedure (TAP) file to the home network via a data clearing house. The home network then pays the visited network. In PGPP, the individual identity of the user that roamed is not known, yet the PGPP operator remains able to pay the appropriate fees to visited networks.

How does PGPP protect user privacy for voice or text service? Out of the box, PGPP doesn't provide protection for such service. Instead, PGPP aims to provide privacy from the cellular architecture itself, and in doing so users are free to use a third-party VoIP provider (in which case the phone will operate identically to a normal phone for telephony service from a user's perspective), or use recent systems by Lazar et al. [44, 45] that provide strong metadata privacy guarantees for communications, or similar systems such as [16, 17, 46, 68]. We view PGPP as complementary to such systems.

How does PGPP protect users against leaky apps? PGPP doesn't, as it is about providing protection in the cellular infrastructure. Even without leaky apps, users can always intentionally or inadvertently reveal their identity and location. Leaky apps make this worse, as they collect and sometimes divulge sensitive user information. We see PGPP as complementary to work that has targeted privacy in mobile app ecosystems. Further, apps are not as fundamental as connectivity: users can choose whether to install and run a leaky app and can constrain app permissions. However, phones are by their nature always connected to carrier networks, and those very networks have been selling user data to third parties.

If users can't be identified by carriers, how can carriers still make money? We introduce PGPP tokens in §5.1 as a mechanism for a PGPP operator to charge customers while protecting user anonymity.

Can't phone hardware be tracked as well? Phones have an International Mobile Equipment Identity (IMEI). The IMEI is assigned to the hardware by the manufacturer and identifies the manufacturer, model, and serial number of a given device. Some operators keep an IMEI database to check whether a device has been reported as stolen, known as an equipment identity register (EIR); IMEIs in the database are blacklisted.

For many devices, the IMEI can be changed through software, often without root access. We envision a PGPP MVNO would allow for subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against an EIR to verify the phone has not been reported as stolen. At that point, the IMEI could be reprogrammed to a single value, similar to our changes to the IMSI. Note that different jurisdictions have different rules about whether, how, and by whom an IMEI can be changed, so only in some cases do IMEI changes require cooperation with the MVNO.

Is PGPP legal? Legality varies by jurisdiction. For example, US law (CALEA [1]) requires providers to offer lawful interception of voice and SMS traffic. A PGPP-based carrier is data-only, with voice and messaging provided by third parties. CALEA requires the provider to offer content of communication data at the UPF, e.g., raw (likely-encrypted) network traffic. This is supported by PGPP.

5 Design

In this section we describe the mechanisms PGPP employs to increase user identity and location privacy. Ultimately, PGPP's design choices appear obvious in retrospect. We believe its simplicity is an asset, as PGPP is compatible with existing networks and immediately deployable.

In order to provide identity privacy against bulk attacks, we nullify the value of the IMSI, as it is the most common target identifier for attackers. In our design, we choose to set all PGPP user IMSIs to an identical value to break the link between IMSI and individual users. This change requires a fundamental shift in the architecture, as IMSIs are currently used for connectivity as well as authentication, billing, and voice/SMS routing. We design a new cellular entity for billing and authentication that preserves identity privacy. Fortunately, the industry push for software-based NGCs makes our architecture feasible. We describe the architecture in §5.1.

To provide location privacy from targeted attacks, PGPP leverages an existing mechanism (TALs) in the cellular specification in order to grow the broadcast domain for control traffic (§5.2). By changing the broadcast domain for every user, the potential location of a victim is broadened from the attacker's vantage point.

5.1 User identity privacy

As discussed in §2.2, IMSIs are globally unique, permanent identifiers. As such, they are routinely targeted by attackers, both legal and illegal. In this section we re-architect the network in order to thwart the bulk attacks introduced in §4.1 that are based on identifying individuals via IMSI.

We decouple back-end connectivity from the authentication procedure that normally occurs at the AUSF when a UE attaches to the network. Instead, the PGPP operator issues SIM cards with identical IMSIs to all of its subscribers. In this model, the IMSI is used only to prove that a user has a valid SIM card to use the infrastructure, and in turn the PGPP network can provide an IP address and connectivity and offer the client a GUTI, providing the user with a unique identity necessary for basic connectivity.

Table 3: Three properties needed for user authentication in a privacy-preserving cell network, and schemes to achieve them.

Scheme               Customer   Anonymous   Unique
Standard auth           •
Group/ring sig          •           •
Linkable ring sig       •                      •
Cryptocurrency                      •          •
PGPP tokens             •           •          •

5G authentication is normally accomplished using IMSIs at the AUSF; however, all PGPP users share a single IMSI. Thus, to authenticate a user, we designed a post-attach oblivious authentication scheme to ensure that the PGPP operator is able to account for the user without knowing who they are.

PGPP Gateway. In order to perform this authentication, we create a new logical entity called a PGPP Gateway (PGPP-GW), shown in Figure 1, which sits between the UPF and the public Internet. The UPF is configured to have a fixed tunnel to a PGPP-GW, which can be located outside of the PGPP operator's network. Using this mechanism, the PGPP-GW only sees an IP address, which is typically NATed, and whether that IP address is a valid user. Notably, it does not have any information about the user's IMSI. The PGPP-GW design also allows for many different architectures. For instance, multiple PGPP-GWs could be placed in multiple datacenters, or even use a privacy service such as Tor.²

Authentication properties. From the perspective of the PGPP-GW, there are multiple properties an authentication scheme must guarantee: (1) the gateway can authenticate that a user is indeed a valid customer;³ (2) the gateway and/or any other entities cannot determine the user's identity, and thus cannot link the user's credentials/authentication data with a user identity; and (3) the gateway can determine whether a user is unique or if two users are sharing credentials.

As we show in Table 3, the challenge is that standard approaches for authentication only provide one of the three required properties, and widely-studied cryptographic mechanisms only provide two of the three properties. For example, an ordinary authentication protocol (of which there are many [7, 36]) can provide property 1) but not 2) and 3). A cryptographic mechanism such as group signatures [8, 12] or ring signatures [20, 59] can protect the user's identity upon authentication, providing properties 1) and 2) but not 3), as providing the last property would violate the security of the signature scheme. Similarly, traitor tracing schemes [14] (such as for broadcast encryption [25]) can provide all three properties but in practice cannot provide property 3), as the traitor tracing would require actual physical confiscation of the "traitor" phone by the MVNO, which is infeasible. A variation on ring signatures known as linkable ring signatures [48] provides the ability for a user's identity to be revealed if the user signs multiple messages with the same key. While this is useful in establishing that the user is unique and hasn't shared their credentials, it also partially violates the user's anonymity, as that key cannot be used again.

² We leave exploration into such scenarios to future work.
³ Due to "Know Your Customer" rules in some jurisdictions, the provider may need to have a customer list, necessitating that the user authentication scheme be compatible with periodic explicit customer billing.

Effective authentication. There are two approaches that we view as viable depending on the circumstances. An anonymity-preserving cryptocurrency can provide properties 2) and 3) but not 1), as a cryptocurrency would combine billing and authentication at the PGPP-GW. For MVNOs that are not required to know their customers, an anonymity-preserving cryptocurrency may be the ideal solution for both user authentication and payment, though even the best coins provide imperfect anonymity guarantees [38].

To provide all three properties, we develop a simple scheme called PGPP tokens that helps us sidestep the issues with alternative approaches. The choice of authentication scheme is deployment-context specific. With PGPP tokens, when paying a monthly bill a user retrieves authentication tokens that are blind-signed using Chaum's classic scheme [6, 11] by the billing system. Later, when authenticating to the service, the user presents tokens and the service (the PGPP-GW) verifies their signature before allowing the user to use the network. The token scheme ensures that the service can check the validity of tokens without identifying the user requesting access. The user then presents the next token in advance so as to ensure seamless service. Note that PGPP tokens disallow the post-pay model for cellular billing, as the network would be required to know the identity of users in order to accurately charge them for usage. Therefore, PGPP is pre-pay only, though this can be adjusted to emulate post-payment (e.g., users pre-pay for tokens on an ongoing basis rather than only monthly, and tokens are valid for a longer time period, such as a year, rather than for only one billing period).

Each token represents a unit of access, as is appropriate for the service provider. Some providers may choose to offer flat-rate unlimited-data service, in which case each token represents a fixed period of time; this is the default approach that we use to describe the scheme below. Other providers may choose to offer metered service, in which case each token represents a fixed unit of data, such as 100 MB or 1 GB, rather than a period of time. Still others may choose to provide two-tiered service priority by marking each token with a priority bit in addition to either unlimited data or metered data service; such prioritization does come with slight privacy loss, as the MVNO and MNO alike would be able to differentiate which priority level was in use. The privacy loss of two-tiered data priority can be partially mitigated by offering all users some amount of time or GB of high-priority service, after which they must fall back to low-priority service; such a service plan structure is fairly standard in the industry today. In such a setting, each user would have both high-priority and low-priority tokens and thus would not be clearly stratified into two identifiable groups of users.

At the beginning of a billing period, the billing system defines s time slices (e.g., corresponding to hours) or another unit of access (e.g., a unit of data) and generates s RSA keypairs for performing blind signatures using Chaum's scheme. It then appends the public keys for this time period to a well-known public repository that is externally maintained (e.g., on GitHub), and these are fetched by users. The user generates s tokens, where each token takes the form i||r, where i is the time slice index as a 256-bit unsigned value, zero indexed from the beginning of the billing period, and r is a 256-bit random value chosen by the user. The user then blinds these tokens. The user pays the bill using a conventional means of payment (e.g., credit card) and presents the blinded tokens to the billing system to be signed; the system signs each token with the corresponding time slice key and returns these values to the user. The user unblinds the response values and verifies the signatures for each.

Upon later authentication to the service, the user presents its signed token for the current time slice to the PGPP-GW, which verifies the signature and, if valid, begins forwarding the user's traffic onto the Internet. Since the token signature was generated using Chaum's scheme, the service cannot determine which human user corresponds to which signed token. If the same token is used by two different users during the same time period, then the service can conclude that a user has shared their credentials and is attempting to cheat.
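The token life cycle described above (slice keys at the billing system, blinding by the user, blind signing, unblinding and verification, then presentation to the PGPP-GW with shared-credential detection), as an added example that is not the PGPP authors' code. Assumptions not stated on the page: the token i||r is hashed with SHA-256 before it is signed, the gateway remembers which session first presented each token so that a second session presenting the same token is flagged as sharing, and the RSA keys are 512 bits so that the pure-Python key generation finishes quickly (the paper benchmarks 2048-bit keys).

```python
"""Constructed demo of PGPP-style access tokens using Chaum RSA blind signatures."""
import hashlib
import math
import secrets

FIELD_BITS = 256  # i (slice index) and r (random) are 256-bit unsigned values


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test; adequate for a demo key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand):
            return cand


def gen_rsa_keypair(bits: int = 512):
    """Textbook RSA (n, e, d). 512-bit keys are an assumption for demo speed only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def token_digest(slice_index: int, r: int, n: int) -> int:
    """Value that is signed: SHA-256(i || r), i and r as 256-bit big-endian fields (assumption)."""
    raw = slice_index.to_bytes(32, "big") + r.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n


class BillingSystem:
    """One RSA keypair per time slice of the billing period; signs blinded tokens."""

    def __init__(self, num_slices: int, bits: int = 512):
        self._keys = [gen_rsa_keypair(bits) for _ in range(num_slices)]

    def public_keys(self):
        return [(n, e) for n, e, _ in self._keys]  # published; fetched by users and PGPP-GW

    def sign_blinded(self, slice_index: int, blinded: int) -> int:
        # Only the blinded value is seen here, so the signed token cannot later
        # be matched back to the paying customer.
        n, _, d = self._keys[slice_index]
        return pow(blinded, d, n)


class Subscriber:
    """User side: build s tokens, blind them, get them signed, unblind and verify."""

    def __init__(self, public_keys):
        self.pub = public_keys
        self.tokens = {}  # slice index -> (r, signature)

    def request_tokens(self, billing: BillingSystem) -> int:
        for i, (n, e) in enumerate(self.pub):
            r = secrets.randbits(FIELD_BITS)
            m = token_digest(i, r, n)
            b = 2 + secrets.randbelow(n - 3)  # blinding factor, must be invertible mod n
            while math.gcd(b, n) != 1:
                b = 2 + secrets.randbelow(n - 3)
            blinded = (m * pow(b, e, n)) % n
            sig = (billing.sign_blinded(i, blinded) * pow(b, -1, n)) % n  # unblind
            if pow(sig, e, n) != m:  # user verifies every signature before storing it
                raise ValueError(f"bad signature for slice {i}")
            self.tokens[i] = (r, sig)
        return len(self.tokens)


class PGPPGateway:
    """PGPP-GW: verifies the token for a slice and flags tokens presented by two sessions."""

    def __init__(self, public_keys):
        self.pub = public_keys
        self._holder = {}  # (slice, r) -> session that first presented it (replicated DB in practice)

    def authenticate(self, session_id: str, slice_index: int, r: int, sig: int) -> str:
        if not 0 <= slice_index < len(self.pub):
            return "invalid"
        n, e = self.pub[slice_index]
        if pow(sig, e, n) != token_digest(slice_index, r, n):
            return "invalid"
        first = self._holder.setdefault((slice_index, r), session_id)
        return "ok" if first == session_id else "shared"
```

The billing system never sees r or the unblinded signature, so a token presented at the PGPP-GW is unlinkable to the payment; the gateway needs only the per-slice public keys and the list of tokens it has already accepted.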

The costs of this scheme to both the PGPP operator and the user are low. The operator stores the list of used tokens in a standard consistent and replicated cloud database, so the service can operate multiple PGPP-GWs, though it is likely that a small number of PGPP-GWs can serve a large number of users: we benchmarked the 2048-bit RSA signature verification used here at 31 µs per call using Crypto++ [21] on a single core of a 2.6 GHz Intel Xeon E5-2640 CPU, and thus with a single CPU core the PGPP-GW can handle token verification for tens of millions of users. The tokens themselves are small, and the storage cost to the provider is about 15 MB / user per time period, which is a small amount for any user's phone to store, and for a provider even hundreds of millions of tokens amounts to mere GBs of data in cloud storage.

User device agent. To automate the process of authenticating with the PGPP-GW, we create a simple agent that runs as a background job on the user device. This agent leverages the Android JobScheduler API: in the event of cellular connectivity, the JobScheduler triggers PGPP-token-based authentication with the PGPP-GW. The agent establishes a TLS connection to the PGPP-GW and then sends the token for the current time slice. Once the user presents a valid token, the PGPP-GW begins forwarding traffic for that user, and thus this behavior is akin to a captive portal, though the authentication is automatic and unseen by the user.

5.2 Location privacy

As described in §2.2, cellular operators track user location in the form of tracking areas for UEs in order to quickly find users when there is incoming content. PGPP leverages an existing mechanism in the cellular standard to reduce the effectiveness of the local-targeted attacks described in §4.1.

Paging has been exploited in the past to discover user location by adversaries. However, the use of tracking areas is useful for the cellular provider in that it confines the signaling message load (i.e., paging messages) to a relatively small subset of the infrastructure. Tracking areas reduce mobility signaling from UEs as they move through the coverage zone of a single tracking area. Note that emergency calling represents a special case in cellular networks. When a device dials 911, the phone and network attempt to estimate accurate location information. In this work we do not alter this functionality, as we anticipate that users dialing 911 are willing to reveal their location.

In PGPP we exploit the tracking area list (TAL) concept introduced in 3GPP Release 8 [2]. Using TALs, a UE no longer belongs to a single tracking area, but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users [56–58], in PGPP we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) that victim is within. We explore tradeoffs in terms of TAL length, control traffic overhead, and location anonymity in the next section.
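The per-UE TAL generation just described, as an added example that is not the PGPP authors' code. The tracking-area adjacency graph is constructed here as a grid; a deployment would derive it from the tracking-area geography. The random target length and the "grow from the current TA by one adjacent TA at a time" loop follow the paragraph above; the validity check is an added helper showing what the AMF can assert about any TAL it hands out.

```python
"""Constructed example of per-UE tracking area list (TAL) generation (§5.2 of the paper)."""
import random

TAL_MAX = 16  # 3GPP limit on the number of tracking areas in a TAL


def grid_adjacency(width: int, height: int) -> dict:
    """Constructed TA map: TAs on a grid, each adjacent to its four neighbours."""
    adj = {}
    for y in range(height):
        for x in range(width):
            ta = y * width + x
            nbrs = []
            if x > 0:
                nbrs.append(ta - 1)
            if x < width - 1:
                nbrs.append(ta + 1)
            if y > 0:
                nbrs.append(ta - width)
            if y < height - 1:
                nbrs.append(ta + width)
            adj[ta] = nbrs
    return adj


def generate_tal(current_ta: int, adjacency: dict, rng=None, max_len: int = TAL_MAX) -> list:
    """AMF-side TAL for one UE: start from the TA the UE is attached in, then
    repeatedly add a randomly chosen TA adjacent to the list built so far, up to a
    random target length of at most max_len. Each call yields a fresh, UE-specific TAL."""
    rng = rng if rng is not None else random.SystemRandom()
    target_len = rng.randint(1, max_len)
    tal, members = [current_ta], {current_ta}
    while len(tal) < target_len:
        frontier = sorted({nb for ta in tal for nb in adjacency.get(ta, ())} - members)
        if not frontier:  # nothing adjacent left to add (small or isolated map)
            break
        nxt = rng.choice(frontier)
        tal.append(nxt)
        members.add(nxt)
    return tal


def is_valid_tal(tal: list, current_ta: int, adjacency: dict, max_len: int = TAL_MAX) -> bool:
    """Invariants the AMF relies on: the UE's current TA comes first, no duplicates,
    the 3GPP length limit holds, and every TA is adjacent to an earlier member."""
    if not tal or tal[0] != current_ta or len(tal) > max_len or len(set(tal)) != len(tal):
        return False
    seen = {tal[0]}
    for ta in tal[1:]:
        if not any(ta in adjacency.get(prev, ()) for prev in seen):
            return False
        seen.add(ta)
    return True


def paging_domain(tal: list, gnodebs_by_ta: dict) -> set:
    """gNodeBs that must broadcast a page for this UE: the union over the TAL."""
    return {gnb for ta in tal for gnb in gnodebs_by_ta.get(ta, ())}
```

Because the target length and each added neighbour are drawn at random per attach, two UEs in the same cell receive different TALs, which is what removes the attacker's a priori knowledge of the page broadcast domain; the cost, visible through paging_domain, is that every extra TA adds its gNodeBs to the set that must carry the page.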

6 Analysis

To study the implications of a PGPP deployment, we create a simulation to model users, mobility, and cell infrastructure. We study the impact of PGPP's design on various cellular attacks that occur today. We then analyze the inherent tradeoffs from the PGPP operator's perspective, as improved privacy comes at the price of increased control traffic. Lastly, we examine PGPP in a lab testbed on real devices.

Figure 3: Partial simulation map. Cells are shaded by AT&T tracking area.

Figure 4: gNodeBs visited by simulated mobile users (distribution of the number of gNodeBs visited, 0 to 30, for cars and for pedestrians).

6.1 Simulation configuration

gNodeB dataset. We select Los Angeles County, California as the region for our simulation, which provides a mix of both highly urban areas as well as rural areas. For gNodeB location information, we use OpenCellID [43], an open database that includes tower locations and carrier information. To simplify the simulation, we select base stations from the database that are listed as providing LTE from AT&T, the provider with the most LTE eNodeBs (22,437) in the region. We use LTE eNodeBs as the number of gNodeBs deployed remains small.

Given their geographic coordinates, we estimate coverage areas for every gNodeB using a Voronoi diagram. During the simulation, a UE is assigned to the gNodeB that corresponds to the region the UE is located within. While such discretization is not likely in reality, as UEs remain associated with a gNodeB based on received signal strength, this technique provides us with a tractable mobility simulation. A partial map of the simulation region is shown in Figure 3. eNodeB regions are shaded based on the tracking area value in the OpenCellID database.

Mobility traces. To simulate realistic mobility patterns (i.e., users must follow available paths), we generate mobility traces using the Google Places [29] and Directions [28] APIs. First, we use the Places API to find locations in the simulation region that are available when searching for "post office". Each place is associated with latitudinal and longitudinal coordinates. We then generate mobility traces by randomly selecting start and end points and use the Directions API to obtain a polyline with coordinates along with estimated times to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals, in a method similar to [10]. We use this output along with the gNodeB Voronoi diagram to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore, we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so, we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1,000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication from connectivity, and increasing the broadcast domain for users, we increase user identity privacy even with an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user when under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$$H_M = \log_2(N) \qquad (1)$$

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)} \qquad (2)$$

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the anonymity set for traditional cellular is $\log_2(1)/\log_2(22437) = 0$, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect for each paging message the number of gNodeBs that had users within their range and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8 the degree of anonymity is 0.748.

Figure 5: Degree of anonymity using TALs and custom TAs. (a) TALs: degree of anonymity against S (N = 22,437) for the conventional network and TAL lengths 4, 8, 12 and 16. (b) Custom TAs: degree of anonymity against S (N = 22,437) for the conventional network and underlying maps of 25, 50, 100, 200, 500 and 1,000 TAs.

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs and, by extension, the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs.

In traditional cell networks, each user has a globally unique IMSI (S = 1), resulting in a degree of anonymity of zero, as the victim could only be one user. In our measurement study (§3) we showed that IMSIs are routinely broadcast over cell networks, making an IMSI catcher or SDR attack powerful. The subset S in PGPP, on the other hand, is the size of the population of PGPP users in a given location, as all IMSI values are identical and a local bulk attacker cannot know the true identity of a single user. To get an idea of S, we can calculate the number of PGPP users connected to each gNodeB in the simulation. Over the course of the simulation, we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity $\log_2(223.09)/\log_2(50000) = 0.50$. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over the conventional cellular architecture and is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.

Figure 6: Area anonymity using TALs and custom TAs. (a) TALs: CDF of page area anonymity (km²) for the conventional network (TAL disabled) and TAL lengths 4, 8, 12 and 16. (b) Custom TAs: CDF of page area anonymity (km²) for the conventional network (TAL disabled) and underlying maps of 25, 50, 100, 200, 500 and 1,000 TAs.
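Equation (2) applied to the two bulk-attack cases above (the global-bulk anonymity set measured in gNodeBs with at least one PGPP client, and the local-bulk anonymity set measured in PGPP users at one gNodeB), as an added example that is not the PGPP authors' code. The per-page attachment snapshots are constructed; the paper derives them from its mobility simulation, and the choice of median (global) versus mean (local) follows the text.

```python
"""Constructed example: degree-of-anonymity calculations from §6.2 of the paper."""
import math
import statistics


def degree_of_anonymity(S: float, N: float) -> float:
    """Equation (2): d = log2(S) / log2(N), with S the anonymity set and N the population.
    S = 1 gives 0 (victim uniquely identified); S = N gives 1 (ideal anonymity)."""
    if N <= 1 or S <= 1:
        return 0.0
    return min(1.0, math.log2(S) / math.log2(N))


# Constructed snapshots: for each paging message, a map from gNodeB id to the number
# of PGPP users attached there at that moment (only occupied gNodeBs are listed).
PAGE_SNAPSHOTS = [
    {"gnb-1": 3, "gnb-2": 5},
    {"gnb-1": 2, "gnb-3": 1, "gnb-4": 4},
    {"gnb-2": 6},
]


def global_bulk_anonymity(snapshots, total_gnodebs: int) -> float:
    """Carrier-level attacker: it knows the exact gNodeB of an active UE, but with
    identical IMSIs the victim could be behind any gNodeB holding a PGPP client.
    S is the median number of occupied gNodeBs per page, N the gNodeB count."""
    occupied_per_page = [len(snap) for snap in snapshots]
    return degree_of_anonymity(statistics.median(occupied_per_page), total_gnodebs)


def local_bulk_anonymity(snapshots, total_users: int) -> float:
    """gNodeB-level attacker (IMSI catcher / SDR): every IMSI it sees is identical, so
    S is the number of PGPP users at that gNodeB, averaged over occupied gNodeBs;
    N is the PGPP user population."""
    counts = [c for snap in snapshots for c in snap.values()]
    return degree_of_anonymity(statistics.mean(counts), total_users)
```

With the paper's own figures, degree_of_anonymity(1, 22437) reproduces the conventional baseline of 0 and degree_of_anonymity(223.09, 50000) the local-bulk value of 0.50; the local-bulk result grows with the subscriber population, which is the dependency the text points out.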

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5,876.96 and 9,585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4,891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.

Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF of control traffic (pages per gNodeB, log scale from 10^0 to 10^6) for the conventional network and TAL lengths 4, 8, 12 and 16, with the max pages/s line. (b) Capacity with TALs: user capacity (millions, 0 to 25) against TAL length (1 to 16), for the median, 95th percentile and max gNodeB.

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus, we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted in the vertical red line in the figure (525 pages × 3,600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile, and the median to estimate the number of users each could theoretically support by taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF of control traffic (pages per gNodeB, log scale from 10^0 to 10^6) for the conventional map and maps of 25, 50, 100, 200, 500 and 1,000 TAs, with the max pages/s line. (b) Custom TAs, capacity: user capacity (millions, 0 to 25) against the number of TAs in the underlying map (0 to 1,000), for the median, 95th percentile and max gNodeB.

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic capacity, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a basemap consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.⁴ Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI, in a simple key-value store with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.
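To make the keying problem concrete, here is an added example (not srsLTE code and not the paper's prototype) of a minimal AMF context store. It shows why an IMSI-keyed store breaks once every PGPP UE presents the same IMSI, and how keying by a PGPPIMSI derived from the IMSI plus a per-connection value keeps contexts distinct. The context fields, the choice of the gNodeB id, RNTI and a per-connection nonce as the "temporary value", and the use of a hash to combine them are this example's assumptions; the paper only says the two are "combined".

```python
"""AMF UE-context store keyed by PGPPIMSI (added example, not srsLTE code)."""
import hashlib
from dataclasses import dataclass

# Constructed value: in PGPP every UE presents the same IMSI to the network.
SHARED_IMSI = "001010123456789"


@dataclass
class UEContext:
    imsi: str
    pgpp_imsi: str
    gnodeb_id: int
    rnti: int          # per-cell identifier assigned by the gNodeB
    state: str = "attaching"


def make_pgpp_imsi(imsi: str, gnodeb_id: int, rnti: int, conn_nonce: str) -> str:
    """Combine the (shared) IMSI with a value unique to this UE-gNodeB-AMF
    connection. Assumption: gNodeB id + RNTI + a per-connection nonce form
    that value, and SHA-256 is used to combine them."""
    material = f"{imsi}|{gnodeb_id}|{rnti}|{conn_nonce}".encode()
    return hashlib.sha256(material).hexdigest()[:32]


class AMF:
    def __init__(self):
        self.by_imsi = {}       # conventional store: IMSI -> context
        self.by_pgpp_imsi = {}  # PGPP store: PGPPIMSI -> context

    def attach(self, imsi, gnodeb_id, rnti, conn_nonce):
        key = make_pgpp_imsi(imsi, gnodeb_id, rnti, conn_nonce)
        ctx = UEContext(imsi, key, gnodeb_id, rnti)
        # With identical IMSIs the conventional store silently overwrites the
        # previous UE's context; the PGPPIMSI store keeps both.
        self.by_imsi[imsi] = ctx
        self.by_pgpp_imsi[key] = ctx
        return key

    def handle_mobility(self, pgpp_imsi, new_state):
        """Mobility-related messages are matched to the correct context by PGPPIMSI."""
        ctx = self.by_pgpp_imsi[pgpp_imsi]
        ctx.state = new_state
        return ctx


def demo():
    amf = AMF()
    k1 = amf.attach(SHARED_IMSI, gnodeb_id=7, rnti=61, conn_nonce="nonce-1")
    k2 = amf.attach(SHARED_IMSI, gnodeb_id=7, rnti=62, conn_nonce="nonce-2")
    amf.handle_mobility(k1, "connected")   # must not touch the second UE
    return {
        "distinct_keys": k1 != k2,
        "imsi_keyed_contexts": len(amf.by_imsi),        # 1: first UE was clobbered
        "pgpp_keyed_contexts": len(amf.by_pgpp_imsi),   # 2: both UEs retained
        "ue1_state": amf.by_pgpp_imsi[k1].state,
        "ue2_state": amf.by_pgpp_imsi[k2].state,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the PGPPIMSI lives only inside the core's context store; nothing new is sent over the air, which is what keeps the change invisible to the UE and the gNodeB.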

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe in

⁴We build our prototype on a 4G LTE platform, as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.


[Figure 10: Connection delays due to sync_failure. PDF of time to connection complete (s), on a 0.0 to 1.0 s axis.]

Figure 10 that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFs, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFs, as the core network entities are being redesigned to be virtualized and located nearer to UEs.
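The sync_failure mechanism from "Identical IMSIs and Shared Keys" and the more-AUSFs mitigation above, as an added model that is not the paper's testbed code and not a real AKA implementation: each side keeps a per-IMSI SQN, the UE accepts a challenge only if its SQN is the immediate successor of the one it stored (a strict-match simplification of the 3GPP freshness window, assumed here), a mismatch costs one resynchronization round trip, and UEs are spread over AUSFs round-robin (also an assumption). It counts how many extra round trips a population of UEs sharing one IMSI incurs, and shows that count fall to zero when each UE lands on its own AUSF.

```python
"""Toy model of AKA sequence-number checks with a shared IMSI (added example).

Simplifications (assumptions of this example, not claims about 3GPP or srsLTE):
- the UE accepts SQN_HE only if it equals its stored SQN + 1;
- a failed check costs exactly one resync round trip, after which the AUSF
  restarts from the UE's reported SQN;
- UE i is served by AUSF (i mod n_ausf).
"""
from dataclasses import dataclass, field

SHARED_IMSI = "001010123456789"   # constructed: the one IMSI all PGPP UEs share


@dataclass
class AUSF:
    sqn: dict = field(default_factory=dict)   # IMSI -> last SQN issued

    def challenge(self, imsi: str) -> int:
        """Issue the next SQN for this IMSI (part of the auth vector)."""
        self.sqn[imsi] = self.sqn.get(imsi, 0) + 1
        return self.sqn[imsi]

    def resync(self, imsi: str, ue_sqn: int) -> None:
        """UE reported its SQN (AUTS in real AKA); adopt it and continue from there."""
        self.sqn[imsi] = ue_sqn


@dataclass
class UE:
    name: str
    imsi: str
    sqn: int = 0

    def check(self, sqn_he: int) -> bool:
        if sqn_he == self.sqn + 1:      # strict-match simplification
            self.sqn = sqn_he
            return True
        return False                    # -> sync_failure


def attach(ue: UE, ausf: AUSF) -> int:
    """Run one attach; return the number of sync_failures (0 or 1)."""
    if ue.check(ausf.challenge(ue.imsi)):
        return 0
    ausf.resync(ue.imsi, ue.sqn)        # extra round trip
    if not ue.check(ausf.challenge(ue.imsi)):
        raise RuntimeError("resync should always succeed in this model")
    return 1


def make_ues(n: int, shared: bool) -> list:
    # Unique IMSIs are constructed from the shared value for comparison only.
    return [UE(f"ue{i}", SHARED_IMSI if shared else f"{SHARED_IMSI}{i:02d}")
            for i in range(n)]


def total_sync_failures(ues: list, n_ausf: int = 1, rounds: int = 3) -> int:
    """Attach every UE `rounds` times; count resyncs across the whole population."""
    ausfs = [AUSF() for _ in range(n_ausf)]
    failures = 0
    for _ in range(rounds):
        for i, ue in enumerate(ues):
            failures += attach(ue, ausfs[i % n_ausf])
    return failures


if __name__ == "__main__":
    print("3 UEs, unique IMSIs, 1 AUSF :", total_sync_failures(make_ues(3, False)))
    print("3 UEs, shared IMSI,  1 AUSF :", total_sync_failures(make_ues(3, True)))
    print("3 UEs, shared IMSI,  3 AUSFs:", total_sync_failures(make_ues(3, True), 3))
```

In this model every attach after the first one on a given AUSF desynchronizes the next UE, so the resync count grows with the number of UEs per AUSF and per-AUSF sharding removes it entirely; the real AKA freshness window changes the constants but not the direction of the effect the paper measures.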

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems, as apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attack or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catchers and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers, and do so while considering active attacks, without requiring fundamental changes on the UE: we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the area in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., an IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks, comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. Communications Assistance for Law Enforcement Act (CALEA). 47 USC 1001-1010, Public Law 103-414, 1994.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, World Telecommunication/ICT Development Report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using Signalling System 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord/, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB, 2019. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCelliD - open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 Redirection Attacks with Audio-Based Distance Bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/, May 2018.

9 Glossary

AKA: Authentication and Key Agreement. The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network.

AMF: Access and Mobility Management Function. The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs.

AUSF: Authentication Server Function. The entity that holds subscription information to allow or deny access to the network.

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks.

EIR: Equipment Identity Register. A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen).

gNodeB: Next Generation NodeB. The base station in 5G.

GUTI: Globally Unique Temporary Identity. The GUTI is a temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network.

IMEI: International Mobile Equipment Identity. A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer.

IMS: IP Multimedia Subsystem. The entity that provides voice and messaging services for the network.

IMSI: International Mobile Subscriber Identity. A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network.

MNO: Mobile Network Operator. A cellular service provider.

MVNO: Mobile Virtual Network Operator. A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks.

NG-RAN: Next Generation Radio Access Network. The network that serves to connect UEs and gNodeBs.

NGC: Next Generation Core. The core network in 5G. The main logical nodes of the NGC are the User Plane Function (UPF), the Access and Mobility Management Function (AMF), the Session Management Function (SMF), and the Authentication Server Function (AUSF).

PGPP-GW: PGPP Gateway. A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity.

RNTI: Radio Network Temporary Identifier. A unique identifier for a UE in a given cell, used to connect over layer 2.

SIM: Subscriber Identity Module. An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network.

SMF: Session Management Function. The session management function supports session management and IP address allocation.

SQN: Sequence Number. A value stored at the AUSF and the SIM to maintain synchrony between the entities.

SS7: Signaling System 7. The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards.

TA: Tracking Area. A tracking area includes one or many gNodeBs. Typically, the UE can move freely among gNodeBs in a tracking area without notifying the AMF with a tracking area update.

TAL: Tracking Area List. A list of tracking areas stored on the device that the device can enter without triggering a tracking area update.

TAP: Transferred Account Procedure. A file detailing usage and wholesale charges due to roaming.

UE: User Equipment. The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone.

UPF: User Plane Function. The gateway that provides global IP connectivity from the NGC.


In our approach, users are protected against location tracking even by their own carrier. We decouple network connectivity from authentication and billing, which allows the carrier to run Next Generation Core (NGC) services that are unaware of the identity or location of their users, while still authenticating them for network use. Our architectural change allows us to nullify the value of the user's IMSI, an often targeted identifier in the cellular ecosystem, as a unique identifier. We shift authentication and billing functionality to outside of the cellular core and separate traditional cellular credentials from credentials used to gain global connectivity.

Since it will take time for infrastructure and legislation to change, our work is explicitly not clean slate. We anticipate that our solution is most likely to be deployed by Mobile Virtual Network Operators (MVNOs), where the MVNO operates the core (NGC) while the base stations (gNodeBs) are operated by a Mobile Network Operator (MNO). This presents us with architectural independence, as the MVNO can alter its core functionality so long as the NGC conforms to LTE/5G standards. While it is not strictly necessary for PGPP to be adopted by an MVNO, we assume that existing industry players (e.g., MNOs) are unlikely to adopt new technologies or have an interest in preserving user privacy unless legal remedies are instituted. As a result, we consider how privacy can be added on top of today's mobile infrastructure by new industry entrants.

Contributions. We describe our prototype implementation, Pretty Good Phone Privacy (PGPP). In doing so, we examine several key challenges in achieving privacy in today's cell architecture. In particular, we consider: 1) which personal identifiers are stored and transmitted within the cellular infrastructure; 2) which core network entities have visibility into them (and how this can be mitigated); 3) which entities have the ability to provide privacy, and with what guarantees; and 4) how we can provide privacy while maintaining compatibility with today's infrastructure and without requiring the cooperation of established providers.

We show PGPP's impact on control traffic and on user anonymity. We show that by altering the network coverage map, we are able to gain control traffic headroom compared with today's networks; we then consume that headroom in exchange for improved anonymity. We analyze the privacy improvements against a variety of common cellular attacks, including those based on bulk surveillance as well as targeted attacks. We find that PGPP significantly increases anonymity where there is none today. We find that an example PGPP network is able to increase the geographic area that an attacker could believe a victim to be within by ~1200% with little change in control load.

Our contributions are as follows

• We design a new architecture that decouples connectivity from authentication and billing functionality, allowing us to alter the identifiers used to gain connectivity (§5.1) and enable PGPP-based operators to continue to authenticate and bill users (§5.1) without identifying them.

[Figure 1: Simplified 5G architecture with and without PGPP. Entities shown: the NG-RAN (gNodeBs) and the NGC (AMF, AUSF, SMF, UPF), the PGPP-GW, a PGPP UE and a conventional UE, with paths labelled Control, Authentication and Connectivity. PGPP decouples authentication and connectivity credentials and shifts authentication to a new external entity, the PGPP-GW. Details of the PGPP-GW are found in §5.1.]

• We adapt existing mechanisms to grow control traffic broadcast domains, thus enhancing user location privacy while maintaining backwards compatibility (§5.2).

• We quantify the impacts of PGPP on both user privacy and network control traffic through simulation (§6), and demonstrate PGPP's feasibility in a lab testbed.

2 Background

Here we provide a brief overview of the cellular architecture and describe the inherent privacy challenges. For simplicity, we focus on 5G, though the fundamental challenges also exist in legacy standards.

2.1 Cellular architecture overview

The 5G architecture can be divided into two areas: the Next Generation Radio Access Network (NG-RAN), which is responsible for radio access, and the Next Generation Core (NGC), which includes the entities responsible for authentication and connectivity to the network core. Figure 1 shows a simplified architecture for both conventional cellular as well as with PGPP. PGPP moves authentication and billing to a new entity, the PGPP-GW, that is external to the NGC. We detail PGPP's specific changes in §5. We include a glossary of cellular terms in Appendix 9.

NG-RAN. The NG-RAN is the network that facilitates connectivity between user devices (UEs)—commonly a cell phone with a SIM card installed—and the serving base station (gNodeB). The NG-RAN is responsible for providing UEs a means of connecting to the NGC via gNodeBs.

NGC. The NGC is the core of the 5G cellular network and includes entities that provide authentication, billing, voice, SMS, and data connectivity. The NGC entities relevant to our discussion are the Access and Mobility Management Function (AMF), the Authentication Server Function (AUSF), the Session Management Function (SMF), and the User Plane Function (UPF). The AMF is the main point of contact for a UE and is responsible for orchestrating mobility and connectivity. UEs authenticate to the network by sending an identifier that is stored in the SIM to the AMF. The AUSF is then queried to verify that the UE is a valid subscriber. Once the UE is authenticated, the AMF assigns the UE to an SMF and UPF, which offer an IP address and connectivity to the Internet. Note that 5G networks can include many copies of these entities and contain many more entities; however, for the purposes of our discussion, this simplified model suffices.

MVNOs. We design our solution to be implemented by a Mobile Virtual Network Operator (MVNO). MVNOs are virtual in that they offer cellular service without owning the infrastructure itself. Rather, MVNOs pay to share capacity on the infrastructure that an underlying carrier operates. MVNOs can choose whether they wish to operate their own core entities, such as the AMF, AUSF, and UPF, which is the type of operation we propose. MVNOs that run their own core network are often called “full” MVNOs. Critically, our architecture is now feasible as the industry moves toward “whitebox” gNodeBs that connect to a central office that is a datacenter with virtualized NGC services, as in the Open Networking Foundation's M-CORD project [26]. Recent work has shown that dramatic performance gains are possible using such newer architectures [54, 55].

2.2 Privacy in the cellular architecture

Maintaining user privacy is challenging in cellular networks, both past and present, as it is not a primary goal of the architecture. In order to authenticate users for access and billing purposes, networks use globally unique client identifiers. Likewise, the cellular infrastructure itself must always “know” the location of a user in order to minimize latency when providing connectivity. We briefly discuss cellular identifiers as well as location information available from the perspective of the cell network in this section. We use acronyms from the 5G architecture as it is the newest standard; however, similar entities exist in all generations (2G, 3G, 4G LTE).

User and device identifiers. There are multiple identifiers that can be used to associate network usage with a given subscriber. Identifiers can be assigned by various actors in the ecosystem, they can vary in degree of permanence, and they can be globally unique across all cellular operators or locally unique within a given network. Table 1 shows these identifiers, their allocators, and their permanence.

The International Mobile Subscriber Identity (IMSI) is the identifier used to gain access to the network when a phone (UE) performs initial attachment. The IMSI is globally unique, permanent, and is stored on the SIM card. Carriers maintain an AUSF database containing the list of IMSIs that are provisioned for use on the network and subscription details for each. Because the IMSI is globally unique and permanent, it is seen as a high-value target for those who wish to surveil cellular users. For example, in recent years there has been a rise of cell-site simulators, also known as IMSI catchers. These devices offer what appears to be a legitimate base station (gNodeB) signal. Since UE baseband radios are naïve and automatically connect to the strongest signal, they will attempt to attach to the IMSI catcher and offer their IMSI. IMSI catchers have been used extensively by law enforcement as well as nation-state adversaries to identify and eavesdrop on cellular users [52].

Identifier             Allocator   Duration
IMSI                   Operator    Permanent
GUTI                   AMF         Temporary
IP Address (static)    Operator    Permanent
IP Address (dynamic)   UPF         Temporary
RNTI                   gNodeB      Temporary

Table 1: User identifiers in LTE

Given the IMSI's importance and sensitivity, temporary identifiers are often used instead. The Globally Unique Temporary Identifier (GUTI) can be thought of as a temporary replacement for an IMSI. Once a phone attaches to the network, the Access and Mobility Management Function (AMF) generates a GUTI value that is sent to the UE, which stores the value. The UE uses the GUTI rather than the IMSI when it attaches to the network in the future. The GUTI can be changed by the AMF periodically. Prior work recently found that GUTIs are often predictable with consistent patterns, thus offering little privacy [31], but this can be remedied with a lightweight fix that we expect will be used going forward.

The 5G network is IP-based, meaning UEs must be given IP addresses in order to connect. IPs can be either statically or dynamically assigned to UEs. Statically assigned IPs are stored in a backend core database. During the attach procedure, the AMF retrieves the static IP address assigned to the UE from the backend. Conversely, dynamic addresses are assigned by the SMF when the UE attaches. Providers can associate a user with an IP address in the network by monitoring traffic at the UPF, which offers a convenient location to place a network tap.

In order to connect with the gNodeB over the NG-RAN, UEs must be assigned radio resources at layer 2, including a temporary unique identifier, the RNTI. Prior work has shown that layer 2 information used on the NG-RAN can be used to link RNTIs with temporary identifiers at higher layers (e.g., GUTIs), provided the attacker knows the GUTI beforehand [60]. This attack is specific to the coverage area of a single cell and can be mitigated by changing the GUTI frequently, as discussed in [31].

User location information. Cellular networks maintain knowledge of the physical location of each UE. Location information is necessary to support mobility and to quickly find the UE when there is an incoming call, SMS, or data for a user. The mechanism used to locate a UE is known as "paging" and it relies on logical groupings of similarly located gNodeBs known as "tracking areas" (TAs). Each gNodeB is assigned to a single TA. TAs can be thought of as broadcast domains for paging traffic. If there is incoming data for an idle UE, the paging procedure is used, where the network sends a paging message to all gNodeBs in the user's last-known TA. Prior work has shown that the paging mechanism can be leveraged by attackers that know an identifier of the victim (e.g., phone number, WhatsApp ID) to generate paging messages intended for the victim, which enables an unprivileged attacker to identify a specific user's location [42]. From an external perspective, the vantage point of remote servers on the web can also be leveraged to localize mobile users given timing information from applications on their devices [64].

Figure 2: Analysis of IMSI broadcasts based on cellular traces captured in measurement study. (a) IMSI page counts: CDF over the number of times an IMSI was paged (log scale, 10^0 to 10^2). (b) Intervals between pages: CDF over the interval between IMSI pages in seconds (log scale, 10^0 to 10^5), with All, Minimum, and Maximum series. (c) User locations over time.

Cellular operators often store location metadata for subscribers, giving them the ability to trace user movement and location history. This bulk surveillance mechanism has been used to establish a user's past location by law enforcement [9].

3 The need for privacy enhancements

In this section we demonstrate the privacy leakage that exists in today's cellular architecture by conducting a measurement study while acting as a relatively weak attacker in a real-world environment. Recall from §2.2 that the IMSI is a globally unique, permanent identifier. Unfortunately for user privacy, the traditional cellular architecture uses IMSIs for authentication and billing as well as providing connectivity, causing the IMSI to be transmitted for multiple reasons.

Because of its importance and permanence, the IMSI is seen as a high-value target for those who wish to surveil cellular users. For example, in recent years there has been a proliferation of cell-site simulators, also known as IMSI catchers. These devices offer what appears to be a legitimate base station (gNodeB) signal. Since UE baseband radios are naïve and automatically connect to the strongest signal, they attempt to attach to the IMSI catcher and offer their IMSI. IMSI catchers have been used extensively by law enforcement and state-level surveillance agencies, with and without warrants, to identify, track, and eavesdrop on cellular users [52].

Dataset. We analyze a dataset of cellular broadcast traces that our team gathered in a small, densely populated area with roughly 80,000 residents over the course of several days in 2015. The traces include messages that were sent on broadcast channels in plaintext for three cellular providers that offer service in the area. Traces were captured using software-defined radios and mobile phones. The trace dataset provides a vantage point that is akin to an IMSI catcher.¹

IMSIs are often broadcast in-the-clear. We discover that, while the architecture is designed to largely use temporary GUTIs once UEs are connected, IMSIs are often present in paging messages. Overall, we see 588,921 total paging messages, with 38,917 containing IMSIs (6.6% of all pages). Of those messages, we see 11,873 unique IMSIs. We track the number of times each individual IMSI was paged and plot a CDF in Figure 2a. As shown, more than 60% of IMSIs were paged more than once in the traces. Note that we count multiple pages seen within one second as a single page. Given this network behavior, even a passive eavesdropper could learn the permanent identifiers of nearby users.

IMSIs can be tracked over time. Given that IMSIs are regularly broadcast, an eavesdropper can track the presence or absence of users over time. We investigate the intervals between pages containing individual IMSIs. In Figure 2b we plot a CDF of intervals (greater than one second) between subsequent pages of individual IMSIs. Overall, we see that IMSIs are repeatedly broadcast over time, even though the design of the architecture should dictate that IMSIs should be used sparingly in favor of temporary GUTIs.
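The two measurements above (per-IMSI page counts with the one-second collapsing rule, and the intervals between subsequent pages) can be reproduced from broadcast-channel records with a short script. The following is an added example written for this page, not the authors' analysis code; the trace lines are constructed for illustration (test-PLMN IMSIs, invented cell ids and timestamps), and the record format `<unix time> cell=<id> page <imsi|tmsi>=<value>` is an assumption of the example rather than a real capture format. It quantifies how much a passive observer with a single vantage point would learn, which is the exposure a defender wants to measure before choosing mitigations.

```python
import re
from collections import defaultdict

# Constructed sample of broadcast paging records (invented for this example,
# not the measurement study's traces). IMSIs use the 001/01 test PLMN.
# Format per line: <unix time> cell=<site id> page <imsi|tmsi>=<value>
SAMPLE_TRACE = """
1433152800.0 cell=A page tmsi=0x1a2b3c4d
1433152800.2 cell=A page imsi=001010000000001
1433152800.7 cell=A page imsi=001010000000001
1433152801.5 cell=B page tmsi=0x5e6f7a8b
1433154600.0 cell=B page imsi=001010000000001
1433154601.0 cell=B page imsi=001010000000002
1433160000.0 cell=C page imsi=001010000000001
1433161800.0 cell=C page tmsi=0x9c0d1e2f
"""

PAGE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) cell=(?P<cell>\S+) page (?P<kind>imsi|tmsi)=(?P<value>\S+)$"
)


def parse_trace(text):
    """Parse trace lines into (timestamp, cell, imsi-or-None), sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PAGE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable paging record: {line!r}")
        imsi = m["value"] if m["kind"] == "imsi" else None
        records.append((float(m["ts"]), m["cell"], imsi))
    records.sort(key=lambda r: r[0])
    return records


def collapse_pages(records, window=1.0):
    """Group IMSI pages per IMSI, treating pages within `window` seconds of the
    previously kept page for that IMSI as a single page (the paper's counting rule)."""
    kept = defaultdict(list)
    for ts, cell, imsi in records:
        if imsi is None:
            continue
        pages = kept[imsi]
        if pages and ts - pages[-1][0] <= window:
            continue
        pages.append((ts, cell))
    return dict(kept)


def cdf(values):
    """Empirical CDF as (value, fraction of samples <= value) pairs."""
    values = sorted(values)
    n = len(values)
    return [(v, (i + 1) / n) for i, v in enumerate(values) if i + 1 == n or values[i + 1] != v]


def summarize(records, window=1.0):
    """Exposure metrics from Section 3: IMSI share of pages, per-IMSI page counts,
    fraction of IMSIs paged more than once, inter-page intervals, and the cell trail."""
    kept = collapse_pages(records, window)
    counts = {imsi: len(p) for imsi, p in kept.items()}
    intervals = {
        imsi: [round(b[0] - a[0], 3) for a, b in zip(p, p[1:])] for imsi, p in kept.items()
    }
    trail = {}
    for imsi, pages in kept.items():
        cells = []
        for _, cell in pages:
            if not cells or cells[-1] != cell:
                cells.append(cell)
        trail[imsi] = cells
    imsi_pages = sum(1 for r in records if r[2] is not None)
    return {
        "total_pages": len(records),
        "imsi_pages": imsi_pages,
        "imsi_share": imsi_pages / len(records) if records else 0.0,
        "unique_imsis": len(counts),
        "page_counts": counts,
        "repeat_fraction": sum(1 for c in counts.values() if c > 1) / len(counts) if counts else 0.0,
        "page_count_cdf": cdf(counts.values()),
        "intervals": intervals,
        "cell_trail": trail,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_trace(SAMPLE_TRACE)), indent=2))
```

On the constructed sample, the two pages of the first IMSI 0.5 s apart collapse into one, so that IMSI counts three pages with intervals of 1799.8 s and 5400 s and a cell trail A, B, C; the cell trail is the same information Figure 2c shows for a real user.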

Individuals can be tracked over time. Given that we can track IMSIs over time, a passive attacker can track individuals' movements. Figure 2c shows locations of base stations that broadcast the IMSI for a single user in the traces. As shown, we saw the user in multiple locations over the course of two days. Location A was recorded at 10am on a Monday; location B was thirty minutes later. The user connected to a base station at location C at noon that same day. Locations D and E were recorded the following day at noon and 1:30pm, respectively. From this we see that a passive observer unaffiliated with a cellular carrier can, over time, record the presence and location of nearby users. This attacker is weak, with a relatively small vantage point. In reality, carriers can and do maintain this information for all of their users.

¹ Trace collection methodology and analysis received IRB approval; extraneous details omitted for blind review.

4 Scope

We believe that many designs are possible to increase privacy in mobile networks, and no architecture today or in the future is likely to provide perfect privacy. Nevertheless, below we discuss various properties that PGPP strives to achieve.

Prior work examined the security vulnerabilities in modern cell networks [33, 42, 63] and revealed a number of flaws in the architecture itself. In addition, data brokers and major operators alike have taken advantage of the cellular architecture's vulnerabilities to profit off of revealing sensitive user data. We believe mobile networks should aim to, at a minimum, provide one or both of the following privacy properties:

• Identity privacy. A network can aim to protect users' identity. Networks, as well as third party attackers, identify users through IMSIs, which are intended to be uniquely identifying.

• Location privacy. A network can aim to protect information about the whereabouts of a phone.

Naturally, these privacy properties do not exist in isolation; they intersect in critical ways. For example, attackers often aim to learn not only who a user is but where a specific user is currently located, or where a user was when a specific call was made. Also, the definition of an attacker or adversary is a complex one and, depending on context, may include individuals aiming to steal user data, mobile carriers and data brokers looking to profit off of user data, governments seeking to perform bulk surveillance, law enforcement seeking to monitor a user with or without due process, and many others. Due to context dependence, we do not expect all privacy-focused mobile networks to make the same choice of tradeoffs.

4.1 Cellular privacy threat model

Given the above discussion, we distinguish between bulk and targeted data collection. We define bulk collection to be the collection of information from existing cellular architecture traffic without the introduction of attack traffic; thus bulk collection is passive. Bulk attacks commonly target user identities (e.g., IMSIs). PGPP's core aim is to protect against bulk attacks. Targeted attacks are active and require injection of traffic to attack specific targets. Targeted attacks are often aimed at discovering a victim's location. We also delineate attacks by the adversary's capabilities, as they may have visibility into an entire network (global) versus, for an unprivileged attacker, some smaller subset of a network's infrastructure (local). Table 2 gives the taxonomy of attacks.

                          Attack type
Visibility   Bulk                               Targeted
Global       Carrier logs [18, 19, 39, 70]      Carrier paging
             Government surveillance [9]
Local        SDR [3, 50, 69]                    Paging attack [34, 42]
             IMSI catcher [37, 52]

Table 2: Common cellular attacks

Carriers and governments are the most common global-bulk attackers. Such bulk surveillance is commonplace in cellular networks and has been at the center of recent lawsuits and privacy concerns. Attacks that employ IMSI catchers or passively listen to broadcasts using software-defined radios are considered local-bulk. Here, an IMSI catcher is only able to monitor phones that connect directly to it, so its visibility is limited to its radio range. Similarly, SDR-based passive snooping (as in the example in §3) is only able to monitor nearby base stations and will miss portions of the network. We design PGPP with a primary focus on thwarting bulk attacks by nullifying the value of IMSIs (§5.1).

Local-targeted attacks can be carried out by ordinary users by generating traffic that causes a network to page a victim (e.g., a phone call to the victim). As local-targeted attackers do not have visibility into the entire network, they must rely upon knowledge of the geographic area that is encompassed by a tracking area. Due to the prevalence of such attacks, as an enhancement an operator can provide functionality, in cooperation with the user, that reduces the efficacy of local-targeted attacks through the use of TALs (§5.2).

Global-targeted attacks represent a very powerful attacker who can actively probe a victim while having global visibility of the network. We envision defenses against such attacks would require fundamental changes to communication models. PGPP does not mitigate global-targeted attacks as we focus on immediately deployable solutions; we leave this to future work.

4.2 Aims

Next we discuss the aims of PGPP by considering several common questions that arise.

What sort of privacy does PGPP provide? As its name suggests, PGPP aims to provide "pretty good" privacy; we don't believe there is a solution that provides perfect privacy, causes no service changes (i.e., does not increase latency), and is incrementally deployable on today's cellular networks. The main focus is to offer privacy against global-bulk surveillance of mobility and location, a practice by carriers that is widespread and pernicious. We thwart this via eliminating the IMSI as an individual identifier and decoupling the authentication and connectivity mechanisms in the cellular architecture.

Isn't 5G more secure than legacy generations? The 5G standard includes enhancements focused on user privacy and system performance over legacy cellular generations. However, the enhancements do not offer location privacy benefits from the carriers.

Encrypted IMSIs. 5G includes the addition of encrypted IMSIs, where public key cryptography, along with ephemeral keys generated on the SIM, is used to encrypt the IMSI when sending it to the network. This protects user IMSIs from eavesdroppers. However, encrypted IMSIs do not prevent the cellular provider itself from knowing the user's identity. An analogy for encrypted IMSIs can be found in DNS over HTTPS (DoH): eavesdroppers cannot see unencrypted traffic, yet the endpoints (the DNS resolver for DoH, the cellular core in 5G) still can. The goal of this work is to not only thwart local-bulk attacks but also protect user privacy from mobile operators that would otherwise violate it (i.e., global-bulk attacks).

Small cell location privacy. The 5G standard strives for reduced latencies as well as much higher data throughputs. This necessitates the use of cells that cover smaller areas in higher frequency spectrum in order to overcome interference, compared with previous cellular generations that used macrocells to provide coverage to large areas. A (likely unintended) byproduct of 5G's use of smaller cells is a dramatic reduction in location privacy for users. As the 5G network provider maintains state pertaining to the location in the network for a given user for the purposes of paging, smaller cells result in the operator or attacker knowing user locations at a much higher precision compared with previous generations.

What about active | traffic analysis | signaling attacks? While active targeted attacks aren't our main focus, we improve privacy in the face of them by leveraging TALs to increase and randomize the broadcast domain for paging traffic, making it more difficult for attackers to know where a victim is located (analyzed in §6.2). Further, the goal of many active attacks is to learn users' IMSIs, and our nullification of IMSIs renders such attacks meaningless.

An attacker with a tap at the network edge could use traffic analysis attacks to reduce user privacy. We largely view this as out of scope, as users can tunnel traffic and use other means to hide their data usage patterns.

Cellular networks rely on signaling protocols such as Signaling System 7 (SS7) and Diameter when managing mobility as well as voice and SMS setup and teardown. These protocols enable interoperability between carriers, needed for roaming and connectivity across carriers. Unfortunately, these protocols were designed with inherent trust in the network players, and have thus been used to reduce user privacy and disrupt connectivity [24, 30, 49, 53, 62]. We design PGPP for 4G/5G data only, which renders legacy SS7 compatibility moot. Our PGPP design expects users to use outside messaging services rather than an in-NGC IMS system.

Can PGPP support roaming? Yes. While we envision that many PGPP users would explicitly not wish to roam, as roaming partners may not provide privacy guarantees, roaming is possible using a Diameter edge agent that only allows for home routed roaming, forcing traffic to route from the visited network's SMF back to the PGPP operator's UPF rather than local breakout, due to our authentication mechanism (§5.1). Roaming, and international roaming in particular, adds billing complexities for the PGPP operator. Typically the visited network collects call data records for each roaming user on its network and calculates the wholesale charges payable by the home network. The visited network then sends a Transferred Account Procedure (TAP) file to the home network via a data clearing house. The home network then pays the visited network. In PGPP, the individual identity of the user that roamed is not known, yet the PGPP operator remains able to pay the appropriate fees to visited networks.

How does PGPP protect user privacy for voice or text service? Out of the box, PGPP doesn't provide protection for such service. Instead, PGPP aims to provide privacy from the cellular architecture itself, and in doing so users are free to use a third party VoIP provider (in which case the phone will operate identically to a normal phone for telephony service from a user's perspective) or use recent systems by Lazar et al. [44, 45] that provide strong metadata privacy guarantees for communications, or similar systems such as [16, 17, 46, 68]. We view PGPP as complementary to such systems.

How does PGPP protect users against leaky apps? PGPP doesn't, as it is about providing protection in the cellular infrastructure. Even without leaky apps, users can always intentionally or inadvertently reveal their identity and location. Leaky apps make this worse, as they collect and sometimes divulge sensitive user information. We see PGPP as complementary to work that has targeted privacy in mobile app ecosystems. Further, apps are not as fundamental as connectivity: users can choose whether to install and run a leaky app, and can constrain app permissions. However, phones are by their nature always connected to carrier networks, and those very networks have been selling user data to third parties.

If users can't be identified by carriers, how can carriers still make money? We introduce PGPP tokens in §5.1 as a mechanism for a PGPP operator to charge customers while protecting user anonymity.

Can't phone hardware be tracked as well? Phones have an International Mobile Equipment Identity (IMEI). The IMEI is assigned to the hardware by the manufacturer and identifies the manufacturer, model, and serial number of a given device. Some operators keep an IMEI database to check whether a device has been reported as stolen, known as an equipment identity register (EIR); IMEIs in the database are blacklisted.

For many devices the IMEI can be changed through software, often without root access. We envision a PGPP MVNO would allow for subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against an EIR to verify the phone has not been reported as stolen. At that point the IMEI could be reprogrammed to a single value, similar to our changes to the IMSI. Note that different jurisdictions have different rules about whether, how, and by whom an IMEI can be changed, so only in some cases IMEI changes require cooperation with the MVNO.

Is PGPP legal? Legality varies by jurisdiction. For example, US law (CALEA [1]) requires providers to offer lawful interception of voice and SMS traffic. A PGPP-based carrier is data-only, with voice and messaging provided by third parties. CALEA requires the provider to offer content of communication data at the UPF, e.g., raw (likely-encrypted) network traffic. This is supported by PGPP.

5 Design

In this section we describe the mechanisms PGPP employs to increase user identity and location privacy. Ultimately, PGPP's design choices appear obvious in retrospect. We believe its simplicity is an asset, as PGPP is compatible with existing networks and immediately deployable.

In order to provide identity privacy against bulk attacks, we nullify the value of the IMSI, as it is the most common target identifier for attackers. In our design, we choose to set all PGPP user IMSIs to an identical value to break the link between IMSI and individual users. This change requires a fundamental shift in the architecture, as IMSIs are currently used for connectivity as well as authentication, billing, and voice/SMS routing. We design a new cellular entity for billing and authentication that preserves identity privacy. Fortunately, the industry push for software-based NGCs makes our architecture feasible. We describe the architecture in §5.1.

To provide location privacy from targeted attacks, PGPP leverages an existing mechanism (TALs) in the cellular specification in order to grow the broadcast domain for control traffic (§5.2). By changing the broadcast domain for every user, the potential location of a victim is broadened from the attacker's vantage point.

5.1 User identity privacy

As discussed in §2.2, IMSIs are globally unique, permanent identifiers. As such, they are routinely targeted by attackers, both legal and illegal. In this section we re-architect the network in order to thwart bulk attacks introduced in §4.1 that are based on identifying individuals via IMSI.

We decouple back-end connectivity from the authentication procedure that normally occurs at the AUSF when a UE attaches to the network. Instead, the PGPP operator issues SIM cards with identical IMSIs to all of its subscribers. In this model, the IMSI is used only to prove that a user has a valid SIM card to use the infrastructure, and in turn the PGPP network can provide an IP address and connectivity, and offer the client a GUTI, providing the user with a unique identity necessary for basic connectivity.

Scheme               Customer   Anonymous   Unique
Standard auth        •
Group/ring sig       •          •
Linkable ring sig    •                      •
Cryptocurrency                  •           •
PGPP tokens          •          •           •

Table 3: Three properties needed for user authentication in a privacy-preserving cell network, and schemes to achieve them

5G authentication is normally accomplished using IMSIs at the AUSF; however, all PGPP users share a single IMSI. Thus, to authenticate a user, we designed a post-attach oblivious authentication scheme to ensure that the PGPP operator is able to account for the user without knowing who they are.

PGPP Gateway. In order to perform this authentication, we create a new logical entity called a PGPP Gateway (PGPP-GW), shown in Figure 1, which sits between the UPF and the public Internet. The UPF is configured to have a fixed tunnel to a PGPP-GW, which can be located outside of the PGPP operator's network. Using this mechanism, the PGPP-GW only sees an IP address, which is typically NATed, and whether that IP address is a valid user. Notably, it does not have any information about the user's IMSI. The PGPP-GW design also allows for many different architectures. For instance, multiple PGPP-GWs could be placed in multiple datacenters or even use a privacy service such as Tor.²

Authentication properties. From the perspective of the PGPP-GW, there are multiple properties an authentication scheme must guarantee: (1) the gateway can authenticate that a user is indeed a valid customer;³ (2) the gateway and/or any other entities cannot determine the user's identity, and thus cannot link the user's credentials/authentication data with a user identity; and (3) the gateway can determine whether a user is unique or if two users are sharing credentials.

As we show in Table 3, the challenge is that standard approaches for authentication only provide one of the three required properties, and widely-studied cryptographic mechanisms only provide two of the three properties. For example, an ordinary authentication protocol (of which there are many [7, 36]) can provide property 1) but not 2) and 3). A cryptographic mechanism such as group signatures [8, 12] or ring signatures [20, 59] can protect the user's identity upon authentication, providing properties 1) and 2), but not 3), as providing the last property would violate the security of the signature scheme. Similarly, traitor tracing schemes [14] (such as for broadcast encryption [25]) can provide all three properties, but in practice cannot provide property 3), as the traitor tracing would require actual physical confiscation of the "traitor" phone by the MVNO, which is infeasible. A variation on ring signatures known as linkable ring signatures [48] provides the ability for a user's identity to be revealed if the user signs multiple messages with the same key. While this is useful in establishing that the user is unique and hasn't shared their credentials, it also partially violates the user's anonymity, as that key cannot be used again.

² We leave exploration into such scenarios to future work.

³ Due to "Know Your Customer" rules in some jurisdictions, the provider may need to have a customer list, necessitating that the user authentication scheme be compatible with periodic explicit customer billing.

Effective authentication. There are two approaches that we view as viable depending on the circumstances. An anonymity-preserving cryptocurrency can provide properties 2) and 3) but not 1), as a cryptocurrency would combine billing and authentication at the PGPP-GW. For MVNOs that are not required to know their customers, an anonymity-preserving cryptocurrency may be the ideal solution for both user authentication and payment, though even the best coins provide imperfect anonymity guarantees [38].

To provide all three properties, we develop a simple scheme called PGPP tokens that helps us sidestep the issues with alternative approaches. The choice of authentication scheme is deployment-context specific. With PGPP tokens, when paying a monthly bill a user retrieves authentication tokens that are blind-signed using Chaum's classic scheme [6, 11] by the billing system. Later, when authenticating to the service, the user presents tokens and the service (the PGPP-GW) verifies their signature before allowing the user to use the network. The token scheme ensures that the service can check the validity of tokens without identifying the user requesting access. The user then presents the next token in advance so as to ensure seamless service. Note that PGPP tokens disallow the post-pay model for cellular billing, as the network would be required to know the identity of users in order to accurately charge them for usage. Therefore, PGPP is pre-pay only, though this can be adjusted to emulate post-payment (e.g., users pre-pay for tokens on an ongoing basis rather than only monthly, and tokens are valid for a longer time period such as a year rather than for only one billing period).

Each token represents a unit of access, as is appropriate for the service provider. Some providers may choose to offer flat-rate unlimited-data service, in which case each token represents a fixed period of time; this is the default approach that we use to describe the scheme below. Other providers may choose to offer metered service, in which case each token represents a fixed unit of data, such as 100 MB or 1 GB, rather than a period of time. Still others may choose to provide two-tiered service priority by marking each token with a priority bit, in addition to either unlimited data or metered data service; such prioritization does come with slight privacy loss, as the MVNO and MNO alike would be able to differentiate which priority level was in use. The privacy loss of two-tiered data priority can be partially mitigated by offering all users some amount of time or GB of high-priority service, after which they must fall back to low-priority service; such a service plan structure is fairly standard in the industry today. In such a setting, each user would have both high-priority and low-priority tokens, and thus would not be clearly stratified into two identifiable groups of users.

At the beginning of a billing period, the billing system defines s time slices (e.g., corresponding to hours) or another unit of access (e.g., a unit of data) and generates s RSA keypairs for performing blind signatures using Chaum's scheme. It then appends the public keys for this time period to a well-known public repository that is externally maintained (e.g., on GitHub), and these are fetched by users. The user generates s tokens, where each token takes the form i‖r, where i is the time slice index as a 256-bit unsigned value, zero indexed from the beginning of the billing period, and r is a 256-bit random value chosen by the user. The user then blinds these tokens. The user pays the bill using a conventional means of payment (e.g., credit card) and presents the blinded tokens to the billing system to be signed; the system signs each token with the corresponding time slice key and returns these values to the user. The user unblinds the response values and verifies the signatures for each.

Upon later authentication to the service, the user presents its signed token for the current time slice to the PGPP-GW, which verifies the signature and, if valid, begins forwarding the user's traffic onto the Internet. Since the token signature was generated using Chaum's scheme, the service cannot determine which human user corresponds to which signed token. If the same token is used by two different users during the same time period, then the service can conclude that a user has shared their credentials and is attempting to cheat.

The costs of this scheme to both the PGPP operator and the user are low. The operator stores the list of used tokens in a standard consistent and replicated cloud database, so the service can operate multiple PGPP-GWs, though it is likely that a small number of PGPP-GWs can serve a large number of users: we benchmarked the 2048-bit RSA signature verification used here at 31 µs per call using Crypto++ [21] on a single core of a 2.6 GHz Intel Xeon E5-2640 CPU, and thus with a single CPU core the PGPP-GW can handle token verification for tens of millions of users. The tokens themselves are small, and the storage cost to the provider is about 1.5 MB / user per time period, which is a small amount for any user's phone to store, and for a provider even hundreds of millions of tokens amounts to mere GBs of data in cloud storage.
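The token flow described over the last few paragraphs (per-slice RSA keys, i‖r tokens blinded by the user, blind-signed by the billing system, unblinded and verified, then presented to the PGPP-GW, which also spots a token presented from two different clients) is carried through end to end below. This is an added example, not the authors' implementation: the RSA key generation is textbook and reduced to 1024 bits so that it runs quickly (the paper benchmarks 2048-bit verification), the hash-then-sign step (`token_digest`) is this example's choice of how to map a token into the RSA group, and the client identifiers, class names and result strings are the example's own. Only the blinded value ever reaches the billing system, and only the token, its signature and a client address ever reach the gateway.

```python
import hashlib
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (enough for a demonstration key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa_keypair(bits=1024):
    """Textbook RSA keypair: returns ((n, e), (n, e, d)). 1024 bits for speed only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, e, pow(e, -1, phi))


def token_digest(token, n):
    """Map a token to an integer below the modulus (hash step is this example's choice)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


class BillingSystem:
    """Publishes one RSA public key per time slice and blind-signs what it is handed."""

    def __init__(self, slices, bits=1024):
        self._keys = [gen_rsa_keypair(bits) for _ in range(slices)]

    def public_keys(self):
        return [pub for pub, _ in self._keys]

    def sign_blinded(self, i, blinded):
        # Sees only the blinded value, never the token or the client's random r.
        n, _, d = self._keys[i][1]
        return pow(blinded, d, n)


class UserDevice:
    def __init__(self, pubkeys):
        self.pubkeys = pubkeys
        self._blinding = {}  # slice -> (token, blinding factor)
        self.signed = {}     # slice -> (token, signature)

    def make_blinded_tokens(self):
        out = []
        for i, (n, e) in enumerate(self.pubkeys):
            r = secrets.randbits(256)
            token = i.to_bytes(32, "big") + r.to_bytes(32, "big")  # i || r
            while True:  # blinding factor must be invertible mod n
                b = secrets.randbelow(n - 2) + 2
                if gcd(b, n) == 1:
                    break
            self._blinding[i] = (token, b)
            out.append((i, token_digest(token, n) * pow(b, e, n) % n))
        return out

    def unblind(self, i, blinded_sig):
        n, e = self.pubkeys[i]
        token, b = self._blinding[i]
        sig = blinded_sig * pow(b, -1, n) % n
        if pow(sig, e, n) != token_digest(token, n):
            raise ValueError("billing system returned a bad signature")
        self.signed[i] = (token, sig)
        return token, sig


class PGPPGateway:
    """Verifies tokens against per-slice public keys and remembers which client
    presented each token so that credential sharing is detectable."""

    def __init__(self, pubkeys):
        self.pubkeys = pubkeys
        self._seen = {}  # (slice, token) -> client identifier (an IP address in PGPP)

    def authenticate(self, client, i, token, sig):
        n, e = self.pubkeys[i]
        if len(token) != 64 or int.from_bytes(token[:32], "big") != i:
            return "wrong-slice"
        if pow(sig, e, n) != token_digest(token, n):
            return "bad-signature"
        owner = self._seen.setdefault((i, token), client)
        return "ok" if owner == client else "shared"


def run_billing_period(slices=3):
    """End-to-end flow: publish keys, blind-sign, unblind, then authenticate."""
    billing = BillingSystem(slices)
    user = UserDevice(billing.public_keys())
    for i, blinded in user.make_blinded_tokens():
        user.unblind(i, billing.sign_blinded(i, blinded))
    gw = PGPPGateway(billing.public_keys())
    tok0, sig0 = user.signed[0]
    tok1, sig1 = user.signed[1]
    return [
        gw.authenticate("10.0.0.1", 0, tok0, sig0),      # valid token for slice 0
        gw.authenticate("10.0.0.1", 0, tok0, sig0),      # same client again: fine
        gw.authenticate("10.0.0.2", 0, tok0, sig0),      # another client reuses it: sharing
        gw.authenticate("10.0.0.1", 0, tok1, sig1),      # slice-1 token presented in slice 0
        gw.authenticate("10.0.0.1", 0, tok0, sig0 ^ 1),  # corrupted signature
    ]


if __name__ == "__main__":
    print(run_billing_period())
```

The gateway's state is just the set of (slice, token) pairs it has accepted, which is what the text describes storing in a replicated database; a real deployment would also bound how long that set is kept (one billing period, since older slice keys are retired).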

User device agent. To automate the process of authenticating with the PGPP-GW, we create a simple agent that runs as a background job on the user device. This agent leverages the Android JobScheduler API: in the event of cellular connectivity, the JobScheduler triggers PGPP-token-based authentication with the PGPP-GW. The agent establishes a TLS connection to the PGPP-GW and then sends the token for the current time slice. Once the user presents a valid token, the PGPP-GW begins forwarding traffic for that user, and thus this behavior is akin to a captive portal, though the authentication is automatic and unseen by the user.

5.2 Location privacy

As described in §2.2, cellular operators track user location in the form of tracking areas for UEs in order to quickly find users when there is incoming content. PGPP leverages an existing mechanism in the cellular standard to reduce the effectiveness of local-targeted attacks described in §4.1.

Paging has been exploited in the past to discover user location by adversaries. However, the use of tracking areas is useful for the cellular provider in that it confines the signaling message load (i.e., paging messages) to a relatively small subset of the infrastructure. Tracking areas reduce mobility signaling from UEs as they move through the coverage zone of a single tracking area. Note that emergency calling represents a special case in cellular networks. When a device dials 911, the phone and network attempt to estimate accurate location information. In this work we do not alter this functionality, as we anticipate that users dialing 911 are willing to reveal their location.

In PGPP we exploit the tracking area list (TAL) concept introduced in 3GPP Release 8 [2]. Using TALs, a UE no longer belongs to a single tracking area, but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users [56–58], in PGPP we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) the victim is within. We explore tradeoffs in terms of TAL length, control traffic overhead, and location anonymity in the next section.
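The on-the-fly TAL generation just described, as an added example in Python that is not code from the paper or its prototype. The adjacency map between tracking areas is constructed for illustration, and the `is_valid_tal` and `needs_tracking_area_update` checks are assumptions about what an AMF would enforce; the paper only specifies the random, iterative selection of adjacent tracking areas up to the limit of 16.

```python
import random

# Constructed adjacency between tracking areas (TAs) on a 3x3 grid; a real AMF
# would derive adjacency from which gNodeBs border one another.
TA_ADJACENCY = {
    "TA0": {"TA1", "TA3"},
    "TA1": {"TA0", "TA2", "TA4"},
    "TA2": {"TA1", "TA5"},
    "TA3": {"TA0", "TA4", "TA6"},
    "TA4": {"TA1", "TA3", "TA5", "TA7"},
    "TA5": {"TA2", "TA4", "TA8"},
    "TA6": {"TA3", "TA7"},
    "TA7": {"TA4", "TA6", "TA8"},
    "TA8": {"TA5", "TA7"},
}

TAL_MAX_LEN = 16  # 3GPP limit on the number of entries in a tracking area list


def generate_tal(adjacency, current_ta, max_len=TAL_MAX_LEN, seed=None):
    """Build a per-UE tracking area list the way Section 5.2 describes.

    Starting from the TA the UE is attached to, repeatedly pick at random one TA
    that borders any TA already in the list, until max_len entries are reached
    or no unlisted neighbour is left.  A different seed per UE yields a
    different list, so an attacker cannot know a UE's TAL a priori.
    """
    if current_ta not in adjacency:
        raise KeyError(f"unknown tracking area {current_ta!r}")
    rng = random.Random(seed)
    tal = [current_ta]
    listed = {current_ta}
    while len(tal) < max_len:
        # Frontier: neighbours of any listed TA that are not yet listed.
        # Sorted so the choice depends only on the seed, not on set order.
        frontier = sorted(
            nbr for ta in tal for nbr in adjacency.get(ta, ()) if nbr not in listed
        )
        if not frontier:
            break  # the coverage area is exhausted before max_len
        chosen = rng.choice(frontier)
        tal.append(chosen)
        listed.add(chosen)
    return tal


def is_valid_tal(adjacency, tal, current_ta, max_len=TAL_MAX_LEN):
    """Structural checks an AMF would apply before sending a TAL (my assumption).

    The list must start with the UE's current TA, stay within the 3GPP limit,
    contain no duplicates, and every later entry must border an earlier one.
    """
    if not tal or tal[0] != current_ta or len(tal) > max_len:
        return False
    if len(set(tal)) != len(tal):
        return False
    for i in range(1, len(tal)):
        if not any(tal[i] in adjacency.get(prev, ()) for prev in tal[:i]):
            return False
    return True


def needs_tracking_area_update(ue_tal, new_ta):
    """A UE moving into a TA already on its list sends no tracking area update."""
    return new_ta not in ue_tal


if __name__ == "__main__":
    # Two UEs attached to the same TA receive different lists.
    print("UE A:", generate_tal(TA_ADJACENCY, "TA4", max_len=5, seed=1))
    print("UE B:", generate_tal(TA_ADJACENCY, "TA4", max_len=5, seed=2))
```

Because the frontier is recomputed from every listed entry, the list grows outward in any direction rather than along a fixed ring of neighbours, which is what makes two UEs on the same gNodeB end up with different broadcast domains.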

6 Analysis

To study the implications of a PGPP deployment, we create a simulation to model users, mobility, and cell infrastructure. We study the impact of PGPP's design on various cellular attacks that occur today. We then analyze the inherent tradeoffs from the PGPP operator's perspective, as improved privacy comes at the price of increased control traffic. Lastly, we examine PGPP in a lab testbed on real devices.

Figure 3: Partial simulation map. Cells are shaded by AT&T tracking area.

Figure 4: gNodeBs visited by simulated mobile users (x-axis: gNodeBs visited, 0–30; series: Cars, Pedestrians).

6.1 Simulation configuration

gNodeB dataset. We select Los Angeles County, California as the region for our simulation, which provides a mix of both highly urban areas as well as rural areas. For gNodeB location information we use OpenCellID [43], an open database that includes tower locations and carrier information. To simplify the simulation, we select base stations from the database that are listed as providing LTE from AT&T, the provider with the most LTE eNodeBs (22,437) in the region. We use LTE eNodeBs as the number of gNodeBs deployed remains small.

Given their geographic coordinates, we estimate coverage areas for every gNodeB using a Voronoi diagram. During the simulation a UE is assigned to the gNodeB that corresponds to the region the UE is located within. While such discretization is not likely in reality, as UEs remain associated with a gNodeB based on received signal strength, this technique provides us with a tractable mobility simulation. A partial map of the simulation region is shown in Figure 3. eNodeB regions are shaded based on the tracking area value in the OpenCellID database.

Mobility traces. To simulate realistic mobility patterns (i.e., users must follow available paths), we generate mobility traces using the Google Places [29] and Directions [28] APIs. First, we use the Places API to find locations in the simulation region that are available when searching for "post office". Each place is associated with latitudinal and longitudinal coordinates. We then generate mobility traces by randomly selecting start and end points and use the Directions API to obtain a polyline with coordinates along with estimated times to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals in a method similar to [10]. We use this output along with the gNodeB Voronoi diagram to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore, we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so, we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.
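The k-means grouping of gNodeBs into custom tracking areas, as an added Python example that is not taken from the paper's simulation code. The gNodeB coordinates are constructed, the farthest-point seeding is my choice (the paper does not say how it seeds k-means), and the Euclidean distance on raw latitude/longitude follows the text.

```python
import random


def _jittered_sites(center_lat, center_lon, count, seed):
    """Constructed gNodeB sites scattered within ~1 km of a centre (sample data)."""
    rng = random.Random(seed)
    return [
        (center_lat + rng.uniform(-0.01, 0.01), center_lon + rng.uniform(-0.01, 0.01))
        for _ in range(count)
    ]


# Constructed dataset: 18 sites in three well-separated groups.  The paper's
# simulation used 22,437 AT&T LTE eNodeB sites from OpenCellID instead.
GNODEBS = (
    _jittered_sites(34.00, -118.00, 6, seed=1)
    + _jittered_sites(34.50, -118.50, 6, seed=2)
    + _jittered_sites(33.50, -117.50, 6, seed=3)
)


def _dist2(a, b):
    # Squared Euclidean distance on raw (lat, lon), as the text describes.
    # Fine for grouping nearby sites; it is not a geodesic distance.
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2


def _farthest_point_init(coords, k):
    """Deterministic seeding (my choice): the first site, then repeatedly the
    site farthest from every centre chosen so far."""
    centers = [coords[0]]
    while len(centers) < k:
        nxt = max(coords, key=lambda p: min(_dist2(p, c) for c in centers))
        centers.append(nxt)
    return centers


def kmeans_tracking_areas(coords, k, max_iter=100):
    """Lloyd's k-means over gNodeB coordinates; returns one TA index per gNodeB."""
    if not 1 <= k <= len(coords):
        raise ValueError("k must be between 1 and the number of gNodeBs")
    centers = _farthest_point_init(coords, k)
    labels = [0] * len(coords)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: _dist2(p, centers[j])) for p in coords]
        # Move each centre to the mean of its members; an empty TA keeps its centre.
        for j in range(k):
            members = [p for p, lab in zip(coords, new_labels) if lab == j]
            if members:
                centers[j] = (
                    sum(m[0] for m in members) / len(members),
                    sum(m[1] for m in members) / len(members),
                )
        if new_labels == labels:
            break  # assignments stable: converged
        labels = new_labels
    return labels


def tracking_area_map(coords, k):
    """Group gNodeB indices by TA: {ta_id: [gNodeB indices]}, i.e. a custom TA map."""
    tas = {}
    for idx, ta in enumerate(kmeans_tracking_areas(coords, k)):
        tas.setdefault(ta, []).append(idx)
    return tas


if __name__ == "__main__":
    for ta, members in sorted(tracking_area_map(GNODEBS, 3).items()):
        print(f"TA{ta}: gNodeBs {members}")
```

Raising k produces tracking areas with fewer gNodeBs each, which is the lever Section 6.3.2 uses to bring paging load back down while TALs stay long.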

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication from connectivity, and increasing the broadcast domain for users, we increase user identity privacy even with an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user when under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$H_M = \log_2(N)$ (1)

Figure 5: Degree of anonymity using TALs and custom TAs. Both panels plot the degree of anonymity (0–1.0) against the anonymity set size S (0–20,000) with N = 22,437. (a) TALs: series Conventional, TAL length 4, 8, 12, 16. (b) Custom TAs: series Conventional, TAs 25, 50, 100, 200, 500, 1000.

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)}$ (2)

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the anonymity set for traditional cellular is $\log_2(1)/\log_2(22437) = 0$, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect for each paging message the number of gNodeBs that had users within their range and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8, the degree of anonymity is 0.748.

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs and, by extension, the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs.

In traditional cell networks, each user has a globally unique IMSI (S = 1), resulting in a degree of anonymity of zero, as the victim could only be one user. In our measurement study (§3) we showed that IMSIs are routinely broadcast over cell networks, making an IMSI catcher or SDR attack powerful. The subset S in PGPP, on the other hand, is the size of the population of PGPP users in a given location, as all IMSI values are identical and a local bulk attacker cannot know the true identity of a single user. To get an idea of S, we can calculate the number of PGPP users connected to each gNodeB in the simulation. Over the course of the simulation we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity $\log_2(223.09)/\log_2(50000) = 0.50$. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over conventional cellular architecture and is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.

Figure 6: Area anonymity using TALs and custom TAs. Both panels are CDFs (0–1.0) of page area anonymity (km², 0–20,000). (a) TALs: series Conventional (TAL disabled), TAL length 4, 8, 12, 16. (b) Custom TAs: series Conventional (TAL disabled), TAs 25, 50, 100, 200, 500, 1000.

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5,876.96 and 9,585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4,891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.

Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF (0–1.0) of control traffic in pages (log scale, 10^0–10^6); series Conventional, TAL length 4, 8, 12, 16, plus a Max pages/s line. (b) Capacity with TALs: user capacity (millions, 0–25) against TAL length (1–16); series Median, 95th percentile, Max.

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted by the vertical red line in the figure (525 pages × 3600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile, and the median to estimate the number of users each could theoretically support by taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF (0–1.0) of control traffic in pages (log scale, 10^0–10^6); series Conventional, TAs 25, 50, 100, 200, 500, 1000, plus a Max pages/s line. (b) Custom TAs, capacity: user capacity (millions, 0–25) against the number of TAs in the underlying map (0–1000); series Median, 95th percentile, Max.
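The capacity estimate derived from the BTS3202E paging limit, as an added Python example that is not drawn from the paper's code. The per-gNodeB loads are constructed; the assumption that paging load at a gNodeB scales linearly with the user population (so capacity = simulated users × budget / observed load) is mine, as is the nearest-rank definition of the 95th percentile.

```python
import math
from statistics import median

BTS3202E_MAX_PAGES_PER_SEC = 750  # limit cited in the text for the Huawei BTS3202E
PLANNING_HEADROOM = 0.70          # the text budgets 70% of the datasheet limit
SIMULATED_USERS = 50_000          # population in the one-hour simulation


def hourly_paging_budget(max_pages_per_sec=BTS3202E_MAX_PAGES_PER_SEC,
                         headroom=PLANNING_HEADROOM):
    """Pages per hour one gNodeB may carry: 525 pages/s x 3600 s = 1,890,000."""
    return round(max_pages_per_sec * headroom * 3600)


def user_capacity(simulated_users, pages_per_hour_at_gnodeb, budget=None):
    """Users the network could carry before this gNodeB exhausts its paging budget.

    Assumes (my assumption) that the paging load a gNodeB sees scales linearly
    with the user population, so capacity = users x budget / observed load.
    """
    budget = hourly_paging_budget() if budget is None else budget
    if pages_per_hour_at_gnodeb <= 0:
        return math.inf  # a gNodeB that paged nobody imposes no limit
    return int(simulated_users * budget / pages_per_hour_at_gnodeb)


def _nearest_rank_percentile(sorted_values, pct):
    # Nearest-rank percentile (my choice of definition).
    rank = math.ceil(pct / 100 * len(sorted_values))
    return sorted_values[max(rank - 1, 0)]


def capacity_summary(simulated_users, per_gnodeb_pages_per_hour):
    """Capacity implied by the busiest, 95th-percentile and median gNodeB, as in Figure 7b."""
    loads = sorted(per_gnodeb_pages_per_hour)
    return {
        "max": user_capacity(simulated_users, loads[-1]),
        "95th": user_capacity(simulated_users, _nearest_rank_percentile(loads, 95)),
        "median": user_capacity(simulated_users, median(loads)),
    }


# Constructed per-gNodeB hourly paging loads standing in for simulation output.
SAMPLE_LOADS = [i * 100_000 for i in range(1, 21)]

if __name__ == "__main__":
    print("budget per gNodeB:", hourly_paging_budget(), "pages/hour")
    print(capacity_summary(SIMULATED_USERS, SAMPLE_LOADS))
```

The "max" figure is the binding one for an operator: the single busiest gNodeB, not the median, determines when paging starts to be dropped, which is why longer TALs cut capacity even when most gNodeBs have headroom to spare.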

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic capacity, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a basemap consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.⁴ Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI in a simple key-value store, with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe in Figure 10 that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFes, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFes, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

⁴ We build our prototype on a 4G LTE platform as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.

Figure 10: Connection delays due to sync_failure (PDF of time to connection complete, 0–1.0 s).
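The sync_failure mechanism described above, as an added Python example (not the paper's testbed code) of why identical IMSIs force re-synchronisation. It is a deliberately simplified AKA: the USIM accepts only the exact next sequence number, and the resynchronisation message carries the USIM's SQN in the clear; real AKA accepts a window of values and protects AUTN/AUTS with a MAC. The behaviour of interest, every device after the first failing once per round before it attaches, survives the simplification.

```python
class Ausf:
    """Home-network side of AKA: one sequence number (SQN_HE) per IMSI."""

    def __init__(self):
        self.sqn = {}

    def challenge(self, imsi):
        """Issue the next SQN for this IMSI (stands in for an AUTN)."""
        self.sqn[imsi] = self.sqn.get(imsi, 0) + 1
        return self.sqn[imsi]

    def resynchronise(self, imsi, sqn_ms):
        """Handle a sync_failure: adopt the SQN the USIM reported and retry."""
        self.sqn[imsi] = sqn_ms


class Usim:
    """Device side: stores the last accepted SQN (SQN_MS)."""

    def __init__(self, imsi):
        self.imsi = imsi
        self.sqn_ms = 0

    def verify(self, sqn):
        # Simplified acceptance rule (assumption): only the exact next SQN is
        # accepted.  Real AKA accepts a window of values and authenticates the
        # challenge with a MAC; the shared-IMSI effect is the same.
        if sqn == self.sqn_ms + 1:
            self.sqn_ms = sqn
            return True
        return False


def attach(ausf, usim, max_attempts=3):
    """Run the attach for one USIM; return how many sync_failures it hit first."""
    failures = 0
    for _ in range(max_attempts):
        if usim.verify(ausf.challenge(usim.imsi)):
            return failures
        failures += 1
        ausf.resynchronise(usim.imsi, usim.sqn_ms)  # AUTS carries SQN_MS
    raise RuntimeError("attach did not converge")


def simulate_shared_imsi(n_devices, rounds=1):
    """PGPP case: every device holds the same IMSI. Returns failures per attach."""
    ausf = Ausf()
    usims = [Usim("PGPP-SHARED-IMSI") for _ in range(n_devices)]
    return [attach(ausf, u) for _ in range(rounds) for u in usims]


def simulate_unique_imsi(n_devices, rounds=1):
    """Conventional case: each device has its own IMSI; SQNs stay in step."""
    ausf = Ausf()
    usims = [Usim(f"IMSI-{i}") for i in range(n_devices)]
    return [attach(ausf, u) for _ in range(rounds) for u in usims]


if __name__ == "__main__":
    print("shared IMSI, 3 devices, 2 rounds:", simulate_shared_imsi(3, rounds=2))
    print("unique IMSIs, 3 devices, 2 rounds:", simulate_unique_imsi(3, rounds=2))
```

Each sync_failure costs one extra round trip to the AUSF, which is the additional delay the testbed measurement shows for every UE after the first; spreading the shared-IMSI population over more AUSF instances shortens the queue each instance has to work through, which is the mitigation the text proposes.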

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems, as apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attack or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catcher and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers and do so while considering active attacks; without requiring fundamental changes on the UE, we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the area in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastruct­ure, as the global telecom infrastructure is truly a network of networks comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session, 1994. Communications Assistance for Law Enforcement Act (CALEA). 47 U.S.C. 1001–1010, Public Law 103-414.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.


[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS ’12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, World Telecommunication/ICT Development Report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 ’15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM ’12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP ’15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET’02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using signalling system 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH ’16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.


[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB, 2019. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS ’19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don’t Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCellID - open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI’18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP ’19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.


[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 Redirection Attacks with Audio-Based Distance Bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. Klein: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR ’16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM ’17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS ’18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: Signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries Service Meant to MonitorInmatesrsquo Calls Could Track You Too httpswwwnytimescom20180510technologycellphone-tracking-law-enforcementhtmlMay 2018

[67] Fabian van den Broek Roel Verdult and Joeri de RuiterDefeating IMSI catchers In ACM SIGSAC Conferenceon Computer and Communications Security CCS rsquo15Denver Colorado USA Oct 2015

[68] Jelle van den Hooff David Lazar Matei Zaharia andNickolai Zeldovich Vuvuzela Scalable private mes-saging resistant to traffic analysis In Proceedings ofthe 25th Symposium on Operating Systems PrinciplesSOSP rsquo15 Monterey California 2015

[69] Kenneth van Rijsbergen The effectiveness of a home-made IMSI catcher build with YateBTS and a BladeRFUniversity of Amsterdam 2016

[70] Zack Whittaker US cell carriers are selling accessto your real-time phone location data httpswwwzdnetcomarticleus-cell-carriers-selling-access-to-real-time-location-dataMay 2018

9 Glossary

AKA: Authentication and Key Agreement. The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network.

AMF: Access and Mobility Management Function. The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs.

AUSF: Authentication Server Function. The entity that holds subscription information to allow or deny access to the network.

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks.

EIR: Equipment Identity Register. A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen).

gNodeB: Next Generation NodeB. The base station in 5G.

GUTI: Globally Unique Temporary Identity. The GUTI is a temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network.

IMEI: International Mobile Equipment Identity. A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer.

IMS: IP Multimedia Subsystem. The entity that provides voice and messaging services for the network.

IMSI: International Mobile Subscriber Identity. A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network.

MNO: Mobile Network Operator. A cellular service provider.

MVNO: Mobile Virtual Network Operator. A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks.

NG-RAN: Next Generation Radio Access Network. The network that serves to connect UEs and gNodeBs.

NGC: Next Generation Core. The core network in 5G. The main logical nodes of the NGC are the User Plane Function (UPF), the Access and Mobility Management Function (AMF), the Session Management Function (SMF), and the Authentication Server Function (AUSF).

PGPP-GW: PGPP Gateway. A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity.

RNTI: Radio Network Temporary Identifier. A unique identifier for a UE in a given cell, used to connect over layer 2.

SIM: Subscriber Identity Module. An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network.

SMF: Session Management Function. The session management function supports session management and IP address allocation.

SQN: Sequence Number. A value stored at the AUSF and the SIM to maintain synchrony between the entities.

SS7: Signaling System 7. The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards.

TA: Tracking Area. A tracking area includes one or many gNodeBs. Typically the UE can move freely among the gNodeBs in a tracking area without notifying the AMF with a tracking area update.

TAL: Tracking Area List. A list of tracking areas stored on the device that the device can enter without triggering a tracking area update.

TAP: Transferred Account Procedure. A file detailing usage and wholesale charges due to roaming.

UE: User Equipment. The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone.

UPF: User Plane Function. The gateway that provides global IP connectivity from the NGC.

  • 1 Introduction
  • 2 Background
    • 2.1 Cellular architecture overview
    • 2.2 Privacy in the cellular architecture
  • 3 The need for privacy enhancements
  • 4 Scope
    • 4.1 Cellular privacy threat model
    • 4.2 Aims
  • 5 Design
    • 5.1 User identity privacy
    • 5.2 Location privacy
  • 6 Analysis
    • 6.1 Simulation configuration
    • 6.2 Cellular privacy attack analysis
    • 6.3 Impact of PGPP on network capacity
      • 6.3.1 Control overhead with PGPP TALs
      • 6.3.2 Control overhead with custom tracking areas
    • 6.4 Testbed analysis
  • 7 Related Work
  • 8 Concluding Remarks
  • 9 Glossary

Function (UPF). The AMF is the main point of contact for a UE and is responsible for orchestrating mobility and connectivity. UEs authenticate to the network by sending an identifier that is stored in the SIM to the AMF; the AUSF is then queried to verify that the UE is a valid subscriber. Once the UE is authenticated, the AMF assigns the UE to an SMF and a UPF, which offer an IP address and connectivity to the Internet. Note that 5G networks can include many copies of these entities and contain many more entities; for the purposes of our discussion, this simplified model suffices.

MVNOs. We design our solution to be implemented by a Mobile Virtual Network Operator (MVNO). MVNOs are virtual in that they offer cellular service without owning the infrastructure itself; rather, MVNOs pay to share capacity on the infrastructure that an underlying carrier operates. MVNOs can choose whether they wish to operate their own core entities such as the AMF, AUSF, and UPF, which is the type of operation we propose; MVNOs that run their own core network are often called "full" MVNOs. Critically, our architecture is now feasible as the industry moves toward "whitebox" gNodeBs that connect to a central office that is a datacenter with virtualized NGC services, as in the Open Networking Foundation's M-CORD project [26]. Recent work has shown that dramatic performance gains are possible using such newer architectures [54, 55].

2.2 Privacy in the cellular architecture

Maintaining user privacy is challenging in cellular networks, both past and present, as it is not a primary goal of the architecture. In order to authenticate users for access and billing purposes, networks use globally unique client identifiers. Likewise, the cellular infrastructure itself must always "know" the location of a user in order to minimize latency when providing connectivity. We briefly discuss cellular identifiers as well as the location information available from the perspective of the cell network in this section. We use acronyms from the 5G architecture as it is the newest standard; however, similar entities exist in all generations (2G, 3G, 4G LTE).

User and device identifiers. There are multiple identifiers that can be used to associate network usage with a given subscriber. Identifiers can be assigned by various actors in the ecosystem, they can vary in degree of permanence, and they can be globally unique across all cellular operators or locally unique within a given network. Table 1 shows these identifiers, their allocators, and their permanence.

The International Mobile Subscriber Identity (IMSI) is the identifier used to gain access to the network when a phone (UE) performs initial attachment. The IMSI is globally unique, permanent, and stored on the SIM card. Carriers maintain an AUSF database containing the list of IMSIs that are provisioned for use on the network and the subscription details for each. Because the IMSI is globally unique and permanent, it is seen as a high-value target for those who wish to surveil cellular users. For example, in recent years there has been a rise of cell-site simulators, also known as IMSI catchers. These devices offer what appears to be a legitimate base station (gNodeB) signal. Since UE baseband radios are naïve and automatically connect to the strongest signal, they will attempt to attach to the IMSI catcher and offer their IMSI. IMSI catchers have been used extensively by law enforcement as well as nation-state adversaries to identify and eavesdrop on cellular users [52].

Identifier             Allocator  Duration
IMSI                   Operator   Permanent
GUTI                   AMF        Temporary
IP address (static)    Operator   Permanent
IP address (dynamic)   UPF        Temporary
RNTI                   gNodeB     Temporary

Table 1: User identifiers in LTE

Given the IMSI's importance and sensitivity, temporary identifiers are often used instead. The Globally Unique Temporary Identifier (GUTI) can be thought of as a temporary replacement for an IMSI. Once a phone attaches to the network, the Access and Mobility Management Function (AMF) generates a GUTI value that is sent to the UE, which stores the value. The UE uses the GUTI rather than the IMSI when it attaches to the network in the future. The GUTI can be changed by the AMF periodically. Prior work recently found that GUTIs are often predictable, with consistent patterns, thus offering little privacy [31], but this can be remedied with a lightweight fix that we expect will be used going forward.

The 5G network is IP-based, meaning UEs must be given IP addresses in order to connect. IPs can be either statically or dynamically assigned to UEs. Statically assigned IPs are stored in a backend core database; during the attach procedure, the AMF retrieves the static IP address assigned to the UE from the backend. Conversely, dynamic addresses are assigned by the SMF when the UE attaches. Providers can associate a user with an IP address in the network by monitoring traffic at the UPF, which offers a convenient location to place a network tap.

In order to connect with the gNodeB over the NG-RAN, UEs must be assigned radio resources at layer 2, including a temporary unique identifier, the RNTI. Prior work has shown that layer 2 information used on the NG-RAN can be used to link RNTIs with temporary identifiers at higher layers (e.g., GUTIs), provided the attacker knows the GUTI beforehand [60]. This attack is specific to the coverage area of a single cell and can be mitigated by changing the GUTI frequently, as discussed in [31].

User location information. Cellular networks maintain knowledge of the physical location of each UE. Location information is necessary to support mobility and to quickly find the UE when there is an incoming call, SMS, or data for a user. The mechanism used to locate a UE is known as "paging", and it relies on logical groupings of similarly located gNodeBs known as "tracking areas" (TAs). Each gNodeB is assigned to a single TA. TAs can be thought of as broadcast domains for paging traffic: if there is incoming data for an idle UE, the paging procedure is used, where the network sends a paging message to all gNodeBs in the user's last-known TA. Prior work has shown that the paging mechanism can be leveraged by attackers that know an identifier of the victim (e.g., phone number, WhatsApp ID) to generate paging messages intended for the victim, which enables an unprivileged attacker to identify a specific user's location [42]. From an external perspective, the vantage point of remote servers on the web can also be leveraged to localize mobile users given timing information from applications on their devices [64].

Cellular operators often store location metadata for subscribers, giving them the ability to trace user movement and location history. This bulk surveillance mechanism has been used by law enforcement to establish a user's past location [9].

[Figure 2: Analysis of IMSI broadcasts based on cellular traces captured in the measurement study. (a) IMSI page counts: CDF of the number of times each IMSI was paged. (b) Intervals between IMSI pages (s): CDF over all intervals and over the per-IMSI minimum and maximum. (c) User locations over time.]

3 The need for privacy enhancements

In this section we demonstrate the privacy leakage that exists in today's cellular architecture by conducting a measurement study while acting as a relatively weak attacker in a real-world environment. Recall from §2.2 that the IMSI is a globally unique, permanent identifier. Unfortunately for user privacy, the traditional cellular architecture uses IMSIs for authentication and billing as well as for providing connectivity, causing the IMSI to be transmitted for multiple reasons.

Because of its importance and permanence, the IMSI is seen as a high-value target for those who wish to surveil cellular users. For example, in recent years there has been a proliferation of cell-site simulators, also known as IMSI catchers. These devices offer what appears to be a legitimate base station (gNodeB) signal. Since UE baseband radios are naïve and automatically connect to the strongest signal, they attempt to attach to the IMSI catcher and offer their IMSI. IMSI catchers have been used extensively by law enforcement and state-level surveillance agencies, with and without warrants, to identify, track, and eavesdrop on cellular users [52].

Dataset. We analyze a dataset of cellular broadcast traces that our team gathered in a small, densely populated area with roughly 80,000 residents over the course of several days in 2015. The traces include messages that were sent on broadcast channels in plaintext for three cellular providers that offer service in the area. Traces were captured using software-defined radios and mobile phones. The trace dataset provides a vantage point that is akin to an IMSI catcher.¹

IMSIs are often broadcast in the clear. We discover that, while the architecture is designed to largely use temporary GUTIs once UEs are connected, IMSIs are often present in paging messages. Overall we see 588,921 total paging messages, with 38,917 containing IMSIs (6.6% of all pages). Among those messages we see 11,873 unique IMSIs. We track the number of times each individual IMSI was paged and plot a CDF in Figure 2a. As shown, more than 60% of IMSIs were paged more than once in the traces. Note that we count multiple pages seen within one second as a single page. Given this network behavior, even a passive eavesdropper could learn the permanent identifiers of nearby users.

IMSIs can be tracked over time. Given that IMSIs are regularly broadcast, an eavesdropper can track the presence or absence of users over time. We investigate the intervals between pages containing individual IMSIs. In Figure 2b we plot a CDF of the intervals (greater than one second) between subsequent pages of individual IMSIs. Overall we see that IMSIs are repeatedly broadcast over time, even though the design of the architecture dictates that IMSIs should be used sparingly in favor of temporary GUTIs.

Individuals can be tracked over time. Given that we can track IMSIs over time, a passive attacker can track individuals' movements. Figure 2c shows the locations of base stations that broadcast the IMSI for a single user in the traces. As shown, we saw the user in multiple locations over the course of two days. Location A was recorded at 10am on a Monday; location B was thirty minutes later. The user connected to a base station at location C at noon that same day. Locations D and E were recorded the following day at noon and 1:30pm, respectively. From this we see that a passive observer unaffiliated with a cellular carrier can, over time, record the presence and location of nearby users. This attacker is weak, with a relatively small vantage point; in reality, carriers can and do maintain this information for all of their users.

¹ Trace collection methodology and analysis received IRB approval; extraneous details are omitted for blind review.
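The counting rules used in this section (IMSIs extracted from plaintext pages, repeats of the same IMSI within one second collapsed into a single page, intervals between subsequent pages of an IMSI, and the cells at which each IMSI was heard) can be reproduced on any capture that has been decoded into one record per paging message. The Go program below is an added example, not code from the paper or its measurement study; the record format `timestamp gnb=<cell> PAGING imsi=<digits>|tmsi=<hex>` and the nine-line trace it parses are constructed for illustration, and the one-second collapse window is a parameter so it can be varied.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Page is one decoded paging message heard on a broadcast channel.
type Page struct {
	T    float64 // capture timestamp in seconds
	GNB  string  // cell (gNodeB) the message was captured from
	IMSI string  // empty when the page used a temporary identity instead
}

// sampleTrace is a constructed trace in a hypothetical decoded format; it is
// not the paper's dataset. Line 2 repeats line 1 within one second, so the
// two are counted as a single page; the last line is deliberate noise.
const sampleTrace = `
1426000000.000 gnb=A PAGING imsi=310150000000001
1426000000.400 gnb=A PAGING imsi=310150000000001
1426000001.500 gnb=A PAGING tmsi=0x1a2b3c4d
1426000005.000 gnb=B PAGING imsi=310150000000002
1426000007.250 gnb=A PAGING imsi=310150000000001
1426000010.000 gnb=C PAGING tmsi=0x55667788
1426003600.000 gnb=D PAGING imsi=310150000000001
1426003601.000 gnb=B PAGING imsi=310150000000003
this line is capture noise and is skipped
`

// ParseLine decodes one record; ok is false for anything that is not a paging message.
func ParseLine(line string) (Page, bool) {
	f := strings.Fields(line)
	if len(f) < 4 || f[2] != "PAGING" {
		return Page{}, false
	}
	t, err := strconv.ParseFloat(f[0], 64)
	if err != nil {
		return Page{}, false
	}
	gnb, ok := strings.CutPrefix(f[1], "gnb=")
	if !ok {
		return Page{}, false
	}
	p := Page{T: t, GNB: gnb}
	if imsi, ok := strings.CutPrefix(f[3], "imsi="); ok {
		if len(imsi) < 6 || len(imsi) > 15 { // an IMSI is at most 15 digits
			return Page{}, false
		}
		p.IMSI = imsi
	}
	return p, true
}

// Stats summarises IMSI exposure in a trace.
type Stats struct {
	Pages     int                  // all paging messages parsed
	IMSIPages int                  // pages that carried an IMSI in the clear, before collapsing
	Counts    map[string]int       // counted pages per IMSI after collapsing repeats
	Intervals map[string][]float64 // seconds between consecutive counted pages of an IMSI
	Trail     map[string][]string  // cells that paged each IMSI, in time order
}

// Analyze replays the trace in capture order. Pages of the same IMSI that arrive
// within `window` seconds of its last counted page are treated as one page.
func Analyze(trace string, window float64) Stats {
	s := Stats{Counts: map[string]int{}, Intervals: map[string][]float64{}, Trail: map[string][]string{}}
	last := map[string]float64{}
	sc := bufio.NewScanner(strings.NewReader(trace))
	for sc.Scan() {
		p, ok := ParseLine(sc.Text())
		if !ok {
			continue
		}
		s.Pages++
		if p.IMSI == "" {
			continue
		}
		s.IMSIPages++
		if prev, seen := last[p.IMSI]; seen {
			if p.T-prev < window {
				continue // retransmission of the page just counted
			}
			s.Intervals[p.IMSI] = append(s.Intervals[p.IMSI], p.T-prev)
		}
		last[p.IMSI] = p.T
		s.Counts[p.IMSI]++
		s.Trail[p.IMSI] = append(s.Trail[p.IMSI], p.GNB)
	}
	return s
}

// RepeatFraction is the share of IMSIs paged more than once, the quantity behind Figure 2a.
func RepeatFraction(s Stats) float64 {
	if len(s.Counts) == 0 {
		return 0
	}
	n := 0
	for _, c := range s.Counts {
		if c > 1 {
			n++
		}
	}
	return float64(n) / float64(len(s.Counts))
}

func main() {
	s := Analyze(sampleTrace, 1.0)
	fmt.Printf("pages=%d with_imsi=%d (%.1f%%) unique_imsis=%d repeat_fraction=%.2f\n",
		s.Pages, s.IMSIPages, 100*float64(s.IMSIPages)/float64(s.Pages), len(s.Counts), RepeatFraction(s))
	imsis := make([]string, 0, len(s.Counts))
	for i := range s.Counts {
		imsis = append(imsis, i)
	}
	sort.Strings(imsis)
	for _, i := range imsis {
		fmt.Printf("%s paged %d times, intervals %v s, seen at %v\n", i, s.Counts[i], s.Intervals[i], s.Trail[i])
	}
}
```

Running it prints the share of pages carrying an IMSI, the fraction of IMSIs paged more than once, and each IMSI's inter-page intervals and cell sequence, which are the raw materials for the three panels of Figure 2. The same loop can be fed a capture decoded from an SDR or a phone's diagnostic interface, as long as the records are in capture order.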

4 Scope

We believe that many designs are possible to increase privacy in mobile networks, and no architecture today or in the future is likely to provide perfect privacy. Nevertheless, below we discuss various properties that PGPP strives to achieve.

Prior work examined the security vulnerabilities in modern cell networks [33, 42, 63] and revealed a number of flaws in the architecture itself. In addition, data brokers and major operators alike have taken advantage of the cellular architecture's vulnerabilities to profit off of revealing sensitive user data. We believe mobile networks should aim to, at a minimum, provide one or both of the following privacy properties:

• Identity privacy. A network can aim to protect users' identity. Networks, as well as third-party attackers, identify users through IMSIs, which are intended to be uniquely identifying.

• Location privacy. A network can aim to protect information about the whereabouts of a phone.

Naturally, these privacy properties do not exist in isolation; they intersect in critical ways. For example, attackers often aim to learn not only who a user is but where a specific user is currently located, or where a user was when a specific call was made. Also, the definition of an attacker or adversary is a complex one and, depending on context, may include individuals aiming to steal user data, mobile carriers and data brokers looking to profit off of user data, governments seeking to perform bulk surveillance, law enforcement seeking to monitor a user with or without due process, and many others. Due to this context dependence, we do not expect all privacy-focused mobile networks to make the same choice of tradeoffs.

4.1 Cellular privacy threat model

Given the above discussion, we distinguish between bulk and targeted data collection. We define bulk collection to be the collection of information from existing cellular architecture traffic without the introduction of attack traffic; thus bulk collection is passive. Bulk attacks commonly target user identities (e.g., IMSIs). PGPP's core aim is to protect against bulk attacks. Targeted attacks are active and require injection of traffic to attack specific targets. Targeted attacks are often aimed at discovering a victim's location. We also delineate attacks by the adversary's capabilities, as they may have visibility into an entire network (global) versus, for an unprivileged attacker, some smaller subset of a network's infrastructure (local). Table 2 gives the taxonomy of attacks.

Visibility   Bulk attacks                                              Targeted attacks
Global       Carrier logs [18, 19, 39, 70]; Government surveillance [9]   Carrier paging
Local        SDR [3, 50, 69]; IMSI catcher [37, 52]                     Paging attack [34, 42]

Table 2: Common cellular attacks, by attacker visibility (rows) and attack type (columns)

Carriers and governments are the most common global-bulk attackers. Such bulk surveillance is commonplace in cellular networks and has been at the center of recent lawsuits and privacy concerns. Attacks that employ IMSI catchers or passively listen to broadcasts using software-defined radios are considered local-bulk. Here, an IMSI catcher is only able to monitor phones that connect directly to it, so its visibility is limited to its radio range. Similarly, SDR-based passive snooping (as in the example in §3) is only able to monitor nearby base stations and will miss portions of the network. We design PGPP with a primary focus on thwarting bulk attacks by nullifying the value of IMSIs (§5.1).

Local-targeted attacks can be carried out by ordinary users by generating traffic that causes a network to page a victim (e.g., a phone call to the victim). As local-targeted attackers do not have visibility into the entire network, they must rely upon knowledge of the geographic area that is encompassed by a tracking area. Due to the prevalence of such attacks, as an enhancement an operator can provide functionality, in cooperation with the user, that reduces the efficacy of local-targeted attacks through the use of TALs (§5.2).

Global-targeted attacks represent a very powerful attacker who can actively probe a victim while having global visibility of the network. We envision that defenses against such attacks would require fundamental changes to communication models. PGPP does not mitigate global-targeted attacks, as we focus on immediately deployable solutions; we leave this to future work.

4.2 Aims

Next we discuss the aims of PGPP by considering several common questions that arise.

What sort of privacy does PGPP provide? As its name suggests, PGPP aims to provide "pretty good" privacy; we don't believe there is a solution that provides perfect privacy, causes no service changes (i.e., does not increase latency), and is incrementally deployable on today's cellular networks. The main focus is to offer privacy against global-bulk surveillance of mobility and location, a practice by carriers that is widespread and pernicious. We thwart this by eliminating the IMSI as an individual identifier and decoupling the authentication and connectivity mechanisms in the cellular architecture.

Isn't 5G more secure than legacy generations? The 5G standard includes enhancements focused on user privacy and system performance over legacy cellular generations. However, the enhancements do not offer location privacy benefits with respect to the carriers.

Encrypted IMSIs. 5G includes the addition of encrypted IMSIs, where public key cryptography, along with ephemeral keys generated on the SIM, is used to encrypt the IMSI when sending it to the network. This protects user IMSIs from eavesdroppers. However, encrypted IMSIs do not prevent the cellular provider itself from knowing the user's identity. An analogy for encrypted IMSIs can be found in DNS over HTTPS (DoH): eavesdroppers cannot see unencrypted traffic, yet the endpoints (the DNS resolver for DoH, the cellular core in 5G) still can. The goal of this work is to not only thwart local-bulk attacks but also protect user privacy from mobile operators that would otherwise violate it (i.e., global-bulk attacks).
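To make the DoH analogy concrete, the following Go program models the 5G concealment scheme (the SUCI): the UE generates a fresh X25519 key pair on every attach, derives a key from ECDH with the home network's public key, and encrypts the subscriber part of the IMSI; only the holder of the home network's private key, i.e. the operator, can recover it. This is an added example and not code from the paper, the 3GPP specifications, or any operator. The HMAC-SHA256 key derivation, AES-GCM, the all-zero nonce, a 6-digit routing prefix (3-digit MCC plus 3-digit MNC), and the field layout are simplifications assumed for illustration; the standard's profiles use an ANSI X9.63 KDF with AES-128-CTR and HMAC-SHA-256 instead.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// prefixLen is an assumption for this example: a 3-digit MCC plus a 3-digit MNC.
const prefixLen = 6

// SUCI is the over-the-air form of a concealed IMSI. The routing prefix stays in
// the clear so the serving network can reach the home network; only the
// subscriber part (MSIN) is encrypted.
type SUCI struct {
	Prefix string // MCC+MNC, cleartext
	EphPub []byte // UE's one-time X25519 public key, fresh on every attach
	Box    []byte // AES-GCM ciphertext plus tag over the MSIN
}

// NewHomeKey makes the home network's long-term X25519 key pair. The public half
// is provisioned on the SIM; the private half stays in the core.
func NewHomeKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// sessionAEAD derives a 128-bit key from the ECDH shared secret (HMAC-SHA256 here,
// a stand-in for the standard's X9.63 KDF) and returns an AES-GCM instance for it.
func sessionAEAD(shared, ephPub []byte) (cipher.AEAD, error) {
	m := hmac.New(sha256.New, shared)
	m.Write(ephPub)
	block, err := aes.NewCipher(m.Sum(nil)[:16])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Conceal is the UE side: ephemeral key, ECDH with the home public key, then
// encrypt the MSIN with the routing prefix bound as associated data.
func Conceal(imsi string, homePub *ecdh.PublicKey) (SUCI, error) {
	if len(imsi) != 15 {
		return SUCI{}, errors.New("IMSI must be 15 digits")
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return SUCI{}, err
	}
	shared, err := eph.ECDH(homePub)
	if err != nil {
		return SUCI{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	g, err := sessionAEAD(shared, ephPub)
	if err != nil {
		return SUCI{}, err
	}
	// An all-zero nonce is safe only because the key is single-use: it comes from a fresh ephemeral secret.
	nonce := make([]byte, g.NonceSize())
	prefix, msin := imsi[:prefixLen], imsi[prefixLen:]
	return SUCI{Prefix: prefix, EphPub: ephPub, Box: g.Seal(nil, nonce, []byte(msin), []byte(prefix))}, nil
}

// Deconceal is the home network side. Whoever holds the private key (the
// operator) recovers the IMSI; an eavesdropper without it cannot.
func Deconceal(s SUCI, homePriv *ecdh.PrivateKey) (string, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.EphPub)
	if err != nil {
		return "", err
	}
	shared, err := homePriv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	g, err := sessionAEAD(shared, s.EphPub)
	if err != nil {
		return "", err
	}
	msin, err := g.Open(nil, make([]byte, g.NonceSize()), s.Box, []byte(s.Prefix))
	if err != nil {
		return "", errors.New("SUCI rejected: wrong home key or tampered message")
	}
	return s.Prefix + string(msin), nil
}

// Linkable is all a passive listener can do with two captured SUCIs: compare bytes.
func Linkable(a, b SUCI) bool {
	return bytes.Equal(a.EphPub, b.EphPub) || bytes.Equal(a.Box, b.Box)
}

func main() {
	home, err := NewHomeKey()
	if err != nil {
		panic(err)
	}
	const imsi = "310150123456789" // constructed value, not a real subscription
	a, _ := Conceal(imsi, home.PublicKey())
	b, _ := Conceal(imsi, home.PublicKey())
	fmt.Println("eavesdropper can link the two attaches:", Linkable(a, b))
	got, err := Deconceal(a, home)
	fmt.Println("home network recovers:", got, err)
}
```

Two attaches of the same SIM produce unrelated bytes on the air, so an IMSI catcher or SDR listener cannot link them; the core decrypts both to the same IMSI, which is exactly the asymmetry the paragraph above describes: concealment defeats local-bulk observers and leaves the operator's knowledge untouched.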

Small cell location privacy. The 5G standard strives for reduced latencies as well as much higher data throughputs. This necessitates the use of cells that cover smaller areas in higher-frequency spectrum in order to overcome interference, compared with previous cellular generations that used macrocells to provide coverage to large areas. A (likely unintended) byproduct of 5G's use of smaller cells is a dramatic reduction in location privacy for users. As the 5G network provider maintains state pertaining to the location of a given user in the network for the purposes of paging, smaller cells result in the operator or attacker knowing user locations at a much higher precision compared with previous generations.

What about active / traffic analysis / signaling attacks? While active targeted attacks aren't our main focus, we improve privacy in the face of them by leveraging TALs to increase and randomize the broadcast domain for paging traffic, making it more difficult for attackers to know where a victim is located (analyzed in §6.2). Further, the goal of many active attacks is to learn users' IMSIs, and our nullification of IMSIs renders such attacks meaningless.

An attacker with a tap at the network edge could use traffic analysis attacks to reduce user privacy. We largely view this as out of scope, as users can tunnel traffic and use other means to hide their data usage patterns.

Cellular networks rely on signaling protocols such as Signaling System 7 (SS7) and Diameter when managing mobility as well as voice and SMS setup and teardown. These protocols enable the interoperability between carriers needed for roaming and connectivity across carriers. Unfortunately, these protocols were designed with inherent trust in the network players and have thus been used to reduce user privacy and disrupt connectivity [24, 30, 49, 53, 62]. We design PGPP for 4G/5G data only, which renders legacy SS7 compatibility moot. Our PGPP design expects users to use outside messaging services rather than an in-NGC IMS system.

Can PGPP support roaming? Yes. While we envision that many PGPP users would explicitly not wish to roam, as roaming partners may not provide privacy guarantees, roaming is possible using a Diameter edge agent that only allows for home-routed roaming, forcing traffic to route from the visited network's SMF back to the PGPP operator's UPF rather than using local breakout, as required by our authentication mechanism (§5.1). Roaming, and international roaming in particular, adds billing complexities for the PGPP operator. Typically, the visited network collects call data records for each roaming user on its network and calculates the wholesale charges payable by the home network. The visited network then sends a Transferred Account Procedure (TAP) file to the home network via a data clearing house, and the home network then pays the visited network. In PGPP, the individual identity of the user that roamed is not known, yet the PGPP operator remains able to pay the appropriate fees to visited networks.

How does PGPP protect user privacy for voice or text service? Out of the box, PGPP doesn't provide protection for such service. Instead, PGPP aims to provide privacy from the cellular architecture itself, and in doing so users are free to use a third-party VoIP provider (in which case the phone will operate identically to a normal phone for telephony service from a user's perspective), or use recent systems by Lazar et al. [44, 45] that provide strong metadata privacy guarantees for communications, or similar systems such as [16, 17, 46, 68]. We view PGPP as complementary to such systems.

How does PGPP protect users against leaky apps? PGPP doesn't, as it is about providing protection in the cellular infrastructure. Even without leaky apps, users can always intentionally or inadvertently reveal their identity and location; leaky apps make this worse, as they collect and sometimes divulge sensitive user information. We see PGPP as complementary to work that has targeted privacy in mobile app ecosystems. Further, apps are not as fundamental as connectivity: users can choose whether to install and run a leaky app and can constrain app permissions. However, phones are by their nature always connected to carrier networks, and those very networks have been selling user data to third parties.

If users can't be identified by carriers, how can carriers still make money? We introduce PGPP tokens in §5.1 as a mechanism for a PGPP operator to charge customers while protecting user anonymity.

Can't phone hardware be tracked as well? Phones have an International Mobile Equipment Identity (IMEI). The IMEI is assigned to the hardware by the manufacturer and identifies the manufacturer, model, and serial number of a given device. Some operators keep an IMEI database to check whether a device has been reported as stolen, known as an equipment identity register (EIR); IMEIs in the database are blacklisted. For many devices the IMEI can be changed through software, often without root access. We envision that a PGPP MVNO would allow subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against an EIR to verify that the phone has not been reported as stolen. At that point the IMEI could be reprogrammed to a single value, similar to our changes to the IMSI. Note that different jurisdictions have different rules about whether, how, and by whom an IMEI can be changed, so only in some cases do IMEI changes require cooperation with the MVNO.

Is PGPP legal? Legality varies by jurisdiction. For example, US law (CALEA [1]) requires providers to offer lawful interception of voice and SMS traffic. A PGPP-based carrier is data-only, with voice and messaging provided by third parties. CALEA requires the provider to offer the content of communication data at the UPF, e.g., raw (likely encrypted) network traffic; this is supported by PGPP.

5 Design

In this section we describe the mechanisms PGPP employs to increase user identity and location privacy. Ultimately, PGPP's design choices appear obvious in retrospect. We believe its simplicity is an asset, as PGPP is compatible with existing networks and immediately deployable.

In order to provide identity privacy against bulk attacks, we nullify the value of the IMSI, as it is the most common target identifier for attackers. In our design we choose to set all PGPP user IMSIs to an identical value to break the link between IMSI and individual users. This change requires a fundamental shift in the architecture, as IMSIs are currently used for connectivity as well as for authentication, billing, and voice/SMS routing. We design a new cellular entity for billing and authentication that preserves identity privacy. Fortunately, the industry push for software-based NGCs makes our architecture feasible. We describe the architecture in §5.1.

To provide location privacy from targeted attacks, PGPP leverages an existing mechanism (TALs) in the cellular specification in order to grow the broadcast domain for control traffic (§5.2). By changing the broadcast domain for every user, the potential location of a victim is broadened from the attacker's vantage point.

51 User identity privacyAs discussed in sect22 IMSIs are globally unique permanent

identifiers As such they are routinely targeted by attackersboth legal and illegal In this section we re-architect the net-work in order to thwart bulk attacks introduced in sect41 thatare based on identifying individuals via IMSI

We decouple back-end connectivity from the authentication procedure that normally occurs at the AUSF when a UE attaches to the network. Instead, the PGPP operator issues SIM cards with identical IMSIs to all of its subscribers. In this model, the IMSI is used only to prove that a user has a valid SIM card to use the infrastructure, and in turn the PGPP network can provide an IP address and connectivity, and offer the client a GUTI, providing the user with a unique identity necessary for basic connectivity.

Table 3: Three properties needed for user authentication in a privacy-preserving cell network, and schemes to achieve them.

Scheme             | Customer | Anonymous | Unique
-------------------+----------+-----------+-------
Standard auth      |    •     |           |
Group/ring sig     |    •     |     •     |
Linkable ring sig  |    •     |           |   •
Cryptocurrency     |          |     •     |   •
PGPP tokens        |    •     |     •     |   •

5G authentication is normally accomplished using IMSIs at the AUSF; however, all PGPP users share a single IMSI. Thus, to authenticate a user we designed a post-attach oblivious authentication scheme to ensure that the PGPP operator is able to account for the user without knowing who they are.

PGPP Gateway. In order to perform this authentication we create a new logical entity called a PGPP Gateway (PGPP-GW), shown in Figure 1, which sits between the UPF and the public Internet. The UPF is configured to have a fixed tunnel to a PGPP-GW, which can be located outside of the PGPP operator's network. Using this mechanism, the PGPP-GW only sees an IP address, which is typically NATed, and whether that IP address is a valid user. Notably, it does not have any information about the user's IMSI. The PGPP-GW design also allows for many different architectures. For instance, multiple PGPP-GWs could be placed in multiple datacenters or even use a privacy service such as Tor.²

Authentication properties. From the perspective of the PGPP-GW, there are multiple properties an authentication scheme must guarantee: (1) the gateway can authenticate that a user is indeed a valid customer;³ (2) the gateway and/or any other entities cannot determine the user's identity, and thus cannot link the user's credentials/authentication data with a user identity; and (3) the gateway can determine whether a user is unique or if two users are sharing credentials.

As we show in Table 3, the challenge is that standard approaches for authentication only provide one of the three required properties, and widely-studied cryptographic mechanisms only provide two of the three properties. For example, an ordinary authentication protocol (of which there are many [7, 36]) can provide property 1) but not 2) and 3). A cryptographic mechanism such as group signatures [8, 12] or ring signatures [20, 59] can protect the user's identity upon authentication, providing properties 1) and 2) but not 3), as providing the last property would violate the security of the signature scheme. Similarly, traitor tracing schemes [14] (such as for broadcast encryption [25]) can provide all three properties but in practice cannot provide property 3), as the traitor tracing would require actual physical confiscation of the "traitor" phone by the MVNO, which is infeasible. A variation on ring signatures known as linkable ring signatures [48] provides the ability for a user's identity to be revealed if the user signs multiple messages with the same key. While this is useful in establishing that the user is unique and hasn't shared their credentials, it also partially violates the user's anonymity, as that key cannot be used again.

² We leave exploration into such scenarios to future work.

³ Due to "Know Your Customer" rules in some jurisdictions, the provider may need to have a customer list, necessitating that the user authentication scheme be compatible with periodic explicit customer billing.

Effective authentication. There are two approaches that we view as viable depending on the circumstances. An anonymity-preserving cryptocurrency can provide properties 2) and 3) but not 1), as a cryptocurrency would combine billing and authentication at the PGPP-GW. For MVNOs that are not required to know their customers, an anonymity-preserving cryptocurrency may be the ideal solution for both user authentication and payment, though even the best coins provide imperfect anonymity guarantees [38].

To provide all three properties, we develop a simple scheme called PGPP tokens that helps us sidestep the issues with alternative approaches. The choice of authentication scheme is deployment-context specific. With PGPP tokens, when paying a monthly bill a user retrieves authentication tokens that are blind-signed by the billing system using Chaum's classic scheme [6, 11]. Later, when authenticating to the service, the user presents tokens and the service (the PGPP-GW) verifies their signature before allowing the user to use the network. The token scheme ensures that the service can check the validity of tokens without identifying the user requesting access. The user then presents the next token in advance so as to ensure seamless service. Note that PGPP tokens disallow the post-pay model for cellular billing, as the network would be required to know the identity of users in order to accurately charge them for usage. Therefore, PGPP is pre-pay only, though this can be adjusted to emulate post-payment (e.g., users pre-pay for tokens on an ongoing basis rather than only monthly, and tokens are valid for a longer time period such as a year rather than for only one billing period).

Each token represents a unit of access, as is appropriate for the service provider. Some providers may choose to offer flat-rate unlimited-data service, in which case each token represents a fixed period of time; this is the default approach that we use to describe the scheme below. Other providers may choose to offer metered service, in which case each token represents a fixed unit of data, such as 100 MB or 1 GB, rather than a period of time. Still others may choose to provide two-tiered service priority by marking each token with a priority bit in addition to either unlimited data or metered data service; such prioritization does come with slight privacy loss, as the MVNO and MNO alike would be able to differentiate which priority level was in use. The privacy loss of two-tiered data priority can be partially mitigated by offering all users some amount of time or GB of high-priority service, after which they must fall back to low-priority service; such a service plan structure is fairly standard in the industry today. In such a setting each user would have both high-priority and low-priority tokens, and thus would not be clearly stratified into two identifiable groups of users.

At the beginning of a billing period, the billing system defines s time slices (e.g., corresponding to hours) or another unit of access (e.g., a unit of data) and generates s RSA keypairs for performing blind signatures using Chaum's scheme. It then appends the public keys for this time period to a well-known public repository that is externally maintained (e.g., on GitHub), and these are fetched by users. The user generates s tokens, where each token takes the form i‖r, where i is the time slice index as a 256-bit unsigned value, zero-indexed from the beginning of the billing period, and r is a 256-bit random value chosen by the user. The user then blinds these tokens. The user pays the bill using a conventional means of payment (e.g., credit card) and presents the blinded tokens to the billing system to be signed; the system signs each token with the corresponding time slice key and returns these values to the user. The user unblinds the response values and verifies the signatures for each.

Upon later authentication to the service, the user presents its signed token for the current time slice to the PGPP-GW, which verifies the signature and, if valid, begins forwarding the user's traffic onto the Internet. Since the token signature was generated using Chaum's scheme, the service cannot determine which human user corresponds to which signed token. If the same token is used by two different users during the same time period, then the service can conclude that a user has shared their credentials and is attempting to cheat.
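The token lifecycle described above, as an added example that is not part of the paper or its prototype: the billing system publishes one RSA key per time slice, the user blinds each i‖r token before paying and unblinds the returned signature, and the PGPP-GW verifies a token for the current slice and flags one presented twice. It assumes SHA-256 as the full-domain hash and 512-bit toy RSA keys (the paper benchmarks 2048-bit keys; use at least that in practice); the `PGPPGateway` class, the `run_billing_period` walk-through and the in-memory used-token set are this example's own, the set standing in for the replicated cloud database.

```python
# Chaum RSA blind-signature tokens modelled on the PGPP token scheme described above.
# Added illustration, not the paper's code. Assumptions: SHA-256 as the full-domain
# hash, 512-bit toy keys (use >= 2048 bits in practice), an in-memory used-token set.
import hashlib
import math
import secrets

SLICE_BYTES = 32  # i is a 256-bit zero-indexed slice index; r is another 32 random bytes

def _is_probable_prime(n, rounds=40):  # Miller-Rabin; toy key generation only
    if n < 5 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_slice_keypair(bits=512):
    """One RSA key pair per time slice; returns (n, e, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def token_digest(token, n):
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n  # H(i||r) in Z_n

def make_token(slice_index):
    return slice_index.to_bytes(SLICE_BYTES, "big") + secrets.token_bytes(32)

def blind(token, n, e):
    """User side: multiply H(token) by r^e so the signer never sees the token."""
    while True:
        r = 2 + secrets.randbelow(n - 3)
        if math.gcd(r, n) == 1:
            return token_digest(token, n) * pow(r, e, n) % n, r

def unblind(blinded_sig, r, n):
    return blinded_sig * pow(r, -1, n) % n

def verify(token, sig, n, e):
    return pow(sig, e, n) == token_digest(token, n)

class PGPPGateway:
    def __init__(self, public_keys):
        self.public_keys = public_keys  # slice index -> (n, e), fetched from the public repo
        self.used = set()               # stands in for the replicated cloud database
    def authenticate(self, token, sig, current_slice):
        idx = int.from_bytes(token[:SLICE_BYTES], "big")
        if idx != current_slice or idx not in self.public_keys:
            return "wrong_slice"
        n, e = self.public_keys[idx]
        if not verify(token, sig, n, e):
            return "bad_signature"
        if token in self.used:
            return "shared_credentials"  # same token presented twice in one slice
        self.used.add(token)
        return "ok"

def issue_token(slice_index, n, e, d):
    tok = make_token(slice_index)
    blinded, r = blind(tok, n, e)             # user blinds, then pays the bill
    sig = unblind(pow(blinded, d, n), r, n)   # billing signs the blinded value blind
    assert verify(tok, sig, n, e)             # user checks before storing the token
    return tok, sig

def run_billing_period(key_bits=512):
    keys = {i: generate_slice_keypair(key_bits) for i in range(3)}   # three slices
    public = {i: (n, e) for i, (n, e, _) in keys.items()}
    (t0, s0), (t1, s1), (t2, s2) = [issue_token(i, *keys[i]) for i in range(3)]
    gw = PGPPGateway(public)
    return {
        "first_use": gw.authenticate(t0, s0, 0),
        "reuse": gw.authenticate(t0, s0, 0),
        "wrong_slice": gw.authenticate(t1, s1, 0),
        "forged": gw.authenticate(t2, (s2 + 1) % public[2][0], 2),
        "next_slice": gw.authenticate(t1, s1, 1),
    }
```

Hashing the token into Z_n before blinding (full-domain hash) is what keeps the billing system from acting as an RSA inversion oracle on arbitrary values, and checking the slice index against the current slice stops a token bought for a later slice from being spent early. One caveat the paper does not address: a user who drops and re-establishes their session within a slice re-presents the same token and would be flagged by this strict check, so a deployment has to bind an accepted token to its session (the example does not) rather than treat every repeat as credential sharing.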

The costs of this scheme to both the PGPP operator and the user are low. The operator stores the list of used tokens in a standard consistent and replicated cloud database, so the service can operate multiple PGPP-GWs, though it is likely that a small number of PGPP-GWs can serve a large number of users: we benchmarked the 2048-bit RSA signature verification used here at 31 µs per call using Crypto++ [21] on a single core of a 2.6 GHz Intel Xeon E5-2640 CPU, and thus with a single CPU core the PGPP-GW can handle token verification for tens of millions of users. The tokens themselves are small, and the storage cost is about 1.5 MB per user per time period, which is a small amount for any user's phone to store; for a provider, even hundreds of millions of tokens amount to mere GBs of data in cloud storage.

User device agent. To automate the process of authenticating with the PGPP-GW, we create a simple agent that runs as a background job on the user device. This agent leverages the Android JobScheduler API; in the event of cellular connectivity, the JobScheduler triggers PGPP-token-based authentication with the PGPP-GW. The agent establishes a TLS connection to the PGPP-GW and then sends the token for the current time slice. Once the user presents a valid token, the PGPP-GW begins forwarding traffic for that user, and thus this behavior is akin to a captive portal, though the authentication is automatic and unseen by the user.

5.2 Location privacy

As described in §2.2, cellular operators track user location in the form of tracking areas for UEs in order to quickly find users when there is incoming content. PGPP leverages an existing mechanism in the cellular standard to reduce the effectiveness of the local-targeted attacks described in §4.1.

Paging has been exploited in the past by adversaries to discover user location. However, the use of tracking areas is useful for the cellular provider in that it confines the signaling message load (i.e., paging messages) to a relatively small subset of the infrastructure. Tracking areas reduce mobility signaling from UEs as they move through the coverage zone of a single tracking area. Note that emergency calling represents a special case in cellular networks. When a device dials 911, the phone and network attempt to estimate accurate location information. In this work we do not alter this functionality, as we anticipate that users dialing 911 are willing to reveal their location.

In PGPP we exploit the tracking area list (TAL) concept introduced in 3GPP Release 8 [2]. Using TALs, a UE no longer belongs to a single tracking area but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users [56–58], in PGPP we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) the victim is within. We explore tradeoffs in terms of TAL length, control traffic overhead, and location anonymity in the next section.

6 Analysis

To study the implications of a PGPP deployment, we create a simulation to model users, mobility, and cell infrastructure. We study the impact of PGPP's design on various cellular attacks that occur today. We then analyze the inherent tradeoffs from the PGPP operator's perspective, as improved privacy comes at the price of increased control traffic. Lastly, we examine PGPP in a lab testbed on real devices.

Figure 3: Partial simulation map. Cells are shaded by AT&T tracking area.

Figure 4: gNodeBs visited by simulated mobile users (x-axis: gNodeBs visited, 0–30; series: cars, pedestrians).

6.1 Simulation configuration

gNodeB dataset. We select Los Angeles County, California as the region for our simulation, which provides a mix of both highly urban areas as well as rural areas. For gNodeB location information we use OpenCellID [43], an open database that includes tower locations and carrier information. To simplify the simulation, we select base stations from the database that are listed as providing LTE from AT&T, the provider with the most LTE eNodeBs (22,437) in the region. We use LTE eNodeBs as the number of gNodeBs deployed remains small.

Given their geographic coordinates, we estimate coverage areas for every gNodeB using a Voronoi diagram. During the simulation, a UE is assigned to the gNodeB that corresponds to the region the UE is located within. While such discretization is not likely in reality, as UEs remain associated with a gNodeB based on received signal strength, this technique provides us with a tractable mobility simulation. A partial map of the simulation region is shown in Figure 3. eNodeB regions are shaded based on the tracking area value in the OpenCellID database.

Mobility traces. To simulate realistic mobility patterns (i.e., users must follow available paths), we generate mobility traces using the Google Places [29] and Directions [28] APIs. First, we use the Places API to find locations in the simulation region that are available when searching for "post office". Each place is associated with latitudinal and longitudinal coordinates. We then generate mobility traces by randomly selecting start and end points and use the Directions API to obtain a polyline with coordinates along with estimated times to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals, in a method similar to [10]. We use this output along with the gNodeB Voronoi diagram to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore, we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so, we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.
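Building a custom tracking-area map by k-means over gNodeB coordinates, as an added example that is not the paper's simulation code: `kmeans_tracking_areas` clusters constructed gNodeB sites into k tracking areas with Lloyd's algorithm, and `ta_sizes` reports how many gNodeBs each resulting TA contains (the fan-out of a page into it). Two choices are mine rather than the paper's: coordinates are projected to metres with an equirectangular projection before Euclidean distances are taken, because a degree of longitude is shorter than a degree of latitude at Los Angeles' latitude, and centres are seeded farthest-first so the result is deterministic.

```python
# Building custom tracking-area maps by k-means over gNodeB positions, as described
# above. Added illustration, not the paper's simulator. The eight gNodeB sites are
# constructed; projecting lat/lon to metres before taking Euclidean distances and
# the deterministic farthest-first seeding are my choices, not the paper's.
import math

# Constructed sites (gNodeB id, latitude, longitude): four downtown, four near LAX.
SITES = [
    ("g1", 34.052, -118.243), ("g2", 34.055, -118.250), ("g3", 34.049, -118.238),
    ("g4", 34.058, -118.246), ("g5", 33.941, -118.408), ("g6", 33.945, -118.402),
    ("g7", 33.938, -118.412), ("g8", 33.949, -118.399),
]

def project(lat, lon, lat0):
    """Equirectangular projection to metres; adequate at county scale."""
    r = 6_371_000.0
    return (r * math.radians(lon) * math.cos(math.radians(lat0)), r * math.radians(lat))

def _d2(a, b):
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2

def kmeans_tracking_areas(sites, k, iters=100):
    """Lloyd's algorithm; returns {gNodeB id: tracking area index in range(k)}."""
    if not 1 <= k <= len(sites):
        raise ValueError("k must be between 1 and the number of gNodeBs")
    lat0 = sum(s[1] for s in sites) / len(sites)
    pts = {sid: project(lat, lon, lat0) for sid, lat, lon in sites}
    centers = [pts[sites[0][0]]]  # farthest-first seeding: deterministic, well spread
    while len(centers) < k:
        centers.append(max(pts.values(), key=lambda p: min(_d2(p, c) for c in centers)))
    assign = {}
    for _ in range(iters):
        new = {sid: min(range(k), key=lambda c: _d2(p, centers[c])) for sid, p in pts.items()}
        if new == assign:
            break  # no gNodeB changed tracking area: converged
        assign = new
        for c in range(k):
            members = [pts[sid] for sid, ta in assign.items() if ta == c]
            if members:  # an emptied cluster keeps its previous centre
                centers[c] = tuple(sum(v) / len(members) for v in zip(*members))
    return assign

def ta_sizes(assign):
    """gNodeBs per tracking area: the paging fan-out that a page into that TA incurs."""
    sizes = {}
    for ta in assign.values():
        sizes[ta] = sizes.get(ta, 0) + 1
    return sizes
```

With k = 2 the two geographic clusters become the two tracking areas; raising k toward the number of sites yields the small TAs that §6.3.2 uses to claw back paging capacity.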

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication from connectivity, and increasing the broadcast domain for users, we increase user identity privacy even against an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$H_M = \log_2(N)$  (1)

Figure 5: Degree of anonymity using (a) TALs and (b) custom TAs. Degree of anonymity (0–1) against S (0–20,000) with N = 22,437; series in (a): conventional, TAL length 4, 8, 12, 16; series in (b): conventional, 25/50/100/200/500/1000 TAs.

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)}$  (2)

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the degree of anonymity for traditional cellular is $\log_2(1)/\log_2(22437) = 0$, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect for each paging message the number of gNodeBs that had users within their range and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8 the degree of anonymity is 0.748.

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs and, by extension, the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs. In traditional cell networks each user has a globally unique IMSI (S = 1), resulting in a degree of anonymity of zero, as the victim could only be one user. In our measurement study (§3) we showed that IMSIs are routinely broadcast over cell networks, making an IMSI catcher or SDR attack powerful. The subset S in PGPP, on the other hand, is the size of the population of PGPP users in a given location, as all IMSI values are identical and a local bulk attacker cannot know the true identity of a single user. To get an idea of S, we can calculate the number of PGPP users connected to each gNodeB in the simulation. Over the course of the simulation we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity of $\log_2(223.09)/\log_2(50000) = 0.50$. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over the conventional cellular architecture, and it is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.

Figure 6: Area anonymity using (a) TALs and (b) custom TAs. CDF of page area anonymity (km², 0–20,000); series in (a): conventional (TAL disabled), TAL length 4, 8, 12, 16; series in (b): conventional (TAL disabled), 25/50/100/200/500/1000 TAs.

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5,876.96 and 9,585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4,891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.

Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF of pages per gNodeB (log scale, 10^0 to 10^6) for conventional and TAL lengths 4, 8, 12, 16, with the maximum pages/s budget marked. (b) Capacity with TALs: user capacity (millions, 0–25) against TAL length 1 to 16 for the median, 95th-percentile and maximum-load gNodeBs.

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus, we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted by the vertical red line in the figure (525 pages × 3600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile, and the median to estimate the number of users each could theoretically support by taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF of pages per gNodeB (log scale, 10^0 to 10^6) for the conventional map and maps of 25, 50, 100, 200, 500, and 1000 TAs, with the maximum pages/s budget marked. (b) Custom TAs, capacity: user capacity (millions, 0–25) against the number of TAs in the underlying map (0–1000) for the median, 95th-percentile and maximum-load gNodeBs.

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic capacity, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a basemap consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.⁴ Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI in a simple key-value store, with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSI, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point the UE re-synchronizes with the AUSF.

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe in Figure 10 that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFs, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFs, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

⁴ We build our prototype on a 4G LTE platform, as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.

Figure 10: Connection delays due to sync_failure. PDF of time to connection complete (s), 0.0–1.0.

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems, as apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attacks or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catcher and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs allowing for user identification. We aim to go beyond thwarting IMSI catchers and do so while considering active attacks; without requiring fundamental changes on the UE, we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the area in which a victim could potentially be located, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only service rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., an IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. Communications Assistance for Law Enforcement Act (CALEA), 47 USC 1001-1010, Public Law 103-414, 1994.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, World Telecommunication/ICT Development Report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using Signalling System 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD: Open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB, 2019. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy attacks to the 4G and 5G cellular paging protocols using side channel information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058/?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCelliD: Open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 redirection attacks with audio-based distance bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: Signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the Internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/, May 2018.

9 Glossary

AKA (Authentication and Key Agreement): The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network. (p. 12)

AMF (Access and Mobility Management Function): The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs. (pp. 2, 3, 9, 11, 12)

AUSF (Authentication Server Function): The entity that holds subscription information to allow or deny access to the network. (pp. 2, 3, 7, 12, 13)

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks. (p. 6)

EIR (Equipment Identity Register): A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen). (p. 6)

gNodeB (Next Generation NodeB): The base station in 5G. (pp. 2–4, 9–12)

GUTI (Globally Unique Temporary Identity): A temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network. (pp. 3, 4, 7, 13)

IMEI (International Mobile Equipment Identity): A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer. (p. 6)

IMS (IP Multimedia Subsystem): The entity that provides voice and messaging services for the network. (p. 6)

IMSI (International Mobile Subscriber Identity): A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network. (pp. 1, 3–7, 10–13)

MNO (Mobile Network Operator): A cellular service provider. (pp. 2, 8)

MVNO (Mobile Virtual Network Operator): A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks. (pp. 2, 3, 6–8)

NG-RAN (Next Generation Radio Access Network): The network that serves to connect UEs and gNodeBs. (pp. 2, 3)

NGC (Next Generation Core): The core network in 5G. The main logical nodes of the NGC are the User Plane Function (UPF), the Access and Mobility Management Function (AMF), the Session Management Function (SMF), and the Authentication Server Function (AUSF). (pp. 1–3, 7, 12)

PGPP-GW (PGPP Gateway): A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity. (pp. 7, 8)

RNTI (Radio Network Temporary Identifier): A unique identifier for a UE in a given cell, used to connect over layer 2. (p. 3)

SIM (Subscriber Identity Module): An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network. (pp. 2, 3, 6, 7, 12, 13)

SMF (Session Management Function): The session management function supports session management and IP address allocation. (pp. 2, 3, 6)

SQN (Sequence Number): A value stored at the AUSF and the SIM to maintain synchrony between the entities. (p. 12)

SS7 (Signaling System 7): The protocol standard that entities on public switched telephone networks use to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards. (p. 6)

TA (Tracking Area): A tracking area includes one or many gNodeBs. Typically, the UE can move freely between gNodeBs in a tracking area without notifying the AMF with a tracking area update. (pp. 3, 10–12)

TAL (Tracking Area List): A list of tracking areas, stored on the device, that the device can enter without triggering a tracking area update. (pp. 5–7, 9–12)

TAP (Transferred Account Procedure): A file detailing usage and wholesale charges due to roaming. (p. 6)

UE (User Equipment): The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone. (pp. 2–4, 7, 9–13)

UPF (User Plane Function): The gateway that provides global IP connectivity from the NGC. (pp. 2, 3, 6, 7)

  • 1 Introduction
  • 2 Background
    • 2.1 Cellular architecture overview
    • 2.2 Privacy in the cellular architecture
  • 3 The need for privacy enhancements
  • 4 Scope
    • 4.1 Cellular privacy threat model
    • 4.2 Aims
  • 5 Design
    • 5.1 User identity privacy
    • 5.2 Location privacy
  • 6 Analysis
    • 6.1 Simulation configuration
    • 6.2 Cellular privacy attack analysis
    • 6.3 Impact of PGPP on network capacity
      • 6.3.1 Control overhead with PGPP TALs
      • 6.3.2 Control overhead with custom tracking areas
    • 6.4 Testbed analysis
  • 7 Related Work
  • 8 Concluding Remarks
  • 9 Glossary

[Figure 2: Analysis of IMSI broadcasts based on cellular traces captured in the measurement study. (a) IMSI page counts: CDF over the number of times an IMSI was paged (log scale, 10^0 to 10^2). (b) Intervals between pages: CDF over the interval between IMSI pages in seconds (log scale, 10^0 to 10^5), with curves for All, Minimum, and Maximum. (c) User locations over time.]

for a user. The mechanism used to locate a UE is known as "paging", and it relies on logical groupings of similarly located gNodeBs known as "tracking areas" (TAs). Each gNodeB is assigned to a single TA. TAs can be thought of as broadcast domains for paging traffic. If there is incoming data for an idle UE, the paging procedure is used, where the network sends a paging message to all gNodeBs in the user's last-known TA. Prior work has shown that the paging mechanism can be leveraged by attackers that know an identifier of the victim (e.g., phone number, WhatsApp ID) to generate paging messages intended for the victim, which enables an unprivileged attacker to identify a specific user's location [42]. From an external perspective, the vantage point of remote servers on the web can also be leveraged to localize mobile users given timing information from applications on their devices [64].

Cellular operators often store location metadata for subscribers, giving them the ability to trace user movement and location history. This bulk surveillance mechanism has been used by law enforcement to establish a user's past location [9].

3 The need for privacy enhancements

In this section we demonstrate the privacy leakage that exists in today's cellular architecture by conducting a measurement study while acting as a relatively weak attacker in a real-world environment. Recall from §2.2 that the IMSI is a globally unique, permanent identifier. Unfortunately for user privacy, the traditional cellular architecture uses IMSIs for authentication and billing as well as for providing connectivity, causing the IMSI to be transmitted for multiple reasons.

Because of its importance and permanence, the IMSI is seen as a high-value target for those who wish to surveil cellular users. For example, in recent years there has been a proliferation of cell-site simulators, also known as IMSI catchers. These devices offer what appears to be a legitimate base station (gNodeB) signal. Since UE baseband radios are naïve and automatically connect to the strongest signal, they attempt to attach to the IMSI catcher and offer their IMSI. IMSI catchers have been used extensively by law enforcement and state-level surveillance agencies, with and without warrants, to identify, track, and eavesdrop on cellular users [52].

Dataset. We analyze a dataset of cellular broadcast traces that our team gathered in a small, densely populated area with roughly 80,000 residents over the course of several days in 2015. The traces include messages that were sent in plaintext on broadcast channels by three cellular providers that offer service in the area. Traces were captured using software-defined radios and mobile phones. The trace dataset provides a vantage point that is akin to an IMSI catcher.¹

IMSIs are often broadcast in the clear. We discover that, while the architecture is designed to largely use temporary GUTIs once UEs are connected, IMSIs are often present in paging messages. Overall, we see 588,921 total paging messages, with 38,917 containing IMSIs (6.6% of all pages). Among those messages we see 11,873 unique IMSIs. We track the number of times each individual IMSI was paged and plot a CDF in Figure 2a. As shown, more than 60% of IMSIs were paged more than once in the traces. Note that we count multiple pages seen within one second as a single page. Given this network behavior, even a passive eavesdropper could learn the permanent identifiers of nearby users.

IMSIs can be tracked over time. Given that IMSIs are regularly broadcast, an eavesdropper can track the presence or absence of users over time. We investigate the intervals between pages containing individual IMSIs. In Figure 2b we plot a CDF of the intervals (greater than one second) between subsequent pages of individual IMSIs. Overall, we see that IMSIs are repeatedly broadcast over time, even though the design of the architecture dictates that IMSIs should be used sparingly in favor of temporary GUTIs.

Individuals can be tracked over time. Given that we can track IMSIs over time, a passive attacker can track individuals' movements. Figure 2c shows the locations of base stations that broadcast the IMSI of a single user in the traces. As shown, we saw the user in multiple locations over the course of two days. Location A was recorded at 10am on a Monday; location B was recorded thirty minutes later. The user connected to a base station at location C at noon that same day. Locations D and E were recorded the following day at noon and 1:30pm, respectively. From this we see that a passive observer, unaffiliated with any cellular carrier, can over time record the presence and location of nearby users. This attacker is weak, with a relatively small vantage point. In reality, carriers can and do maintain this information for all of their users.

¹ Trace collection methodology and analysis received IRB approval; extraneous details omitted for blind review.

4 Scope

We believe that many designs are possible to increase privacy in mobile networks, and no architecture today or in the future is likely to provide perfect privacy. Nevertheless, below we discuss the various properties that PGPP strives to achieve.

Prior work examined the security vulnerabilities in modern cell networks [33, 42, 63] and revealed a number of flaws in the architecture itself. In addition, data brokers and major operators alike have taken advantage of the cellular architecture's vulnerabilities to profit off of revealing sensitive user data. We believe mobile networks should aim to, at a minimum, provide one or both of the following privacy properties:

• Identity privacy. A network can aim to protect users' identity. Networks, as well as third-party attackers, identify users through IMSIs, which are intended to be uniquely identifying.

• Location privacy. A network can aim to protect information about the whereabouts of a phone.

Naturally, these privacy properties do not exist in isolation; they intersect in critical ways. For example, attackers often aim to learn not only who a user is, but where a specific user is currently located or where a user was when a specific call was made. Also, the definition of an attacker or adversary is a complex one, and depending on context may include individuals aiming to steal user data, mobile carriers and data brokers looking to profit off of user data, governments seeking to perform bulk surveillance, law enforcement seeking to monitor a user with or without due process, and many others. Due to this context dependence, we do not expect all privacy-focused mobile networks to make the same choice of tradeoffs.

4.1 Cellular privacy threat model

Given the above discussion, we distinguish between bulk and targeted data collection. We define bulk collection to be the collection of information from existing cellular architecture traffic without the introduction of attack traffic; thus, bulk collection is passive. Bulk attacks commonly target user identities (e.g., IMSIs). PGPP's core aim is to protect against bulk attacks. Targeted attacks are active and require injection of traffic to attack specific targets. Targeted attacks are often aimed at discovering a victim's location. We also delineate attacks by the adversary's capabilities, as they may have visibility into an entire network (global) versus, for an unprivileged attacker, some smaller subset of a network's infrastructure (local). Table 2 gives the taxonomy of attacks.

Table 2: Common cellular attacks

Visibility   Bulk                                     Targeted
Global       Carrier logs [18, 19, 39, 70];           Carrier paging
             Government surveillance [9]
Local        SDR [3, 50, 69]; IMSI catcher [37, 52]   Paging attack [34, 42]

Carriers and governments are the most common global-bulk attackers. Such bulk surveillance is commonplace in cellular networks and has been at the center of recent lawsuits and privacy concerns. Attacks that employ IMSI catchers or passively listen to broadcasts using software-defined radios are considered local-bulk. Here, an IMSI catcher is only able to monitor phones that connect directly to it, so its visibility is limited to its radio range. Similarly, SDR-based passive snooping (as in the example in §3) is only able to monitor nearby base stations and will miss portions of the network. We design PGPP with a primary focus on thwarting bulk attacks by nullifying the value of IMSIs (§5.1).

Local-targeted attacks can be carried out by ordinary users by generating traffic that causes a network to page a victim (e.g., a phone call to the victim). As local-targeted attackers do not have visibility into the entire network, they must rely upon knowledge of the geographic area that is encompassed by a tracking area. Due to the prevalence of such attacks, as an enhancement, an operator can provide functionality, in cooperation with the user, that reduces the efficacy of local-targeted attacks through the use of TALs (§5.2).

Global-targeted attacks represent a very powerful attacker who can actively probe a victim while having global visibility of the network. We envision that defenses against such attacks would require fundamental changes to communication models. PGPP does not mitigate global-targeted attacks, as we focus on immediately deployable solutions; we leave this to future work.

4.2 Aims

Next we discuss the aims of PGPP by considering several common questions that arise.

What sort of privacy does PGPP provide? As its name suggests, PGPP aims to provide "pretty good" privacy; we don't believe there is a solution that provides perfect privacy, causes no service changes (i.e., does not increase latency), and is incrementally deployable on today's cellular networks. The main focus is to offer privacy against global-bulk surveillance of mobility and location, a practice by carriers that is widespread and pernicious. We thwart this by eliminating the IMSI as an individual identifier and decoupling the authentication and connectivity mechanisms in the cellular architecture.

Isn't 5G more secure than legacy generations? The 5G standard includes enhancements focused on user privacy and system performance over legacy cellular generations. However, the enhancements do not offer location privacy benefits with respect to the carriers.

Encrypted IMSIs. 5G adds encrypted IMSIs, where public key cryptography, along with ephemeral keys generated on the SIM, is used to encrypt the IMSI when sending it to the network. This protects user IMSIs from eavesdroppers. However, encrypted IMSIs do not prevent the cellular provider itself from knowing the user's identity. An analogy for encrypted IMSIs can be found in DNS over HTTPS (DoH): eavesdroppers cannot see unencrypted traffic, yet the endpoints (the DNS resolver for DoH, the cellular core in 5G) still can. The goal of this work is not only to thwart local-bulk attacks, but also to protect user privacy from mobile operators that would otherwise violate it (i.e., global-bulk attacks).

Small cell location privacy. The 5G standard strives for reduced latencies as well as much higher data throughputs. This necessitates the use of cells that cover smaller areas in higher-frequency spectrum in order to overcome interference, compared with previous cellular generations that used macrocells to provide coverage to large areas. A (likely unintended) byproduct of 5G's use of smaller cells is a dramatic reduction in location privacy for users. As the 5G network provider maintains state pertaining to the location of a given user in the network for the purposes of paging, smaller cells result in the operator or an attacker knowing user locations at a much higher precision compared with previous generations.

What about active | traffic analysis | signaling attacks? While active targeted attacks aren't our main focus, we improve privacy in the face of them by leveraging TALs to increase and randomize the broadcast domain for paging traffic, making it more difficult for attackers to know where a victim is located (analyzed in §6.2). Further, the goal of many active attacks is to learn users' IMSIs, and our nullification of IMSIs renders such attacks meaningless.

An attacker with a tap at the network edge could use traffic analysis attacks to reduce user privacy. We largely view this as out of scope, as users can tunnel traffic and use other means to hide their data usage patterns.

Cellular networks rely on signaling protocols such as Signaling System 7 (SS7) and Diameter when managing mobility as well as voice and SMS setup and teardown. These protocols enable the interoperability between carriers needed for roaming and connectivity across carriers. Unfortunately, these protocols were designed with inherent trust in the network players, and have thus been used to reduce user privacy and disrupt connectivity [24, 30, 49, 53, 62]. We design PGPP for 4G/5G data only, which renders legacy SS7 compatibility moot. Our PGPP design expects users to use outside messaging services rather than an in-NGC IMS system.

Can PGPP support roaming? Yes. While we envision that many PGPP users would explicitly not wish to roam, as roaming partners may not provide privacy guarantees, roaming is possible using a Diameter edge agent that only allows for home-routed roaming, forcing traffic to route from the visited network's SMF back to the PGPP operator's UPF rather than using local breakout, due to our authentication mechanism (§5.1). Roaming, and international roaming in particular, adds billing complexities for the PGPP operator. Typically, the visited network collects call data records for each roaming user on its network and calculates the wholesale charges payable by the home network. The visited network then sends a Transferred Account Procedure (TAP) file to the home network via a data clearing house. The home network then pays the visited network. In PGPP, the individual identity of the user that roamed is not known, yet the PGPP operator remains able to pay the appropriate fees to visited networks.

How does PGPP protect user privacy for voice or text service? Out of the box, PGPP doesn't provide protection for such service. Instead, PGPP aims to provide privacy from the cellular architecture itself, and in doing so users are free to use a third-party VoIP provider (in which case the phone will operate identically to a normal phone for telephony service from a user's perspective), or use recent systems by Lazar et al. [44, 45] that provide strong metadata privacy guarantees for communications, or similar systems such as [16, 17, 46, 68]. We view PGPP as complementary to such systems.

How does PGPP protect users against leaky apps? PGPP doesn't, as it is about providing protection in the cellular infrastructure. Even without leaky apps, users can always intentionally or inadvertently reveal their identity and location. Leaky apps make this worse, as they collect and sometimes divulge sensitive user information. We see PGPP as complementary to work that has targeted privacy in mobile app ecosystems. Further, apps are not as fundamental as connectivity: users can choose whether to install and run a leaky app, and can constrain app permissions. However, phones are by their nature always connected to carrier networks, and those very networks have been selling user data to third parties.

If users can't be identified by carriers, how can carriers still make money? We introduce PGPP tokens in §5.1 as a mechanism for a PGPP operator to charge customers while protecting user anonymity.

Can't phone hardware be tracked as well? Phones have an International Mobile Equipment Identity (IMEI). The IMEI is assigned to the hardware by the manufacturer and identifies the manufacturer, model, and serial number of a given device. Some operators keep an IMEI database to check whether a device has been reported as stolen, known as an equipment identity register (EIR); IMEIs in the database are blacklisted.

For many devices, the IMEI can be changed through software, often without root access. We envision a PGPP MVNO would allow for subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against an EIR to verify the phone has not been reported as stolen. At that point, the IMEI could be reprogrammed to a single value, similar to our changes to the IMSI. Note that different jurisdictions have different rules about whether, how, and by whom an IMEI can be changed, so only in some cases do IMEI changes require cooperation with the MVNO.

Is PGPP legal? Legality varies by jurisdiction. For example, US law (CALEA [1]) requires providers to offer lawful interception of voice and SMS traffic. A PGPP-based carrier is data-only, with voice and messaging provided by third parties. CALEA requires the provider to offer content of communication data at the UPF, e.g., raw (likely-encrypted) network traffic. This is supported by PGPP.

5 Design

In this section we describe the mechanisms PGPP employs to increase user identity and location privacy. Ultimately, PGPP's design choices appear obvious in retrospect. We believe its simplicity is an asset, as PGPP is compatible with existing networks and immediately deployable.

In order to provide identity privacy against bulk attacks, we nullify the value of the IMSI, as it is the most common target identifier for attackers. In our design, we choose to set all PGPP user IMSIs to an identical value to break the link between IMSI and individual users. This change requires a fundamental shift in the architecture, as IMSIs are currently used for connectivity as well as authentication, billing, and voice/SMS routing. We design a new cellular entity for billing and authentication that preserves identity privacy. Fortunately, the industry push for software-based NGCs makes our architecture feasible. We describe the architecture in §5.1.

To provide location privacy from targeted attacks, PGPP leverages an existing mechanism (TALs) in the cellular specification in order to grow the broadcast domain for control traffic (§5.2). By changing the broadcast domain for every user, the potential location of a victim is broadened from the attacker's vantage point.

5.1 User identity privacy

As discussed in §2.2, IMSIs are globally unique, permanent identifiers. As such, they are routinely targeted by attackers, both legal and illegal. In this section we re-architect the network in order to thwart bulk attacks introduced in §4.1 that are based on identifying individuals via IMSI.

We decouple back-end connectivity from the authentication procedure that normally occurs at the AUSF when a UE attaches to the network. Instead, the PGPP operator issues SIM cards with identical IMSIs to all of its subscribers. In this model, the IMSI is used only to prove that a user has a valid SIM card to use the infrastructure, and in turn the PGPP network can provide an IP address and connectivity and offer the client a GUTI, providing the user with a unique identity necessary for basic connectivity.

Table 3: Three properties needed for user authentication in a privacy-preserving cell network, and schemes to achieve them.

Scheme               Customer   Anonymous   Unique
Standard auth           •
Group/ring sig          •          •
Linkable ring sig       •                     •
Cryptocurrency                     •          •
PGPP tokens             •          •          •

5G authentication is normally accomplished using IMSIs at the AUSF; however, all PGPP users share a single IMSI. Thus, to authenticate a user, we designed a post-attach oblivious authentication scheme to ensure that the PGPP operator is able to account for the user without knowing who they are.

PGPP Gateway. In order to perform this authentication, we create a new logical entity called a PGPP Gateway (PGPP-GW), shown in Figure 1, which sits between the UPF and the public Internet. The UPF is configured to have a fixed tunnel to a PGPP-GW, which can be located outside of the PGPP operator's network. Using this mechanism, the PGPP-GW only sees an IP address, which is typically NATed, and whether that IP address is a valid user. Notably, it does not have any information about the user's IMSI. The PGPP-GW design also allows for many different architectures. For instance, multiple PGPP-GWs could be placed in multiple datacenters, or even use a privacy service such as Tor.²

Authentication properties. From the perspective of the PGPP-GW, there are multiple properties an authentication scheme must guarantee: (1) the gateway can authenticate that a user is indeed a valid customer;³ (2) the gateway and/or any other entities cannot determine the user's identity, and thus cannot link the user's credentials/authentication data with a user identity; and (3) the gateway can determine whether a user is unique or if two users are sharing credentials.

As we show in Table 3, the challenge is that standard approaches for authentication only provide one of the three required properties, and widely-studied cryptographic mechanisms only provide two of the three properties. For example, an ordinary authentication protocol (of which there are many [7, 36]) can provide property 1) but not 2) and 3). A cryptographic mechanism such as group signatures [8, 12] or ring signatures [20, 59] can protect the user's identity upon authentication, providing properties 1) and 2) but not 3), as providing the last property would violate the security of the signature scheme. Similarly, traitor tracing schemes [14] (such as for broadcast encryption [25]) can provide all three properties, but in practice cannot provide property 3), as the traitor tracing would require actual physical confiscation of the "traitor" phone by the MVNO, which is infeasible. A variation on ring signatures known as linkable ring signatures [48] provides the ability for a user's identity to be revealed if the user signs multiple messages with the same key. While this is useful in establishing that the user is unique and hasn't shared their credentials, it also partially violates the user's anonymity, as that key cannot be used again.

² We leave exploration into such scenarios to future work.

³ Due to "Know Your Customer" rules in some jurisdictions, the provider may need to have a customer list, necessitating that the user authentication scheme be compatible with periodic explicit customer billing.

Effective authentication. There are two approaches that we view as viable, depending on the circumstances. An anonymity-preserving cryptocurrency can provide properties 2) and 3) but not 1), as a cryptocurrency would combine billing and authentication at the PGPP-GW. For MVNOs that are not required to know their customers, an anonymity-preserving cryptocurrency may be the ideal solution for both user authentication and payment, though even the best coins provide imperfect anonymity guarantees [38].

To provide all three properties, we develop a simple scheme called PGPP tokens that helps us sidestep the issues with alternative approaches. The choice of authentication scheme is deployment-context specific. With PGPP tokens, when paying a monthly bill, a user retrieves authentication tokens that are blind-signed using Chaum's classic scheme [6, 11] by the billing system. Later, when authenticating to the service, the user presents tokens, and the service (the PGPP-GW) verifies their signature before allowing the user to use the network. The token scheme ensures that the service can check the validity of tokens without identifying the user requesting access. The user then presents the next token in advance so as to ensure seamless service. Note that PGPP tokens disallow the post-pay model for cellular billing, as the network would be required to know the identity of users in order to accurately charge them for usage. Therefore, PGPP is pre-pay only, though this can be adjusted to emulate post-payment (e.g., users pre-pay for tokens on an ongoing basis rather than only monthly, and tokens are valid for a longer time period, such as a year, rather than for only one billing period).

Each token represents a unit of access, as is appropriate for the service provider. Some providers may choose to offer flat-rate unlimited-data service, in which case each token represents a fixed period of time; this is the default approach that we use to describe the scheme below. Other providers may choose to offer metered service, in which case each token represents a fixed unit of data, such as 100 MB or 1 GB, rather than a period of time. Still others may choose to provide two-tiered service priority by marking each token with a priority bit in addition to either unlimited data or metered data service; such prioritization does come with slight privacy loss, as the MVNO and MNO alike would be able to differentiate which priority level was in use. The privacy loss of two-tiered data priority can be partially mitigated by offering all users some amount of time or GB of high-priority service, after which they must fall back to low-priority service; such a service plan structure is fairly standard in the industry today. In such a setting, each user would have both high-priority and low-priority tokens, and thus would not be clearly stratified into two identifiable groups of users.

At the beginning of a billing period, the billing system defines s time slices (e.g., corresponding to hours) or another unit of access (e.g., a unit of data), and generates s RSA keypairs for performing blind signatures using Chaum's scheme. It then appends the public keys for this time period to a well-known public repository that is externally maintained (e.g., on GitHub), and these are fetched by users. The user generates s tokens, where each token takes the form i‖r, where i is the time slice index as a 256-bit unsigned value, zero-indexed from the beginning of the billing period, and r is a 256-bit random value chosen by the user. The user then blinds these tokens. The user pays the bill using a conventional means of payment (e.g., credit card) and presents the blinded tokens to the billing system to be signed; the system signs each token with the corresponding time slice key and returns these values to the user. The user unblinds the response values and verifies the signatures for each.

Upon later authentication to the service, the user presents its signed token for the current time slice to the PGPP-GW, which verifies the signature and, if valid, begins forwarding the user's traffic onto the Internet. Since the token signature was generated using Chaum's scheme, the service cannot determine which human user corresponds to which signed token. If the same token is used by two different users during the same time period, then the service can conclude that a user has shared their credentials and is attempting to cheat.
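The token flow just described, from per-slice key generation through the gateway's double-use check, as an added example that is not the paper's code. It uses textbook RSA blinding with toy 512-bit keys (the paper benchmarks 2048-bit RSA), SHA-256 as the hash of i‖r into Z_n, and gateway verdict strings of our own choosing; all of these are assumptions of the example, not details from the paper.

```python
"""PGPP access tokens with Chaum RSA blind signatures (constructed example, not the paper's code).
Toy 512-bit keys so the example runs instantly; the paper benchmarks 2048-bit RSA."""
import hashlib
import math
import random
import secrets


def _probable_prime(n, rounds=32):
    """Miller-Rabin primality test (adequate for an illustrative key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _probable_prime(cand):
            return cand


def rsa_keypair(bits=512):
    """Returns ((n, e), (n, d)) with e = 65537."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def make_token(slice_idx):
    """Token i||r: zero-indexed time-slice index and a user-chosen random value, 256 bits each."""
    return slice_idx.to_bytes(32, "big") + secrets.token_bytes(32)


def _digest(token, n):
    """Hash the token into Z_n before signing (assumption: SHA-256 as the hash; digest < n here)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


def blind(token, pub):
    """User side: multiply the digest by k^e so the billing system signs without seeing the token."""
    n, e = pub
    while True:
        k = secrets.randbelow(n - 2) + 2
        if math.gcd(k, n) == 1:
            break
    return (_digest(token, n) * pow(k, e, n)) % n, k


def sign_blinded(blinded, priv):
    """Billing system: plain RSA signature on the blinded value, issued once payment clears."""
    n, d = priv
    return pow(blinded, d, n)


def unblind(blinded_sig, k, pub):
    """User side: strip the blinding factor, leaving the signature on the original digest."""
    n, _ = pub
    return (blinded_sig * pow(k, -1, n)) % n


def verify(token, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(token, n)


class PGPPGateway:
    """PGPP-GW: checks a token against its slice's public key and flags a token used twice."""

    def __init__(self, slice_pubkeys):
        self.pub = slice_pubkeys
        self.seen = set()   # in deployment: a replicated database shared by all gateways

    def authorise(self, current_slice, token, sig):
        if int.from_bytes(token[:32], "big") != current_slice:
            return "wrong-slice"            # token belongs to another time slice
        if not verify(token, sig, self.pub[current_slice]):
            return "bad-signature"
        if token in self.seen:
            return "shared-credential"      # same token presented twice: credentials were shared
        self.seen.add(token)
        return "ok"


def billing_cycle_demo(slices=3, bits=512):
    """One billing period end to end; returns the gateway's verdicts for four presentations."""
    keys = [rsa_keypair(bits) for _ in range(slices)]     # one key pair per time slice
    pubs = [pub for pub, _ in keys]                        # the part published to the repository
    tokens = [make_token(i) for i in range(slices)]
    blinded = [blind(t, pubs[i]) for i, t in enumerate(tokens)]
    signed = [sign_blinded(b, keys[i][1]) for i, (b, _) in enumerate(blinded)]
    sigs = [unblind(s, blinded[i][1], pubs[i]) for i, s in enumerate(signed)]
    if not all(verify(t, s, pubs[i]) for i, (t, s) in enumerate(zip(tokens, sigs))):
        raise RuntimeError("unblinded signature failed verification")
    gw = PGPPGateway(pubs)
    return [gw.authorise(1, tokens[1], sigs[1]),       # valid token for the current slice
            gw.authorise(1, tokens[1], sigs[1]),       # presented again: credential sharing
            gw.authorise(2, tokens[1], sigs[1]),       # slice-1 token offered during slice 2
            gw.authorise(0, tokens[0], sigs[0] ^ 1)]   # tampered signature
```

The billing system only ever handles blinded values, so even with its signing log it cannot match a token later presented at the gateway to the paying customer; the gateway's `seen` set is the one piece of state that must be shared across PGPP-GWs for the sharing check to work.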

The costs of this scheme to both the PGPP operator and the user are low. The operator stores the list of used tokens in a standard consistent and replicated cloud database, so the service can operate multiple PGPP-GWs, though it is likely that a small number of PGPP-GWs can serve a large number of users: we benchmarked the 2048-bit RSA signature verification used here at 31 µs per call using Crypto++ [21] on a single core of a 2.6 GHz Intel Xeon E5-2640 CPU, and thus with a single CPU core the PGPP-GW can handle token verification for tens of millions of users. The tokens themselves are small, and the storage cost to the provider is about 15 MB/user per time period, which is a small amount for any user's phone to store, and for a provider even hundreds of millions of tokens amounts to mere GBs of data in cloud storage.

User device agent. To automate the process of authenticating with the PGPP-GW, we create a simple agent that runs as a background job on the user device. This agent leverages the Android JobScheduler API; in the event of cellular connectivity, the JobScheduler triggers PGPP-token-based authentication with the PGPP-GW. The agent establishes a TLS connection to the PGPP-GW and then sends the token for the current time slice. Once the user presents a valid token, the PGPP-GW begins forwarding traffic for that user, and thus this behavior is akin to a captive portal, though the authentication is automatic and unseen by the user.

5.2 Location privacy

As described in §2.2, cellular operators track user location in the form of tracking areas for UEs, in order to quickly find users when there is incoming content. PGPP leverages an existing mechanism in the cellular standard to reduce the effectiveness of the local-targeted attacks described in §4.1.

Paging has been exploited in the past to discover user location by adversaries. However, the use of tracking areas is useful for the cellular provider in that it confines the signaling message load (i.e., paging messages) to a relatively small subset of the infrastructure. Tracking areas reduce mobility signaling from UEs as they move through the coverage zone of a single tracking area. Note that emergency calling represents a special case in cellular networks. When a device dials 911, the phone and network attempt to estimate accurate location information. In this work we do not alter this functionality, as we anticipate that users dialing 911 are willing to reveal their location.

In PGPP, we exploit the tracking area list (TAL) concept introduced in 3GPP Release 8 [2]. Using TALs, a UE no longer belongs to a single tracking area, but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users [56–58], in PGPP we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) the victim is within. We explore tradeoffs in terms of TAL length, control traffic overhead, and location anonymity in the next section.

6 Analysis

To study the implications of a PGPP deployment, we create a simulation to model users, mobility, and cell infrastructure. We study the impact of PGPP's design on various cellular attacks that occur today. We then analyze the inherent tradeoffs from the PGPP operator's perspective, as improved privacy comes at the price of increased control traffic. Lastly, we examine PGPP in a lab testbed on real devices.

Figure 3: Partial simulation map. Cells are shaded by AT&T tracking area.

Figure 4: gNodeBs visited by simulated mobile users (x-axis: gNodeBs visited, 0 to 30; series: cars, pedestrians).

6.1 Simulation configuration

gNodeB dataset. We select Los Angeles County, California as the region for our simulation, which provides a mix of both highly urban areas as well as rural areas. For gNodeB location information, we use OpenCellID [43], an open database that includes tower locations and carrier information. To simplify the simulation, we select base stations from the database that are listed as providing LTE from AT&T, the provider with the most LTE eNodeBs (22,437) in the region. We use LTE eNodeBs, as the number of gNodeBs deployed remains small.

Given their geographic coordinates, we estimate coverage areas for every gNodeB using a Voronoi diagram. During the simulation, a UE is assigned to the gNodeB that corresponds to the region the UE is located within. While such discretization is not likely in reality, as UEs remain associated with a gNodeB based on received signal strength, this technique provides us with a tractable mobility simulation. A partial map of the simulation region is shown in Figure 3. eNodeB regions are shaded based on the tracking area value in the OpenCellID database.

Mobility traces. To simulate realistic mobility patterns (i.e., users must follow available paths), we generate mobility traces using the Google Places [29] and Directions [28] APIs. First, we use the Places API to find locations in the simulation region that are available when searching for "post office". Each place is associated with latitudinal and longitudinal coordinates. We then generate mobility traces by randomly selecting start and end points, and use the Directions API to obtain a polyline with coordinates along with estimated times to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals, in a method similar to [10]. We use this output along with the gNodeB Voronoi diagram to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore, we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so, we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1,000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication from connectivity, and increasing the broadcast domain for users, we increase user identity privacy even with an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user when under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$$H_M = \log_2(N) \quad (1)$$

Figure 5: Degree of anonymity using TALs and custom TAs. Both panels plot degree of anonymity (0.0 to 1.0) against the anonymity set size S (0 to 20,000) with N = 22,437. (a) TALs: series Conventional, TAL length 4, 8, 12, 16. (b) Custom TAs: series Conventional, TAs 25, 50, 100, 200, 500, 1000.

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)} \quad (2)$$

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the anonymity set for traditional cellular gives log2(1)/log2(22437) = 0, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect, for each paging message, the number of gNodeBs that had users within their range, and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8, the degree of anonymity is 0.748.

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs, and by extension the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs.

In traditional cell networks, each user has a globally unique IMSI (S = 1), resulting in a degree of anonymity of zero, as the victim could only be one user. In our measurement study (§3), we showed that IMSIs are routinely broadcast over cell networks, making an IMSI catcher or SDR attack powerful. The subset S in PGPP, on the other hand, is the size of the population of PGPP users in a given location, as all IMSI values are identical and a local bulk attacker cannot know the true identity of a single user. To get an idea of S, we can calculate the number of PGPP users connected to each gNodeB in the simulation. Over the course of the simulation, we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity of log2(223.09)/log2(50000) = 0.50. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over the conventional cellular architecture, and is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.

Figure 6: Area anonymity using TALs and custom TAs. Both panels are CDFs over page area anonymity (km², 0 to 20,000). (a) TALs: series Conventional (TAL disabled), TAL length 4, 8, 12, 16. (b) Custom TAs: series Conventional (TAL disabled), TAs 25, 50, 100, 200, 500, 1000.

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a, we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5876.96 and 9585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.

Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF over control traffic (pages, log scale 10⁰ to 10⁶); series Conventional, TAL length 4, 8, 12, 16, plus the max pages/s limit. (b) Capacity with TALs: user capacity (millions, 0 to 25) against TAL length (1 to 16); series median, 95th percentile, max.

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus, we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted by the vertical red line in the figure (525 pages × 3600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile, and the median to estimate the number of users each could theoretically support, by taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF over control traffic (pages, log scale 10⁰ to 10⁶); series Conventional, TAs 25, 50, 100, 200, 500, 1000, plus the max pages/s limit. (b) Custom TAs, capacity: user capacity (millions, 0 to 25) against the number of TAs in the underlying map (0 to 1000); series median, 95th percentile, max.

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic capacity, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a basemap consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.
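The three pieces of the capacity analysis in one place: k-means custom tracking areas (§6.1), the hourly paging simulation with 5% of UEs paged per 5-second interval and 3-minute calls (§6.1), and the scaling of the simulated population to the 525 pages/s budget at the median, 95th-percentile and busiest gNodeB (§6.3). This is an added example and not the paper's simulator: gNodeB coordinates are random points, UEs do not move, TALs are random rather than adjacent TAs, and the populations are far smaller than the paper's, so the numbers it produces are illustrative only.

```python
"""Custom tracking areas, hourly paging load and user capacity (constructed example).
Not the paper's simulator: random gNodeB coordinates, static UEs, random (not adjacent) TALs."""
import random
import statistics

PAGE_BUDGET_PER_HOUR = 525 * 3600   # 70 % of a 750 pages/s BTS3202E, as in the paper (1,890,000)


def kmeans(points, k, rng=None, iters=25):
    """Lloyd's k-means on (x, y) coordinates; returns the cluster (tracking area) of every point."""
    rng = rng or random.Random(0)
    centers = rng.sample(points, k)
    labels = [0] * len(points)
    for _ in range(iters):
        for i, (x, y) in enumerate(points):      # assign each gNodeB to its nearest centre
            labels[i] = min(range(k),
                            key=lambda c: (x - centers[c][0]) ** 2 + (y - centers[c][1]) ** 2)
        for c in range(k):                       # move each centre to the mean of its members
            members = [points[i] for i in range(len(points)) if labels[i] == c]
            if members:
                centers[c] = (sum(p[0] for p in members) / len(members),
                              sum(p[1] for p in members) / len(members))
    return labels


def build_tals(home_tas, n_tas, tal_len, rng):
    """Per-UE TAL: the home TA plus up to tal_len-1 other TAs chosen at random (assumption)."""
    tals = []
    for home in home_tas:
        others = [ta for ta in range(n_tas) if ta != home]
        tals.append([home] + rng.sample(others, min(tal_len - 1, len(others))))
    return tals


def simulate_paging(ta_of_gnb, tals, rng, intervals=720, page_fraction=0.05, call_intervals=36):
    """One simulated hour in 5 s steps: 5 % of UEs are paged per step, a page is broadcast by
    every gNodeB in every TA of the UE's TAL, and a paged UE is in a 3-minute call during which
    further pages to it are suppressed. Returns pages broadcast per gNodeB."""
    pages_per_ta = {}
    busy_until = [0] * len(tals)
    n_paged = max(1, int(page_fraction * len(tals)))
    for t in range(intervals):
        for ue in rng.sample(range(len(tals)), n_paged):
            if busy_until[ue] > t:
                continue                           # already in a call: page suppressed
            busy_until[ue] = t + call_intervals
            for ta in tals[ue]:
                pages_per_ta[ta] = pages_per_ta.get(ta, 0) + 1
    return [pages_per_ta.get(ta, 0) for ta in ta_of_gnb]   # every gNodeB in a TA broadcasts it


def user_capacity(pages, n_ues, budget=PAGE_BUDGET_PER_HOUR):
    """Scale the simulated population to the page budget at the median, 95th-percentile and
    busiest gNodeB, as the paper does for Figures 7b and 8b."""
    loaded = sorted(p for p in pages if p > 0)
    picks = {"median": statistics.median(loaded),
             "p95": loaded[int(0.95 * (len(loaded) - 1))],
             "max": loaded[-1]}
    return {name: budget * n_ues / load for name, load in picks.items()}


def run(n_gnbs=300, n_tas=20, n_ues=2000, tal_len=16, seed=7):
    """Same paging draws with TAL disabled and with TALs of tal_len, so that only the broadcast
    domain differs between the two runs."""
    rng = random.Random(seed)
    coords = [(rng.random() * 100, rng.random() * 100) for _ in range(n_gnbs)]  # km, constructed
    ta_of_gnb = kmeans(coords, n_tas, rng)
    home_tas = [ta_of_gnb[rng.randrange(n_gnbs)] for _ in range(n_ues)]       # UE sits at a gNodeB
    conventional = build_tals(home_tas, n_tas, 1, random.Random(seed + 1))
    with_tals = build_tals(home_tas, n_tas, tal_len, random.Random(seed + 1))
    pages_conv = simulate_paging(ta_of_gnb, conventional, random.Random(seed + 2))
    pages_tal = simulate_paging(ta_of_gnb, with_tals, random.Random(seed + 2))
    return {"pages_conv": pages_conv, "pages_tal": pages_tal,
            "capacity_conv": user_capacity(pages_conv, n_ues),
            "capacity_tal": user_capacity(pages_tal, n_ues)}
```

Because the two runs in `run()` use the same paging draws, every gNodeB's load with TALs is at least its load without them, and the capacity at the busiest gNodeB can only fall, which is the trend of Figure 7b; calling `run(n_tas=...)` with larger values while keeping `tal_len=16` reproduces the shape of the Figure 8 experiment, where more, smaller TAs pull the load back toward the conventional case.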

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.⁴ Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI, in a simple key-value store with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use OpenAirInterface 5G [51] to create 100 simulated UEs. We observe in Figure 10 that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFs, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFs, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

4. We build our prototype on a 4G LTE platform, as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.

Figure 10: Connection delays due to sync_failure (PDF of time to connection complete, in seconds, over the range 0.0 to 1.0 s)
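The SQN behavior described above, together with the PGPP-IMSI context keying from the prototype description, as an added example that is not part of the paper and not srsLTE or OpenAirInterface code: a Python model in which every SIM holds the same IMSI and the same key K. HMAC-SHA256 stands in for the Milenage f1/f1* MAC functions; the IMSI, key and SIM_WINDOW are constructed values; and pinning each SIM to one of several AUSFs is an assumption used only to illustrate the "more AUSFs" mitigation. Real USIMs accept a much larger SQN jump than SIM_WINDOW (Δ in TS 33.102 Annex C), which delays but does not remove the divergence: a resynchronization from a SIM whose counter is behind moves the AUSF counter backwards relative to SIMs that are ahead, and those SIMs then fail their next freshness check.

```python
"""Model of AKA sequence-number (SQN) handling when every SIM shares one IMSI
and key K, as in PGPP.  Added example, not the paper's srsLTE/OAI code.
HMAC-SHA256 stands in for the Milenage f1/f1* functions; SIM_WINDOW is a
constructed, deliberately small acceptance window (real USIMs use a far
larger jump limit, which only delays the divergence shown here)."""
import hashlib
import hmac
import os

SHARED_IMSI = "001010123456789"                        # constructed test IMSI
K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared key
SIM_WINDOW = 1  # SIM accepts sqn only if sqn_ms < sqn <= sqn_ms + SIM_WINDOW


def mac_a(sqn: int, rand: bytes) -> bytes:
    """Network MAC over SQN||RAND (stand-in for Milenage f1)."""
    return hmac.new(K, b"f1" + sqn.to_bytes(6, "big") + rand, hashlib.sha256).digest()[:8]


def mac_s(sqn_ms: int, rand: bytes) -> bytes:
    """Resync MAC over SQN_MS||RAND carried in AUTS (stand-in for Milenage f1*)."""
    return hmac.new(K, b"f1*" + sqn_ms.to_bytes(6, "big") + rand, hashlib.sha256).digest()[:8]


class AUSF:
    """Holds one SQN counter per IMSI; under PGPP that is one counter for everyone."""

    def __init__(self):
        self.sqn_he = {}

    def challenge(self, imsi):
        sqn = self.sqn_he.get(imsi, 1)
        self.sqn_he[imsi] = sqn + 1            # counter advances per vector issued
        rand = os.urandom(16)
        return rand, sqn, mac_a(sqn, rand)

    def resync(self, imsi, rand, auts):
        sqn_ms, mac = auts
        if not hmac.compare_digest(mac, mac_s(sqn_ms, rand)):
            raise ValueError("AUTS MAC check failed")
        self.sqn_he[imsi] = sqn_ms + 1         # next vector is fresh for *that* SIM


class SIM:
    def __init__(self, imsi=SHARED_IMSI):
        self.imsi, self.sqn_ms = imsi, 0

    def respond(self, rand, sqn, mac):
        if not hmac.compare_digest(mac, mac_a(sqn, rand)):
            return "mac_failure", None
        if not (self.sqn_ms < sqn <= self.sqn_ms + SIM_WINDOW):
            return "sync_failure", (self.sqn_ms, mac_s(self.sqn_ms, rand))  # AUTS
        self.sqn_ms = sqn
        return "ok", None


class AMF:
    """Contexts keyed by PGPP-IMSI = IMSI plus a per-connection nonce, so that
    devices presenting identical IMSIs still get distinct contexts."""

    def __init__(self):
        self.contexts = {}

    def register(self, sim):
        pgpp_imsi = f"{sim.imsi}-{os.urandom(4).hex()}"
        self.contexts[pgpp_imsi] = {"imsi": sim.imsi, "sqn_ms": sim.sqn_ms}
        return pgpp_imsi


def attach(ausf, amf, sim):
    """Run AKA until it succeeds; returns the number of rounds (1 = no sync_failure)."""
    rounds = 0
    while True:
        rounds += 1
        rand, sqn, mac = ausf.challenge(sim.imsi)
        status, auts = sim.respond(rand, sqn, mac)
        if status == "ok":
            amf.register(sim)
            return rounds
        if status != "sync_failure":
            raise RuntimeError(status)
        ausf.resync(sim.imsi, rand, auts)


def simulate(n_sims, attaches_per_sim, n_ausf=1):
    """SIMs attach in turn; each SIM is pinned round-robin to one of n_ausf AUSFs
    (an assumption standing in for 'more AUSFs, fewer UEs per AUSF')."""
    ausfs = [AUSF() for _ in range(n_ausf)]
    amf, sims = AMF(), [SIM() for _ in range(n_sims)]
    rounds = []
    for _ in range(attaches_per_sim):
        for i, sim in enumerate(sims):
            rounds.append(attach(ausfs[i % n_ausf], amf, sim))
    return {
        "attaches": len(rounds),
        "sync_failures": sum(r - 1 for r in rounds),
        "contexts": len(amf.contexts),
        "distinct_imsis": len({c["imsi"] for c in amf.contexts.values()}),
    }


if __name__ == "__main__":
    print("single AUSF :", simulate(n_sims=3, attaches_per_sim=2))
    print("one AUSF/SIM:", simulate(n_sims=3, attaches_per_sim=2, n_ausf=3))
```

With a single AUSF, every SIM after the first pays one extra AKA round (one sync_failure plus resynchronization) on each attach, while the AMF still ends up with one context per connection and a single distinct IMSI across all of them; with one AUSF per SIM no sync_failure occurs. `simulate()` returns the counts so they can be checked rather than read off the console.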

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems, as apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attacks or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catchers and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers, and do so while considering active attacks, without requiring fundamental changes on the UE: we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the paging frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the area in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data only rather than voice/SMS, and roaming to other networks can be enabled by requiring home routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MITM attack (e.g., an IMSI catcher), which necessarily means the attacker already knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury et al. [15] and Køien [41] alter IMSI values; however, both require substantial changes to network entities. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks, comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. Communications Assistance for Law Enforcement Act (CALEA), 47 USC 1001-1010, Public Law 103-414, 1994.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, World Telecommunication/ICT Development Report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2. https://www.cryptopp.com, 2019.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using Signalling System 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD: Open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en, 2019.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy attacks to the 4G and 5G cellular paging protocols using side channel information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS, Feb 2012.

[43] Unwired Labs. OpenCelliD: Open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 redirection attacks with audio-based distance bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: Signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the Internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher built with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data, May 2018.

9 Glossary

AKA: Authentication and Key Agreement. The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network.

AMF: Access and Mobility Management Function. The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs.

AUSF: Authentication Server Function. The entity that holds subscription information to allow or deny access to the network.

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks.

EIR: Equipment Identity Register. A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen).

gNodeB: Next Generation NodeB. The base station in 5G.

GUTI: Globally Unique Temporary Identity. The GUTI is a temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network.

IMEI: International Mobile Equipment Identity. A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer.

IMS: IP Multimedia Subsystem. The entity that provides voice and messaging services for the network.

IMSI: International Mobile Subscriber Identity. A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network.

MNO: Mobile Network Operator. A cellular service provider.

MVNO: Mobile Virtual Network Operator. A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks.

NG-RAN: Next Generation Radio Access Network. The network that serves to connect UEs and gNodeBs.

NGC: Next Generation Core. The core network in 5G. The main logical nodes of the NGC are the User Plane Function (UPF), the Access and Mobility Management Function (AMF), the Session Management Function (SMF), and the Authentication Server Function (AUSF).

PGPP-GW: PGPP Gateway. A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity.

RNTI: Radio Network Temporary Identifier. A unique identifier for a UE in a given cell, used to connect over layer 2.

SIM: Subscriber Identity Module. An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network.

SMF: Session Management Function. The session management function supports session management and IP address allocation.

SQN: Sequence Number. A value stored at the AUSF and the SIM to maintain synchrony between the entities.

SS7: Signaling System 7. The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards.

TA: Tracking Area. A tracking area includes one or many gNodeBs. Typically the UE can move freely among gNodeBs in a tracking area without notifying the AMF with a tracking area update.

TAL: Tracking Area List. A list of tracking areas, stored on the device, that the device can enter without triggering a tracking area update.

TAP: Transferred Account Procedure. A file detailing usage and wholesale charges due to roaming.

UE: User Equipment. The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone.

UPF: User Plane Function. The gateway that provides global IP connectivity from the NGC.


  • 1 Introduction
  • 2 Background
    • 2.1 Cellular architecture overview
    • 2.2 Privacy in the cellular architecture
  • 3 The need for privacy enhancements
  • 4 Scope
    • 4.1 Cellular privacy threat model
    • 4.2 Aims
  • 5 Design
    • 5.1 User identity privacy
    • 5.2 Location privacy
  • 6 Analysis
    • 6.1 Simulation configuration
    • 6.2 Cellular privacy attack analysis
    • 6.3 Impact of PGPP on network capacity
      • 6.3.1 Control overhead with PGPP TALs
      • 6.3.2 Control overhead with custom tracking areas
    • 6.4 Testbed analysis
  • 7 Related Work
  • 8 Concluding Remarks
  • 9 Glossary

movements. Figure 2c shows locations of base stations that broadcast the IMSI for a single user in the traces. As shown, we saw the user in multiple locations over the course of two days. Location A was recorded at 10am on a Monday; location B was thirty minutes later. The user connected to a base station at location C at noon that same day. Locations D and E were recorded the following day at noon and 1:30pm, respectively. From this we see that a passive observer unaffiliated with a cellular carrier can, over time, record the presence and location of nearby users. This attacker is weak, with a relatively small vantage point. In reality, carriers can and do maintain this information for all of their users.

4 Scope

We believe that many designs are possible to increase privacy in mobile networks, and no architecture today or in the future is likely to provide perfect privacy. Nevertheless, below we discuss various properties that PGPP strives to achieve.

Prior work examined the security vulnerabilities in modern cell networks [33, 42, 63] and revealed a number of flaws in the architecture itself. In addition, data brokers and major operators alike have taken advantage of the cellular architecture's vulnerabilities to profit off of revealing sensitive user data. We believe mobile networks should aim to, at a minimum, provide one or both of the following privacy properties:

• Identity privacy: A network can aim to protect users' identity. Networks, as well as third-party attackers, identify users through IMSIs, which are intended to be uniquely identifying.

• Location privacy: A network can aim to protect information about the whereabouts of a phone.

Naturally, these privacy properties do not exist in isolation; they intersect in critical ways. For example, attackers often aim to learn not only who a user is but where a specific user is currently located, or where a user was when a specific call was made. Also, the definition of an attacker or adversary is a complex one and, depending on context, may include individuals aiming to steal user data, mobile carriers and data brokers looking to profit off of user data, governments seeking to perform bulk surveillance, law enforcement seeking to monitor a user with or without due process, and many others. Due to context dependence, we do not expect all privacy-focused mobile networks to make the same choice of tradeoffs.

4.1 Cellular privacy threat model

Given the above discussion, we distinguish between bulk and targeted data collection. We define bulk collection to be the collection of information from existing cellular architecture traffic without the introduction of attack traffic; thus bulk collection is passive. Bulk attacks commonly target user identities (e.g., IMSIs). PGPP's core aim is to protect against bulk attacks. Targeted attacks are active and require injection of traffic to attack specific targets. Targeted attacks are often aimed at discovering a victim's location. We also delineate attacks by the adversary's capabilities, as they may have visibility into an entire network (global) versus, for an unprivileged attacker, some smaller subset of a network's infrastructure (local). Table 2 gives the taxonomy of attacks.

Table 2: Common cellular attacks (rows: attacker visibility; columns: attack type)

Visibility | Bulk                                       | Targeted
-----------|--------------------------------------------|------------------------
Global     | Carrier logs [18, 19, 39, 70];             | Carrier paging
           | Government surveillance [9]                |
Local      | SDR [3, 50, 69]; IMSI catcher [37, 52]     | Paging attack [34, 42]

Carriers and governments are the most common global-bulk attackers. Such bulk surveillance is commonplace in cellular networks and has been at the center of recent lawsuits and privacy concerns. Attacks that employ IMSI catchers or passively listen to broadcasts using software-defined radios are considered local-bulk. Here, an IMSI catcher is only able to monitor phones that connect directly to it, so its visibility is limited to its radio range. Similarly, SDR-based passive snooping (as in the example in §3) is only able to monitor nearby base stations and will miss portions of the network. We design PGPP with a primary focus on thwarting bulk attacks by nullifying the value of IMSIs (§5.1).

Local-targeted attacks can be carried out by ordinary users by generating traffic that causes a network to page a victim (e.g., a phone call to the victim). As local-targeted attackers do not have visibility into the entire network, they must rely upon knowledge of the geographic area that is encompassed by a tracking area. Due to the prevalence of such attacks, as an enhancement an operator can provide functionality, in cooperation with the user, that reduces the efficacy of local-targeted attacks through the use of TALs (§5.2).

Global-targeted attacks represent a very powerful attacker who can actively probe a victim while having global visibility of the network. We envision defenses against such attacks would require fundamental changes to communication models. PGPP does not mitigate global-targeted attacks, as we focus on immediately deployable solutions; we leave this to future work.

4.2 Aims

Next we discuss the aims of PGPP by considering several common questions that arise.

What sort of privacy does PGPP provide? As its name suggests, PGPP aims to provide "pretty good" privacy; we don't believe there is a solution that provides perfect privacy, causes no service changes (i.e., does not increase latency), and is incrementally deployable on today's cellular networks. The main focus is to offer privacy against global-bulk surveillance of mobility and location, a practice by carriers that is widespread and pernicious. We thwart this via eliminating the IMSI as an individual identifier and decoupling the authentication and connectivity mechanisms in the cellular architecture.

Isn't 5G more secure than legacy generations? The 5G standard includes enhancements focused on user privacy and system performance over legacy cellular generations. However, the enhancements do not offer location privacy benefits from the carriers.

Encrypted IMSIs. 5G includes the addition of encrypted IMSIs, where public key cryptography, along with ephemeral keys generated on the SIM, is used to encrypt the IMSI when sending it to the network. This protects user IMSIs from eavesdroppers. However, encrypted IMSIs do not prevent the cellular provider itself from knowing the user's identity. An analogy for encrypted IMSIs can be found in DNS over HTTPS (DoH): eavesdroppers cannot see unencrypted traffic, yet the endpoints (the DNS resolver for DoH, the cellular core in 5G) still can. The goal of this work is to not only thwart local-bulk attacks but also protect user privacy from mobile operators that would otherwise violate it (i.e., global-bulk attacks).

Small cell location privacy. The 5G standard strives for reduced latencies as well as much higher data throughputs. This necessitates the use of cells that cover smaller areas in higher frequency spectrum in order to overcome interference, compared with previous cellular generations that used macrocells to provide coverage to large areas. A (likely unintended) byproduct of 5G's use of smaller cells is a dramatic reduction in location privacy for users. As the 5G network provider maintains state pertaining to the location in the network for a given user for the purposes of paging, smaller cells result in the operator or attacker knowing user locations at a much higher precision compared with previous generations.

What about active / traffic analysis / signaling attacks? While active targeted attacks aren't our main focus, we improve privacy in the face of them by leveraging TALs to increase and randomize the broadcast domain for paging traffic, making it more difficult for attackers to know where a victim is located (analyzed in §6.2). Further, the goal of many active attacks is to learn users' IMSIs, and our nullification of IMSIs renders such attacks meaningless.

An attacker with a tap at the network edge could use traffic analysis attacks to reduce user privacy. We largely view this as out of scope, as users can tunnel traffic and use other means to hide their data usage patterns.

Cellular networks rely on signaling protocols such as Signaling System 7 (SS7) and Diameter when managing mobility as well as voice and SMS setup and teardown. These protocols enable the interoperability between carriers needed for roaming and connectivity across carriers. Unfortunately, these protocols were designed with inherent trust in the network players, and have thus been used to reduce user privacy and disrupt connectivity [24, 30, 49, 53, 62]. We design PGPP for 4G/5G data only, which renders legacy SS7 compatibility moot. Our PGPP design expects users to use outside messaging services rather than an in-NGC IMS system.

Can PGPP support roaming? Yes. While we envision that many PGPP users would explicitly not wish to roam, as roaming partners may not provide privacy guarantees, roaming is possible using a Diameter edge agent that only allows for home-routed roaming, forcing traffic to route from the visited network's SMF back to the PGPP operator's UPF rather than using local breakout, due to our authentication mechanism (§5.1). Roaming, and international roaming in particular, adds billing complexities for the PGPP operator. Typically, the visited network collects call data records for each roaming user on its network and calculates the wholesale charges payable by the home network. The visited network then sends a Transferred Account Procedure (TAP) file to the home network via a data clearing house. The home network then pays the visited network. In PGPP, the individual identity of the user that roamed is not known, yet the PGPP operator remains able to pay the appropriate fees to visited networks.

How does PGPP protect user privacy for voice or text service? Out of the box, PGPP doesn't provide protection for such service. Instead, PGPP aims to provide privacy from the cellular architecture itself, and in doing so users are free to use a third-party VoIP provider (in which case the phone will operate identically to a normal phone for telephony service from a user's perspective) or to use recent systems by Lazar et al. [44, 45] that provide strong metadata privacy guarantees for communications, or similar systems such as [16, 17, 46, 68]. We view PGPP as complementary to such systems.

How does PGPP protect users against leaky apps? PGPP doesn't, as it is about providing protection in the cellular infrastructure. Even without leaky apps, users can always intentionally or inadvertently reveal their identity and location. Leaky apps make this worse, as they collect and sometimes divulge sensitive user information. We see PGPP as complementary to work that has targeted privacy in mobile app ecosystems. Further, apps are not as fundamental as connectivity—users can choose whether to install and run a leaky app and can constrain app permissions. However, phones are by their nature always connected to carrier networks, and those very networks have been selling user data to third parties.

If users can't be identified by carriers, how can carriers still make money? We introduce PGPP tokens in §5.1 as a mechanism for a PGPP operator to charge customers while protecting user anonymity.

Can't phone hardware be tracked as well? Phones have an International Mobile Equipment Identity (IMEI). The IMEI is assigned to the hardware by the manufacturer and identifies the manufacturer, model, and serial number of a given device. Some operators keep an IMEI database to check whether a device has been reported as stolen, known as an equipment identity register (EIR); IMEIs in the database are blacklisted.

For many devices, the IMEI can be changed through software, often without root access. We envision a PGPP MVNO would allow for subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against an EIR to verify the phone has not been reported as stolen. At that point, the IMEI could be reprogrammed to a single value, similar to our changes to the IMSI. Note that different jurisdictions have different rules about whether, how, and by whom an IMEI can be changed, so only in some cases do IMEI changes require cooperation with the MVNO.

Is PGPP legal? Legality varies by jurisdiction. For example, US law (CALEA [1]) requires providers to offer lawful interception of voice and SMS traffic. A PGPP-based carrier is data-only, with voice and messaging provided by third parties. CALEA requires the provider to offer content of communication data at the UPF, e.g., raw (likely-encrypted) network traffic. This is supported by PGPP.

5 Design

In this section we describe the mechanisms PGPP employs to increase user identity and location privacy. Ultimately, PGPP's design choices appear obvious in retrospect. We believe its simplicity is an asset, as PGPP is compatible with existing networks and immediately deployable.

In order to provide identity privacy against bulk attacks, we nullify the value of the IMSI, as it is the most common target identifier for attackers. In our design, we choose to set all PGPP user IMSIs to an identical value to break the link between IMSI and individual users. This change requires a fundamental shift in the architecture, as IMSIs are currently used for connectivity as well as authentication, billing, and voice/SMS routing. We design a new cellular entity for billing and authentication that preserves identity privacy. Fortunately, the industry push for software-based NGCs makes our architecture feasible. We describe the architecture in §5.1.

To provide location privacy from targeted attacks, PGPP leverages an existing mechanism (TALs) in the cellular specification in order to grow the broadcast domain for control traffic (§5.2). By changing the broadcast domain for every user, the potential location of a victim is broadened from the attacker's vantage point.

5.1 User identity privacy

As discussed in §2.2, IMSIs are globally unique, permanent identifiers. As such, they are routinely targeted by attackers, both legal and illegal. In this section we re-architect the network in order to thwart the bulk attacks introduced in §4.1 that are based on identifying individuals via IMSI.

We decouple back-end connectivity from the authentication procedure that normally occurs at the AUSF when a UE attaches to the network. Instead, the PGPP operator issues SIM cards with identical IMSIs to all of its subscribers. In this model, the IMSI is used only to prove that a user has a valid SIM card to use the infrastructure, and in turn the PGPP network can provide an IP address and connectivity and offer the client a GUTI, providing the user with a unique identity necessary for basic connectivity.

Scheme               Customer   Anonymous   Unique
Standard auth           •
Group/ring sig          •           •
Linkable ring sig       •                      •
Cryptocurrency                      •          •
PGPP tokens             •           •          •

Table 3: Three properties needed for user authentication in a privacy-preserving cell network, and schemes to achieve them.

5G authentication is normally accomplished using IMSIs at the AUSF; however, all PGPP users share a single IMSI. Thus, to authenticate a user, we designed a post-attach oblivious authentication scheme to ensure that the PGPP operator is able to account for the user without knowing who they are.

PGPP Gateway. In order to perform this authentication, we create a new logical entity called a PGPP Gateway (PGPP-GW), shown in Figure 1, which sits between the UPF and the public Internet. The UPF is configured to have a fixed tunnel to a PGPP-GW, which can be located outside of the PGPP operator's network. Using this mechanism, the PGPP-GW only sees an IP address, which is typically NATed, and whether that IP address is a valid user. Notably, it does not have any information about the user's IMSI. The PGPP-GW design also allows for many different architectures. For instance, multiple PGPP-GWs could be placed in multiple datacenters or even use a privacy service such as Tor (see footnote 2).

Authentication properties. From the perspective of the PGPP-GW, there are multiple properties an authentication scheme must guarantee: (1) the gateway can authenticate that a user is indeed a valid customer (see footnote 3); (2) the gateway and/or any other entities cannot determine the user's identity, and thus cannot link the user's credentials/authentication data with a user identity; and (3) the gateway can determine whether a user is unique or if two users are sharing credentials.

As we show in Table 3, the challenge is that standard approaches for authentication only provide one of the three required properties, and widely-studied cryptographic mechanisms only provide two of the three properties. For example, an ordinary authentication protocol (of which there are many [7, 36]) can provide property 1) but not 2) and 3). A cryptographic mechanism such as group signatures [8, 12] or ring signatures [20, 59] can protect the user's identity upon authentication, providing properties 1) and 2) but not 3), as providing the last property would violate the security of the signature scheme. Similarly, traitor tracing schemes [14] (such as for broadcast encryption [25]) can provide all three properties but in practice cannot provide property 3), as the traitor tracing would require actual physical confiscation of the "traitor" phone by the MVNO, which is infeasible. A variation on ring signatures known as linkable ring signatures [48] provides the ability for a user's identity to be revealed if the user signs multiple messages with the same key. While this is useful in establishing that the user is unique and hasn't shared their credentials, it also partially violates the user's anonymity, as that key cannot be used again.

Footnote 2: We leave exploration into such scenarios to future work.

Footnote 3: Due to "Know Your Customer" rules in some jurisdictions, the provider may need to have a customer list, necessitating that the user authentication scheme be compatible with periodic explicit customer billing.

Effective authentication. There are two approaches that we view as viable, depending on the circumstances. An anonymity-preserving cryptocurrency can provide properties 2) and 3) but not 1), as a cryptocurrency would combine billing and authentication at the PGPP-GW. For MVNOs that are not required to know their customers, an anonymity-preserving cryptocurrency may be the ideal solution for both user authentication and payment, though even the best coins provide imperfect anonymity guarantees [38].

To provide all three properties, we develop a simple scheme called PGPP tokens that helps us sidestep the issues with alternative approaches. The choice of authentication scheme is deployment-context specific. With PGPP tokens, when paying a monthly bill, a user retrieves authentication tokens that are blind-signed using Chaum's classic scheme [6, 11] by the billing system. Later, when authenticating to the service, the user presents tokens and the service (the PGPP-GW) verifies their signature before allowing the user to use the network. The token scheme ensures that the service can check the validity of tokens without identifying the user requesting access. The user then presents the next token in advance so as to ensure seamless service. Note that PGPP tokens disallow the post-pay model for cellular billing, as the network would be required to know the identity of users in order to accurately charge them for usage. Therefore, PGPP is pre-pay only, though this can be adjusted to emulate post-payment (e.g., users pre-pay for tokens on an ongoing basis rather than only monthly, and tokens are valid for a longer time period, such as a year, rather than for only one billing period).

Each token represents a unit of access, as is appropriate for the service provider. Some providers may choose to offer flat-rate unlimited-data service, in which case each token represents a fixed period of time; this is the default approach that we use to describe the scheme below. Other providers may choose to offer metered service, in which case each token represents a fixed unit of data, such as 100 MB or 1 GB, rather than a period of time. Still others may choose to provide two-tiered service priority by marking each token with a priority bit in addition to either unlimited data or metered data service; such prioritization does come with slight privacy loss, as the MVNO and MNO alike would be able to differentiate which priority level was in use. The privacy loss of two-tiered data priority can be partially mitigated by offering all users some amount of time or GB of high-priority service, after which they must fall back to low-priority service; such a service plan structure is fairly standard in the industry today. In such a setting, each user would have both high-priority and low-priority tokens and thus would not be clearly stratified into two identifiable groups of users.

At the beginning of a billing period, the billing system defines s time slices (e.g., corresponding to hours) or another unit of access (e.g., a unit of data) and generates s RSA key-pairs for performing blind signatures using Chaum's scheme. It then appends the public keys for this time period to a well-known public repository that is externally maintained (e.g., on GitHub), and these are fetched by users. The user generates s tokens, where each token takes the form i‖r (the concatenation of i and r), where i is the time slice index as a 256-bit unsigned value, zero indexed from the beginning of the billing period, and r is a 256-bit random value chosen by the user. The user then blinds these tokens. The user pays the bill using a conventional means of payment (e.g., credit card) and presents the blinded tokens to the billing system to be signed; the system signs each token with the corresponding time slice key and returns these values to the user. The user unblinds the response values and verifies the signatures for each.

Upon later authentication to the service, the user presents its signed token for the current time slice to the PGPP-GW, which verifies the signature and, if valid, begins forwarding the user's traffic onto the Internet. Since the token signature was generated using Chaum's scheme, the service cannot determine which human user corresponds to which signed token. If the same token is used by two different users during the same time period, then the service can conclude that a user has shared their credentials and is attempting to cheat.

The costs of this scheme to both the PGPP operator and the user are low. The operator stores the list of used tokens in a standard consistent and replicated cloud database, so the service can operate multiple PGPP-GWs, though it is likely that a small number of PGPP-GWs can serve a large number of users: we benchmarked the 2048-bit RSA signature verification used here at 31 µs per call using Crypto++ [21] on a single core of a 2.6 GHz Intel Xeon E5-2640 CPU, and thus with a single CPU core the PGPP-GW can handle token verification for tens of millions of users. The tokens themselves are small, and the storage cost to the provider is about 1.5 MB per user per time period, which is a small amount for any user's phone to store, and for a provider even hundreds of millions of tokens amounts to mere GBs of data in cloud storage.

User device agent. To automate the process of authenticating with the PGPP-GW, we create a simple agent that runs as a background job on the user device. This agent leverages the Android JobScheduler API: in the event of cellular connectivity, the JobScheduler triggers PGPP-token-based authentication with the PGPP-GW. The agent establishes a TLS connection to the PGPP-GW and then sends the token for the current time slice. Once the user presents a valid token, the PGPP-GW begins forwarding traffic for that user, and thus this behavior is akin to a captive portal, though the authentication is automatic and unseen by the user.
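The token flow just described (user blinds i‖r, billing signs with the slice key, PGPP-GW verifies and detects a token presented twice), as an added example that is not the paper's prototype or billing code. The Mersenne-prime RSA keys, the SHA-256 token hash, the two-slice period and the gateway's verdict strings are assumptions made to keep it self-contained.

```python
"""Toy model of PGPP tokens: Chaum RSA blind signatures, one key per time slice."""
import hashlib
import math
import secrets

# Toy RSA moduli from Mersenne primes so the example runs offline and needs no
# key generator (requires Python 3.8+ for pow(x, -1, n)). They are trivially
# factorable; a real billing system generates fresh 2048-bit keys per slice.
_MERSENNE = [(1 << k) - 1 for k in (521, 607, 1279, 2203)]
_E = 65537


def make_keypair(p, q):
    return {"n": p * q, "e": _E, "d": pow(_E, -1, (p - 1) * (q - 1))}


# Billing system publishes one public key per time slice (the paper: s key-pairs
# per billing period, posted to a public repository). Two slices are modelled.
SLICE_KEYS = {0: make_keypair(*_MERSENNE[:2]), 1: make_keypair(*_MERSENNE[2:])}


def token_hash(slice_index, r):
    """Token i||r as two 256-bit big-endian values, hashed before signing."""
    data = slice_index.to_bytes(32, "big") + r.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# --- user device ----------------------------------------------------------------
def user_blind(slice_index):
    """Pick a fresh 256-bit r and blinding factor b; the bill request carries
    only m * b^e mod n, which reveals nothing about (i, r)."""
    key = SLICE_KEYS[slice_index]
    r = secrets.randbits(256)
    b = secrets.randbelow(key["n"] - 2) + 2
    while math.gcd(b, key["n"]) != 1:  # b must be invertible mod n
        b = secrets.randbelow(key["n"] - 2) + 2
    blinded = token_hash(slice_index, r) * pow(b, key["e"], key["n"]) % key["n"]
    return {"i": slice_index, "r": r, "b": b, "blinded": blinded}


def user_unblind(pending, blinded_sig):
    """sig = sig' * b^-1 mod n; the user verifies before storing the token."""
    key = SLICE_KEYS[pending["i"]]
    sig = blinded_sig * pow(pending["b"], -1, key["n"]) % key["n"]
    token = {"i": pending["i"], "r": pending["r"], "sig": sig}
    if not verify_token(token):
        raise ValueError("billing system returned an invalid signature")
    return token


# --- billing system -------------------------------------------------------------
def billing_sign(slice_index, blinded):
    """Signs the blinded value with the slice key once the bill is paid. It never
    sees (i, r) or the unblinded signature, so it cannot link token to payer."""
    key = SLICE_KEYS[slice_index]
    return pow(blinded, key["d"], key["n"])


# --- PGPP-GW --------------------------------------------------------------------
def verify_token(token):
    key = SLICE_KEYS.get(token["i"])
    if key is None:
        return False
    return pow(token["sig"], key["e"], key["n"]) == token_hash(token["i"], token["r"])


class Gateway:
    """Forwards traffic only for a valid, unspent token of the current slice."""

    def __init__(self):
        self.used = set()  # paper: consistent replicated DB shared by all GWs

    def admit(self, token, current_slice):
        if token["i"] != current_slice:
            return "wrong_slice"
        if not verify_token(token):
            return "bad_signature"
        if (token["i"], token["r"]) in self.used:
            return "reused"  # same token from a second UE: shared credentials
        self.used.add((token["i"], token["r"]))
        return "ok"


def run_period():
    """End-to-end flow for a two-slice billing period; returns gateway verdicts."""
    pending = [user_blind(0), user_blind(1)]
    tokens = [user_unblind(p, billing_sign(p["i"], p["blinded"])) for p in pending]
    gw = Gateway()
    forged = dict(tokens[0], r=tokens[0]["r"] ^ 1)  # tampered r, original sig
    return {
        "slice0": gw.admit(tokens[0], 0),
        "slice0_second_device": gw.admit(tokens[0], 0),
        "slice1_too_early": gw.admit(tokens[1], 0),
        "slice1": gw.admit(tokens[1], 1),
        "forged": gw.admit(forged, 0),
        # the value billing signed is unrelated to anything the gateway sees
        "billing_saw_token_hash": pending[0]["blinded"] == token_hash(0, tokens[0]["r"]),
    }
```

The second presentation of the slice-0 token is what the paper's reuse check catches; the billing system's view (`blinded`) never equals the value the gateway verifies, which is the unlinkability property.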

5.2 Location privacy

As described in §2.2, cellular operators track user location in the form of tracking areas for UEs in order to quickly find users when there is incoming content. PGPP leverages an existing mechanism in the cellular standard to reduce the effectiveness of the local-targeted attacks described in §4.1.

Paging has been exploited in the past to discover user location by adversaries. However, the use of tracking areas is useful for the cellular provider in that it confines the signaling message load (i.e., paging messages) to a relatively small subset of the infrastructure. Tracking areas reduce mobility signaling from UEs as they move through the coverage zone of a single tracking area. Note that emergency calling represents a special case in cellular networks. When a device dials 911, the phone and network attempt to estimate accurate location information. In this work we do not alter this functionality, as we anticipate that users dialing 911 are willing to reveal their location.

In PGPP, we exploit the tracking area list (TAL) concept introduced in 3GPP Release 8 [2]. Using TALs, a UE no longer belongs to a single tracking area, but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users [56–58], in PGPP we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) the victim is within. We explore tradeoffs in terms of TAL length, control traffic overhead, and location anonymity in the next section.

6 Analysis

To study the implications of a PGPP deployment, we create a simulation to model users, mobility, and cell infrastructure. We study the impact of PGPP's design on various cellular attacks that occur today. We then analyze the inherent tradeoffs from the PGPP operator's perspective, as improved privacy comes at the price of increased control traffic. Lastly, we examine PGPP in a lab testbed on real devices.

Figure 3: Partial simulation map. Cells are shaded by AT&T tracking area.

Figure 4: gNodeBs visited by simulated mobile users (x-axis: gNodeBs visited, 0–30; series: cars, pedestrians).

6.1 Simulation configuration

gNodeB dataset. We select Los Angeles County, California as the region for our simulation, which provides a mix of both highly urban areas as well as rural areas. For gNodeB location information we use OpenCellID [43], an open database that includes tower locations and carrier information. To simplify the simulation, we select base stations from the database that are listed as providing LTE from AT&T, the provider with the most LTE eNodeBs (22,437) in the region. We use LTE eNodeBs as the number of gNodeBs deployed remains small.

Given their geographic coordinates, we estimate coverage areas for every gNodeB using a Voronoi diagram. During the simulation, a UE is assigned to the gNodeB that corresponds to the region the UE is located within. While such discretization is not likely in reality, as UEs remain associated with a gNodeB based on received signal strength, this technique provides us with a tractable mobility simulation. A partial map of the simulation region is shown in Figure 3. ENodeB regions are shaded based on the tracking area value in the OpenCellID database.

Mobility traces. To simulate realistic mobility patterns (i.e., users must follow available paths), we generate mobility traces using the Google Places [29] and Directions [28] APIs. First, we use the Places API to find locations in the simulation region that are available when searching for "post office". Each place is associated with latitudinal and longitudinal coordinates. We then generate mobility traces by randomly selecting start and end points and use the Directions API to obtain a polyline with coordinates along with estimated times to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals, in a method similar to [10]. We use this output along with the gNodeB Voronoi diagram to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore, we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so, we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1,000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication from connectivity, and increasing the broadcast domain for users, we increase user identity privacy even against an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user when under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$H_M = \log_2(N)$   (1)

Figure 5: Degree of anonymity using TALs and custom TAs. (a) TALs: degree of anonymity (0.0–1.0) versus S (0–20,000), N = 22,437; series: Conventional, TAL length 4, 8, 12, 16. (b) Custom TAs: same axes, N = 22,437; series: Conventional, TAs 25, 50, 100, 200, 500, 1000.

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)}$   (2)

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the anonymity set for traditional cellular is $\log_2(1)/\log_2(22437) = 0$, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect for each paging message the number of gNodeBs that had users within their range and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8 the degree of anonymity is 0.748.

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs, and by extension the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs.

In traditional cell networks, each user has a globally unique IMSI (S = 1), resulting in a degree of anonymity of zero, as the victim could only be one user. In our measurement study (§3), we showed that IMSIs are routinely broadcast over cell networks, making an IMSI catcher or SDR attack powerful. The subset S in PGPP, on the other hand, is the size of the population of PGPP users in a given location, as all IMSI values are identical and a local bulk attacker cannot know the true identity of a single user. To get an idea of S, we can calculate the number of PGPP users connected to each gNodeB in the simulation. Over the course of the simulation, we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity of $\log_2(223.09)/\log_2(50000) = 0.50$. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over the conventional cellular architecture and is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.

Figure 6: Area anonymity using TALs and custom TAs. (a) TALs: CDF versus page area anonymity (km², 0–20,000); series: Conventional (TAL disabled), TAL length 4, 8, 12, 16. (b) Custom TAs: same axes; series: Conventional (TAL disabled), TAs 25, 50, 100, 200, 500, 1000.

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5,876.96 and 9,585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4,891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.

Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF versus control traffic (pages, 10^0–10^6, log scale); series: Conventional, TAL length 4, 8, 12, 16, max pages/s. (b) Capacity with TALs: user capacity (millions, 0–25) versus TAL length (1–16); series: median, 95th percentile, max.

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus, we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted by the vertical red line in the figure (525 pages × 3,600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile, and the median to estimate the number of users each could theoretically support by taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF versus control traffic (pages, 10^0–10^6, log scale); series: Conventional, TAs 25, 50, 100, 200, 500, 1000, max pages/s. (b) Custom TAs, capacity: user capacity (millions, 0–25) versus number of TAs in the underlying map (0–1,000); series: median, 95th percentile, max.
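The per-UE TAL generation of §5.2, the degree-of-anonymity metric of Eq. (2) from §6.2 and the paging-load tradeoff of §6.3.1 in one small model, as an added example rather than the paper's ns-3 simulation. The 4×4 grid of tracking areas with three gNodeBs each is a constructed map, not the OpenCellID dataset, and the anonymity set S is taken, as in the global-bulk analysis, to be the number of gNodeBs in the median paging domain.

```python
"""Per-UE random tracking area lists (TALs): location anonymity vs. paging load."""
import math
import random

# Constructed toy coverage map: a GRID x GRID grid of tracking areas (TAs), each
# with three gNodeBs. Adjacency is grid neighbourhood. Not the paper's LA dataset.
GRID = 4
TAS = [(x, y) for x in range(GRID) for y in range(GRID)]
GNODEBS = {ta: [f"gnb-{ta[0]}{ta[1]}-{k}" for k in range(3)] for ta in TAS}
N_GNODEBS = sum(len(v) for v in GNODEBS.values())  # 48 gNodeBs in total
TAL_MAX = 16  # 3GPP limit on the number of TAs in a TAL


def adjacent(ta):
    x, y = ta
    return [(x + dx, y + dy) for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1))
            if 0 <= x + dx < GRID and 0 <= y + dy < GRID]


def generate_tal(current_ta, length, rng):
    """AMF side (§5.2): start at the TA the UE attached in and repeatedly add a
    randomly chosen TA adjacent to the list so far, until `length` TAs (capped
    at 16) are chosen. Each UE gets its own draw, so TALs differ per UE."""
    tal = [current_ta]
    while len(tal) < min(length, TAL_MAX):
        frontier = {n for ta in tal for n in adjacent(ta)} - set(tal)
        if not frontier:
            break  # the whole map is already in the list
        tal.append(rng.choice(sorted(frontier)))
    return tal


def paging_domain(tal):
    """gNodeBs that must broadcast a page for a UE holding this TAL."""
    return {g for ta in tal for g in GNODEBS[ta]}


def degree_of_anonymity(s, n):
    """Eq. (2): d = log2(S) / log2(N), S = size of the attacker's candidate set."""
    if not 1 <= s <= n or n < 2:
        raise ValueError("need 1 <= S <= N and N >= 2")
    return math.log2(s) / math.log2(n)


def simulate(n_ues, tal_length, pages_per_ue, seed=1):
    """Page `n_ues` UEs, each with its own TAL, and report per-gNodeB page load
    together with the global-bulk degree of anonymity: conventional S = 1 (a
    unique IMSI pins the user down); PGPP S = gNodeBs in the median paging
    domain, out of N = N_GNODEBS."""
    rng = random.Random(seed)
    load = {g: 0 for ta in TAS for g in GNODEBS[ta]}
    domain_sizes = []
    for _ in range(n_ues):
        home = rng.choice(TAS)
        domain = paging_domain(generate_tal(home, tal_length, rng))
        domain_sizes.append(len(domain))
        for _ in range(pages_per_ue):
            for g in domain:
                load[g] += 1
    median = sorted(domain_sizes)[len(domain_sizes) // 2]
    return {
        "d_conventional": degree_of_anonymity(1, N_GNODEBS),
        "d_pgpp": degree_of_anonymity(median, N_GNODEBS),
        "max_pages_per_gnb": max(load.values()),  # the capacity bottleneck
        "total_pages": sum(load.values()),
    }
```

Comparing `simulate(200, 1, 1)` (TAL of one TA, i.e. the conventional case) with `simulate(200, 8, 1)` shows both halves of the tradeoff: d_pgpp rises from log2(3)/log2(48) to log2(24)/log2(48) while the busiest gNodeB's page count grows several-fold.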

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic capacity, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a basemap consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios (see footnote 4). Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

SrsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI in a simple key-value store, with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use OpenAirInterface 5G [51] to create 100 simulated UEs. We observe that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFs, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFs, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

Figure 10: Connection delays due to sync_failure (PDF of time to connection complete, 0.0 to 1.0 s).

⁴ We build our prototype on a 4G LTE platform, as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.
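The sync_failure behaviour described above can be reproduced in a small model. The following is an added example, not code from the paper, srsLTE or OpenAirInterface. It follows the paper's description of AKA (the AUSF and each SIM keep an SQN, both advance on a successful attach, a mismatch is a sync_failure, and the AUSF adopts the SIM's SQN from the AUTS token). Its assumptions are stated in the code: an exact-match SQN check rather than the acceptance window of 3GPP TS 33.102, HMAC-SHA256 in place of the Milenage f1/f1* functions, a constructed test-network IMSI and key, and round-robin assignment of devices to AUSF records. It returns the number of sync_failures and the batch completion time in round trips, so the cost of sharing one subscriber record across many devices, and the effect of adding AUSFs, can be read off directly.

```python
"""AKA sequence-number drift when many devices share one IMSI (sync_failure model).

Added example; not code from the PGPP paper, srsLTE or OpenAirInterface. It
follows the paper's description: AUSF and SIM each keep an SQN, both advance
on a successful attach, a mismatch is a sync_failure and the AUSF adopts the
SIM's SQN from the AUTS. Assumptions: exact-match SQN check (3GPP TS 33.102
uses an acceptance window), HMAC-SHA256 in place of Milenage f1/f1*, a
constructed test-network IMSI/key, and round-robin device-to-AUSF assignment.
"""
import hashlib
import hmac
import os
import random
from dataclasses import dataclass

SHARED_IMSI = "001010000000001"   # constructed: test-network MCC 001 / MNC 01
SHARED_K = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key


def f1(k: bytes, sqn: int, rand: bytes) -> bytes:
    """Stand-in for Milenage f1/f1*: 8-byte MAC over SQN || RAND."""
    return hmac.new(k, sqn.to_bytes(6, "big") + rand, hashlib.sha256).digest()[:8]


@dataclass
class AUSF:
    """One subscriber record; under PGPP every SIM maps to this single record."""
    sqn: int = 0

    def auth_vector(self):
        rand = os.urandom(16)
        return rand, self.sqn, f1(SHARED_K, self.sqn, rand)

    def resync(self, sqn_ms: int, rand: bytes, mac_s: bytes) -> None:
        """Handle an AUTS: verify MAC-S, then rewind to the SIM's sequence number."""
        if not hmac.compare_digest(mac_s, f1(SHARED_K, sqn_ms, rand)):
            raise ValueError("bad MAC-S in AUTS")
        self.sqn = sqn_ms


@dataclass
class SIM:
    """Holds the shared IMSI/K plus its own copy of the sequence number."""
    sqn_ms: int = 0

    def check(self, rand: bytes, sqn: int, mac: bytes):
        """Return (True, None) on success, (False, auts) on sync_failure."""
        if not hmac.compare_digest(mac, f1(SHARED_K, sqn, rand)):
            raise ValueError("MAC failure")           # wrong key, not a sync issue
        if sqn != self.sqn_ms:                        # paper's model: exact match
            return False, (self.sqn_ms, rand, f1(SHARED_K, self.sqn_ms, rand))
        return True, None


def attach(ausf: AUSF, sim: SIM) -> int:
    """Run AKA until it succeeds; return the number of sync_failures on the way."""
    failures = 0
    while True:
        rand, sqn, mac = ausf.auth_vector()
        ok, auts = sim.check(rand, sqn, mac)
        if ok:
            ausf.sqn += 1                             # both sides advance together
            sim.sqn_ms += 1
            return failures
        failures += 1
        ausf.resync(*auts)                            # costs one extra round trip


def simulate(n_devices: int, rounds: int, n_ausf: int = 1, seed: int = 0):
    """Attach n_devices (one shared IMSI) `rounds` times each, in random order.

    Device i is served by AUSF record i % n_ausf (assumed sharding). Each AUSF
    handles requests one at a time, so the batch time is the busiest AUSF's
    round-trip count: one per attempt plus one per sync_failure.
    Returns (total sync_failures, batch time in round trips).
    """
    rng = random.Random(seed)
    ausfs = [AUSF() for _ in range(n_ausf)]
    sims = [SIM() for _ in range(n_devices)]
    failures, rtts = 0, [0] * n_ausf
    for _ in range(rounds):
        order = list(range(n_devices))
        rng.shuffle(order)
        for i in order:
            f = attach(ausfs[i % n_ausf], sims[i])
            failures += f
            rtts[i % n_ausf] += 1 + f
    return failures, max(rtts)


if __name__ == "__main__":
    for k in (1, 10):
        print(f"{k} AUSF(s): (sync_failures, batch_rtts) = {simulate(100, 1, n_ausf=k)}")
```

With 100 devices on one AUSF record the model produces 99 sync_failures and 199 round trips for the batch: only the first device finds the AUSF's counter where it expects it, and every other device pays a resynchronization. Spreading the same devices over ten AUSF records cuts the batch to 19 round trips, which is the mitigation the paragraph above proposes. The measured delays in Figure 10 also include radio and core-network processing time, which the model does not represent.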

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems, as apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attacks or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catchers and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers, and do so while considering active attacks, without requiring fundamental changes on the UE: we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the paging frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) broadens the area in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number; PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only service rather than voice/SMS, and roaming to other networks can be enabled by requiring home routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MITM attack (e.g., an IMSI catcher), which necessarily means the attacker already knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks, comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. Communications Assistance for Law Enforcement Act (CALEA), 47 USC 1001-1010, Public Law 103-414, 1994.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, World Telecommunication/ICT Development Report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using Signalling System 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB, 2019. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy attacks to the 4G and 5G cellular paging protocols using side channel information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCelliD: open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 redirection attacks with audio-based distance bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: Signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the Internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data, May 2018.

9 Glossary

AKA (Authentication and Key Agreement): The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network.

AMF (Access and Mobility Management Function): The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs.

AUSF (Authentication Server Function): The entity that holds subscription information to allow or deny access to the network.

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks.

EIR (Equipment Identity Register): A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen).

gNodeB (Next Generation NodeB): The base station in 5G.

GUTI (Globally Unique Temporary Identity): A temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network.

IMEI (International Mobile Equipment Identity): A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer.

IMS (IP Multimedia Subsystem): The entity that provides voice and messaging services for the network.

IMSI (International Mobile Subscriber Identity): A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network.

MNO (Mobile Network Operator): A cellular service provider.

MVNO (Mobile Virtual Network Operator): A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks.

NG-RAN (Next Generation Radio Access Network): The network that serves to connect UEs and gNodeBs.

NGC (Next Generation Core): The core network in 5G. The main logical nodes of the NGC are the User Plane Function (UPF), the Access and Mobility Management Function (AMF), the Session Management Function (SMF), and the Authentication Server Function (AUSF).

PGPP-GW (PGPP Gateway): A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity.

RNTI (Radio Network Temporary Identifier): A unique identifier for a UE in a given cell, used to connect over layer 2.

SIM (Subscriber Identity Module): An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network.

SMF (Session Management Function): Supports session management and IP address allocation.

SQN (Sequence Number): A value stored at the AUSF and on the SIM to maintain synchrony between the entities.

SS7 (Signaling System 7): The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards.

TA (Tracking Area): A tracking area includes one or many gNodeBs. Typically the UE can move freely between gNodeBs in a tracking area without notifying the AMF with a tracking area update.

TAL (Tracking Area List): A list of tracking areas, stored on the device, that the device can enter without triggering a tracking area update.

TAP (Transferred Account Procedure): A file detailing usage and wholesale charges due to roaming.

UE (User Equipment): The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone.

UPF (User Plane Function): The gateway that provides global IP connectivity from the NGC.


widespread and pernicious. We thwart this by eliminating the IMSI as an individual identifier and decoupling the authentication and connectivity mechanisms in the cellular architecture.

Isn't 5G more secure than legacy generations? The 5G standard includes enhancements focused on user privacy and system performance over legacy cellular generations. However, the enhancements do not offer location privacy benefits from the carriers.

Encrypted IMSIs. 5G includes the addition of encrypted IMSIs (the SUCI, Subscription Concealed Identifier), where public key cryptography, along with ephemeral keys generated on the SIM, is used to encrypt the IMSI when sending it to the network. This protects user IMSIs from eavesdroppers. However, encrypted IMSIs do not prevent the cellular provider itself from knowing the user's identity: the home network holds the private key that decrypts them. An analogy for encrypted IMSIs can be found in DNS over HTTPS (DoH): eavesdroppers cannot see unencrypted traffic, yet the endpoints (the DNS resolver for DoH, the cellular core in 5G) still can. The goal of this work is to not only thwart local-bulk attacks but also to protect user privacy from mobile operators that would otherwise violate it (i.e., global-bulk attacks).

Small cell location privacy. The 5G standard strives for reduced latencies as well as much higher data throughputs. This necessitates the use of cells that cover smaller areas in higher frequency spectrum in order to overcome interference, compared with previous cellular generations that used macrocells to provide coverage to large areas. A (likely unintended) byproduct of 5G's use of smaller cells is a dramatic reduction in location privacy for users. As the 5G network provider maintains state pertaining to the location in the network for a given user for the purposes of paging, smaller cells result in the operator or attacker knowing user locations at a much higher precision compared with previous generations.

What about active | traffic analysis | signaling attacks? While active, targeted attacks aren't our main focus, we improve privacy in the face of them by leveraging TALs to increase and randomize the broadcast domain for paging traffic, making it more difficult for attackers to know where a victim is located (analyzed in §6.2). Further, the goal of many active attacks is to learn users' IMSIs, and our nullification of IMSIs renders such attacks meaningless.

An attacker with a tap at the network edge could use traffic analysis attacks to reduce user privacy. We largely view this as out of scope, as users can tunnel traffic and use other means to hide their data usage patterns.

Cellular networks rely on signaling protocols such as Signaling System 7 (SS7) and Diameter when managing mobility as well as voice and SMS setup and teardown. These protocols enable the interoperability between carriers needed for roaming and connectivity across carriers. Unfortunately, these protocols were designed with inherent trust in the network players, and have thus been used to reduce user privacy and disrupt connectivity [24, 30, 49, 53, 62]. We design PGPP for 4G/5G data only, which renders legacy SS7 compatibility moot. Our PGPP design expects users to use outside messaging services rather than an in-NGC IMS system.

Can PGPP support roaming? Yes. While we envision that many PGPP users would explicitly not wish to roam, as roaming partners may not provide privacy guarantees, roaming is possible using a Diameter edge agent that only allows for home-routed roaming, forcing traffic to route from the visited network's SMF back to the PGPP operator's UPF rather than local breakout, due to our authentication mechanism (§5.1). Roaming, and international roaming in particular, adds billing complexities for the PGPP operator. Typically, the visited network collects call data records for each roaming user on its network and calculates the wholesale charges payable by the home network. The visited network then sends a Transferred Account Procedure (TAP) file to the home network via a data clearing house. The home network then pays the visited network. In PGPP, the individual identity of the user that roamed is not known, yet the PGPP operator remains able to pay the appropriate fees to visited networks.

How does PGPP protect user privacy for voice or text service? Out of the box, PGPP doesn't provide protection for such service. Instead, PGPP aims to provide privacy from the cellular architecture itself, and in doing so users are free to use a third-party VoIP provider (in which case the phone will operate identically to a normal phone for telephony service from a user's perspective), or to use recent systems by Lazar et al. [44, 45] that provide strong metadata privacy guarantees for communications, or similar systems such as [16, 17, 46, 68]. We view PGPP as complementary to such systems.

How does PGPP protect users against leaky apps? PGPP doesn't, as it is about providing protection in the cellular infrastructure. Even without leaky apps, users can always intentionally or inadvertently reveal their identity and location. Leaky apps make this worse, as they collect and sometimes divulge sensitive user information. We see PGPP as complementary to work that has targeted privacy in mobile app ecosystems. Further, apps are not as fundamental as connectivity: users can choose whether to install and run a leaky app and can constrain app permissions. However, phones are by their nature always connected to carrier networks, and those very networks have been selling user data to third parties.

If users can't be identified by carriers, how can carriers still make money? We introduce PGPP tokens in §5.1 as a mechanism for a PGPP operator to charge customers while protecting user anonymity.

Can't phone hardware be tracked as well? Phones have an International Mobile Equipment Identity (IMEI). The IMEI is assigned to the hardware by the manufacturer and identifies the manufacturer, model, and serial number of a given device. Some operators keep an IMEI database to check whether a device has been reported as stolen, known as an equipment identity register (EIR); IMEIs in the database are blacklisted.

For many devices, the IMEI can be changed through software, often without root access. We envision a PGPP MVNO would allow for subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against an EIR to verify the phone has not been reported as stolen. At that point the IMEI could be reprogrammed to a single value, similar to our changes to the IMSI. Note that different jurisdictions have different rules about whether, how, and by whom an IMEI can be changed, so only in some cases do IMEI changes require cooperation with the MVNO.

Is PGPP legal? Legality varies by jurisdiction. For example, US law (CALEA [1]) requires providers to offer lawful interception of voice and SMS traffic. A PGPP-based carrier is data-only, with voice and messaging provided by third parties. CALEA requires the provider to offer content of communication data at the UPF, e.g., raw (likely-encrypted) network traffic. This is supported by PGPP.

5 Design

In this section we describe the mechanisms PGPP employs to increase user identity and location privacy. Ultimately, PGPP's design choices appear obvious in retrospect. We believe its simplicity is an asset, as PGPP is compatible with existing networks and immediately deployable.

In order to provide identity privacy against bulk attacks, we nullify the value of the IMSI, as it is the most common target identifier for attackers. In our design, we choose to set all PGPP user IMSIs to an identical value to break the link between IMSI and individual users. This change requires a fundamental shift in the architecture, as IMSIs are currently used for connectivity as well as authentication, billing, and voice/SMS routing. We design a new cellular entity for billing and authentication that preserves identity privacy. Fortunately, the industry push for software-based NGCs makes our architecture feasible. We describe the architecture in §5.1.

To provide location privacy from targeted attacks, PGPP leverages an existing mechanism (TALs) in the cellular specification in order to grow the broadcast domain for control traffic (§5.2). By changing the broadcast domain for every user, the potential location of a victim is broadened from the attacker's vantage point.

5.1 User identity privacy

As discussed in §2.2, IMSIs are globally unique, permanent identifiers. As such, they are routinely targeted by attackers, both legal and illegal. In this section we re-architect the network in order to thwart the bulk attacks introduced in §4.1 that are based on identifying individuals via IMSI.

We decouple back-end connectivity from the authentication procedure that normally occurs at the AUSF when a UE attaches to the network. Instead, the PGPP operator issues SIM cards with identical IMSIs to all of its subscribers. In this model, the IMSI is used only to prove that a user has a valid SIM card to use the infrastructure; in turn, the PGPP network can provide an IP address and connectivity and offer the client a GUTI, providing the user with a unique identity necessary for basic connectivity.

Table 3: Three properties needed for user authentication in a privacy-preserving cell network, and schemes to achieve them.

Scheme              Customer   Anonymous   Unique
Standard auth          •
Group/ring sig         •           •
Linkable ring sig      •                      •
Cryptocurrency                     •          •
PGPP tokens            •           •          •

5G authentication is normally accomplished using IMSIs at the AUSF; however, all PGPP users share a single IMSI. Thus, to authenticate a user, we designed a post-attach oblivious authentication scheme to ensure that the PGPP operator is able to account for the user without knowing who they are.

PGPP Gateway. In order to perform this authentication, we create a new logical entity called a PGPP Gateway (PGPP-GW), shown in Figure 1, which sits between the UPF and the public Internet. The UPF is configured to have a fixed tunnel to a PGPP-GW, which can be located outside of the PGPP operator's network. Using this mechanism, the PGPP-GW only sees an IP address, which is typically NATed, and whether that IP address is a valid user. Notably, it does not have any information about the user's IMSI. The PGPP-GW design also allows for many different architectures. For instance, multiple PGPP-GWs could be placed in multiple datacenters, or even use a privacy service such as Tor.²

Authentication properties. From the perspective of the PGPP-GW, there are multiple properties an authentication scheme must guarantee: (1) the gateway can authenticate that a user is indeed a valid customer;³ (2) the gateway and/or any other entities cannot determine the user's identity, and thus cannot link the user's credentials/authentication data with a user identity; and (3) the gateway can determine whether a user is unique or if two users are sharing credentials.

As we show in Table 3, the challenge is that standard approaches for authentication only provide one of the three required properties, and widely-studied cryptographic mechanisms only provide two of the three properties. For example, an ordinary authentication protocol (of which there are many [7, 36]) can provide property 1) but not 2) and 3). A cryptographic mechanism such as group signatures [8, 12] or ring signatures [20, 59] can protect the user's identity upon authentication, providing properties 1) and 2) but not 3), as providing the last property would violate the security of the signature scheme. Similarly, traitor tracing schemes [14] (such as for broadcast encryption [25]) can provide all three properties but in practice cannot provide property 3), as the traitor tracing would require actual physical confiscation of the "traitor" phone by the MVNO, which is infeasible. A variation on ring signatures known as linkable ring signatures [48] provides the ability for a user's identity to be revealed if the user signs multiple messages with the same key. While this is useful in establishing that the user is unique and hasn't shared their credentials, it also partially violates the user's anonymity, as that key cannot be used again.

² We leave exploration into such scenarios to future work.
³ Due to "Know Your Customer" rules in some jurisdictions, the provider may need to have a customer list, necessitating that the user authentication scheme be compatible with periodic explicit customer billing.

Effective authentication. There are two approaches that we view as viable, depending on the circumstances. An anonymity-preserving cryptocurrency can provide properties 2) and 3) but not 1), as a cryptocurrency would combine billing and authentication at the PGPP-GW. For MVNOs that are not required to know their customers, an anonymity-preserving cryptocurrency may be the ideal solution for both user authentication and payment, though even the best coins provide imperfect anonymity guarantees [38].

To provide all three properties, we develop a simple scheme called PGPP tokens that helps us sidestep the issues with alternative approaches. The choice of authentication scheme is deployment-context specific. With PGPP tokens, when paying a monthly bill a user retrieves authentication tokens that are blind-signed using Chaum's classic scheme [6, 11] by the billing system. Later, when authenticating to the service, the user presents tokens and the service (the PGPP-GW) verifies their signature before allowing the user to use the network. The token scheme ensures that the service can check the validity of tokens without identifying the user requesting access. The user then presents the next token in advance so as to ensure seamless service. Note that PGPP tokens disallow the post-pay model for cellular billing, as the network would be required to know the identity of users in order to accurately charge them for usage. Therefore, PGPP is pre-pay only, though this can be adjusted to emulate post-payment (e.g., users pre-pay for tokens on an ongoing basis rather than only monthly, and tokens are valid for a longer time period, such as a year, rather than for only one billing period).

Each token represents a unit of access, as is appropriate for the service provider. Some providers may choose to offer flat-rate unlimited-data service, in which case each token represents a fixed period of time; this is the default approach that we use to describe the scheme below. Other providers may choose to offer metered service, in which case each token represents a fixed unit of data, such as 100 MB or 1 GB, rather than a period of time. Still others may choose to provide two-tiered service priority by marking each token with a priority bit, in addition to either unlimited data or metered data service; such prioritization does come with slight privacy loss, as the MVNO and MNO alike would be able to differentiate which priority level was in use. The privacy loss of two-tiered data priority can be partially mitigated by offering all users some amount of time or GB of high-priority service, after which they must fall back to low-priority service; such a service plan structure is fairly standard in the industry today. In such a setting, each user would have both high-priority and low-priority tokens and thus would not be clearly stratified into two identifiable groups of users.

At the beginning of a billing period, the billing system defines s time slices (e.g., corresponding to hours) or another unit of access (e.g., a unit of data), and generates s RSA keypairs for performing blind signatures using Chaum's scheme. It then appends the public keys for this time period to a well-known public repository that is externally maintained (e.g., on GitHub), and these are fetched by users. The user generates s tokens, where each token takes the form i‖r, where i is the time slice index as a 256-bit unsigned value, zero indexed from the beginning of the billing period, and r is a 256-bit random value chosen by the user. The user then blinds these tokens. The user pays the bill using a conventional means of payment (e.g., credit card) and presents the blinded tokens to the billing system to be signed; the system signs each token with the corresponding time slice key and returns these values to the user. The user unblinds the response values and verifies the signatures for each.

Upon later authentication to the service, the user presents its signed token for the current time slice to the PGPP-GW, which verifies the signature and, if valid, begins forwarding the user's traffic onto the Internet. Since the token signature was generated using Chaum's scheme, the service cannot determine which human user corresponds to which signed token. If the same token is used by two different users during the same time period, then the service can conclude that a user has shared their credentials and is attempting to cheat.
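As an added illustration of the token flow just described, the following Python example (written for this page, not code from the PGPP paper or its prototype) runs the three roles end to end: the billing system generates one RSA keypair per time slice and signs blinded tokens after the user has paid, the user builds tokens of the form i‖r, blinds, unblinds and verifies them, and the PGPP-GW checks the signature for the current slice and flags a token presented twice. It assumes a toy 512-bit RSA key generator in place of the paper's 2048-bit keys, hash-then-sign of the token with SHA-256 and no padding (a deployment would use a full-domain hash or a padded construction), and that any second presentation of a token within a slice counts as credential sharing; all three are simplifications of this example, not the paper's implementation.

```python
"""PGPP-style access tokens with Chaum RSA blind signatures (constructed example)."""
import hashlib
import secrets
from math import gcd

def _is_probable_prime(n, rounds=32):
    # Miller-Rabin; adequate for an illustration, not a vetted key generator.
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=512):
    """Toy RSA keypair ((n, e), (n, d)); the paper's deployment uses 2048-bit keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def make_token(slice_index):
    """Token i || r: 256-bit zero-indexed slice index, 256-bit user-chosen random r."""
    return slice_index.to_bytes(32, "big") + secrets.token_bytes(32)

def token_digest(token, n):
    # Hash-then-sign with SHA-256 and no padding (assumption; a deployment
    # would use a full-domain hash or padded construction).
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n

def blind(token, pub):
    """User side of Chaum's scheme: return (m' = H(token) * b^e mod n, b), keeping b secret."""
    n, e = pub
    while True:
        b = secrets.randbelow(n - 2) + 2
        if gcd(b, n) == 1:
            return token_digest(token, n) * pow(b, e, n) % n, b

def unblind(blinded_sig, b, pub):
    n, _ = pub
    return blinded_sig * pow(b, -1, n) % n      # s = s' * b^-1 mod n

def verify(token, sig, pub):
    n, e = pub
    return pow(sig, e, n) == token_digest(token, n)

def billing_sign(priv, blinded):
    """Billing system: knows who paid, but only ever sees the blinded value."""
    n, d = priv
    return pow(blinded, d, n)

def gateway_authenticate(used, pubkeys, current_slice, token, sig):
    """PGPP-GW check; `used` stands in for the paper's replicated store of spent tokens."""
    if int.from_bytes(token[:32], "big") != current_slice:
        return "wrong-slice"
    if not verify(token, sig, pubkeys[current_slice]):
        return "bad-signature"
    if token in used:                 # same token presented twice in one slice
        return "shared-credential"
    used.add(token)
    return "ok"

def run_demo(num_slices=3):
    """One billing period with `num_slices` time slices, end to end."""
    keys = [rsa_keygen() for _ in range(num_slices)]   # one keypair per slice
    pubkeys = [pub for pub, _ in keys]                 # published for users to fetch
    tokens = [make_token(i) for i in range(num_slices)]
    blinded, blinders = zip(*(blind(t, pk) for t, pk in zip(tokens, pubkeys)))
    blinded_sigs = [billing_sign(priv, m) for (_, priv), m in zip(keys, blinded)]
    sigs = [unblind(s, b, pk) for s, b, pk in zip(blinded_sigs, blinders, pubkeys)]
    used = set()
    auth = lambda i, j: gateway_authenticate(used, pubkeys, i, tokens[j], sigs[j])
    return {
        "user_verified": all(verify(t, s, pk) for t, s, pk in zip(tokens, sigs, pubkeys)),
        "first_use": auth(1, 1),
        "second_use": auth(1, 1),                       # replay within the same slice
        "wrong_slice": auth(1, 2),                      # slice-2 token offered at slice 1
        "forged": gateway_authenticate(used, pubkeys, 2, tokens[2], sigs[2] ^ 1),
        "billing_saw_only_blinded": all(               # signer never saw H(token)
            m != token_digest(t, pk[0]) for m, t, pk in zip(blinded, tokens, pubkeys)),
    }
```

The `billing_saw_only_blinded` result is property (2): the signer only ever sees H(token) masked by b^e mod n, so it cannot later match a presented token to the account that paid. The `shared-credential` result is property (3), the duplicate-token check the paper runs against its replicated used-token store; `wrong-slice` is why each slice gets its own key, since a token signed for one slice cannot be spent in another.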

The costs of this scheme to both the PGPP operator and the user are low. The operator stores the list of used tokens in a standard, consistent, and replicated cloud database, so the service can operate multiple PGPP-GWs, though it is likely that a small number of PGPP-GWs can serve a large number of users: we benchmarked the 2048-bit RSA signature verification used here at 31 µs per call using Crypto++ [21] on a single core of a 2.6 GHz Intel Xeon E5-2640 CPU, and thus with a single CPU core the PGPP-GW can handle token verification for tens of millions of users. The tokens themselves are small, and the storage cost to the provider is about 1.5 MB / user per time period, which is a small amount for any user's phone to store, and for a provider even hundreds of millions of tokens amounts to mere GBs of data in cloud storage.

User device agent. To automate the process of authenticating with the PGPP-GW, we create a simple agent that runs as a background job on the user device. This agent leverages the Android JobScheduler API: in the event of cellular connectivity, the JobScheduler triggers PGPP-token-based authentication with the PGPP-GW. The agent establishes a TLS connection to the PGPP-GW and then sends the token for the current time slice. Once the user presents a valid token, the PGPP-GW begins forwarding traffic for that user, and thus this behavior is akin to a captive portal, though the authentication is automatic and unseen by the user.

5.2 Location privacy

As described in §2.2, cellular operators track user location in the form of tracking areas for UEs in order to quickly find users when there is incoming content. PGPP leverages an existing mechanism in the cellular standard to reduce the effectiveness of local-targeted attacks described in §4.1.

Paging has been exploited in the past to discover user location by adversaries. However, the use of tracking areas is useful for the cellular provider in that it confines the signaling message load (i.e., paging messages) to a relatively small subset of the infrastructure. Tracking areas reduce mobility signaling from UEs as they move through the coverage zone of a single tracking area. Note that emergency calling represents a special case in cellular networks. When a device dials 911, the phone and network attempt to estimate accurate location information. In this work we do not alter this functionality, as we anticipate that users dialing 911 are willing to reveal their location.

In PGPP we exploit the tracking area list (TAL) concept introduced in 3GPP Release 8 [2]. Using TALs, a UE no longer belongs to a single tracking area, but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users [56–58], in PGPP we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) that victim is within. We explore tradeoffs in terms of TAL length, control traffic overhead, and location anonymity in the next section.

6 Analysis

To study the implications of a PGPP deployment, we create a simulation to model users, mobility, and cell infrastructure. We study the impact of PGPP's design on various cellular attacks that occur today. We then analyze the inherent tradeoffs from the PGPP operator's perspective, as improved privacy comes at the price of increased control traffic. Lastly, we examine PGPP in a lab testbed on real devices.

[Figure 3: Partial simulation map. Cells are shaded by AT&T tracking area.]

[Figure 4: gNodeBs visited by simulated mobile users. Series: Cars, Pedestrians; x-axis: gNodeBs Visited (0–30).]

6.1 Simulation configuration

gNodeB dataset. We select Los Angeles County, California as the region for our simulation, which provides a mix of both highly urban areas as well as rural areas. For gNodeB location information we use OpenCellID [43], an open database that includes tower locations and carrier information. To simplify the simulation, we select base stations from the database that are listed as providing LTE from AT&T, the provider with the most LTE eNodeBs (22,437) in the region. We use LTE eNodeBs as the number of gNodeBs deployed remains small.

Given their geographic coordinates, we estimate coverage areas for every gNodeB using a Voronoi diagram. During the simulation, a UE is assigned to the gNodeB that corresponds to the region the UE is located within. While such discretization is not likely in reality, as UEs remain associated with a gNodeB based on received signal strength, this technique provides us with a tractable mobility simulation. A partial map of the simulation region is shown in Figure 3. eNodeB regions are shaded based on the tracking area value in the OpenCellID database.

Mobility traces. To simulate realistic mobility patterns (i.e., users must follow available paths), we generate mobility traces using the Google Places [29] and Directions [28] APIs. First, we use the Places API to find locations in the simulation region that are available when searching for "post office". Each place is associated with latitudinal and longitudinal coordinates. We then generate mobility traces by randomly selecting start and end points, and use the Directions API to obtain a polyline with coordinates along with estimated times to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals, in a method similar to [10]. We use this output along with the gNodeB Voronoi diagram to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore, we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so, we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication from connectivity, and increasing the broadcast domain for users, we increase user identity privacy even with an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user when under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$H_M = \log_2(N)$    (1)

[Figure 5: Degree of anonymity using TALs and custom TAs. x-axis: S (0–20,000); y-axis: Degree of Anonymity (0.0–1.0); N = 22,437. (a) TALs: Conventional, TAL Length 4, 8, 12, 16. (b) Custom TAs: Conventional, TAs 25, 50, 100, 200, 500, 1000.]

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)}$    (2)

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the anonymity set for traditional cellular is $\log_2(1)/\log_2(22437) = 0$, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect for each paging message the number of gNodeBs that had users within their range and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8, the degree of anonymity is 0.748.

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs and, by extension, the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs.

In traditional cell networks, each user has a globally unique IMSI (S = 1), resulting in a degree of anonymity of zero, as the victim could only be one user. In our measurement study (§3) we showed that IMSIs are routinely broadcast over cell networks, making an IMSI catcher or SDR attack powerful. The subset S in PGPP, on the other hand, is the size of the population of PGPP users in a given location, as all IMSI values are identical and a local bulk attacker cannot know the true identity of a single user. To get an idea of S, we can calculate the number of PGPP users connected to each gNodeB in the simulation. Over the course of the simulation we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity $\log_2(223.09)/\log_2(50000) = 0.50$. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over conventional cellular architecture, and is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.

[Figure 6: Area anonymity using TALs and custom TAs. CDF; x-axis: Page Area Anonymity (km^2), 0–20,000. (a) TALs: Conventional (TAL disabled), TAL Length 4, 8, 12, 16. (b) Custom TAs: Conventional (TAL disabled), TAs 25, 50, 100, 200, 500, 1000.]

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5,876.96 and 9,585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4,891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.

[Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF over gNodeBs; x-axis: Control Traffic (pages), log scale 10^0–10^6; curves: Conventional, TAL Length 4, 8, 12, 16, plus the Max pages/s limit. (b) Capacity with TALs: x-axis: TAL Length (1–16); y-axis: User Capacity (millions), 0–25; series: Median, 95th percentile, Max.]

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus, we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted in the vertical red line in the figure (525 pages/s × 3600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile, and the median to estimate the number of users each could theoretically support by taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

[Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF over gNodeBs; x-axis: Control Traffic (pages), log scale 10^0–10^6; curves: Conventional, TAs 25, 50, 100, 200, 500, 1000, plus the Max pages/s limit. (b) Custom TAs, capacity: x-axis: # of TAs in Underlying Map (0–1000); y-axis: User Capacity (millions), 0–25; series: Median, 95th percentile, Max.]
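To tie together the per-UE TAL generation of §5.2, the degree-of-anonymity calculation of §6.2 and the paging-load and capacity estimate above, here is an added Python simulation on a small constructed map; it is written for this page and is not the paper's ns-3 simulator or its LA County dataset. It assumes a 6×6 grid of tracking areas with four gNodeBs each, 200 UEs placed uniformly at random, the paper's traffic model of paging 5% of UEs every 5 s for one hour (without the paper's 3-minute call suppression), and the paper's 525 pages/s gNodeB budget; the map size, UE count and random seeds are constructed values.

```python
"""Constructed simulation of PGPP tracking area lists (TALs): per-UE TAL
generation, the anonymity set seen by a global-bulk attacker, and the paging
load / user-capacity cost. Map, UE count and traffic model are small stand-ins
for the paper's LA County dataset, not its simulator."""
import math
import random
from collections import Counter
from statistics import median

GRID = 6                          # 6x6 grid of tracking areas (36 TAs)
GNB_PER_TA = 4                    # gNodeBs per tracking area (144 gNodeBs)
MAX_TAL = 16                      # 3GPP limit on TAL entries
PAGES_PER_HOUR_CAP = 525 * 3600   # 70% of 750 pages/s, the paper's budget


def build_map(grid=GRID, per_ta=GNB_PER_TA):
    """Return (adjacency: TA -> set of neighbouring TAs, gnbs: TA -> gNodeB ids)."""
    adjacency, gnbs = {}, {}
    for r in range(grid):
        for c in range(grid):
            ta = r * grid + c
            adjacency[ta] = {(r + dr) * grid + (c + dc)
                             for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1))
                             if 0 <= r + dr < grid and 0 <= c + dc < grid}
            gnbs[ta] = [ta * per_ta + k for k in range(per_ta)]
    return adjacency, gnbs


def generate_tal(home_ta, adjacency, length, rng):
    """The paper's on-the-fly TAL: start at the UE's current TA and repeatedly
    add a random TA adjacent to the ones already chosen, up to `length`."""
    tal, chosen = [home_ta], {home_ta}
    while len(tal) < min(length, MAX_TAL):
        frontier = sorted({n for ta in tal for n in adjacency[ta]} - chosen)
        if not frontier:
            break
        nxt = rng.choice(frontier)
        tal.append(nxt)
        chosen.add(nxt)
    return tal


def sample_tal(home_ta=0, length=8, seed=1):
    adjacency, _ = build_map()
    return generate_tal(home_ta, adjacency, length, random.Random(seed))


def tal_is_connected(tal, adjacency):
    """Every TA after the first must border a TA chosen before it."""
    return all(any(t in adjacency[p] for p in tal[:k])
               for k, t in enumerate(tal) if k > 0)


def degree_of_anonymity(s, n):
    """Eq. (2): d = log2(S) / log2(N)."""
    return math.log2(s) / math.log2(n)


def simulate(tal_length, unique_imsi=False, n_ues=200, intervals=720,
             page_fraction=0.05, seed=7):
    """One simulated hour: every 5 s, page 5% of UEs on every gNodeB in their
    TAL (the paper's call suppression is omitted). Returns the median degree of
    anonymity under a global-bulk attacker, the busiest gNodeB's paging load,
    and the paper-style user-capacity estimate from that busiest gNodeB."""
    rng = random.Random(seed)
    adjacency, gnbs = build_map()
    all_gnbs = [g for lst in gnbs.values() for g in lst]
    ue_gnb = [rng.choice(all_gnbs) for _ in range(n_ues)]        # attach point
    ue_tal = [generate_tal(g // GNB_PER_TA, adjacency, tal_length, rng)
              for g in ue_gnb]                                    # unique per UE
    occupied = set(ue_gnb)
    pages, anonymity = Counter(), []
    for _ in range(intervals):
        for ue in rng.sample(range(n_ues), max(1, int(page_fraction * n_ues))):
            domain = [g for ta in ue_tal[ue] for g in gnbs[ta]]
            pages.update(domain)
            # Unique IMSIs pin the victim to one gNodeB (S = 1). With identical
            # IMSIs the victim could be at any gNodeB in the broadcast domain
            # that has at least one PGPP user attached.
            s = 1 if unique_imsi else sum(g in occupied for g in domain)
            anonymity.append(degree_of_anonymity(s, len(all_gnbs)))
    max_load = max(pages.values())
    return {"median_anonymity": median(anonymity),
            "max_pages_per_hour": max_load,
            "user_capacity": n_ues * PAGES_PER_HOUR_CAP / max_load}
```

`simulate(1, unique_imsi=True)` is the conventional network; raising `tal_length` shows the same trade-off as Figures 5a and 7: the median degree of anonymity under a global-bulk attacker rises with TAL length, while the busiest gNodeB's paging load rises and the user-capacity estimate (the UE count scaled by the paging budget over that load, as the paper does for its max-load gNodeB) falls.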

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic capacity, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a basemap consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.⁴ Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

[Figure 9: PGPP prototype test hardware.]

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI in a simple key-value store, with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.
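The SQN mismatch described above, as an added Python model (not the paper's srsLTE or openairinterface5G code): several SIMs provisioned with the same IMSI attach back to back at one AUSF, and each one after the first hits a sync_failure, re-synchronizes via AUTS and retries. The model assumes that the SIM accepts only the exact next SQN it expects (a standards-compliant USIM accepts a window of values, so this constructed rule only reproduces the mismatch the paper reports), a constructed 200 ms cost per AKA exchange and per resync round trip, and an `n_ausfs` parameter that shards attaching devices across AUSF instances to show the paper's mitigation.

```python
"""AKA sequence-number (SQN) bookkeeping when several SIMs share one IMSI.
Constructed model: the SIM accepts an authentication only when the network's
SQN is exactly the next value it expects. That mirrors the mismatch the paper
reports; a standards-compliant USIM accepts a window of values, so this rule
is an assumption of the model, not a statement about real USIMs."""

ATTACH_MS = 200   # cost of one successful AKA exchange (constructed; the paper's
                  # testbed saw roughly 200 ms for the first UE)
RESYNC_MS = 200   # cost of one sync_failure / AUTS round trip (constructed)


class AUSF:
    """Holds one SQN per IMSI, incremented for every authentication vector issued."""
    def __init__(self):
        self.sqn = {}

    def next_sqn(self, imsi):
        self.sqn[imsi] = self.sqn.get(imsi, 0) + 1
        return self.sqn[imsi]

    def resync(self, imsi, sqn_ms):
        # AUTS from the SIM carries the SIM's SQN; the AUSF re-anchors on it.
        self.sqn[imsi] = sqn_ms


class SIM:
    def __init__(self, imsi):
        self.imsi, self.sqn = imsi, 0

    def accept(self, sqn_he):
        """True if the network's SQN is the one this SIM expects; else sync_failure."""
        if sqn_he == self.sqn + 1:
            self.sqn = sqn_he
            return True
        return False


def attach(sim, ausf):
    """Run AKA until it succeeds; return how many sync_failures were hit."""
    failures = 0
    while not sim.accept(ausf.next_sqn(sim.imsi)):
        failures += 1
        ausf.resync(sim.imsi, sim.sqn)
    return failures


def run_attaches(n_devices, shared_imsi, n_ausfs=1):
    """Attach n devices back to back, round-robin over `n_ausfs` AUSF instances
    (the paper's mitigation). Returns (total sync_failures, per-device
    time-to-connect in ms, each measured on its own AUSF's clock)."""
    ausfs = [AUSF() for _ in range(n_ausfs)]
    clocks = [0] * n_ausfs
    completion, total = [], 0
    for k in range(n_devices):
        sim = SIM("SHARED-IMSI" if shared_imsi else f"IMSI-{k}")
        a = k % n_ausfs
        f = attach(sim, ausfs[a])
        total += f
        clocks[a] += ATTACH_MS + f * RESYNC_MS
        completion.append(clocks[a])
    return total, completion
```

With a shared IMSI every device after the first costs one extra round trip, so time-to-connect grows linearly along the queue at a single AUSF, which is the tail the paper's Figure 10 shows; with unique IMSIs no resyncs occur, and spreading the same devices over two AUSF instances halves the worst-case completion time in this model.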

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe in Figure 10 that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFes, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFes, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

⁴ We build our prototype on a 4G LTE platform as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.

[Figure 10: Connection delays due to sync_failure. PDF; x-axis: Time to Connection Complete (s), 0.0–1.0; y-axis: PDF, 0–4.]

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems as, apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attack or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catcher and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers and do so while considering active attacks, without requiring fundamental changes on the UE; we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the location in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. Communications Assistance for Law Enforcement Act (CALEA), 47 USC 1001-1010, Public Law 103-414, 1994.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), January 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, World Telecommunication/ICT Development Report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, June 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257-265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84-90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2. https://www.cryptopp.com, 2019.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54-68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using Signalling System 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480-491. Springer, 1993.

[26] Open Networking Foundation. M-CORD: Open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord/, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Black Hat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, February 2018.

[32] Huawei. BTS3202E eNodeB. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en, 2019.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, February 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy attacks to the 4G and 5G cellular paging protocols using side channel information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, February 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178-195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058/?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, October 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS, February 2012.

[43] Unwired Labs. OpenCellID: Open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571-586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325-335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235-246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33-38, 2014.

[52] Kristin Paget. Practical cellphone spying. DEF CON 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 redirection attacks with audio-based distance bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, August 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, December 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, October 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: Signaling interworking vulnerabilities. IEEE Network, 20(6):32-41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the Internet. IEEE Transactions on Mobile Computing, 18(6):1407-1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, October 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/, May 2018.

9 Glossary

AKA: Authentication and Key Agreement. The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other, and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network.

AMF: Access and Mobility Management Function. The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs.

AUSF: Authentication Server Function. The entity that holds subscription information to allow or deny access to the network.

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks.

EIR: Equipment Identity Register. A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen).

gNodeB: Next Generation NodeB. The base station in 5G.

GUTI: Globally Unique Temporary Identity. A temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network.

IMEI: International Mobile Equipment Identity. A globally unique, permanent device identifier allocated to each individual mobile device. It is set by the manufacturer.

IMS: IP Multimedia Subsystem. The entity that provides voice and messaging services for the network.

IMSI: International Mobile Subscriber Identity. A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network.

MNO: Mobile Network Operator. A cellular service provider.

MVNO: Mobile Virtual Network Operator. A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks.

NG-RAN: Next Generation Radio Access Network. The network that serves to connect UEs and gNodeBs.

NGC: Next Generation Core. The core network in 5G. The main logical nodes of the NGC are the User Plane Function (UPF), the Access and Mobility Management Function (AMF), the Session Management Function (SMF), and the Authentication Server Function (AUSF).

PGPP-GW: PGPP Gateway. A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity.

RNTI: Radio Network Temporary Identifier. A unique identifier for a UE in a given cell, used to connect over layer 2.

SIM: Subscriber Identity Module. An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network.

SMF: Session Management Function. The session management function supports session management and IP address allocation.

SQN: Sequence Number. A value stored at the AUSF and the SIM to maintain synchrony between the entities.

SS7: Signaling System 7. The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards.

TA: Tracking Area. A tracking area includes one or many gNodeBs. Typically the UE can move freely between gNodeBs in a tracking area without notifying the AMF with a tracking area update.

TAL: Tracking Area List. A list of tracking areas stored on the device that the device can enter without triggering a tracking area update.

TAP: Transferred Account Procedure. A file detailing usage and wholesale charges due to roaming.

UE: User Equipment. The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN (the NG-RAN in 5G) via the radio interface. Commonly understood to be a mobile phone.

UPF: User Plane Function. The gateway that provides global IP connectivity from the NGC.


would allow for subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against an EIR to verify the phone has not been reported as stolen. At that point, the IMEI could be reprogrammed to a single value, similar to our changes to the IMSI. Note that different jurisdictions have different rules about whether, how, and by whom an IMEI can be changed, so only in some cases do IMEI changes require cooperation with the MVNO.

Is PGPP legal? Legality varies by jurisdiction. For example, US law (CALEA [1]) requires providers to offer lawful interception of voice and SMS traffic. A PGPP-based carrier is data-only, with voice and messaging provided by third parties. CALEA requires the provider to offer the content of communication data at the UPF, e.g., raw (likely encrypted) network traffic. This is supported by PGPP.

5 Design

In this section we describe the mechanisms PGPP employs to increase user identity and location privacy. Ultimately, PGPP's design choices appear obvious in retrospect. We believe its simplicity is an asset, as PGPP is compatible with existing networks and immediately deployable.

In order to provide identity privacy against bulk attacks, we nullify the value of the IMSI, as it is the most common target identifier for attackers. In our design, we choose to set all PGPP user IMSIs to an identical value to break the link between IMSI and individual users. This change requires a fundamental shift in the architecture, as IMSIs are currently used for connectivity as well as authentication, billing, and voice/SMS routing. We design a new cellular entity for billing and authentication that preserves identity privacy. Fortunately, the industry push for software-based NGCs makes our architecture feasible. We describe the architecture in §5.1.

To provide location privacy from targeted attacks, PGPP leverages an existing mechanism (TALs) in the cellular specification in order to grow the broadcast domain for control traffic (§5.2). By changing the broadcast domain for every user, the potential location of a victim is broadened from the attacker's vantage point.

5.1 User identity privacy

As discussed in §2.2, IMSIs are globally unique, permanent identifiers. As such, they are routinely targeted by attackers, both legal and illegal. In this section we re-architect the network in order to thwart the bulk attacks introduced in §4.1 that are based on identifying individuals via IMSI.

We decouple back-end connectivity from the authentication procedure that normally occurs at the AUSF when a UE attaches to the network. Instead, the PGPP operator issues SIM cards with identical IMSIs to all of its subscribers. In this model, the IMSI is used only to prove that a user has a valid SIM card to use the infrastructure, and in turn the PGPP network can provide an IP address and connectivity and offer the client a GUTI, providing the user with a unique identity necessary for basic connectivity.

Table 3: Three properties needed for user authentication in a privacy-preserving cell network, and schemes to achieve them.

Scheme               Customer   Anonymous   Unique
Standard auth           •
Group/ring sig          •          •
Linkable ring sig       •                     •
Cryptocurrency                     •          •
PGPP tokens             •          •          •

5G authentication is normally accomplished using IMSIs at the AUSF; however, all PGPP users share a single IMSI. Thus, to authenticate a user, we designed a post-attach oblivious authentication scheme to ensure that the PGPP operator is able to account for the user without knowing who they are.

PGPP Gateway. In order to perform this authentication, we create a new logical entity called a PGPP Gateway (PGPP-GW), shown in Figure 1, which sits between the UPF and the public Internet. The UPF is configured to have a fixed tunnel to a PGPP-GW, which can be located outside of the PGPP operator's network. Using this mechanism, the PGPP-GW only sees an IP address, which is typically NATed, and whether that IP address is a valid user. Notably, it does not have any information about the user's IMSI. The PGPP-GW design also allows for many different architectures. For instance, multiple PGPP-GWs could be placed in multiple datacenters, or even use a privacy service such as Tor.^2

Authentication properties. From the perspective of the PGPP-GW, there are multiple properties an authentication scheme must guarantee: (1) the gateway can authenticate that a user is indeed a valid customer;^3 (2) the gateway and/or any other entities cannot determine the user's identity, and thus cannot link the user's credentials/authentication data with a user identity; and (3) the gateway can determine whether a user is unique or if two users are sharing credentials.

As we show in Table 3, the challenge is that standard approaches for authentication only provide one of the three required properties, and widely-studied cryptographic mechanisms only provide two of the three. For example, an ordinary authentication protocol (of which there are many [7, 36]) can provide property 1) but not 2) and 3). A cryptographic mechanism such as group signatures [8, 12] or ring signatures [20, 59] can protect the user's identity upon authentication, providing properties 1) and 2) but not 3), as providing the last property would violate the security of the signature scheme. Similarly, traitor tracing schemes [14] (such as for broadcast encryption [25]) can provide all three properties, but in practice cannot provide property 3), as the traitor tracing would require actual physical confiscation of the "traitor" phone by the MVNO, which is infeasible. A variation on ring signatures known as linkable ring signatures [48] provides the ability for a user's identity to be revealed if the user signs multiple messages with the same key. While this is useful in establishing that the user is unique and hasn't shared their credentials, it also partially violates the user's anonymity, as that key cannot be used again.

^2 We leave exploration into such scenarios to future work.
^3 Due to "Know Your Customer" rules in some jurisdictions, the provider may need to have a customer list, necessitating that the user authentication scheme be compatible with periodic explicit customer billing.

Effective authentication. There are two approaches that we view as viable depending on the circumstances. An anonymity-preserving cryptocurrency can provide properties 2) and 3) but not 1), as a cryptocurrency would combine billing and authentication at the PGPP-GW. For MVNOs that are not required to know their customers, an anonymity-preserving cryptocurrency may be the ideal solution for both user authentication and payment, though even the best coins provide imperfect anonymity guarantees [38].

To provide all three properties, we develop a simple scheme called PGPP tokens that helps us sidestep the issues with alternative approaches. The choice of authentication scheme is deployment-context specific. With PGPP tokens, when paying a monthly bill, a user retrieves authentication tokens that are blind-signed by the billing system using Chaum's classic scheme [6, 11]. Later, when authenticating to the service, the user presents tokens and the service (the PGPP-GW) verifies their signature before allowing the user to use the network. The token scheme ensures that the service can check the validity of tokens without identifying the user requesting access. The user then presents the next token in advance so as to ensure seamless service. Note that PGPP tokens disallow the post-pay model for cellular billing, as the network would be required to know the identity of users in order to accurately charge them for usage. Therefore, PGPP is pre-pay only, though this can be adjusted to emulate post-payment (e.g., users pre-pay for tokens on an ongoing basis rather than only monthly, and tokens are valid for a longer time period, such as a year, rather than for only one billing period).

Each token represents a unit of access, as is appropriate for the service provider. Some providers may choose to offer flat-rate unlimited-data service, in which case each token represents a fixed period of time; this is the default approach that we use to describe the scheme below. Other providers may choose to offer metered service, in which case each token represents a fixed unit of data, such as 100 MB or 1 GB, rather than a period of time. Still others may choose to provide two-tiered service priority by marking each token with a priority bit in addition to either unlimited data or metered data service; such prioritization does come with slight privacy loss, as the MVNO and MNO alike would be able to differentiate which priority level was in use. The privacy loss of two-tiered data priority can be partially mitigated by offering all users some amount of time or GB of high-priority service, after which they must fall back to low-priority service; such a service plan structure is fairly standard in the industry today. In such a setting, each user would have both high-priority and low-priority tokens and thus would not be clearly stratified into two identifiable groups of users.

At the beginning of a billing period, the billing system defines s time slices (e.g., corresponding to hours) or another unit of access (e.g., a unit of data) and generates s RSA key pairs for performing blind signatures using Chaum's scheme. It then appends the public keys for this time period to a well-known public repository that is externally maintained (e.g., on GitHub), and these are fetched by users. The user generates s tokens, where each token takes the form i||r, where i is the time slice index as a 256-bit unsigned value, zero-indexed from the beginning of the billing period, and r is a 256-bit random value chosen by the user. The user then blinds these tokens. The user pays the bill using a conventional means of payment (e.g., credit card) and presents the blinded tokens to the billing system to be signed; the system signs each token with the corresponding time slice key and returns these values to the user. The user unblinds the response values and verifies the signatures for each.

Upon later authentication to the service, the user presents its signed token for the current time slice to the PGPP-GW, which verifies the signature and, if valid, begins forwarding the user's traffic onto the Internet. Since the token signature was generated using Chaum's scheme, the service cannot determine which human user corresponds to which signed token. If the same token is used by two different users during the same time period, then the service can conclude that a user has shared their credentials and is attempting to cheat.

The costs of this scheme to both the PGPP operator and the user are low. The operator stores the list of used tokens in a standard consistent and replicated cloud database, so the service can operate multiple PGPP-GWs, though it is likely that a small number of PGPP-GWs can serve a large number of users: we benchmarked the 2048-bit RSA signature verification used here at 31 µs per call using Crypto++ [21] on a single core of a 2.6 GHz Intel Xeon E5-2640 CPU, and thus with a single CPU core the PGPP-GW can handle token verification for tens of millions of users. The tokens themselves are small, and the storage cost to the provider is about 1.5 MB per user per time period, which is a small amount for any user's phone to store; for a provider, even hundreds of millions of tokens amount to mere GBs of data in cloud storage.
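The token flow above (per-slice RSA key pairs, blind signing at the billing system, unblinding and verification at the user, signature check plus shared-credential detection at the PGPP-GW) as an added, runnable toy. This is example code written for this edit, not code from the PGPP paper or its NGC stack: the names `BillingSystem`, `buy_tokens`, `PGPPGateway`, `authenticate`, and the string results are all hypothetical, the key size is a 512-bit toy where the paper benchmarks 2048-bit keys, and the token is hashed before blinding (a full-domain-hash style assumption the paper does not spell out, but which is needed so that RSA's multiplicative property cannot be used to mint signatures). The "same token from two different users" case is modelled as the same token arriving from two source IP addresses, since a source address is all the gateway sees.

```python
"""Added example (not from the PGPP paper): toy PGPP-token flow with
Chaum RSA blind signatures, one RSA key pair per time slice."""
import hashlib
import random
import secrets
from math import gcd


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin for odd n >= 5 (toy key generation only)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def rsa_keygen(bits=512):
    """Return (n, e, d). 512-bit toy size; the paper uses 2048-bit keys."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def make_token(slice_index):
    """Token i||r: 256-bit zero-indexed slice index, 256-bit random r."""
    return slice_index.to_bytes(32, "big") + secrets.token_bytes(32)


def token_digest(token, n):
    # Assumption of this example: hash before blinding (FDH style) so the
    # raw RSA multiplicative property cannot be used to forge signatures.
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


def blind(token, pub):
    """User side: m' = H(token) * k^e mod n; k is kept to unblind later."""
    n, e = pub
    k = secrets.randbelow(n - 2) + 2
    while gcd(k, n) != 1:
        k = secrets.randbelow(n - 2) + 2
    return (token_digest(token, n) * pow(k, e, n)) % n, k


def unblind(blinded_sig, k, n):
    """User side: s = s' * k^-1 mod n is an ordinary RSA signature."""
    return (blinded_sig * pow(k, -1, n)) % n


def verify(token, sig, pub):
    n, e = pub
    return pow(sig, e, n) == token_digest(token, n)


class BillingSystem:
    """One key pair per time slice; public_keys is what gets published."""
    def __init__(self, slices=4, bits=512):
        self._keys = [rsa_keygen(bits) for _ in range(slices)]
        self.public_keys = [(n, e) for n, e, _ in self._keys]

    def sign_blinded_tokens(self, blinded):
        # Runs after the bill is paid; the system only ever sees m'.
        return [pow(b, d, n) for b, (n, _, d) in zip(blinded, self._keys)]


def buy_tokens(billing):
    """User side of the purchase: blind, have signed, unblind, verify."""
    pubs = billing.public_keys
    tokens = [make_token(i) for i in range(len(pubs))]
    pairs = [blind(t, pk) for t, pk in zip(tokens, pubs)]
    sigs = billing.sign_blinded_tokens([b for b, _ in pairs])
    sigs = [unblind(s, k, n) for s, (_, k), (n, _) in zip(sigs, pairs, pubs)]
    if not all(verify(t, s, pk) for t, s, pk in zip(tokens, sigs, pubs)):
        raise ValueError("billing system returned a bad signature")
    return tokens, sigs


class PGPPGateway:
    """Sees only a source IP and a token; the IMSI never reaches it."""
    def __init__(self, public_keys):
        self.public_keys = public_keys
        self.seen = {}  # token -> first source IP (stands in for the cloud DB)

    def authenticate(self, token, sig, src_ip, current_slice):
        i = int.from_bytes(token[:32], "big")
        if i != current_slice:
            return "wrong-slice"  # stale or early token
        if not verify(token, sig, self.public_keys[i]):
            return "bad-signature"
        if self.seen.setdefault(token, src_ip) != src_ip:
            return "shared-credential"  # same token, second source
        return "ok"


def demo():
    billing = BillingSystem()
    gw = PGPPGateway(billing.public_keys)
    tokens, sigs = buy_tokens(billing)  # Alice pays, gets one token per slice
    t, s = tokens[2], sigs[2]
    return (gw.authenticate(t, s, "10.0.0.1", 2),  # first use
            gw.authenticate(t, s, "10.0.0.1", 2),  # re-auth, same source
            gw.authenticate(t, s, "10.0.0.9", 2),  # token handed to Bob
            gw.authenticate(t, s, "10.0.0.1", 3))  # replayed in next slice
```

`demo()` returns `("ok", "ok", "shared-credential", "wrong-slice")`. In a deployment the `seen` dictionary is the consistent, replicated database the paper describes, so every PGPP-GW replica agrees on which token was first presented from where; the public keys would be fetched from the published repository rather than read from the billing object.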

User device agent. To automate the process of authenticating with the PGPP-GW, we create a simple agent that runs as a background job on the user device. This agent leverages the Android JobScheduler API: in the event of cellular connectivity, the JobScheduler triggers PGPP-token-based authentication with the PGPP-GW. The agent establishes a TLS connection to the PGPP-GW and then sends the token for the current time slice. Once the user presents a valid token, the PGPP-GW begins forwarding traffic for that user, and thus this behavior is akin to a captive portal, though the authentication is automatic and unseen by the user.

5.2 Location privacy

As described in §2.2, cellular operators track user location in the form of tracking areas for UEs in order to quickly find users when there is incoming content. PGPP leverages an existing mechanism in the cellular standard to reduce the effectiveness of the local-targeted attacks described in §4.1.

Paging has been exploited in the past by adversaries to discover user location. However, the use of tracking areas is useful for the cellular provider in that it confines the signaling message load (i.e., paging messages) to a relatively small subset of the infrastructure. Tracking areas reduce mobility signaling from UEs as they move through the coverage zone of a single tracking area. Note that emergency calling represents a special case in cellular networks. When a device dials 911, the phone and network attempt to estimate accurate location information. In this work we do not alter this functionality, as we anticipate that users dialing 911 are willing to reveal their location.

In PGPP we exploit the tracking area list (TAL) concept introduced in 3GPP Release 8 [2]. Using TALs, a UE no longer belongs to a single tracking area, but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users [56-58], in PGPP we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) the victim is within. We explore tradeoffs in terms of TAL length, control traffic overhead, and location anonymity in the next section.
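The per-UE TAL generation just described, as an added example that is not code from the PGPP paper or its modified NGC. It runs over a constructed 3x3 grid of tracking areas with constructed gNodeB counts (not the Los Angeles County data) and makes one assumption the text leaves open: each iteration picks a random tracking area adjacent to any tracking area already in the list, so the TAL grows outward from the UE's current tracking area rather than only from its immediate neighbours. `generate_tal`, `broadcast_domain`, `is_valid_tal` and `tals_for_ues` are names chosen for this example.

```python
"""Added example (not from the PGPP paper): on-the-fly, per-UE TAL
generation at the AMF over a constructed tracking-area adjacency graph."""
import random

TAL_MAX = 16  # 3GPP limit on the number of tracking areas in a TAL

# Constructed toy topology: a 3x3 grid of tracking areas and a constructed
# number of gNodeBs in each (not OpenCellID data).
ADJACENT = {
    "TA0": ["TA1", "TA3"], "TA1": ["TA0", "TA2", "TA4"], "TA2": ["TA1", "TA5"],
    "TA3": ["TA0", "TA4", "TA6"], "TA4": ["TA1", "TA3", "TA5", "TA7"],
    "TA5": ["TA2", "TA4", "TA8"], "TA6": ["TA3", "TA7"],
    "TA7": ["TA4", "TA6", "TA8"], "TA8": ["TA5", "TA7"],
}
GNODEBS = {"TA0": 40, "TA1": 55, "TA2": 30, "TA3": 60, "TA4": 120,
           "TA5": 45, "TA6": 25, "TA7": 50, "TA8": 35}


def generate_tal(current_ta, adjacent, length, rng=random):
    """AMF side: a TAL that starts at the UE's current TA and is grown by
    repeatedly adding a random TA adjacent to the list so far (assumption
    of this example), capped at TAL_MAX entries."""
    length = min(length, TAL_MAX)
    tal = [current_ta]
    while len(tal) < length:
        frontier = sorted({nb for ta in tal for nb in adjacent[ta]} - set(tal))
        if not frontier:  # topology exhausted (only happens on tiny graphs)
            break
        tal.append(rng.choice(frontier))
    return tal


def broadcast_domain(tal, gnodebs):
    """gNodeBs that must carry a page for this UE: the union of its TAL.
    tal == [current_ta] is today's behaviour without PGPP."""
    return sum(gnodebs[ta] for ta in tal)


def is_valid_tal(tal, current_ta, adjacent):
    """Sanity check: starts at current_ta, no duplicates, within the 3GPP
    limit, and every later TA touches an earlier one (the list is contiguous)."""
    if not tal or tal[0] != current_ta or len(set(tal)) != len(tal):
        return False
    if len(tal) > TAL_MAX:
        return False
    return all(any(t in adjacent[prev] for prev in tal[:k])
               for k, t in enumerate(tal) if k > 0)


def tals_for_ues(current_ta, n_ues, length, adjacent=ADJACENT, seed=0):
    """Several UEs attaching in the same TA receive different TALs, so an
    attacker cannot know a priori which gNodeBs a given victim's page hits."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    return [generate_tal(current_ta, adjacent, length, rng) for _ in range(n_ues)]
```

Two UEs attaching at "TA4" with a requested TAL length of 5 receive, for example, `["TA4", "TA5", "TA2", "TA1", "TA0"]` and `["TA4", "TA3", "TA7", "TA8", "TA6"]`: both are valid, both page 5 tracking areas' worth of gNodeBs instead of one, and they overlap only in the UE's actual tracking area. The control-overhead cost is the difference between `broadcast_domain([ta], GNODEBS)` and `broadcast_domain(tal, GNODEBS)`, which §6.3 measures at scale.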

6 Analysis

To study the implications of a PGPP deployment, we create a simulation to model users, mobility, and cell infrastructure. We study the impact of PGPP's design on various cellular attacks that occur today. We then analyze the inherent tradeoffs from the PGPP operator's perspective, as improved privacy comes at the price of increased control traffic. Lastly, we examine PGPP in a lab testbed on real devices.

Figure 3: Partial simulation map. Cells are shaded by AT&T tracking area.

Figure 4: gNodeBs visited by simulated mobile users (x-axis: gNodeBs visited, 0 to 30; series: cars and pedestrians).

6.1 Simulation configuration

gNodeB dataset. We select Los Angeles County, California as the region for our simulation, which provides a mix of both highly urban areas as well as rural areas. For gNodeB location information we use OpenCellID [43], an open database that includes tower locations and carrier information. To simplify the simulation, we select base stations from the database that are listed as providing LTE from AT&T, the provider with the most LTE eNodeBs (22,437) in the region. We use LTE eNodeBs as the number of gNodeBs deployed remains small.

Given their geographic coordinates, we estimate coverage areas for every gNodeB using a Voronoi diagram. During the simulation, a UE is assigned to the gNodeB that corresponds to the region the UE is located within. While such discretization is not likely in reality, as UEs remain associated with a gNodeB based on received signal strength, this technique provides us with a tractable mobility simulation. A partial map of the simulation region is shown in Figure 3. eNodeB regions are shaded based on the tracking area value in the OpenCellID database.

Mobility traces. To simulate realistic mobility patterns (i.e., users must follow available paths), we generate mobility traces using the Google Places [29] and Directions [28] APIs. First, we use the Places API to find locations in the simulation region that are available when searching for "post office". Each place is associated with latitudinal and longitudinal coordinates. We then generate mobility traces by randomly selecting start and end points and use the Directions API to obtain a polyline with coordinates along with estimated times to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals, in a method similar to [10]. We use this output along with the gNodeB Voronoi diagram to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore, we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so, we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1,000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication from connectivity, and increasing the broadcast domain for users, we increase user identity privacy even with an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user when under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$H_M = \log_2(N)$ (1)

Figure 5: Degree of anonymity using TALs and custom TAs. [(a) TALs: x-axis S, 0–20,000; y-axis Degree of Anonymity, 0.0–1.0; N = 22,437; series: Conventional, TAL Length 4, 8, 12, 16. (b) Custom TAs: same axes, N = 22,437; series: Conventional, TAs 25, 50, 100, 200, 500, 1000.]

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)}$ (2)

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the anonymity set for traditional cellular is $\log_2(1)/\log_2(22437) = 0$, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect, for each paging message, the number of gNodeBs that had users within their range and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8 the degree of anonymity is 0.748.
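The per-UE TAL generation described in §5.2 and the anonymity-set measurement behind Eq. (2), worked through on a constructed 12-tracking-area grid. This is added example code, not the paper's simulator; the grid topology, the random gNodeB placement, and all function names are assumptions.

```python
import math
import random
from collections import defaultdict

# Constructed toy topology (not the paper's Los Angeles County dataset): 12
# tracking areas laid out on a 4x3 grid, each containing a few gNodeBs.
TA_GRID_W, TA_GRID_H = 4, 3
GNODEBS_PER_TA = 3
TAL_MAX = 16  # 3GPP limit on the number of tracking areas in a TAL


def build_topology():
    """Return (adjacency, ta_gnodebs): TA -> adjacent TAs, TA -> gNodeB ids."""
    adjacency, ta_gnodebs = {}, {}
    for ta in range(TA_GRID_W * TA_GRID_H):
        x, y = ta % TA_GRID_W, ta // TA_GRID_W
        neigh = set()
        for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1)):
            nx, ny = x + dx, y + dy
            if 0 <= nx < TA_GRID_W and 0 <= ny < TA_GRID_H:
                neigh.add(ny * TA_GRID_W + nx)
        adjacency[ta] = neigh
        ta_gnodebs[ta] = [f"gnb{ta}-{i}" for i in range(GNODEBS_PER_TA)]
    return adjacency, ta_gnodebs


def generate_tal(current_ta, adjacency, length, rng):
    """Per-UE TAL as the text describes: start from the TA the UE attached
    to and repeatedly add one tracking area chosen at random among those
    adjacent to the TAL built so far, stopping at `length` (capped at 16).
    The choice is random per UE, so two UEs at one gNodeB get different TALs."""
    length = max(1, min(length, TAL_MAX))
    tal = [current_ta]
    while len(tal) < length:
        frontier = {n for ta in tal for n in adjacency[ta]} - set(tal)
        if not frontier:          # whole connected region already covered
            break
        tal.append(rng.choice(sorted(frontier)))
    return tal


def example_tal(current_ta, length, seed=0):
    """One TAL on the toy topology with a fixed seed (for reproducibility)."""
    adjacency, _ = build_topology()
    return generate_tal(current_ta, adjacency, length, random.Random(seed))


def paging_domain(tal, ta_gnodebs, occupied):
    """gNodeBs a page for this UE reaches (every gNodeB in its TAL) that have
    at least one PGPP client attached. From a carrier's global view all
    clients share one IMSI, so these gNodeBs form the set S of Eq. (2)."""
    return [g for ta in tal for g in ta_gnodebs[ta] if occupied.get(g, 0) > 0]


def degree_of_anonymity(S, N):
    """Eq. (2): d = log2(S) / log2(N); zero when the set is one identity."""
    if N <= 1 or S < 1:
        return 0.0
    return math.log2(S) / math.log2(N)


def median_anonymity_set(tal_length, n_ues=500, seed=1):
    """Attach n_ues UEs to random gNodeBs (constructed placement), page each
    one using its own TAL, and return the median |S| over all pages, the
    statistic the text feeds into Eq. (2)."""
    rng = random.Random(seed)
    adjacency, ta_gnodebs = build_topology()
    gnb_ta = {g: ta for ta, gs in ta_gnodebs.items() for g in gs}
    all_gnbs = sorted(gnb_ta)
    attached = [rng.choice(all_gnbs) for _ in range(n_ues)]
    occupied = defaultdict(int)
    for g in attached:
        occupied[g] += 1
    sizes = sorted(
        len(paging_domain(generate_tal(gnb_ta[g], adjacency, tal_length, rng),
                          ta_gnodebs, occupied))
        for g in attached)
    return sizes[len(sizes) // 2]


if __name__ == "__main__":
    n_gnodebs = TA_GRID_W * TA_GRID_H * GNODEBS_PER_TA
    for L in (1, 4, 8, 16):   # L = 1 is a single TA, i.e. TAL disabled
        s = median_anonymity_set(L)
        print(f"TAL length {L:2d}: median |S| = {s:2d}, "
              f"d = {degree_of_anonymity(s, n_gnodebs):.3f}")
    # The two values quoted in the text, from Eq. (2) alone:
    print(degree_of_anonymity(1, 22437))                 # conventional, 0.0
    print(round(degree_of_anonymity(223.09, 50000), 2))  # local-bulk, 0.5
```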

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs and, by extension, the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs.

In traditional cell networks, each user has a globally unique IMSI (S = 1), resulting in a degree of anonymity of zero, as the victim could only be one user. In our measurement study (§3), we showed that IMSIs are routinely broadcast over cell networks, making an IMSI catcher or SDR attack powerful. The subset S in PGPP, on the other hand, is the size of the population of PGPP users in a given location, as all IMSI values are identical and a local bulk attacker cannot know the true identity of a single user. To get an idea of S, we can calculate the number of PGPP users connected to each gNodeB in the simulation. Over the course of the simulation, we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity $\log_2(223.09)/\log_2(50000) = 0.50$. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over conventional cellular architecture and is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.

Figure 6: Area anonymity using TALs and custom TAs. [(a) TALs: x-axis Page Area Anonymity (km²), 0–20,000; y-axis CDF, 0.0–1.0; series: Conventional (TAL disabled), TAL Length 4, 8, 12, 16. (b) Custom TAs: same axes; series: Conventional (TAL disabled), TAs 25, 50, 100, 200, 500, 1000.]

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5,876.96 and 9,585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4,891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.

Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. [(a) Control traffic with TALs: x-axis Control Traffic (pages), log scale 10^0–10^6; y-axis CDF, 0.0–1.0; series: Conventional, TAL Length 4, 8, 12, 16, Max pages/s. (b) Capacity with TALs: x-axis TAL Length, 1–16; y-axis User Capacity (millions), 0–25; series: Median, 95th percentile, Max.]

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section, we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus, we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted as the vertical red line in the figure (525 pages × 3,600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile, and the median to estimate the number of users each could theoretically support, by taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. [(a) Custom TAs, control traffic: x-axis Control Traffic (pages), log scale 10^0–10^6; y-axis CDF, 0.0–1.0; series: Conventional, TAs 25, 50, 100, 200, 500, 1000, Max pages/s. (b) Custom TAs, capacity: x-axis number of TAs in underlying map, 0–1,000; y-axis User Capacity (millions), 0–25; series: Median, 95th percentile, Max.]

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic capacity, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a base map consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.⁴ Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI, in a simple key-value store with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.
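A simplified model of the SQN check, added here to show why a single AUSF record per IMSI cannot stay in step with several SIMs: every SIM whose counter is ahead of the shared record fails once and resynchronizes, which is the extra round trip the text describes. This is example code, not the paper's prototype; the class names, the constructed SIM counter values, and the resync rule (AUSF adopts the SIM's counter) are assumptions, and the freshness window and array index of real AKA are left out.

```python
# Simplified model of the AKA sequence-number check. The AUSF keeps one
# SQN_HE record per IMSI; each SIM keeps its own SQN_MS and accepts a
# challenge only if its SQN is strictly newer than the last one it saw.


class Ausf:
    def __init__(self):
        self.sqn_he = {}          # IMSI -> last sequence number issued

    def provision(self, imsi, sqn):
        """Operator provisioning: start the record at the SIM's counter."""
        self.sqn_he[imsi] = sqn

    def challenge(self, imsi):
        """Issue the next SQN for this IMSI (the SQN carried in AUTN)."""
        self.sqn_he[imsi] = self.sqn_he.get(imsi, 0) + 1
        return self.sqn_he[imsi]

    def resync(self, imsi, sqn_ms):
        """Handle the AUTS token of a sync_failure: adopt the SIM's counter
        so that the retried challenge is fresh for that SIM (assumed rule)."""
        self.sqn_he[imsi] = sqn_ms


class Sim:
    def __init__(self, imsi, sqn_ms):
        self.imsi, self.sqn_ms = imsi, sqn_ms

    def verify(self, sqn):
        """None on success; on sync_failure, the SQN_MS to send back."""
        if sqn > self.sqn_ms:
            self.sqn_ms = sqn
            return None
        return self.sqn_ms


def attach(ausf, sim, max_rounds=4):
    """Run AKA for one SIM; return the number of sync_failures (each one an
    extra round trip between UE and AUSF) before the attach succeeds."""
    failures = 0
    for _ in range(max_rounds):
        auts = sim.verify(ausf.challenge(sim.imsi))
        if auts is None:
            return failures
        failures += 1
        ausf.resync(sim.imsi, auts)
    raise RuntimeError("AKA did not converge")


def attach_burst(sim_counters, shared_imsi, rounds=2):
    """Attach every SIM `rounds` times, one after another. sim_counters are
    the SIMs' current SQN_MS values (constructed: they differ because each
    SIM has authenticated a different number of times before). Returns, per
    round, the list of sync_failures per SIM."""
    ausf = Ausf()
    sims = []
    for i, c in enumerate(sim_counters):
        imsi = "PGPP-IMSI" if shared_imsi else f"IMSI-{i}"
        sims.append(Sim(imsi, c))
        if not shared_imsi:
            ausf.provision(imsi, c)   # one record per SIM, kept in step
    if shared_imsi:
        # A single record can match at most one SIM; it starts where the
        # first SIM left off, so SIMs whose counter is ahead of it fail.
        ausf.provision("PGPP-IMSI", sim_counters[0])
    return [[attach(ausf, s) for s in sims] for _ in range(rounds)]


if __name__ == "__main__":
    counters = [0, 5, 3, 8]   # constructed SQN_MS values of four SIMs
    print("unique IMSIs:", attach_burst(counters, shared_imsi=False))
    print("shared IMSI: ", attach_burst(counters, shared_imsi=True))
```

Once every SIM has resynchronized, later rounds succeed first time, because each resync only moves the shared record forward and every SIM accepts any newer SQN.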

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFs, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFs, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

⁴ We build our prototype on a 4G LTE platform as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.

Figure 10: Connection delays due to sync_failure. [x-axis: Time to Connection Complete (s), 0.0–1.0; y-axis: PDF, 0–4]

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems as, apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attack or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catcher and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers and do so while considering active attacks, without requiring fundamental changes on the UE; we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the location in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks, comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. Communications Assistance for Law Enforcement Act (CALEA). 47 USC 1001-1010, Public Law 103-414, 1994.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, World Telecommunication/ICT Development Report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET'02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using Signalling System 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord/, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not - DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB, 2019. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCellID - open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 Redirection Attacks with Audio-Based Distance Bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/, May 2018.

9 Glossary

AKA (Authentication and Key Agreement): The process by which the UE and the AUSF exchange information with which each can verify a secret key held by the other and derive keys for ciphering and integrity protection of data transmitted between the UE and the network.

AMF (Access and Mobility Management Function): The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs.

AUSF (Authentication Server Function): The entity that holds subscription information used to allow or deny access to the network.

Diameter: The authentication, authorization and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks.

EIR (Equipment Identity Register): A database that stores the IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen).

gNodeB (Next Generation NodeB): The base station in 5G.

GUTI (Globally Unique Temporary Identity): A temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network.

IMEI (International Mobile Equipment Identity): A globally unique, permanent device identifier allocated to each individual mobile device. It is set by the manufacturer.

IMS (IP Multimedia Subsystem): The entity that provides voice and messaging services for the network.

IMSI (International Mobile Subscriber Identity): A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network.

MNO (Mobile Network Operator): A cellular service provider.

MVNO (Mobile Virtual Network Operator): A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks.

NG-RAN (Next Generation Radio Access Network): The network that serves to connect UEs and gNodeBs.

NGC (Next Generation Core): The core network in 5G. The main logical nodes of the NGC are the User Plane Function (UPF), the Access and Mobility Management Function (AMF), the Session Management Function (SMF) and the Authentication Server Function (AUSF).

PGPP-GW (PGPP Gateway): A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity.

RNTI (Radio Network Temporary Identifier): A unique identifier for a UE in a given cell, used to connect over layer 2.

SIM (Subscriber Identity Module): An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network.

SMF (Session Management Function): Supports session management and IP address allocation.

SQN (Sequence Number): A value stored at the AUSF and on the SIM to maintain synchrony between the two entities.

SS7 (Signaling System 7): The protocol standard by which entities on public switched telephone networks communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards.

TA (Tracking Area): A tracking area includes one or many gNodeBs. Typically the UE can move freely among the gNodeBs in a tracking area without notifying the AMF with a tracking area update.

TAL (Tracking Area List): A list of tracking areas, stored on the device, that the device can enter without triggering a tracking area update.

TAP (Transferred Account Procedure): A file detailing usage and wholesale charges due to roaming.

UE (User Equipment): The mobile device which allows a user to access network services, connecting to the radio access network (E-UTRAN in LTE, NG-RAN in 5G) via the radio interface. Commonly understood to be a mobile phone.

UPF (User Plane Function): The gateway that provides global IP connectivity from the NGC.


broadcast encryption [25]) can provide all three properties, but in practice cannot provide property 3), as the traitor tracing would require actual physical confiscation of the "traitor" phone by the MVNO, which is infeasible. A variation on ring signatures known as linkable ring signatures [48] provides the ability for a user's identity to be revealed if the user signs multiple messages with the same key. While this is useful in establishing that the user is unique and hasn't shared their credentials, it also partially violates the user's anonymity, as that key cannot be used again.

Effective authentication. There are two approaches that we view as viable, depending on the circumstances. An anonymity-preserving cryptocurrency can provide properties 2) and 3) but not 1), as a cryptocurrency would combine billing and authentication at the PGPP-GW. For MVNOs that are not required to know their customers, an anonymity-preserving cryptocurrency may be the ideal solution for both user authentication and payment, though even the best coins provide imperfect anonymity guarantees [38].

To provide all three properties, we develop a simple scheme called PGPP tokens that helps us sidestep the issues with alternative approaches. The choice of authentication scheme is deployment-context specific. With PGPP tokens, when paying a monthly bill a user retrieves authentication tokens that are blind-signed by the billing system using Chaum's classic scheme [6, 11]. Later, when authenticating to the service, the user presents tokens and the service (the PGPP-GW) verifies their signature before allowing the user to use the network. The token scheme ensures that the service can check the validity of tokens without identifying the user requesting access. The user then presents the next token in advance so as to ensure seamless service. Note that PGPP tokens disallow the post-pay model for cellular billing, as the network would be required to know the identity of users in order to accurately charge them for usage. Therefore PGPP is pre-pay only, though this can be adjusted to emulate post-payment (e.g., users pre-pay for tokens on an ongoing basis rather than only monthly, and tokens are valid for a longer time period, such as a year, rather than for only one billing period).

Each token represents a unit of access, as is appropriate for the service provider. Some providers may choose to offer flat-rate unlimited-data service, in which case each token represents a fixed period of time; this is the default approach that we use to describe the scheme below. Other providers may choose to offer metered service, in which case each token represents a fixed unit of data, such as 100 MB or 1 GB, rather than a period of time. Still others may choose to provide two-tiered service priority by marking each token with a priority bit in addition to either unlimited-data or metered-data service; such prioritization does come with slight privacy loss, as the MVNO and MNO alike would be able to differentiate which priority level was in use. The privacy loss of two-tiered data priority can be partially mitigated by offering all users some amount of time or GB of high-priority service, after which they must fall back to low-priority service; such a service plan structure is fairly standard in the industry today. In such a setting each user would have both high-priority and low-priority tokens and thus would not be clearly stratified into two identifiable groups of users.

At the beginning of a billing period, the billing system defines s time slices (e.g., corresponding to hours) or another unit of access (e.g., a unit of data) and generates s RSA keypairs for performing blind signatures using Chaum's scheme. It then appends the public keys for this time period to a well-known public repository that is externally maintained (e.g., on GitHub), and these are fetched by users. The user generates s tokens, where each token takes the form i‖r, where i is the time slice index as a 256-bit unsigned value, zero-indexed from the beginning of the billing period, and r is a 256-bit random value chosen by the user. The user then blinds these tokens. The user pays the bill using a conventional means of payment (e.g., credit card) and presents the blinded tokens to the billing system to be signed; the system signs each token with the corresponding time slice key and returns these values to the user. The user unblinds the response values and verifies the signatures for each.

Upon later authentication to the service, the user presents its signed token for the current time slice to the PGPP-GW, which verifies the signature and, if valid, begins forwarding the user's traffic onto the Internet. Since the token signature was generated using Chaum's scheme, the service cannot determine which human user corresponds to which signed token. If the same token is used by two different users during the same time period, then the service can conclude that a user has shared their credentials and is attempting to cheat.

The costs of this scheme to both the PGPP operator and the user are low. The operator stores the list of used tokens in a standard consistent and replicated cloud database, so the service can operate multiple PGPP-GWs, though it is likely that a small number of PGPP-GWs can serve a large number of users: we benchmarked the 2048-bit RSA signature verification used here at 31 µs per call using Crypto++ [21] on a single core of a 2.6 GHz Intel Xeon E5-2640 CPU, and thus with a single CPU core the PGPP-GW can handle token verification for tens of millions of users. The tokens themselves are small, and the storage cost to the provider is about 1.5 MB per user per time period, which is a small amount for any user's phone to store; for a provider, even hundreds of millions of tokens amounts to mere GBs of data in cloud storage.
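The token lifecycle just described, as an added example that is not the paper's code: the billing system publishes one RSA key per time slice and blind-signs whatever the user submits after payment, the user agent blinds i‖r, unblinds the reply and keeps the result, and the PGPP-GW verifies the signature and rejects a token that has already been spent in that slice. The 512-bit key size, the four slices and the use of a SHA-256 hash of i‖r as the signed value are assumptions of this example (the paper benchmarks 2048-bit RSA; 512-bit keys are only here to keep pure-Python key generation fast and are not a secure parameter).

```python
"""PGPP-style access tokens with Chaum RSA blind signatures (added example)."""
import hashlib
import math
import random
import secrets

E = 65537
KEY_BITS = 512  # assumed demo size; not secure, see lead-in
SLICES = 4      # time slices per billing period (the paper's s, e.g. one per hour)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test with small-prime trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=KEY_BITS):
    """Return ((n, e), (n, d)); the billing system makes one pair per time slice."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (p * q, E), (p * q, pow(E, -1, phi))


def token_message(i, r):
    """Token i||r (two 256-bit values) hashed to an integer below the modulus (assumed encoding)."""
    raw = i.to_bytes(32, "big") + r.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


class BillingSystem:
    """Knows who paid, but only ever sees blinded values."""
    def __init__(self, slices=SLICES):
        pairs = [rsa_keygen() for _ in range(slices)]
        self.public_keys = [pk for pk, _ in pairs]   # published, e.g. in a public repository
        self._private = [sk for _, sk in pairs]
        self.billing_record = []                     # (blinded token, blinded signature) per payer

    def sign_blinded(self, i, blinded):
        n, d = self._private[i]
        sig = pow(blinded, d, n)
        self.billing_record.append((blinded, sig))
        return sig


class UserAgent:
    def __init__(self, public_keys):
        self.public_keys = public_keys
        self.tokens = {}                             # slice index -> (r, signature)

    def buy_tokens(self, billing):
        for i, (n, e) in enumerate(self.public_keys):
            r = secrets.randbits(256)
            m = token_message(i, r)
            while True:                              # blinding factor must be invertible mod n
                k = secrets.randbelow(n - 2) + 2
                if math.gcd(k, n) == 1:
                    break
            blinded = (m * pow(k, e, n)) % n
            sig = (billing.sign_blinded(i, blinded) * pow(k, -1, n)) % n
            if pow(sig, e, n) != m:                  # user verifies before trusting the token
                raise ValueError("billing system returned a bad signature")
            self.tokens[i] = (r, sig)

    def token_for(self, i):
        r, sig = self.tokens[i]
        return (i, r, sig)


class PGPPGateway:
    """Verifies tokens; `used` stands in for the paper's replicated cloud database."""
    def __init__(self, public_keys):
        self.public_keys = public_keys
        self.used = set()

    def redeem(self, current_slice, token):
        i, r, sig = token
        if i != current_slice:
            return "wrong-slice"
        n, e = self.public_keys[i]
        if pow(sig, e, n) != token_message(i, r):
            return "bad-signature"
        if (i, r) in self.used:
            return "reused"                          # same token twice: shared credentials
        self.used.add((i, r))
        return "ok"


def demo():
    billing = BillingSystem()
    alice = UserAgent(billing.public_keys)
    alice.buy_tokens(billing)
    gw = PGPPGateway(billing.public_keys)
    tok = alice.token_for(1)
    outcomes = [gw.redeem(1, tok), gw.redeem(1, tok), gw.redeem(2, tok),
                gw.redeem(1, (1, tok[1], tok[2] ^ 1))]   # last one: tampered signature
    _, r, sig = tok                                  # nothing the gateway saw is in the billing record
    unlinkable = all(token_message(1, r) != b and sig != s for b, s in billing.billing_record)
    return outcomes, unlinkable
```

The gateway keys its spent-token set on (i, r) rather than on the signature so that a re-randomized presentation of the same token cannot evade the reuse check; the billing record holds only blinded values, which is what keeps the payer's identity and the redeemed token unlinkable.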

User device agent. To automate the process of authenticating with the PGPP-GW, we create a simple agent that runs as a background job on the user device. This agent leverages the Android JobScheduler API: in the event of cellular connectivity, the JobScheduler triggers PGPP-token-based authentication with the PGPP-GW. The agent establishes a TLS connection to the PGPP-GW and then sends the token for the current time slice. Once the user presents a valid token, the PGPP-GW begins forwarding traffic for that user, and thus this behavior is akin to a captive portal, though the authentication is automatic and unseen by the user.

5.2 Location privacy

As described in §2.2, cellular operators track user location in the form of tracking areas for UEs in order to quickly find users when there is incoming content. PGPP leverages an existing mechanism in the cellular standard to reduce the effectiveness of the local-targeted attacks described in §4.1.

Paging has been exploited in the past to discover user location by adversaries. However, the use of tracking areas is useful for the cellular provider in that it confines the signaling message load (i.e., paging messages) to a relatively small subset of the infrastructure. Tracking areas reduce mobility signaling from UEs as they move through the coverage zone of a single tracking area. Note that emergency calling represents a special case in cellular networks: when a device dials 911, the phone and network attempt to estimate accurate location information. In this work we do not alter this functionality, as we anticipate that users dialing 911 are willing to reveal their location.

In PGPP we exploit the tracking area list (TAL) concept introduced in 3GPP Release 8 [2]. Using TALs, a UE no longer belongs to a single tracking area but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users [56–58], in PGPP we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) the victim is within. We explore tradeoffs in terms of TAL length, control traffic overhead and location anonymity in the next section.
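The AMF-side TAL construction described above, as an added example that is not the paper's code: the list starts at the UE's current tracking area and grows by one randomly chosen tracking area adjacent to the list so far, until the requested length (at most 16) is reached. The topology is a constructed 6x6 grid of tracking areas with three gNodeBs each, and the per-UE randomness comes from a seeded generator so that the result is reproducible; both are assumptions of this example. The last helper computes the paper's degree-of-anonymity measure, log2(S)/log2(N), for the paging broadcast domain a TAL produces.

```python
"""Per-UE random tracking area lists as generated by the AMF in PGPP (added example)."""
import math
import random

TAL_MAX = 16  # 3GPP limit on tracking areas per list


def grid_topology(side=6, gnbs_per_ta=3):
    """Constructed map: TA -> set of neighbouring TAs, and TA -> set of gNodeB ids."""
    adjacency, cells = {}, {}
    for x in range(side):
        for y in range(side):
            ta = x * side + y
            adjacency[ta] = {nx * side + ny
                             for nx, ny in ((x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1))
                             if 0 <= nx < side and 0 <= ny < side}
            cells[ta] = {f"gnb-{ta}-{j}" for j in range(gnbs_per_ta)}
    return adjacency, cells


def generate_tal(current_ta, adjacency, length, rng):
    """AMF side: a TAL unique to one UE, grown from the TA it attached in."""
    if not 1 <= length <= TAL_MAX:
        raise ValueError("TAL length must be between 1 and 16")
    tal = [current_ta]
    while len(tal) < length:
        # candidates: TAs adjacent to any TA already in the list, not yet listed
        frontier = set().union(*(adjacency[t] for t in tal)) - set(tal)
        if not frontier:  # the whole network is already covered
            break
        tal.append(rng.choice(sorted(frontier)))
    return tal


def needs_tracking_area_update(tal, new_ta):
    """UE side: a TAU is sent only when the UE leaves every TA in its list."""
    return new_ta not in tal


def paging_domain(tal, cells):
    """gNodeBs that must broadcast a page for a UE holding this TAL."""
    return set().union(*(cells[t] for t in tal))


def degree_of_anonymity(S, N):
    """log2(S)/log2(N): anonymity set of size S out of a population of N."""
    return 0.0 if S <= 1 else math.log2(S) / math.log2(N)


def demo(length=8, n_ues=20):
    adjacency, cells = grid_topology()
    N = sum(len(c) for c in cells.values())  # all gNodeBs in the map
    ta = 14                                   # constructed: every UE attaches in the same TA
    tals = [generate_tal(ta, adjacency, length, random.Random(seed)) for seed in range(n_ues)]
    domain = paging_domain(tals[0], cells)
    outside = next(t for t in cells if t not in tals[0])
    return {
        "distinct_tals": len({tuple(t) for t in tals}),   # same TA, different lists per UE
        "tal_len": len(tals[0]),
        "conventional_d": degree_of_anonymity(len(cells[ta]), N),  # paged in one TA only
        "tal_d": degree_of_anonymity(len(domain), N),              # paged across the TAL
        "tau_inside": needs_tracking_area_update(tals[0], tals[0][-1]),
        "tau_outside": needs_tracking_area_update(tals[0], outside),
    }
```

Because every TAL is grown from the attach point, each list is connected, so the UE moves through it without a tracking area update; the anonymity gain comes entirely from the size and unpredictability of the union, which is what the control-traffic analysis in §6.3 pays for.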

6 Analysis

To study the implications of a PGPP deployment, we create a simulation to model users, mobility and cell infrastructure. We study the impact of PGPP's design on various cellular attacks that occur today. We then analyze the inherent tradeoffs from the PGPP operator's perspective, as improved privacy comes at the price of increased control traffic. Lastly, we examine PGPP in a lab testbed on real devices.

Figure 3: Partial simulation map. Cells are shaded by AT&T tracking area.

Figure 4: gNodeBs visited by simulated mobile users (distribution of the number of gNodeBs visited, 0 to 30, for cars and for pedestrians).

6.1 Simulation configuration

gNodeB dataset. We select Los Angeles County, California as the region for our simulation, which provides a mix of both highly urban areas as well as rural areas. For gNodeB location information we use OpenCellID [43], an open database that includes tower locations and carrier information. To simplify the simulation, we select base stations from the database that are listed as providing LTE from AT&T, the provider with the most LTE eNodeBs (22,437) in the region. We use LTE eNodeBs as the number of gNodeBs deployed remains small.

Given their geographic coordinates, we estimate coverage areas for every gNodeB using a Voronoi diagram. During the simulation a UE is assigned to the gNodeB that corresponds to the region the UE is located within. While such discretization is not likely in reality, as UEs remain associated with a gNodeB based on received signal strength, this technique provides us with a tractable mobility simulation. A partial map of the simulation region is shown in Figure 3; eNodeB regions are shaded based on the tracking area value in the OpenCellID database.

Mobility traces. To simulate realistic mobility patterns (i.e., users must follow available paths), we generate mobility traces using the Google Places [29] and Directions [28] APIs. First, we use the Places API to find locations in the simulation region that are available when searching for "post office". Each place is associated with latitudinal and longitudinal coordinates. We then generate mobility traces by randomly selecting start and end points and use the Directions API to obtain a polyline with coordinates along with estimated times to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals, in a method similar to [10]. We use this output along with the gNodeB Voronoi diagram to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication from connectivity, and increasing the broadcast domain for users, we increase user identity privacy even against an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$H_M = \log_2(N)$  (1)

Figure 5: Degree of anonymity using (a) TALs and (b) custom TAs. Both panels plot degree of anonymity (0 to 1) against S (0 to 20,000) with N = 22,437; (a) compares the conventional setup with TAL lengths 4, 8, 12 and 16, (b) compares the conventional setup with maps of 25, 50, 100, 200, 500 and 1000 TAs.

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)}$  (2)

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the degree of anonymity for traditional cellular is $\log_2(1)/\log_2(22437) = 0$, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect for each paging message the number of gNodeBs that had users within their range and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8 the degree of anonymity is 0.748.

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs and, by extension, the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs. In traditional cell networks each user has a globally unique IMSI (S = 1), resulting in a degree of anonymity of zero, as the victim could only be one user. In our measurement study (§3) we showed that IMSIs are routinely broadcast over cell networks, making an IMSI catcher or SDR attack powerful. The subset S in PGPP, on the other hand, is the size of the population of PGPP users in a given location, as all IMSI values are identical and a local bulk attacker cannot know the true identity of a single user. To get an idea of S we can calculate the number of PGPP users connected to each gNodeB in the simulation. Over the course of the simulation we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity of $\log_2(223.09)/\log_2(50000) = 0.50$. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over the conventional cellular architecture, and it is dependent on the overall user population in the network: as more PGPP users exist, the degree of anonymity increases.

Figure 6: Area anonymity using (a) TALs and (b) custom TAs. Both panels are CDFs of page area anonymity in km² (0 to 20,000); (a) compares the conventional setup (TAL disabled) with TAL lengths 4, 8, 12 and 16, (b) compares the conventional setup (TAL disabled) with maps of 25, 50, 100, 200, 500 and 1000 TAs.

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5876.96 and 9585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.

Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF of pages per gNodeB on a log x-axis (10^0 to 10^6) for the conventional setup and TAL lengths 4, 8, 12 and 16, with the max pages/s budget marked. (b) Capacity with TALs: user capacity in millions (0 to 25) against TAL length (1 to 16) for the median, 95th-percentile and max-load gNodeBs.

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted by the vertical red line in the figure (525 pages × 3600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile and the median to estimate the number of users each could theoretically support, taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF of pages per gNodeB on a log x-axis (10^0 to 10^6) for the conventional map and maps of 25, 50, 100, 200, 500 and 1000 TAs, with the max pages/s budget marked. (b) Custom TAs, capacity: user capacity in millions (0 to 25) against the number of TAs in the underlying map (0 to 1000) for the median, 95th-percentile and max-load gNodeBs.

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic headroom, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a base map consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.
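The tradeoff studied in §6.3, reproduced in miniature as an added example that is not the paper's ns-3 simulation: k-means over constructed gNodeB coordinates builds custom tracking-area maps of k TAs (the method of §6.1), a constructed population is paged at the paper's rate (5% of users every 5 seconds for one hour), each gNodeB's paging load is counted for TAL lengths 1 and 16, and the 525 pages/s budget (70% of the BTS3202E limit) is turned into a user capacity by scaling the population until the busiest gNodeB is at its budget. Assumptions of this example: users do not move, the 3-minute call suppression is omitted, and a TAL is the user's own TA plus TAs drawn at random from the nearest ones by centroid distance, a stand-in for the adjacency the paper uses.

```python
"""Paging load and user capacity vs. TAL length and TA granularity (added example)."""
import random

PAGE_BUDGET_PER_S = 525                    # 70% of the 750 pages/s cited for a BTS3202E
STEP_S, CALL_PROB, SIM_S = 5, 0.05, 3600   # paging interval, share paged, simulated hour


def dist2(a, b):
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2


def kmeans_tas(points, k, rng, iters=15):
    """Lloyd's k-means on gNodeB coordinates; the cluster index is the custom TA id."""
    centroids = rng.sample(points, k)
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [min(range(k), key=lambda c: dist2(p, centroids[c])) for p in points]
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            if members:
                centroids[c] = (sum(x for x, _ in members) / len(members),
                                sum(y for _, y in members) / len(members))
    return labels, centroids


def make_users(n, rng):
    """Constructed users: (position in [0, 1), later mapped to a TA; pages received in the hour).
    Users do not move and the paper's 3-minute call suppression is omitted."""
    steps = SIM_S // STEP_S
    return [(rng.random(), sum(1 for _ in range(steps) if rng.random() < CALL_PROB))
            for _ in range(n)]


def paging_load(labels, centroids, users, tal_len, rng):
    """Pages each gNodeB must broadcast in the hour when every user holds a TAL of tal_len TAs."""
    k = len(centroids)
    cells_of = [[g for g, l in enumerate(labels) if l == c] for c in range(k)]
    load = [0] * len(labels)
    for pos, pages in users:
        home = int(pos * k)
        # TAL = home TA + (tal_len - 1) TAs drawn from the 2*tal_len nearest by centroid distance
        nearest = sorted((c for c in range(k) if c != home),
                         key=lambda c: dist2(centroids[c], centroids[home]))
        extra = rng.sample(nearest[:2 * tal_len], min(tal_len - 1, len(nearest)))
        for ta in [home] + extra:
            for g in cells_of[ta]:
                load[g] += pages
    return load


def user_capacity(load, n_users):
    """Users supportable if the busiest gNodeB ran exactly at its paging budget."""
    return n_users * PAGE_BUDGET_PER_S * SIM_S / max(load)


def demo(n_gnb=300, n_users=1000, seed=1):
    """(k TAs, TAL length) -> (max pages at one gNodeB, supportable users)."""
    rng = random.Random(seed)
    points = [(rng.uniform(0, 100), rng.uniform(0, 100)) for _ in range(n_gnb)]  # constructed map
    users = make_users(n_users, rng)
    result = {}
    for k in (10, 50, 100):
        labels, centroids = kmeans_tas(points, k, random.Random(seed))
        for tal_len in (1, 16):
            load = paging_load(labels, centroids, users, tal_len, random.Random(seed))
            result[(k, tal_len)] = (max(load), round(user_capacity(load, n_users)))
    return result
```

With only 10 TAs a 16-entry TAL covers the whole map, so every gNodeB carries every page; as k grows the same TAL length covers a shrinking fraction of the cells and the busiest gNodeB's load, and hence the capacity estimate, moves back toward the single-TA case, which is the effect Figures 8a and 8b show.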

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined-radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios (see footnote 4). Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6 and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI, in a simple key-value store with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSI, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point the UE re-synchronizes with the AUSF.
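The SQN divergence and resynchronization described above, as an added example that is not the paper's code. It models the AKA freshness check and the AUTS-based resync in simplified form: the UE accepts a challenge only if its SQN is greater than the stored SQN_MS and at most DELTA ahead of it (without the IND array), and on a sync_failure the AUSF adopts the SQN_MS the UE reports. DELTA = 32 is a demo value chosen so the effect appears after a few dozen attaches (the standard's window is 2^28); the two-device scenario, where A attaches often and B rarely, is constructed. With unique IMSIs the same scenario never fails.

```python
"""AKA sequence numbers when several devices share one IMSI (added example)."""
DELTA = 32  # demo acceptance window; the 3GPP value is far larger, see lead-in


class Ausf:
    """One SQN_HE record per IMSI; with PGPP every device maps onto the same record."""
    def __init__(self):
        self.sqn_he = {}

    def auth_vector(self, imsi):
        """Each authentication vector carries the next sequence number."""
        self.sqn_he[imsi] = self.sqn_he.get(imsi, 0) + 1
        return self.sqn_he[imsi]

    def resync(self, imsi, auts_sqn):
        """AUTS from the UE carries its SQN_MS; the AUSF adopts it and retries."""
        self.sqn_he[imsi] = auts_sqn


class Ue:
    def __init__(self, name, imsi, sqn_ms=0):
        self.name, self.imsi, self.sqn_ms = name, imsi, sqn_ms

    def check(self, sqn):
        """Return None if the challenge is fresh, else the SQN_MS to send back in AUTS."""
        if self.sqn_ms < sqn <= self.sqn_ms + DELTA:
            self.sqn_ms = sqn
            return None
        return self.sqn_ms


def attach(ue, ausf, max_rounds=3):
    """Run AKA until the UE accepts a challenge; returns the rounds used (1 = no sync_failure)."""
    for rnd in range(1, max_rounds + 1):
        auts = ue.check(ausf.auth_vector(ue.imsi))
        if auts is None:
            return rnd
        ausf.resync(ue.imsi, auts)  # sync_failure: extra round trip before the retry
    raise RuntimeError(f"{ue.name}: AKA did not converge")


def demo():
    """Constructed scenario: A attaches often, B rarely; once with a shared IMSI, once with unique ones."""
    out = {}
    for label, imsis in (("shared", ("pgpp", "pgpp")), ("unique", ("imsi-a", "imsi-b"))):
        ausf = Ausf()
        a, b = Ue("A", imsis[0]), Ue("B", imsis[1])
        trace = [("A", attach(a, ausf)), ("B", attach(b, ausf))]
        for _ in range(40):          # A keeps attaching; the shared counter runs ahead of B
            attach(a, ausf)
        trace += [("B", attach(b, ausf)),   # B: challenge too far ahead -> AUTS, AUSF rolls back
                  ("A", attach(a, ausf)),   # A: rolled-back challenge is stale -> AUTS again
                  ("A", attach(a, ausf))]   # back in sync
        out[label] = trace
    return out
```

The trace shows the cost the testbed measured: each device whose counter disagrees with the shared record pays one extra AKA round, and a resync by one device knocks the next one out of sync, which is why the delay compounds when many shared-IMSI UEs authenticate at once.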

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFes, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFes, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

⁴ We build our prototype on a 4G LTE platform, as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.

Figure 10: Connection delays due to sync_failure (PDF of time to connection complete, 0 to 1.0 s).
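The sync_failure mechanism described in the two paragraphs above, as an added toy model in Python (not the paper's testbed or openairinterface5G code). It keeps one SQN per IMSI at the AUSF and one per SIM, runs the attach until the SIM accepts a challenge, and counts the extra authentication rounds that devices sharing an IMSI incur. The SIM-side check is simplified to "accept only the immediately next SQN" (an assumption; real USIMs accept a window), and the IMSI values are constructed placeholders.

```python
"""Added example: AKA sequence-number (SQN) checking when several SIMs share
one IMSI. Toy model, not the paper's code; the strict SQN check is an
assumption standing in for the 3GPP range check."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Ausf:
    """Network side: one SQN per subscription (IMSI), bumped per challenge."""
    sqn: Dict[str, int] = field(default_factory=dict)

    def challenge(self, imsi: str) -> int:
        nxt = self.sqn.get(imsi, 0) + 1
        self.sqn[imsi] = nxt
        return nxt

    def resync(self, imsi: str, sqn_ms: int) -> None:
        # On sync_failure the UE reports its own SQN (AUTS); adopt it.
        self.sqn[imsi] = sqn_ms


@dataclass
class Sim:
    """Device side: the SIM's stored SQN for its IMSI."""
    imsi: str
    sqn: int = 0

    def check(self, sqn_net: int) -> bool:
        # Assumption: accept exactly the next SQN. Devices sharing the IMSI
        # advance the AUSF counter between this SIM's attaches, so the
        # challenge no longer matches and a sync_failure results.
        if sqn_net == self.sqn + 1:
            self.sqn = sqn_net
            return True
        return False


def attach(ausf: Ausf, sim: Sim) -> int:
    """Run AKA until the SIM accepts; return the number of authentication rounds."""
    rounds = 0
    while True:
        rounds += 1
        if sim.check(ausf.challenge(sim.imsi)):
            return rounds
        ausf.resync(sim.imsi, sim.sqn)  # sync_failure -> re-synchronize and retry


def attach_all(sims: List[Sim]) -> Tuple[int, int]:
    """Attach every SIM in order against one fresh AUSF.
    Returns (total authentication rounds, number of sync_failures)."""
    ausf = Ausf()
    rounds = [attach(ausf, s) for s in sims]
    return sum(rounds), sum(r - 1 for r in rounds)


if __name__ == "__main__":
    # Constructed IMSIs: three devices sharing one value vs. three unique ones.
    shared = [Sim("001010000000001") for _ in range(3)]
    unique = [Sim(f"00101000000000{i}") for i in range(3)]
    print("shared IMSI  (rounds, sync_failures):", attach_all(shared))
    print("unique IMSIs (rounds, sync_failures):", attach_all(unique))
```

Each device after the first pays one extra round trip, which is the per-UE delay tail Figure 10 shows; the model also makes clear why spreading subscribers over more AUSF instances helps only insofar as it reduces how many concurrently attaching devices contend for the same counter.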

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems, as apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attack or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catcher and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers, and do so while considering active attacks, without requiring fundamental changes on the UE: we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the location in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. Communications Assistance for Law Enforcement Act (CALEA), 47 USC 1001-1010, Public Law 103-414, 1994.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, World Telecommunication/ICT Development Report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using signalling system 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB, 2019. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCelliD - open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 Redirection Attacks with Audio-Based Distance Bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the Internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data, May 2018.

9 Glossary

AKA: Authentication and Key Agreement. The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network.

AMF: Access and Mobility Management Function. The control entity that manages signaling between the UE and the core network. AMF supports functions related to bearer and connection management and manages mobility between gNodeBs.

AUSF: Authentication Server Function. The entity that holds subscription information to allow or deny access to the network.

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks.

EIR: Equipment Identity Register. A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen).

gNodeB: Next Generation NodeB. The base station in 5G.

GUTI: Globally Unique Temporary Identity. The GUTI is a temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network.

IMEI: International Mobile Equipment Identity. A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer.

IMS: IP Multimedia Subsystem. The entity that provides voice and messaging services for the network.

IMSI: International Mobile Subscriber Identity. A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network.

MNO: Mobile Network Operator. A cellular service provider.

MVNO: Mobile Virtual Network Operator. A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks.

NG-RAN: Next Generation Radio Access Network. Network that serves to connect UEs and gNodeBs.

NGC: Next Generation Core. The core network in 5G. Main logical nodes of the NGC are the User Plane Function (UPF), Access and Mobility Management Function (AMF), the Session Management Function (SMF), and Authentication Server Function (AUSF).

PGPP-GW: PGPP Gateway. A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity.

RNTI: Radio Network Temporary Identifier. A unique identifier for a UE in a given cell, used to connect over layer 2.

SIM: Subscriber Identity Module. An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network.

SMF: Session Management Function. The session management function supports session management and IP address allocation.

SQN: Sequence Number. A value stored at the AUSF and the SIM to maintain synchrony between the entities.

SS7: Signaling System 7. The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards.

TA: Tracking Area. A tracking area includes one or many gNodeBs. Typically, the UE can move freely within gNodeBs in a tracking area without notifying the AMF with a tracking area update.

TAL: Tracking Area List. A list of tracking areas stored on the device that the device can enter without triggering a tracking area update.

TAP: Transferred Account Procedure. A file detailing usage and wholesale charges due to roaming.

UE: User Equipment. The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone.

UPF: User Plane Function. The gateway that provides global IP connectivity from the NGC.


for the current time slice. Once the user presents a valid token, the PGPP-GW begins forwarding traffic for that user, and thus this behavior is akin to a captive portal, though the authentication is automatic and unseen by the user.

5.2 Location privacy

As described in §2.2, cellular operators track user location in the form of tracking areas for UEs in order to quickly find users when there is incoming content. PGPP leverages an existing mechanism in the cellular standard to reduce the effectiveness of local-targeted attacks described in §4.1.

Paging has been exploited in the past to discover user location by adversaries. However, the use of tracking areas is useful for the cellular provider in that it confines the signaling message load (i.e., paging messages) to a relatively small subset of the infrastructure. Tracking areas reduce mobility signaling from UEs as they move through the coverage zone of a single tracking area. Note that emergency calling represents a special case in cellular networks. When a device dials 911, the phone and network attempt to estimate accurate location information. In this work we do not alter this functionality, as we anticipate that users dialing 911 are willing to reveal their location.

In PGPP, we exploit the tracking area list (TAL) concept introduced in 3GPP Release 8 [2]. Using TALs, a UE no longer belongs to a single tracking area, but rather is given a list of up to 16 tracking areas that it can freely move through without triggering a tracking area update, essentially creating larger tracking areas. Whereas prior work has focused on using TALs to pre-compute optimal tracking area combinations for users [56–58], in PGPP we use TALs to provide improved location anonymity. Typically, TALs consist of groups of adjacent tracking areas that are pre-computed, essentially growing the tracking area for a UE to the union of all tracking areas in the TAL. We do not use TALs in this way. Instead, we generate TALs on-the-fly and generate them uniquely for each UE. When a UE attaches or issues a tracking area update message, the AMF learns the gNodeB and tracking area the UE is currently attached to. The AMF then generates a unique TAL by iteratively selecting at random some number (up to the TAL limit of 16) of additional adjacent tracking areas. By generating unique TALs for each user, attackers are unable to know a priori which set of tracking areas (or gNodeBs) that victim is within. We explore tradeoffs in terms of TAL length, control traffic overhead, and location anonymity in the next section.
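The per-UE TAL generation just described, as an added Python example (not the paper's AMF implementation). Given an adjacency map of tracking areas and the TA the UE currently sits in, it grows a list by repeatedly picking a random TA adjacent to something already chosen, up to the 3GPP limit of 16, and exposes a validity check for the invariants an AMF would want to hold. The grid adjacency map and the per-UE random seed are constructed for the example; a real deployment derives adjacency from gNodeB geometry.

```python
"""Added example: per-UE random tracking area list (TAL) generation over a
tracking-area adjacency graph (not the paper's code)."""
import random
from typing import Dict, List, Set

TAL_MAX = 16  # 3GPP limit on tracking areas in one TAL


def grid_adjacency(rows: int, cols: int) -> Dict[int, Set[int]]:
    """Constructed adjacency map: tracking area codes laid out on a grid,
    each adjacent to its four neighbours."""
    adj: Dict[int, Set[int]] = {}
    for r in range(rows):
        for c in range(cols):
            tac = r * cols + c
            nbrs: Set[int] = set()
            if r > 0:
                nbrs.add(tac - cols)
            if r < rows - 1:
                nbrs.add(tac + cols)
            if c > 0:
                nbrs.add(tac - 1)
            if c < cols - 1:
                nbrs.add(tac + 1)
            adj[tac] = nbrs
    return adj


def generate_tal(current_tac: int, adj: Dict[int, Set[int]],
                 rng: random.Random, length: int = TAL_MAX) -> List[int]:
    """Grow a TAL from the UE's current TA by repeatedly picking, at random,
    a TA adjacent to something already in the list, until `length` entries
    or no adjacent TA remains. `rng` is per UE, so every UE gets its own TAL."""
    if not 1 <= length <= TAL_MAX:
        raise ValueError("TAL length must be between 1 and 16")
    tal = [current_tac]
    frontier = set(adj[current_tac])
    while len(tal) < length and frontier:
        pick = rng.choice(sorted(frontier))  # sorted: reproducible under a seed
        tal.append(pick)
        frontier |= adj[pick]
        frontier -= set(tal)
    return tal


def is_valid_tal(tal: List[int], current_tac: int, adj: Dict[int, Set[int]]) -> bool:
    """Invariants: current TA first, within the limit, no duplicates, and every
    later entry adjacent to an earlier one (the list is connected)."""
    if not tal or tal[0] != current_tac or len(tal) > TAL_MAX:
        return False
    if len(set(tal)) != len(tal):
        return False
    for i, tac in enumerate(tal[1:], start=1):
        if not adj[tac] & set(tal[:i]):
            return False
    return True


if __name__ == "__main__":
    adjacency = grid_adjacency(10, 10)
    # Two UEs in the same TA get different lists because each has its own RNG.
    for ue_seed in (1, 2):
        tal = generate_tal(45, adjacency, random.Random(ue_seed))
        print(ue_seed, tal, is_valid_tal(tal, 45, adjacency))
```

Because the frontier grows with every pick, the resulting list is a random connected blob around the current TA rather than a fixed neighbourhood, which is what denies an observer an a priori mapping from TAL to location.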

6 Analysis

To study the implications of a PGPP deployment, we create a simulation to model users, mobility, and cell infrastructure. We study the impact of PGPP's design on various cellular attacks that occur today. We then analyze the inherent tradeoffs from the PGPP operator's perspective, as improved privacy comes at the price of increased control traffic. Lastly, we examine PGPP in a lab testbed on real devices.

Figure 3: Partial simulation map. Cells are shaded by AT&T tracking area.

Figure 4: gNodeBs visited by simulated mobile users (x-axis: gNodeBs visited, 0 to 30; series: cars, pedestrians).

6.1 Simulation configuration

gNodeB dataset. We select Los Angeles County, California as the region for our simulation, which provides a mix of both highly urban areas as well as rural areas. For gNodeB location information we use OpenCellID [43], an open database that includes tower locations and carrier information. To simplify the simulation, we select base stations from the database that are listed as providing LTE from AT&T, the provider with the most LTE eNodeBs (22,437) in the region. We use LTE eNodeBs as the number of gNodeBs deployed remains small.

Given their geographic coordinates, we estimate coverage areas for every gNodeB using a Voronoi diagram. During the simulation, a UE is assigned to the gNodeB that corresponds to the region the UE is located within. While such discretization is not likely in reality, as UEs remain associated with a gNodeB based on received signal strength, this technique provides us with a tractable mobility simulation. A partial map of the simulation region is shown in Figure 3. eNodeB regions are shaded based on the tracking area value in the OpenCellID database.

Mobility traces. To simulate realistic mobility patterns (i.e., users must follow available paths), we generate mobility traces using the Google Places [29] and Directions [28] APIs. First, we use the Places API to find locations in the simulation region that are available when searching for "post office". Each place is associated with latitudinal and longitudinal coordinates. We then generate mobility traces by randomly selecting start and end points, and use the Directions API to obtain a polyline with coordinates along with estimated times to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals in a method similar to [10]. We use this output, along with the gNodeB Voronoi diagram, to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore, we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so, we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.
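The two geometric steps of this configuration, Voronoi (nearest-center) assignment and k-means grouping of gNodeBs into custom tracking areas, as an added pure-Python example that is not the paper's simulation code. It runs Lloyd's algorithm on raw latitude/longitude pairs with Euclidean distance, as the text describes, and returns the gNodeB membership of each custom TA. The eight gNodeB coordinates are constructed (two well separated groups) so the expected clustering is obvious; on a real OpenCellID extract the same function applies with k set to the desired number of TAs.

```python
"""Added example: grouping gNodeBs into custom tracking areas with k-means,
plus nearest-center (Voronoi) assignment (not the paper's code)."""
import math
import random
from typing import Dict, List, Tuple

Point = Tuple[float, float]  # (latitude, longitude), treated as planar

# Constructed gNodeB coordinates: two separated groups of four.
GNODEBS: List[Point] = [
    (34.05, -118.25), (34.06, -118.24), (34.04, -118.26), (34.05, -118.23),
    (34.60, -118.10), (34.61, -118.09), (34.59, -118.11), (34.60, -118.12),
]


def dist(a: Point, b: Point) -> float:
    # Euclidean distance on raw coordinates, as the paper's clustering does;
    # adequate for a county-sized region, not for global data.
    return math.hypot(a[0] - b[0], a[1] - b[1])


def nearest(p: Point, centers: List[Point]) -> int:
    """Index of the closest center: the Voronoi cell that `p` falls in."""
    return min(range(len(centers)), key=lambda i: dist(p, centers[i]))


def kmeans(points: List[Point], k: int, rng: random.Random,
           max_iter: int = 100) -> Tuple[List[Point], List[int]]:
    """Lloyd's algorithm. Returns (centers, label of each point)."""
    if not 1 <= k <= len(points):
        raise ValueError("k must be between 1 and the number of points")
    centers = rng.sample(points, k)
    labels = [0] * len(points)
    for _ in range(max_iter):
        labels = [nearest(p, centers) for p in points]
        new_centers: List[Point] = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if not members:  # keep an emptied cluster's center where it is
                new_centers.append(centers[j])
                continue
            new_centers.append((sum(p[0] for p in members) / len(members),
                                sum(p[1] for p in members) / len(members)))
        if new_centers == centers:  # assignments stable: converged
            break
        centers = new_centers
    return centers, labels


def custom_tracking_areas(points: List[Point], k: int, seed: int = 0) -> Dict[int, List[int]]:
    """Map each custom TA id to the indices of the gNodeBs it contains."""
    _, labels = kmeans(points, k, random.Random(seed))
    tas: Dict[int, List[int]] = {}
    for idx, tac in enumerate(labels):
        tas.setdefault(tac, []).append(idx)
    return tas


if __name__ == "__main__":
    for tac, members in sorted(custom_tracking_areas(GNODEBS, 2, seed=7).items()):
        print(f"TA {tac}: gNodeBs {members}")
```

The number of non-empty entries in the returned map is the effective TA count; with real data some seeds leave a cluster empty, which the empty-cluster branch tolerates rather than crashing on a division by zero.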

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication with connectivity, and increasing the broadcast domain for users, we increase user identity privacy even with an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user when under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case, we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$$H_M = \log_2(N) \quad (1)$$

Figure 5: Degree of anonymity using TALs and custom TAs. (a) TALs: degree of anonymity versus S (0 to 20,000), N = 22,437, for the conventional setup and TAL lengths 4, 8, 12, 16. (b) Custom TAs: degree of anonymity versus S, N = 22,437, for the conventional setup and 25, 50, 100, 200, 500, 1000 TAs.

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)} \quad (2)$$

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the anonymity set for traditional cellular is $\log_2(1)/\log_2(22437) = 0$, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect, for each paging message, the number of gNodeBs that had users within their range and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8, the degree of anonymity is 0.748.
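Equation (2) carried through for both bulk-attacker cases the section works out, as an added Python example (not the paper's analysis scripts): the global observer's S is the median per-page count of gNodeBs with PGPP users over N gNodeBs, and the local observer's S is the mean number of PGPP users on gNodeBs that have any, over N users. The two sample series are constructed, not the paper's simulation output; the only page values used are the baselines N = 22,437 gNodeBs and 50,000 users.

```python
"""Added example: degree of anonymity d = log2(S) / log2(N) for the
global-bulk and local-bulk attacker models (not the paper's code)."""
import math
from statistics import median
from typing import Sequence


def degree_of_anonymity(s: float, n: int) -> float:
    """Equation (2). S is the size of the set within which the attacker
    cannot distinguish the victim; N is the size of the whole population."""
    if n < 2:
        raise ValueError("need a population of at least two")
    if not 1 <= s <= n:
        raise ValueError("S must lie in [1, N]")
    return math.log2(s) / math.log2(n)


def global_bulk_anonymity(gnodebs_with_users_per_page: Sequence[int],
                          n_gnodebs: int) -> float:
    """Global observer (operator): per paging message, the number of gNodeBs
    with at least one PGPP user; the median is S, all gNodeBs are N."""
    return degree_of_anonymity(median(gnodebs_with_users_per_page), n_gnodebs)


def local_bulk_anonymity(users_per_gnodeb: Sequence[int], n_users: int) -> float:
    """Local observer at a gNodeB: S is the mean number of PGPP users on
    gNodeBs that have any; N is the total PGPP user population."""
    occupied = [u for u in users_per_gnodeb if u > 0]
    if not occupied:
        raise ValueError("no gNodeB has users")
    return degree_of_anonymity(sum(occupied) / len(occupied), n_users)


# Constructed sample values, not the paper's simulation output.
PAGES_GNODEB_COUNTS = [1500, 1800, 1796, 2100, 1650]  # gNodeBs paged with users, per page
USERS_PER_GNODEB = [0, 120, 300, 250, 0, 445]         # PGPP users per gNodeB

if __name__ == "__main__":
    print("conventional, unique IMSI:", degree_of_anonymity(1, 22437))
    print("global bulk (sample):     ", round(global_bulk_anonymity(PAGES_GNODEB_COUNTS, 22437), 3))
    print("local bulk (sample):      ", round(local_bulk_anonymity(USERS_PER_GNODEB, 50000), 3))
```

The input checks matter in practice: a median of zero (a page that reached no occupied gNodeB) or an S above N would otherwise yield a negative or above-one "degree", which is a data error rather than a privacy result.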

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs, and by extension the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs.

In traditional cell networks each user has a globally uniqueIMSI (S = 1) resulting in a degree of anonymity of zero asthe victim could only be one user In our measurement study(sect3) we showed that IMSIs are routinely broadcast over cellnetworks making an IMSI catcher or SDR attack powerfulThe subset S in PGPP on the other hand is the size of thepopulation of PGPP users in a given location as all IMSIvalues are identical and a local bulk attacker cannot knowthe true identity of a single user To get an idea of S we cancalculate the number of PGPP users connected to each gN-odeB in the simulation Over the course of the simulation

10

[Figure 6: Area anonymity using TALs and custom TAs. (a) TALs: CDF of page area anonymity (km²) for Conventional (TAL disabled) and TAL lengths 4, 8, 12 and 16. (b) Custom TAs: CDF of page area anonymity (km²) for Conventional (TAL disabled) and maps of 25, 50, 100, 200, 500 and 1000 TAs.]

we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity of $\log_2(223.09)/\log_2(50000) = 0.50$. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over the conventional cellular architecture, and it is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.
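As an added illustration, not code from the paper, the following Python computes the degree of anonymity of [22] for the two bulk-attack cases above. The UE-to-gNodeB snapshot and the per-page broadcast-domain sizes are constructed; only the 223.09 users per gNodeB and the 50,000-user population are the paper's figures.

```python
import math
import statistics
from collections import Counter


def degree_of_anonymity(s, n):
    """Degree of anonymity d = log2(S) / log2(N) [22]: the entropy of the S candidates
    an attacker is left with, normalised by the maximum entropy H_M = log2(N)."""
    if n <= 1 or s < 1 or s > n:
        raise ValueError("need 1 <= S <= N and N > 1")
    return math.log2(s) / math.log2(n)


def global_bulk_anonymity(page_domain_sizes, n_gnodebs):
    """Global-bulk attacker (operator view). Conventional: a unique IMSI pins the
    victim to one gNodeB (S = 1). PGPP: per paging message, S is the number of
    gNodeBs in the broadcast domain that had at least one PGPP client; the paper
    takes the median over all pages. N is the number of gNodeBs."""
    conventional = degree_of_anonymity(1, n_gnodebs)
    pgpp = degree_of_anonymity(statistics.median(page_domain_sizes), n_gnodebs)
    return conventional, pgpp


def local_bulk_anonymity(ue_to_gnodeb, population):
    """Local-bulk attacker (traffic visible at a gNodeB). Conventional: S = 1.
    PGPP: all IMSIs are identical, so S is the number of PGPP users at the gNodeB;
    following the paper we use the mean over gNodeBs that have users, and N is
    the user population."""
    users_per_gnodeb = Counter(ue_to_gnodeb.values())
    mean_users = statistics.mean(users_per_gnodeb.values())
    return degree_of_anonymity(1, population), degree_of_anonymity(mean_users, population)


# Constructed snapshot (not the paper's data): the gNodeB each of six UEs is attached to.
SNAPSHOT = {"ue0": 11, "ue1": 11, "ue2": 11, "ue3": 42, "ue4": 42, "ue5": 97}
N_GNODEBS = 8
# Constructed per-page counts of gNodeBs with >= 1 PGPP user in the broadcast domain.
PAGE_DOMAIN_SIZES = [2, 3, 3, 4, 6]

if __name__ == "__main__":
    print("global-bulk (conventional, PGPP):", global_bulk_anonymity(PAGE_DOMAIN_SIZES, N_GNODEBS))
    print("local-bulk  (conventional, PGPP):", local_bulk_anonymity(SNAPSHOT, len(SNAPSHOT)))
    # The paper's local-bulk case: mean 223.09 users per occupied gNodeB, N = 50,000.
    print("paper's local-bulk value:", round(degree_of_anonymity(223.09, 50000), 2))
```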

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5876.96 and 9585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs; Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.

[Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF of control traffic (pages, log scale from 10^0 to 10^6) for Conventional and TAL lengths 4, 8, 12 and 16, with the max pages/s budget marked. (b) Capacity with TALs: user capacity (millions) versus TAL length (1 to 16) for the median, 95th percentile and max gNodeB load.]

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section, we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus, we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted by the vertical red line in the figure (525 pages × 3600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th


[Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF of control traffic (pages, log scale from 10^0 to 10^6) for Conventional and maps of 25, 50, 100, 200, 500 and 1000 TAs, with the max pages/s budget marked. (b) Custom TAs, capacity: user capacity (millions) versus the number of TAs in the underlying map (0 to 1000) for the median, 95th percentile and max gNodeB load.]

percentile, and the median to estimate the number of users each could theoretically support, taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.
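The page-area metric of §6.2 (a bounding box around every gNodeB in the broadcast domain) and the paging-load and capacity estimate of this section, as one added example that is not the paper's simulator: the tracking-area map, user count and equirectangular area approximation are constructed assumptions, and capacity is estimated by scaling the simulated population linearly against the 525 pages/s budget.

```python
import math
import random
import statistics
from collections import defaultdict

PAGE_BUDGET_PER_SEC = 525   # 70% of the BTS3202E's 750 pages/s, as budgeted in the paper
INTERVAL_S = 5              # paging decision interval of the paper's synthetic traffic
CALL_S = 180                # a paged user is busy for a 3-minute "call"
CALL_FRACTION = 0.05        # 5% of the population is selected each interval


def make_map(n_tas, gnbs_per_ta, seed=1):
    """Constructed map (not the paper's AT&T map): each TA is a cluster of gNodeBs
    around a random centre; coordinates are (latitude, longitude) in degrees."""
    rng = random.Random(seed)
    gnb_pos, ta_gnbs, gid = {}, {}, 0
    for ta in range(n_tas):
        clat, clon = 34.0 + rng.uniform(0, 0.5), -118.5 + rng.uniform(0, 0.5)
        ta_gnbs[ta] = []
        for _ in range(gnbs_per_ta):
            gnb_pos[gid] = (clat + rng.uniform(-0.02, 0.02), clon + rng.uniform(-0.02, 0.02))
            ta_gnbs[ta].append(gid)
            gid += 1
    return gnb_pos, ta_gnbs


def make_tal(home_ta, n_tas, length, rng=None):
    """TAL = the home TA plus (length - 1) further TAs picked at random from the map (§5.2)."""
    rng = rng or random.Random(0)
    others = [t for t in range(n_tas) if t != home_ta]
    return [home_ta] + rng.sample(others, length - 1)


def bounding_box_area_km2(points):
    """Area of the lat/lon bounding box around a set of gNodeBs (the paper's page-area
    metric); an equirectangular approximation with 111.32 km per degree is assumed."""
    lats = [p[0] for p in points]
    lons = [p[1] for p in points]
    mid_lat = math.radians((min(lats) + max(lats)) / 2)
    height = (max(lats) - min(lats)) * 111.32
    width = (max(lons) - min(lons)) * 111.32 * math.cos(mid_lat)
    return height * width


def broadcast_area(gnb_pos, ta_gnbs, tal):
    """Page-area anonymity for one UE: bounding box around every gNodeB in its TAL."""
    return bounding_box_area_km2([gnb_pos[g] for ta in tal for g in ta_gnbs[ta]])


def simulate_paging(ta_gnbs, n_users, tal_length, hours=1, seed=2):
    """Pages broadcast per gNodeB, following the paper's synthetic call model: every
    interval 5% of users are selected; a user not already in a call is paged on all
    gNodeBs of every TA in its TAL and is then busy for CALL_S seconds."""
    rng = random.Random(seed)
    n_tas = len(ta_gnbs)
    tals = [make_tal(rng.randrange(n_tas), n_tas, tal_length, rng) for _ in range(n_users)]
    busy_until = [0] * n_users
    pages = defaultdict(int)
    for now in range(0, hours * 3600, INTERVAL_S):
        for u in rng.sample(range(n_users), int(CALL_FRACTION * n_users)):
            if busy_until[u] > now:
                continue                      # in a call: further pages are suppressed
            busy_until[u] = now + CALL_S
            for ta in tals[u]:
                for g in ta_gnbs[ta]:
                    pages[g] += 1
    return dict(pages)


def capacity_estimate(pages, n_users, hours=1):
    """Users the network could serve if the busiest / 95th-percentile / median gNodeB
    ran exactly at the paging budget (linear scaling of the simulated population)."""
    budget = PAGE_BUDGET_PER_SEC * 3600 * hours
    loads = sorted(pages.values())
    p95 = loads[min(len(loads) - 1, int(0.95 * len(loads)))]
    return {
        "max": n_users * budget / loads[-1],
        "p95": n_users * budget / p95,
        "median": n_users * budget / statistics.median(loads),
    }


if __name__ == "__main__":
    gnb_pos, ta_gnbs = make_map(n_tas=10, gnbs_per_ta=5)
    for length in (1, 4, 8):
        pages = simulate_paging(ta_gnbs, n_users=1000, tal_length=length)
        area = broadcast_area(gnb_pos, ta_gnbs, make_tal(0, 10, length))
        print(f"TAL {length:2d}: page area {area:8.1f} km^2, capacity {capacity_estimate(pages, 1000)}")
```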

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic capacity, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a base map consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.⁴ Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

[Figure 9: PGPP prototype test hardware]

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI in a simple key-value store, with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe in Figure 10

⁴ We build our prototype on a 4G LTE platform, as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.


[Figure 10: Connection delays due to sync_failure. PDF of the time to connection complete (0.0 to 1.0 s).]

that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFs, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFs, as the core network entities are being redesigned to be virtualized and located nearer to UEs.
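An added simulation, not the testbed code, of the SQN mismatch described above: the SIM accepts a challenge only inside a freshness window DELTA (the jump limit of 3GPP TS 33.102 Annex C; the small value used here is constructed), a stale challenge triggers a sync_failure and resynchronisation, and the mitigation of spreading UEs over several AUSFs is modelled by a constructed round-robin sharding.

```python
from dataclasses import dataclass, field

# Freshness window the SIM tolerates between its own SQN and the network's
# (3GPP TS 33.102 Annex C). A deliberately small constructed value makes the effect visible.
DELTA = 8


@dataclass
class Ausf:
    """Network side: one SQN per IMSI, as in a conventional subscriber database."""
    sqn: dict = field(default_factory=dict)

    def challenge(self, imsi):
        """Issue the next SQN for this IMSI (the SQN carried in AUTN)."""
        self.sqn[imsi] = self.sqn.get(imsi, 0) + 1
        return self.sqn[imsi]

    def resync(self, imsi, sqn_ms):
        """Handle the UE's AUTS: adopt the SIM's counter and issue a fresh challenge."""
        self.sqn[imsi] = sqn_ms
        return self.challenge(imsi)


@dataclass
class Sim:
    """Device side: the SIM's own SQN, advanced on every accepted challenge."""
    imsi: str
    sqn_ms: int = 0

    def verify(self, sqn_hn):
        """Accept only a fresh SQN: SQN_ms < SQN_hn <= SQN_ms + DELTA."""
        if self.sqn_ms < sqn_hn <= self.sqn_ms + DELTA:
            self.sqn_ms = sqn_hn
            return True
        return False


def attach(sim, ausf):
    """One attach; returns the number of challenge round trips (1 = no sync_failure, 2 = one)."""
    if sim.verify(ausf.challenge(sim.imsi)):
        return 1
    # sync_failure: the UE reports SQN_ms in AUTS and the AUSF re-synchronises to it.
    accepted = sim.verify(ausf.resync(sim.imsi, sim.sqn_ms))
    assert accepted, "a re-synchronised challenge is always fresh"
    return 2


def simulate(n_ues, rounds, shared_imsi, n_ausf=1):
    """Attach every UE `rounds` times and return the total number of sync_failures.
    UEs are spread over n_ausf AUSFs (UE i -> AUSF i mod n_ausf), a constructed sharding."""
    # Constructed IMSIs on the test PLMN 001/01: one shared value, or one per UE.
    sims = [Sim("001010000000001" if shared_imsi else f"0010100000{i:05d}") for i in range(n_ues)]
    ausfs = [Ausf() for _ in range(n_ausf)]
    failures = 0
    for _ in range(rounds):
        for i, sim in enumerate(sims):
            failures += attach(sim, ausfs[i % n_ausf]) - 1
    return failures


if __name__ == "__main__":
    print("unique IMSIs, 1 AUSF :", simulate(20, 2, shared_imsi=False))
    print("shared IMSI,  1 AUSF :", simulate(20, 2, shared_imsi=True))
    print("shared IMSI,  4 AUSFs:", simulate(20, 2, shared_imsi=True, n_ausf=4))
```

With one AUSF the shared-IMSI SQN runs ahead of the SIMs that attached early, so every later attach of those devices costs an extra round trip; with the same population split over four AUSFs the per-AUSF counter stays within DELTA and no sync_failure occurs.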

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems, as apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attack or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catcher and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers and do so while considering active attacks, without requiring fundamental changes on the UE; we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the area in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. 1994. Communications Assistance for Law Enforcement Act (CALEA). 47 USC 1001-1010, Public Law 103-414.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International telecommunication union, world telecommunication/ICT development report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using signalling system 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB, 2019. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCelliD - open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 redirection attacks with audio-based distance bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data, May 2018.

9 Glossary

AKA: Authentication and Key Agreement. The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network.

AMF: Access and Mobility Management Function. The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs.

AUSF: Authentication Server Function. The entity that holds subscription information to allow or deny access to the network.

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks.

EIR: Equipment Identity Register. A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen).

gNodeB: Next Generation NodeB. The base station in 5G.

GUTI: Globally Unique Temporary Identity. The GUTI is a temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network.

IMEI: International Mobile Equipment Identity. A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer.

IMS: IP Multimedia Subsystem. The entity that provides voice and messaging services for the network.

IMSI: International Mobile Subscriber Identity. A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network.

MNO: Mobile Network Operator. A cellular service provider.

MVNO: Mobile Virtual Network Operator. A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks.

NG-RAN: Next Generation Radio Access Network. Network that serves to connect UEs and gNodeBs.

NGC: Next Generation Core. The core network in 5G. Main logical nodes of the NGC are the User Plane Function (UPF), the Access and Mobility Management Function (AMF), the Session Management Function (SMF), and the Authentication Server Function (AUSF).

PGPP-GW: PGPP Gateway. A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity.

RNTI: Radio Network Temporary Identifier. A unique identifier for a UE in a given cell, used to connect over layer 2.

SIM: Subscriber Identity Module. An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network.

SMF: Session Management Function. The session management function supports session management and IP address allocation.

SQN: Sequence Number. A value stored at the AUSF and the SIM to maintain synchrony between the entities.

SS7: Signaling System 7. The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards.

TA: Tracking Area. A tracking area includes one or many gNodeBs. Typically, the UE can move freely within gNodeBs in a tracking area without notifying the AMF with a tracking area update.

TAL: Tracking Area List. A list of tracking areas stored on the device that the device can enter without triggering a tracking area update.

TAP: Transferred Account Procedure. A file detailing usage and wholesale charges due to roaming.

UE: User Equipment. The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone.

UPF: User Plane Function. The gateway that provides global IP connectivity from the NGC.


to reach points along the line. We generate 50,000 mobility traces: 25,000 cars and 25,000 pedestrians. We then use ns-3 to process the mobility traces and generate coordinates for each trace at 5-second intervals, in a method similar to [10]. We use this output, along with the gNodeB Voronoi diagram, to assign each simulated UE to a gNodeB for every 5-second interval in the mobility trace. Figure 4 shows the distribution of the number of gNodeBs visited by UEs in the simulation. As expected, car trips result in a significantly higher number of gNodeBs for a UE compared with pedestrian trips.

Synthetic traffic. We simulate one hour. To create control traffic, at every 5-second interval we randomly select 5% of the user population to receive a "call". A call results in a paging message that is sent to all gNodeBs in the UE's tracking area. Each paged user enters a 3-minute "call" if it is not already in one, at which point further paging messages are suppressed for that user until the call is complete. We run the simulation with PGPP enabled as well as with the conventional infrastructure setup.

Custom TAs. As we detail further in §6.3, large TALs increase control traffic loads, which lowers the network's user capacity. Therefore, we generate new tracking areas in the underlying network in order to mitigate the control traffic burden. As tracking areas normally consist of groups of adjacent gNodeBs, we need a method by which we can cluster nearby gNodeBs into logical groupings. To do so, we use k-means clustering with the gNodeB geographic coordinates, allowing for Euclidean distance to be calculated between gNodeBs. We generate several underlying tracking area maps with the number of TAs (i.e., k-means centers) ranging from 25 to 1000. For comparison, the AT&T LTE network in the simulation is composed of 113 TAs.

6.2 Cellular privacy attack analysis

Given the taxonomy we presented in §4.1, we analyze the identity and location privacy benefits of PGPP in the simulated environment.

Global-bulk attacks. By nullifying the value of IMSIs, separating authentication from connectivity, and increasing the broadcast domain for users, we increase user identity privacy even with an adversary that is capable of bulk surveillance over an entire network (e.g., operators, governments).

Anonymity analysis. We measure the anonymity of a user when under bulk attacks using degree of anonymity [22]. The degree of anonymity value ranges from zero to one, with ideal anonymity being one, meaning the user could be any member of the population with equal probability. In this case we consider the IMSI value to be the target identity. The size of the anonymity set for a population of N users will result in a maximum entropy of

$$H_M = \log_2(N) \qquad (1)$$

Figure 5: Degree of anonymity using TALs and custom TAs. (a) TALs: Conventional and TAL lengths 4, 8, 12, 16. (b) Custom TAs: Conventional and 25, 50, 100, 200, 500, 1000 TAs. Axes: anonymity set size S (0 to 20000) versus degree of anonymity (0.0 to 1.0), N = 22437.

The degree of anonymity is determined based on the size of the subset of user identities S that an attacker could possibly believe the victim to be:

$$d = \frac{H(X)}{H_M} = \frac{\log_2(S)}{\log_2(N)} \qquad (2)$$

Given global visibility into the network, we can reason about the anonymity set using the number of gNodeBs that a victim could possibly be connected to. This is because a cellular carrier can know the exact base station that a user is connected to once the UE enters an active state. As a baseline, the anonymity set for traditional cellular is $\log_2(1)/\log_2(22437) = 0$, as each IMSI is a unique value. With PGPP, IMSIs are identical, so from the perspective of the carrier the victim could be connected to any gNodeB that has at least one PGPP client connected to it. Using our simulated environment, we collect, for each paging message, the number of gNodeBs that had users within their range and use the median value to calculate the degree of anonymity. Figures 5a and 5b show the degree of anonymity using different configurations of TALs and custom TAs, respectively. We see that high degrees of anonymity are attainable despite an attacker's global visibility. For instance, with TALs of length 8, the degree of anonymity is 0.748.

Local-bulk attacks. PGPP's use of identical IMSIs reduces the importance of IMSIs, and by extension the usefulness of local bulk attacks on user identity. An attacker that can view traffic at the gNodeB(s) can gain insight into nearby IMSIs.

In traditional cell networks, each user has a globally unique IMSI (S = 1), resulting in a degree of anonymity of zero, as the victim could only be one user. In our measurement study (§3) we showed that IMSIs are routinely broadcast over cell networks, making an IMSI catcher or SDR attack powerful. The subset S in PGPP, on the other hand, is the size of the population of PGPP users in a given location, as all IMSI values are identical and a local bulk attacker cannot know the true identity of a single user. To get an idea of S, we can calculate the number of PGPP users connected to each gNodeB in the simulation. Over the course of the simulation we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity $\log_2(223.09)/\log_2(50000) = 0.50$. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over conventional cellular architecture, and is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.

Figure 6: Area anonymity using TALs and custom TAs. (a) TALs: Conventional (TAL disabled) and TAL lengths 4, 8, 12, 16. (b) Custom TAs: Conventional (TAL disabled) and 25, 50, 100, 200, 500, 1000 TAs. Axes: page area anonymity (km², 0 to 20000) versus CDF (0.0 to 1.0).
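To make Eq. (1) and (2) concrete for both attacker views discussed above, the following added Python example (not code from the PGPP paper or its authors) computes the degree of anonymity for the global-bulk view (median gNodeBs covered per page, as the paper does) and for the local-bulk view (mean PGPP users per occupied gNodeB). The per-page gNodeB counts and per-cell user counts are constructed sample data; the population sizes 22,437 and 50,000 are the ones used in the text, and the functions reproduce the paper's two reference values, 0 for a unique IMSI and 0.50 for S = 223.09 with N = 50,000.

```python
"""Degree-of-anonymity computations for Eq. (1) and (2) of Sec. 6.2.

Added example; not code from the PGPP paper or its authors. The per-page
gNodeB counts and per-gNodeB user counts below are constructed sample data,
not output of the paper's simulation.
"""
import math
from statistics import median
from typing import Sequence


def max_entropy(n_users: int) -> float:
    """H_M = log2(N): entropy of the attacker's guess when the victim could be
    any of the N users with equal probability (Eq. 1)."""
    if n_users < 2:
        raise ValueError("need at least two users for a meaningful anonymity set")
    return math.log2(n_users)


def degree_of_anonymity(anonymity_set: float, n_users: int) -> float:
    """d = log2(S) / log2(N) (Eq. 2). S is the number of identities the attacker
    cannot tell the victim apart from: S = 1 pins the victim (d = 0), S = N is ideal (d = 1)."""
    if not 1 <= anonymity_set <= n_users:
        raise ValueError("anonymity set S must satisfy 1 <= S <= N")
    return math.log2(anonymity_set) / max_entropy(n_users)


def global_bulk_anonymity(gnodebs_per_page: Sequence[int], n_users: int) -> float:
    """Operator-level (global-bulk) attacker. With identical IMSIs the victim could be
    behind any gNodeB that had a PGPP client during the page, so S is that gNodeB
    count; following the paper, the median over all pages is used."""
    return degree_of_anonymity(median(gnodebs_per_page), n_users)


def local_bulk_anonymity(users_per_gnodeb: Sequence[int], n_users: int) -> float:
    """Single-cell (local-bulk) attacker, e.g. someone observing one gNodeB. S is the
    number of PGPP users in that cell; the paper averages over gNodeBs that have users."""
    occupied = [u for u in users_per_gnodeb if u > 0]
    if not occupied:
        raise ValueError("no gNodeB has any users")
    return degree_of_anonymity(sum(occupied) / len(occupied), n_users)


# Constructed sample data: gNodeBs covered per paging message under two configurations.
# Longer TALs pull more gNodeBs into each page, which is what raises S.
PAGES_CONVENTIONAL = [1, 1, 1, 1, 1, 1, 1]                 # unique IMSI: the victim is one identity
PAGES_TAL_8 = [1610, 1755, 1742, 1690, 1801, 1777, 1730]   # constructed; median is 1742
USERS_PER_GNODEB = [0, 210, 240, 0, 198, 224, 243, 0, 221] # constructed per-cell PGPP user counts
N_ACTIVE = 22437      # population used in Figure 5
N_SIMULATED = 50000   # population used for the local-bulk figure

if __name__ == "__main__":
    print("conventional, global view:", global_bulk_anonymity(PAGES_CONVENTIONAL, N_ACTIVE))
    print("PGPP TAL 8, global view:  ", round(global_bulk_anonymity(PAGES_TAL_8, N_ACTIVE), 3))
    print("PGPP, single-cell view:   ", round(local_bulk_anonymity(USERS_PER_GNODEB, N_SIMULATED), 3))
    print("paper's local-bulk value: ", round(degree_of_anonymity(223.09, N_SIMULATED), 2))
```

The local-bulk value depends only on how many PGPP users share a cell, which is why the text notes that it grows with the PGPP population rather than with any protocol change.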

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km², whereas TAL lengths of 8 and 16 result in median areas of 5876.96 and 9585.17 km², respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km², whereas the median area for a base map of 500 tracking areas with TAL 16 is 4891.08 km², a nearly 13-fold increase from the perspective of a local targeted attacker.
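The k-means tracking-area construction of §6.1 and the bounding-box area measure behind Figure 6, as an added Python example (not the paper's simulation code). It uses a constructed 20 × 20 grid of gNodeBs in planar kilometres in place of the AT&T site coordinates, so the printed areas are illustrative and not the paper's 378.09 or 9585.17 km² figures; the TAL is built as the paper describes, the home TA plus randomly chosen additional TAs, and the median over random UEs stands in for the CDF medians quoted above.

```python
"""Custom tracking areas via k-means, random TALs, and paging-area anonymity (Secs. 6.1, 6.2).

Added example; not code from the PGPP paper. The gNodeB layout is a constructed grid in
planar kilometres (the paper clusters real AT&T LTE site coordinates, which are not
available here), so the areas are illustrative, not the paper's km^2 results.
"""
import random
from statistics import median
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float]


def kmeans(points: Sequence[Point], k: int, iters: int = 100, seed: int = 1) -> List[int]:
    """Lloyd's k-means on 2-D coordinates; returns a cluster id per point. Each cluster
    is one custom tracking area: geographically close gNodeBs grouped together."""
    rng = random.Random(seed)
    centers = [points[i] for i in rng.sample(range(len(points)), k)]
    labels: List[int] = []
    for _ in range(iters):
        # assignment step: nearest centre by squared Euclidean distance
        new_labels = [
            min(range(k), key=lambda c: (p[0] - centers[c][0]) ** 2 + (p[1] - centers[c][1]) ** 2)
            for p in points
        ]
        if new_labels == labels:
            break  # assignments stable: converged
        labels = new_labels
        # update step: move each centre to the mean of its members (keep it if the cluster is empty)
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:
                centers[c] = (sum(m[0] for m in members) / len(members),
                              sum(m[1] for m in members) / len(members))
    return labels


def tracking_areas(points: Sequence[Point], k: int) -> Dict[int, List[int]]:
    """TA id -> indices of the gNodeBs it contains."""
    tas: Dict[int, List[int]] = {}
    for idx, ta in enumerate(kmeans(points, k)):
        tas.setdefault(ta, []).append(idx)
    return tas


def build_tal(home_ta: int, ta_ids: Sequence[int], length: int, rng: random.Random) -> List[int]:
    """TAL = the UE's home TA plus (length - 1) other TAs drawn at random from the map,
    the construction the paper describes in Sec. 5.2."""
    others = [t for t in ta_ids if t != home_ta]
    return [home_ta] + rng.sample(others, min(length - 1, len(others)))


def bounding_box_area(points: Sequence[Point]) -> float:
    """Axis-aligned bounding box around a set of gNodeBs (km^2 for km coordinates)."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (max(xs) - min(xs)) * (max(ys) - min(ys))


def page_area(points: Sequence[Point], tas: Dict[int, List[int]], tal: Sequence[int]) -> float:
    """Area in which a page for this UE is broadcast: every gNodeB of every TA in its TAL."""
    return bounding_box_area([points[i] for ta in tal for i in tas[ta]])


def median_page_area(points: Sequence[Point], tas: Dict[int, List[int]],
                     tal_length: int, trials: int = 200, seed: int = 7) -> float:
    """Median paging area over random UEs, the statistic quoted from Figure 6. Home TAs and
    extra TAs come from separate generators so different TAL lengths see the same homes."""
    home_rng, tal_rng = random.Random(seed), random.Random(seed + 1)
    ta_ids = list(tas)
    areas = [page_area(points, tas, build_tal(home_rng.choice(ta_ids), ta_ids, tal_length, tal_rng))
             for _ in range(trials)]
    return median(areas)


# Constructed layout: 20 x 20 gNodeBs on a 2 km grid (400 sites spanning 38 km x 38 km).
GNODEBS: List[Point] = [(2.0 * i, 2.0 * j) for i in range(20) for j in range(20)]

if __name__ == "__main__":
    tas = tracking_areas(GNODEBS, k=16)
    for length in (1, 4, 8, 16):
        print(f"TAL length {length:2d}: median page area {median_page_area(GNODEBS, tas, length):8.1f} km^2")
```

With a TAL length equal to the number of TAs in the map, every page covers the whole deployment, which is the upper bound on area anonymity and also the worst case for paging load; the next subsection is about that trade-off.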

Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF of control traffic (pages) per gNodeB for Conventional and TAL lengths 4, 8, 12, 16, with the max pages/s limit marked. (b) Capacity with TALs: user capacity (millions) versus TAL length 1 to 16 for the median, 95th percentile, and max-load gNodeBs.

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted in the vertical red line in the figure (525 pages × 3600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile, and the median to estimate the number of users each could theoretically support by taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF of control traffic (pages) per gNodeB for Conventional and 25, 50, 100, 200, 500, 1000 TAs, with the max pages/s limit marked. (b) Custom TAs, capacity: user capacity (millions) versus number of TAs in the underlying map (0 to 1000) for the median, 95th percentile, and max-load gNodeBs.
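The paging-load accounting and user-capacity estimate of this subsection, together with the synthetic traffic model of §6.1, as an added Python example (not the paper's simulation code). The tracking-area map, the user count, and the call arrivals are constructed; the 750 pages/s BTS3202E limit, the 70% headroom budget (525 pages/s, 1,890,000 pages/hour), the 5% call selection every 5 seconds with 3-minute calls, and the linear scaling from the simulated population to a supportable one all follow the text.

```python
"""Paging load per gNodeB and the user-capacity estimate of Sec. 6.3.

Added example; not code from the PGPP paper. The tracking-area map and the call
arrivals are constructed; the 750 pages/s BTS3202E limit and the 70% headroom
budget (525 pages/s, 1,890,000 pages/hour) are the figures the text quotes.
"""
import math
import random
from statistics import median
from typing import Dict, List, Sequence

MAX_PAGES_PER_SEC = 750   # Huawei BTS3202E limit quoted in the paper
HEADROOM = 0.70           # capacity-planning budget used in the paper
PAGE_BUDGET_PER_HOUR = round(MAX_PAGES_PER_SEC * HEADROOM * 3600)  # 1,890,000

# Constructed map: 20 TAs of 6 gNodeBs each (a real map comes from operator data or k-means).
TA_MAP: Dict[int, List[str]] = {ta: [f"gnb{ta:02d}-{i}" for i in range(6)] for ta in range(20)}


def build_tals(ta_map: Dict[int, List[str]], n_users: int, tal_length: int,
               home_rng: random.Random, extra_rng: random.Random) -> List[List[int]]:
    """One TAL per user: the home TA plus tal_length - 1 random other TAs (Sec. 5.2). Homes and
    extras use separate generators so that TAL length 1 and length n share the same homes."""
    ta_ids = list(ta_map)
    tals = []
    for _ in range(n_users):
        home = home_rng.choice(ta_ids)
        others = [t for t in ta_ids if t != home]
        tals.append([home] + extra_rng.sample(others, min(tal_length - 1, len(others))))
    return tals


def synthetic_pages(tals: Sequence[Sequence[int]], intervals: int, call_fraction: float,
                    call_intervals: int, rng: random.Random) -> List[Sequence[int]]:
    """Replay the paper's traffic model: each interval a random fraction of users is 'called';
    a user already in a call is not paged again until the call ends. Returns the TAL of
    every page that was actually sent."""
    busy_until = [0] * len(tals)
    pages: List[Sequence[int]] = []
    n_called = round(call_fraction * len(tals))
    for t in range(intervals):
        for u in rng.sample(range(len(tals)), n_called):
            if busy_until[u] <= t:
                pages.append(tals[u])
                busy_until[u] = t + call_intervals
    return pages


def paging_load(ta_map: Dict[int, List[str]], pages: Sequence[Sequence[int]]) -> Dict[str, int]:
    """Pages broadcast by each gNodeB: a page goes to every gNodeB of every TA in the TAL."""
    load = {g: 0 for gs in ta_map.values() for g in gs}
    for tal in pages:
        for ta in set(tal):
            for g in ta_map[ta]:
                load[g] += 1
    return load


def user_capacity(pages_per_hour: float, simulated_users: int,
                  budget: int = PAGE_BUDGET_PER_HOUR) -> float:
    """Users a gNodeB could serve if its paging load scales linearly with the population."""
    if pages_per_hour <= 0:
        return math.inf
    return simulated_users * budget / pages_per_hour


def capacity_summary(load: Dict[str, int], simulated_users: int) -> Dict[str, float]:
    """Capacity at the median, 95th-percentile and busiest gNodeB (the three lines of Fig. 7b)."""
    loads = sorted(load.values())
    p95 = loads[math.ceil(0.95 * len(loads)) - 1]  # nearest-rank percentile
    return {"median": user_capacity(median(loads), simulated_users),
            "p95": user_capacity(p95, simulated_users),
            "max": user_capacity(loads[-1], simulated_users)}


def run(tal_length: int, n_users: int = 1000, intervals: int = 720, seed: int = 3) -> Dict[str, float]:
    """One simulated hour (720 five-second intervals) for a given TAL length."""
    home_rng, extra_rng, traffic_rng = (random.Random(seed + i) for i in range(3))
    tals = build_tals(TA_MAP, n_users, tal_length, home_rng, extra_rng)
    pages = synthetic_pages(tals, intervals, call_fraction=0.05, call_intervals=36, rng=traffic_rng)
    return capacity_summary(paging_load(TA_MAP, pages), n_users)


if __name__ == "__main__":
    for length in (1, 4, 8, 16):
        caps = run(length)
        print(f"TAL {length:2d}: capacity at median {caps['median']:10.0f}  p95 {caps['p95']:10.0f}  max {caps['max']:10.0f}")
```

Because a longer TAL is a superset of the length-1 TAL for the same user, every gNodeB's load can only rise with TAL length, which is the monotone decrease in capacity that Figure 7b reports.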

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a basemap consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.⁴ Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI in a simple key-value store, with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFes, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFes, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

⁴ We build our prototype on a 4G LTE platform, as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.

Figure 10: Connection delays due to sync_failure (PDF of time to connection complete, 0.0 to 1.0 s).

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems, as, apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attack or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catcher and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers, and do so while considering active attacks: without requiring fundamental changes on the UE, we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the location in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks, comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. Communications Assistance for Law Enforcement Act (CALEA). 47 USC 1001-1010, Public Law 103-414, 1994.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, World Telecommunication/ICT Development Report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using Signalling System 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD: Open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en, 2019.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy attacks to the 4G and 5G cellular paging protocols using side channel information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCelliD - open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 redirection attacks with audio-based distance bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: Signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the Internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data, May 2018.

9 Glossary

AKA (Authentication and Key Agreement): The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network.

AMF (Access and Mobility Management Function): The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs.

AUSF (Authentication Server Function): The entity that holds subscription information to allow or deny access to the network.

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks.

EIR (Equipment Identity Register): A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen).

gNodeB (Next Generation NodeB): The base station in 5G.

GUTI (Globally Unique Temporary Identity): The GUTI is a temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network.

IMEI (International Mobile Equipment Identity): A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer.

IMS (IP Multimedia Subsystem): The entity that provides voice and messaging services for the network.

IMSI (International Mobile Subscriber Identity): A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network.

MNO (Mobile Network Operator): A cellular service provider.

MVNO (Mobile Virtual Network Operator): A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks.

NG-RAN (Next Generation Radio Access Network): Network that serves to connect UEs and gNodeBs.

NGC (Next Generation Core): The core network in 5G. The main logical nodes of the NGC are the User Plane Function (UPF), the Access and Mobility Management Function (AMF), the Session Management Function (SMF), and the Authentication Server Function (AUSF).

PGPP-GW (PGPP Gateway): A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity.

RNTI (Radio Network Temporary Identifier): A unique identifier for a UE in a given cell, used to connect over layer 2.

SIM (Subscriber Identity Module): An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network.

SMF (Session Management Function): The session management function supports session management and IP address allocation.

SQN (Sequence Number): A value stored at the AUSF and the SIM to maintain synchrony between the entities.

SS7 (Signaling System 7): The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards.

TA (Tracking Area): A tracking area includes one or many gNodeBs. Typically, the UE can move freely among the gNodeBs in a tracking area without notifying the AMF with a tracking area update.

TAL (Tracking Area List): A list of tracking areas stored on the device that the device can enter without triggering a tracking area update.

TAP (Transferred Account Procedure): A file detailing usage and wholesale charges due to roaming.

UE (User Equipment): The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone.

UPF (User Plane Function): The gateway that provides global IP connectivity from the NGC.


  • 1 Introduction
  • 2 Background
    • 2.1 Cellular architecture overview
    • 2.2 Privacy in the cellular architecture
  • 3 The need for privacy enhancements
  • 4 Scope
    • 4.1 Cellular privacy threat model
    • 4.2 Aims
  • 5 Design
    • 5.1 User identity privacy
    • 5.2 Location privacy
  • 6 Analysis
    • 6.1 Simulation configuration
    • 6.2 Cellular privacy attack analysis
    • 6.3 Impact of PGPP on network capacity
      • 6.3.1 Control overhead with PGPP TALs
      • 6.3.2 Control overhead with custom tracking areas
    • 6.4 Testbed analysis
  • 7 Related Work
  • 8 Concluding Remarks
  • 9 Glossary

Figure 6: Area anonymity using TALs and custom TAs. (a) TALs: CDF of page area anonymity (km^2, 0 to 20,000) for Conventional (TAL disabled) and TAL lengths 4, 8, 12, and 16. (b) Custom TAs: CDF of page area anonymity (km^2, 0 to 20,000) for Conventional (TAL disabled) and underlying maps of 25, 50, 100, 200, 500, and 1000 TAs.

we find a mean value of 223.09 users connected to each gNodeB that has users, which results in a degree of anonymity log2(223.09)/log2(50,000) = 0.50. While this value is somewhat low compared to the ideal value of 1, it is a drastic improvement over the conventional cellular architecture and is dependent on the overall user population in the network. As more PGPP users exist, the degree of anonymity increases.

Local-targeted attacks. In PGPP, local-targeted attacks to discover a user's location are diminished in two ways: first, IMSIs are no longer a useful ID, so identifying an individual among all users is challenging; and second, we use TALs to increase the paging broadcast domain for a given UE. From an attacker's point of view, this broadens the scope of where the target UE may be located.

In Figure 6a we plot the CDF of geographic areas in which pages are broadcast as we increase TAL lengths, using the base map consisting of 113 tracking areas. We calculate the area by generating a bounding box around all gNodeBs that are included in the broadcast domain. As shown, large TALs result in drastically higher area anonymity compared with TALs disabled, particularly considering the number of UEs that could potentially be located in the larger geographic areas. For instance, the median area for the conventional simulation is 378.09 km^2, whereas TAL lengths of 8 and 16 result in median areas of 5876.96 and 9585.17 km^2, respectively.

We analyze anonymity with TALs of length 16 while the underlying map is varied using custom TAs. Figure 6b shows our results. We observe that as the number of tracking areas increases, resulting in smaller tracking areas, the area anonymity decreases. However, despite the decrease, the area anonymity remains considerably larger than anonymity with TALs disabled, as TALs include additional tracking areas. For instance, the median area for the conventional case is 378.09 km^2, whereas the median area for a base map of 500 tracking areas with TAL 16 is 4891.08 km^2, a nearly 13-fold increase from the perspective of a local targeted attacker.

Figure 7: Control traffic and system capacities leveraging PGPP TALs in the simulated environment. (a) Control traffic with TALs: CDF of control traffic (pages) per gNodeB on a log scale (10^0 to 10^6) for Conventional and TAL lengths 4, 8, 12, and 16, with the maximum pages/s line marked. (b) Capacity with TALs: user capacity (millions, 0 to 25) versus TAL length (1 to 16), showing the median, 95th percentile, and max.

6.3 Impact of PGPP on network capacity

From an operational perspective, the privacy benefits delivered by PGPP must coincide with feasibility in terms of control overhead in order for it to be deployable. Control traffic determines network capacity in terms of the number of users that are serviceable in a given area. In this section, we explore control traffic load when using TALs.

6.3.1 Control overhead with PGPP TALs

We first seek to quantify control message overhead while we leverage tracking area lists to provide location anonymity against local-targeted attacks. Recall from §5.2 that we randomly select additional tracking areas from the simulated coverage area to create TALs, which increases the broadcast domain for a page. Increased control traffic impacts both gNodeBs and AMFs; however, from our experience with real cellular networks, the control traffic capacity at gNodeBs is the bottleneck, as AMFs have much higher capacity. Thus, we focus on gNodeB control load.

Figure 7a shows a cumulative distribution function (CDF) for the number of pages broadcast by the simulated gNodeBs. In the figure, "Conventional" corresponds to disabling TAL functionality. As expected, larger TAL lengths result in increased control traffic for gNodeBs, as they are more likely to be included in the paging broadcast domain for a given UE.

To gain insight into the control limitations of real gNodeBs, we consider the capabilities of a Huawei BTS3202E eNodeB [32], which is limited to 750 pages per second. When capacity planning, it is commonplace to budget paging traffic headroom; accordingly, we estimate the maximum paging capacity for a gNodeB to be 525 pages per second (70% of the BTS3202E capacity). This value is depicted by the vertical red line in the figure (525 pages × 3600 seconds = 1,890,000 pages/hour). The simulation allows us to illustrate the user population that could be supported by the network, provided a population with similar mobility and traffic profiles as defined in §6.1. Recall that we simulate 50,000 users, both pedestrians and cars. We consider the paging load for the network and select the gNodeBs with the maximum paging load, the 95th percentile, and the median to estimate the number of users each could theoretically support by taking into account the max page limitation of the BTS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF of control traffic (pages) per gNodeB on a log scale (10^0 to 10^6) for Conventional and underlying maps of 25, 50, 100, 200, 500, and 1000 TAs, with the maximum pages/s line marked. (b) Custom TAs, capacity: user capacity (millions, 0 to 25) versus the number of TAs in the underlying map (0 to 1000), showing the median, 95th percentile, and max.

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a base map consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.
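The three quantities this evaluation turns on (the bounding-box area anonymity of §6.2, the per-gNodeB paging load that a longer TAL produces in §6.3.1, and the effect of splitting the map into more, smaller tracking areas in §6.3.2) can be reproduced on a toy map. The Python below is an added example written for this page, not code from the PGPP paper or its simulator. The 6×6 grid of gNodeBs 5 km apart, its grouping into square tracking areas, the 2,000 users and the 20 pages per user per hour are constructed inputs; the 525 pages/s budget (70% of the BTS3202E's 750 pages/s) and the scaling of population from the busiest gNodeB's load are taken from the text above. A page is broadcast by every gNodeB in every TA of the UE's TAL, so lengthening the TAL grows the area a local attacker would have to search and, at the same time, the pages each gNodeB must send.

```python
"""Toy simulation of PGPP tracking area lists (TALs): area anonymity versus paging load.

Added example, not code from the PGPP paper or its simulator.  Constructed map: a grid of
gNodeBs grouped into square tracking areas.  A page for a UE is broadcast by every gNodeB
in every TA of the UE's TAL, so a longer TAL widens the bounding box a local attacker must
search but raises the control load on each gNodeB.  The 525 pages/s budget is the paper's
(70% of a 750 pages/s BTS3202E); users, pages/hour and grid geometry are made up here.
"""
import math
import random
import statistics

PAGING_BUDGET_PER_SEC = 525
PAGING_BUDGET_PER_HOUR = PAGING_BUDGET_PER_SEC * 3600   # 1,890,000 pages/hour


def degree_of_anonymity(users_sharing_identity, total_users):
    """The paper's degree of anonymity: log2(n) / log2(N), 1.0 being ideal."""
    return math.log2(users_sharing_identity) / math.log2(total_users)


def build_map(n_side=6, spacing_km=5.0, ta_side=2):
    """Constructed map: n_side x n_side gNodeBs, grouped into ta_side x ta_side TAs.

    A smaller ta_side means more (and smaller) tracking areas, the knob varied in 6.3.2.
    """
    tas = {}
    per_row = n_side // ta_side
    for i in range(n_side):
        for j in range(n_side):
            ta_id = (i // ta_side) * per_row + (j // ta_side)
            tas.setdefault(ta_id, []).append((i * spacing_km, j * spacing_km))
    return tas


def bounding_box_area(points):
    """Area (km^2) of the bounding box around gNodeB coordinates, the paper's area metric."""
    xs = [x for x, _ in points]
    ys = [y for _, y in points]
    return (max(xs) - min(xs)) * (max(ys) - min(ys))


def build_tal(home_ta, ta_ids, length, rng):
    """TAL = home TA plus (length - 1) other TAs chosen at random, as in the paper's 5.2."""
    others = [t for t in ta_ids if t != home_ta]
    return [home_ta] + rng.sample(others, min(length - 1, len(others)))


def simulate(tas, n_users, tal_length, pages_per_user_hour, seed=0):
    """Return (bounding-box area per user, pages/hour per gNodeB) for one TAL length."""
    rng = random.Random(seed)
    ta_ids = sorted(tas)
    load = {g: 0 for ta in ta_ids for g in tas[ta]}
    areas = []
    for _ in range(n_users):
        home = rng.choice(ta_ids)
        domain = [g for ta in build_tal(home, ta_ids, tal_length, rng) for g in tas[ta]]
        areas.append(bounding_box_area(domain))
        for g in domain:
            load[g] += pages_per_user_hour   # every gNodeB in the domain sends the page
    return areas, load


def user_capacity(load, n_users):
    """Users the busiest gNodeB could serve if its paging load scales with population."""
    return int(n_users * PAGING_BUDGET_PER_HOUR / max(load.values()))


def summarize(tal_length, ta_side=2, n_users=2000, pages_per_user_hour=20):
    tas = build_map(ta_side=ta_side)
    areas, load = simulate(tas, n_users, tal_length, pages_per_user_hour)
    return {
        "tal_length": tal_length,
        "tracking_areas": len(tas),
        "median_area_km2": statistics.median(areas),
        "max_gnodeb_pages_hour": max(load.values()),
        "user_capacity": user_capacity(load, n_users),
    }


if __name__ == "__main__":
    print(f"degree of anonymity, 223.09 of 50,000 users: {degree_of_anonymity(223.09, 50000):.2f}")
    for length in (1, 4, 8, 9):          # 9 TAs on the default map, so 9 = every TA
        print(summarize(length))
    print(summarize(4, ta_side=1))       # 36 one-gNodeB TAs: the "more, smaller TAs" case
```

Running it prints the 0.50 degree-of-anonymity value from §6.2, then for each TAL length the median broadcast area, the busiest gNodeB's hourly paging load and the population that load would support under the budget, and finally the same TAL length on a map of 36 single-gNodeB tracking areas, where the load per gNodeB drops even though the TAL is unchanged. Capacity is scaled linearly from a single gNodeB the way the paper scales from its maximum, 95th-percentile and median gNodeBs.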

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.^4 Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6, and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI in a simple key-value store, with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.
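The sync_failure path just described, and the PGPPIMSI context keying from the previous paragraph, can be traced with a small model of the AKA sequence-number check. The Python below is an added example, not code from the PGPP paper or from srsLTE. It follows the paper's prose literally: SIM and AUSF each hold an SQN, both increment it on a successful attach, a mismatch is a sync_failure after which the UE's value is pushed to the AUSF and the challenge is repeated, costing one extra round trip. The exact-equality check is that simplification; the 3GPP check is a freshness window rather than equality. The IMSI values, the UE names and the context key format (IMSI joined with a per-connection counter, standing in for the paper's PGPPIMSI) are constructed.

```python
"""Model of AKA sequence-number (SQN) resynchronisation when many SIMs share one IMSI.

Added example, not code from the PGPP paper or srsLTE.  It mirrors the paper's prose:
both the SIM and the AUSF keep an SQN and increment it on every successful attach; a
mismatch is a sync_failure, after which the UE resynchronises the AUSF to its own value
and the challenge is repeated (one extra round trip).
"""
from dataclasses import dataclass
import itertools

# Constructed test-network IMSI (MCC 001 / MNC 01), shared by every PGPP UE in this model.
SHARED_IMSI = "001010123456789"


@dataclass
class Sim:
    """One SIM: holds its own copy of the sequence number."""
    name: str
    sqn: int = 0


class Ausf:
    """Authentication server: one SQN per IMSI, so shared IMSIs share one counter."""

    def __init__(self):
        self.sqn_by_imsi = {}

    def challenge_sqn(self, imsi):
        return self.sqn_by_imsi.get(imsi, 0)

    def resync(self, imsi, sqn_ms):
        # The UE reports its SQN (the AUTS token in real AKA); the AUSF adopts it.
        self.sqn_by_imsi[imsi] = sqn_ms

    def record_success(self, imsi):
        self.sqn_by_imsi[imsi] = self.challenge_sqn(imsi) + 1


@dataclass
class AttachResult:
    pgpp_imsi: str
    round_trips: int
    resynced: bool


class Amf:
    """Core-side attach handler keeping one context per connection, keyed by PGPPIMSI."""

    def __init__(self, ausf):
        self.ausf = ausf
        self.contexts = {}
        self._conn_ids = itertools.count(1)

    def attach(self, sim, imsi):
        # IMSI + per-connection temporary value: unique even when every IMSI is identical.
        pgpp_imsi = f"{imsi}-{next(self._conn_ids)}"
        round_trips = 1
        resynced = False
        sqn_he = self.ausf.challenge_sqn(imsi)
        if sqn_he != sim.sqn:                  # sync_failure
            resynced = True
            self.ausf.resync(imsi, sim.sqn)
            sqn_he = self.ausf.challenge_sqn(imsi)
            round_trips += 1                   # second challenge after the resync
        if sqn_he != sim.sqn:
            raise RuntimeError("resync did not converge")
        sim.sqn += 1                           # both sides advance on success
        self.ausf.record_success(imsi)
        self.contexts[pgpp_imsi] = {"sim": sim.name, "sqn": sim.sqn}
        return AttachResult(pgpp_imsi, round_trips, resynced)


def run(n_ues, attaches_per_ue, shared_imsi=True):
    """Attach n_ues round-robin; return the list of AttachResult and the AMF."""
    amf = Amf(Ausf())
    sims = [Sim(f"ue{i}") for i in range(n_ues)]
    results = []
    for _ in range(attaches_per_ue):
        for i, sim in enumerate(sims):
            imsi = SHARED_IMSI if shared_imsi else f"00101000000{i:04d}"  # constructed
            results.append(amf.attach(sim, imsi))
    return results, amf


def count_resyncs(results):
    return sum(1 for r in results if r.resynced)


if __name__ == "__main__":
    shared, amf = run(n_ues=5, attaches_per_ue=3)
    print(f"shared IMSI: {count_resyncs(shared)} sync_failures in {len(shared)} attaches, "
          f"{len(amf.contexts)} distinct contexts")
    unique, _ = run(n_ues=5, attaches_per_ue=3, shared_imsi=False)
    print(f"unique IMSIs: {count_resyncs(unique)} sync_failures in {len(unique)} attaches")
```

With five UEs on one IMSI attaching round-robin, every attach except those of the UE that last touched the AUSF's counter costs a resync, so 12 of 15 attaches take two round trips, which is the extra delay the testbed measurement below reports for UEs after the first; with unique IMSIs the same schedule produces no sync_failure at all. The context store still holds 15 distinct entries because the key carries the per-connection value, not the IMSI alone.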

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFes, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFes, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

Figure 10: Connection delays due to sync_failure. PDF of time to connection complete (s), 0.0 to 1.0.

^4 We build our prototype on a 4G LTE platform, as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems as, apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attacks or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catcher and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers, and do so while considering active attacks, without requiring fundamental changes on the UE; we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the area in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., an IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session, 1994. Communications Assistance for Law Enforcement Act (CALEA). 47 USC 1001-1010, Public Law 103-414.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International telecommunication union, world telecommunication/ICT development report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using signalling system 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD: open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB, 2019. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCelliD - open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 Redirection Attacks with Audio-Based Distance Bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the Internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a home-made IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data, May 2018.

9 Glossary

AKA: Authentication and Key Agreement. The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network. (p. 12)

AMF: Access and Mobility Management Function. The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs. (pp. 2, 3, 9, 11, 12)

AUSF: Authentication Server Function. The entity that holds subscription information to allow or deny access to the network. (pp. 2, 3, 7, 12, 13)

Diameter: The authentication, authorization and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks. (p. 6)

EIR: Equipment Identity Register. A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen). (p. 6)

gNodeB: Next Generation NodeB. The base station in 5G. (pp. 2-4, 9-12)

GUTI: Globally Unique Temporary Identity. The GUTI is a temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network. (pp. 3, 4, 7, 13)

IMEI: International Mobile Equipment Identity. A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer. (p. 6)

IMS: IP Multimedia Subsystem. The entity that provides voice and messaging services for the network. (p. 6)

IMSI: International Mobile Subscriber Identity. A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network. (pp. 1, 3-7, 10-13)

MNO: Mobile Network Operator. A cellular service provider. (pp. 2, 8)

MVNO: Mobile Virtual Network Operator. A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks. (pp. 2, 3, 6-8)

NG-RAN: Next Generation Radio Access Network. Network that serves to connect UEs and gNodeBs. (pp. 2, 3)

NGC: Next Generation Core. The core network in 5G. Main logical nodes of the NGC are the User Plane Function (UPF), Access and Mobility Management Function (AMF), the Session Management Function (SMF) and Authentication Server Function (AUSF). (pp. 1-3, 7, 12)

PGPP-GW: PGPP Gateway. A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity. (pp. 7, 8)

RNTI: Radio Network Temporary Identifier. A unique identifier for a UE in a given cell, used to connect over layer 2. (p. 3)

SIM: Subscriber Identity Module. An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network. (pp. 2, 3, 6, 7, 12, 13)

SMF: Session Management Function. The session management function supports session management and IP address allocation. (pp. 2, 3, 6)

SQN: Sequence Number. A value stored at the AUSF and the SIM to maintain synchrony between the entities. (p. 12)

SS7: Signaling System 7. The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards. (p. 6)

TA: Tracking Area. A tracking area includes one or many gNodeBs. Typically the UE can move freely within gNodeBs in a tracking area without notifying the AMF with a tracking area update. (pp. 3, 10-12)

TAL: Tracking Area List. A list of tracking areas stored on the device that the device can enter without triggering a tracking area update. (pp. 5-7, 9-12)

TAP: Transferred Account Procedure. A file detailing usage and wholesale charges due to roaming. (p. 6)

UE: User Equipment. The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone. (pp. 2-4, 7, 9-13)

UPF: User Plane Function. The gateway that provides global IP connectivity from the NGC. (pp. 2, 3, 6, 7)


Figure 8: Control traffic and system capacities with custom tracking areas in the simulated environment. (a) Custom TAs, control traffic: CDF of control traffic (pages) per gNodeB for the conventional TA map and for custom maps of 25, 50, 100, 200, 500 and 1000 TAs, with the maximum pages/s marked. (b) Custom TAs, capacity: user capacity (millions) against the number of TAs in the underlying map, showing the median, 95th percentile and max.

percentile and the median to estimate the number of users each could theoretically support by taking into account the max page limitation of the BS3202E. Figure 7b shows the user capacity as TAL lengths are increased. A TAL length of one shows the conventional network, as the TAL is composed of a single tracking area. As expected, larger TALs result in a reduction in the number of users the gNodeBs can handle compared with performance when TALs are disabled, due to increased paging load.

6.3.2 Control overhead with custom tracking areas

As we've demonstrated, large TALs result in gNodeBs with higher control traffic load, effectively reducing the user capacity of the network. To explore whether we can regain control traffic capacity, we again consider new custom tracking area maps that are generated using k-means, where we vary the number of unique tracking areas in the simulated network.

We run the simulation with various custom tracking area maps, with all UEs using TAL lengths of 16. The results are shown in Figures 8a and 8b. We observe that a base map consisting of 25 tracking areas leads to even higher control traffic compared with the conventional (i.e., AT&T) tracking area map. A map consisting of more tracking areas results in TAs with fewer gNodeBs, thus reducing the paging load. We see that a map of 500 TAs, even with a TAL of length 16, results in similar paging load compared with the conventional map with TAL disabled. Correspondingly, the user capacity of the network with a higher number of tracking areas nears the conventional capacity from Figure 7b.

6.4 Testbed analysis

We study our PGPP design on a lab testbed in order to understand potential drawbacks. We implement a software-based NGC and connect commodity phones to the software-defined radio-based gNodeB.

Prototype. We create our prototype code on srsLTE [27], an open-source platform that implements LTE-compliant base station and core network functionality and can be run using software-defined radios.4 Our testbed, shown in Figure 9, consists of an Intel Core i7 machine running Linux and a USRP B210 radio. We use off-the-shelf commodity phones (Moto X4, Samsung Galaxy S6 and two OnePlus 5s) with programmable SIM cards installed to allow the phones to connect to the PGPP network.

Figure 9: PGPP prototype test hardware.

srsLTE maintains contexts for each connected UE related to mobility and connectivity. The contexts are stored as structs that include the UE IMSI in a simple key-value store, with the IMSI serving as the key. When the AMF receives mobility-related messages, it checks against the appropriate contexts to handle the requests. We add an additional value, a PGPPIMSI, into the context structs. The PGPPIMSI is generated by combining the IMSI with a temporary value that is unique to the individual UE-gNodeB-AMF connection. Accordingly, each UE has a unique PGPPIMSI, which then allows us to look up the correct context when managing states.

Identical IMSIs and Shared Keys. Given identical IMSI values for all users, the PGPP attach procedure can result in additional steps compared with the traditional attach. This is caused by sequence number synchronization checks during the authentication and key agreement (AKA) procedure, which is designed to allow the UE and the network to authenticate each other. The fundamental issue is that the AUSF and the SIM maintain a sequence number (SQN) value that both entities increment with each successful attach. As multiple devices use the same IMSIs, the sequence numbers held at the AUSF and on individual devices will no longer match, causing an authentication failure (known as a sync_failure). At that point, the UE re-synchronizes with the AUSF.

We explore the delay introduced by sync_failures using our testbed. Figure 10 shows a PDF of the delays to connection completion for UEs that hold identical IMSIs and attempt to authenticate simultaneously. In order to trigger many simultaneous authentication requests, we use openairinterface5G [51] to create 100 simulated UEs. We observe in Figure 10

4 We build our prototype on a 4G LTE platform, as we are not aware of any platforms that fully implement 5G and are sufficiently mature for experimentation with real hardware.
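To make the trade-off in this subsection concrete, the following added example (not the paper's simulator) clusters constructed gNodeB positions into k tracking areas with a small k-means, gives every UE a TAL of the L nearest tracking areas, and counts the pages each gNodeB must transmit when every page for a UE is broadcast across its whole TAL. Positions, UE count and page rate are constructed sample data; TAL length 1 models the conventional network with TALs disabled.

```python
"""Paging-load model for custom tracking-area maps with TALs (added example)."""
import random
import statistics
from collections import Counter


def kmeans(points, k, iters=20, seed=0):
    """Assign each point to one of k clusters with plain Lloyd's algorithm."""
    rng = random.Random(seed)
    centroids = rng.sample(points, k)
    labels = [0] * len(points)
    for _ in range(iters):
        for i, (x, y) in enumerate(points):
            labels[i] = min(range(k), key=lambda c: (x - centroids[c][0]) ** 2
                            + (y - centroids[c][1]) ** 2)
        for c in range(k):
            members = [points[i] for i in range(len(points)) if labels[i] == c]
            if members:  # an empty cluster keeps its old centroid
                centroids[c] = (sum(p[0] for p in members) / len(members),
                                sum(p[1] for p in members) / len(members))
    return labels, centroids


def tracking_area_list(ue_pos, centroids, tal_len):
    """The TAL of a UE: the tal_len tracking areas whose centroids are nearest."""
    order = sorted(range(len(centroids)),
                   key=lambda c: (ue_pos[0] - centroids[c][0]) ** 2
                   + (ue_pos[1] - centroids[c][1]) ** 2)
    return order[:tal_len]


def paging_load(gnb_positions, ue_positions, pages_per_ue, k, tal_len, seed=0):
    """Pages each gNodeB transmits with k custom TAs and TALs of length tal_len.

    A page for a UE is sent by every gNodeB in every TA of that UE's TAL,
    so larger TALs and larger TAs both raise the per-gNodeB paging load.
    """
    labels, centroids = kmeans(gnb_positions, k, seed=seed)
    gnbs_in_ta = {}
    for gnb, ta in enumerate(labels):
        gnbs_in_ta.setdefault(ta, []).append(gnb)
    load = Counter({gnb: 0 for gnb in range(len(gnb_positions))})
    for ue in ue_positions:
        for ta in tracking_area_list(ue, centroids, tal_len):
            for gnb in gnbs_in_ta.get(ta, []):
                load[gnb] += pages_per_ue
    return load


def summarize(load):
    """Mean and maximum per-gNodeB paging load."""
    vals = sorted(load.values())
    return {"mean": statistics.mean(vals), "max": vals[-1]}


def build_scenario(n_gnb=200, n_ue=2000, seed=1):
    """Constructed sample data: uniformly scattered gNodeBs and UEs in a unit square."""
    rng = random.Random(seed)
    gnbs = [(rng.random(), rng.random()) for _ in range(n_gnb)]
    ues = [(rng.random(), rng.random()) for _ in range(n_ue)]
    return gnbs, ues


if __name__ == "__main__":
    gnbs, ues = build_scenario()
    for k in (5, 25, 100):
        for tal_len in (1, 16):
            s = summarize(paging_load(gnbs, ues, 1, k, min(tal_len, k)))
            print(f"{k:4d} TAs, TAL length {min(tal_len, k):2d}: "
                  f"mean {s['mean']:.0f}, max {s['max']} pages per gNodeB")
```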


Figure 10: Connection delays due to sync_failure. PDF of time to connection complete (s), from 0.0 to 1.0 s, for UEs holding identical IMSIs that authenticate simultaneously.

that the first successful UE usually takes roughly 200 ms to connect, while subsequent UEs that experienced sync_failures experience additional delays. In our relatively small experiment, the UEs all successfully connect to the network within 1.1 seconds. In a large-scale production network, the number of UEs that simultaneously attempt to connect would be larger. PGPP-based networks can mitigate the issue by using more AUSFes, which would reduce the number of UEs that each AUSF is responsible for. Fortunately, the push for 5G will lend itself to many AUSFes, as the core network entities are being redesigned to be virtualized and located nearer to UEs.

7 Related Work

Prior work on anonymous communications often traded off latency and anonymity [16, 17, 46, 68]. Likewise, Tor [23] and Mixnets [13] also result in increased latency while improving anonymity. However, such solutions are inappropriate for cellular systems as, apart from SMS, cellular use cases require low latency. Additionally, the architecture continues to utilize identifiers (e.g., IMSI) that can expose the user to IMSI catcher attack or allow for location tracking by the operator.

There has been extensive prior work on finding security and privacy issues in cellular networks [33, 42, 47, 60, 63]. We decouple the IMSI from the subscriber by setting it to a single value for all users of the network. Altering the IMSI to specifically thwart IMSI catcher and similar passive attacks has been previously proposed [4, 40, 65, 67]. These techniques use pseudo-IMSIs (PMSIs), which are kept synchronized between the SIM and the AUSF, or hypothetical virtual SIMs, allowing for user identification. We aim to go beyond thwarting IMSI catchers, and do so while considering active attacks, without requiring fundamental changes on the UE: we protect users from the operator itself.

Hussain et al. introduce the TORPEDO attack [34], which allows attackers to identify the page frame index and, using that, the presence or absence of a victim in a paging broadcast area (i.e., a tracking area). However, our use of tracking area lists to provide additional paging anonymity (§5.2) increases the location in which a victim could potentially be, reducing the effectiveness of third-party paging-related localization attacks. The authors also define the PIERCER attack, which enables the attacker to reveal a victim's IMSI with only their phone number. PGPP nullifies this attack by making all IMSIs identical. Cellular signaling protocols have been demonstrated by multiple works to leave users' privacy vulnerable to attack [24, 30, 49, 53, 62]. Our initial design avoids signaling protocol vulnerabilities by providing data-only rather than voice/SMS, and roaming to other networks can be enabled by requiring home-routing rather than local breakout. Hussain et al. identify a 5G vulnerability that allows an attacker to neutralize GUTI refreshment in [35]. However, this requires a MiTM attack (e.g., IMSI catcher), which necessarily means the attacker knows the victim's location. Additionally, the GUTI is a temporary identifier and is not associated with a specific user.

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks, comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.
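The sync_failure mechanism described above, as an added toy model that is not the paper's srsLTE prototype: one AUSF-side SQN per IMSI, one SQN per SIM, both advanced on every successful attach, with many UEs sharing a single IMSI. Assumptions: the SIM accepts a challenge only when the network SQN is exactly its own SQN + 1 (real AKA accepts a window, but the divergence is the same), UEs are spread round-robin across AUSFs, the shared IMSI is a constructed value, and the per-connection temporary value folded into the PGPPIMSI-style context key is a plain counter.

```python
"""Shared-IMSI AKA sequence-number divergence and per-connection context keys."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Sim:
    imsi: str
    sqn: int = 0  # advanced on every successful attach


@dataclass
class Ausf:
    sqn: dict = field(default_factory=dict)  # one stored SQN per IMSI

    def challenge(self, imsi):
        """Advance the SQN held for this IMSI and send it in the challenge."""
        self.sqn[imsi] = self.sqn.get(imsi, 0) + 1
        return self.sqn[imsi]

    def resync(self, imsi, sim_sqn):
        """Handle the SIM's re-synchronization (AUTS) by adopting its SQN."""
        self.sqn[imsi] = sim_sqn


def attach(sim, ausf):
    """Run the (simplified) AKA for one SIM; return sync_failures before success."""
    failures = 0
    while True:
        net_sqn = ausf.challenge(sim.imsi)
        if net_sqn == sim.sqn + 1:  # simplified freshness check (assumption)
            sim.sqn = net_sqn
            return failures
        failures += 1  # sync_failure: SIM reports its own SQN, AUSF re-syncs
        ausf.resync(sim.imsi, sim.sqn)


def pgpp_context_key(imsi, connection_id):
    """PGPPIMSI-style key: the (shared) IMSI combined with a per-connection value."""
    return f"{imsi}:{connection_id:08x}"


def simultaneous_attach(n_ues, n_ausf, shared=True, shared_imsi="001010123456789"):
    """n_ues attach at once, spread round-robin over n_ausf AUSFs.

    With shared=True every SIM carries the same constructed IMSI; with
    shared=False each SIM has its own, which is the conventional baseline.
    Returns sync_failures handled per AUSF (serial work that delays the
    attaches queued on that AUSF) and the number of distinct AMF contexts.
    """
    ausfs = [Ausf() for _ in range(n_ausf)]
    sims = [Sim(shared_imsi if shared else f"00101{i:010d}") for i in range(n_ues)]
    connection_ids = count(1)
    contexts = {}
    failures_per_ausf = [0] * n_ausf
    for i, sim in enumerate(sims):
        failures_per_ausf[i % n_ausf] += attach(sim, ausfs[i % n_ausf])
        contexts[pgpp_context_key(sim.imsi, next(connection_ids))] = sim
    return {"failures_per_ausf": failures_per_ausf, "contexts": len(contexts)}


if __name__ == "__main__":
    for n_ausf in (1, 4):
        r = simultaneous_attach(100, n_ausf)
        print(f"{n_ausf} AUSF(s): sync_failures per AUSF {r['failures_per_ausf']}, "
              f"{r['contexts']} contexts")
    print("unique IMSIs:", simultaneous_attach(100, 1, shared=False))
```

Every UE after the first on a given AUSF fails once and re-synchronizes, so the longest per-AUSF queue, and with it the tail of the connection delay, shrinks as UEs are spread over more AUSFs.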

References

[1] 103rd Congress, 2nd Session, 1994. Communications Assistance for Law Enforcement Act (CALEA). 47 USC 1001-1010, Public Law 103-414.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, world telecommunication/ICT development report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 '15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257-265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84-90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM '12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP '15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I Gave a Bounty Hunter $300. Then He Located Our Phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2, 2019. https://www.cryptopp.com.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET '02, pages 54-68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using signalling system 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480-491. Springer, 1993.

[26] Open Networking Foundation. M-CORD open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH '16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB, 2019. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS '19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178-195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 Billion Data Business That Telcos Don't Want to Talk About. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec '17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCelliD - open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI '18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP '19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571-586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325-335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235-246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33-38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 Redirection Attacks with Audio-Based Distance Bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR '16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM '17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS '18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: Signaling interworking vulnerabilities. IEEE Network, 20(6):32-41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the internet. IEEE Transactions on Mobile Computing, 18(6):1407-1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service Meant to Monitor Inmates' Calls Could Track You, Too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS '15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP '15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data, May 2018.

9 Glossary

AKAAuthentication and Key Agreement The process by whichthe UE and the AUSF exchange information by which theycan each verify a secret key held by the other and calculatekeys to be used for ciphering and integrity protection of datatransmitted between the UE and the network 12

16

AMFAccess and Mobility Management Function The control entitythat manages signaling between the UE and the core networkAMF supports functions related to bearer and connection man-agement and manages mobility between gNodeBs 2 3 9 1112

AUSFAuthentication Server Function The entity that holds subscrip-tion information to allow or deny access to the network 2 37 12 13

DiameterThe authentication authorization and accounting protocol usedby 4G5G cellular networks Diameter is used to enable roam-ing between modern cellular networks 6

EIREquipment Identity Register A database that stores IMEIs ofdevices in cellular systems IMEIs can be white-listed grey-listed or black-listed The EIR allows a devicersquos identity to bechecked for blacklisting (eg whether is has been reportedstolen) 6

gNodeBNext Generation NodeB The base station in 5G 2ndash4 9ndash12

GUTIGlobally Unique Temporary Identity The GUTI is a temporaryidentifier that can be used in lieu of an IMSI to identify asubscriber to the core network 3 4 7 13

IMEIInternational Mobile Equipment Identity A globally uniquepermanent device identifier which is allocated to each individ-ual mobile device It is set by the manufacturer 6

IMSIP Multimedia Subsystem The entity that provides voice andmessaging services for the network 6

IMSIInternational Mobile Subscriber Identity A globally uniqueidentifier associated with each mobile phone subscriber It isstored in the SIM inside the phone and is sent by the phone tothe network 1 3ndash7 10ndash13

MNOMobile Network Operator A cellular service provider 2 8

MVNOMobile Virtual Network Operator A cellular operator that doesnot necessarily own its own spectrum or all of the networkequipment it operates upon MVNOs run on top of MNO net-works 2 3 6ndash8

NG-RANNext Generation Radio Access Network Network that servesto connect UEs and gNodeBs 2 3

NGCNext Generation Core The core network in 5G Main logicalnodes of the NGC are the User Plane Function (UPF) Accessand Mobility Management Function (AMF) the Session Man-agement Function (SMF) and Authentication Server Function(AUSF) 1ndash3 7 12

PGPP-GWPGPP Gateway A proposed gateway for PGPP that sits be-tween the UPF and the global Internet The PGPP-GW allowsfor billing without requiring the userrsquos identity 7 8

RNTIRadio Network Temporary Identifier A unique identifier for aUE in a given cell used to connect over layer 2 3

SIMSubscriber Identity Module An entity that holds the IMSIwhich uniquely identifies a subscriber SIMs are used to au-thenticate a user to the network 2 3 6 7 12 13

SMFSession Management Function The session managment func-tion supports session management and IP address allocation 23 6

SQNSequence Number A value stored at the AUSF and the SIM tomaintain synchrony between the entities 12

SS7Signaling System 7 The protocol standard used by entitieson public switched telephone networks communicate withone another SS7 is used to setup and tear down voice callsdeliver SMS etc SS7 has been largely replaced by Diameterin modern cellular standards 6

TATracking Area A tracking includes one or many gNodeBsTypically the UE can move freely within gNodeBs in a track-ing area without notifying the AMF with a tracking area update3 10ndash12

TALTracking Area List A list of tracking areas stored on the devicethat the device can enter without triggering a tracking areaupdate 5ndash7 9ndash12

TAPTransferred Account Procedure A file detailing usage andwholesale charges due to roaming 6

UEUser Equipment The mobile device which allows a user to ac-cess network services connecting to the UTRAN or E-UTRANvia the radio interface Commonly understood to be a mobilephone 2ndash4 7 9ndash13

UPFUser Plane Function The gateway that provides global IPconnectivity from the NGC 2 3 6 7

17

  • 1 Introduction
  • 2 Background
    • 21 Cellular architecture overview
    • 22 Privacy in the cellular architecture
      • 3 The need for privacy enhancements
      • 4 Scope
        • 41 Cellular privacy threat model
        • 42 Aims
          • 5 Design
            • 51 User identity privacy
            • 52 Location privacy
              • 6 Analysis
                • 61 Simulation configuration
                • 62 Cellular privacy attack analysis
                • 63 Impact of PGPP on network capacity
                  • 631 Control overhead with PGPP TALs
                  • 632 Control overhead with custom tracking areas
                    • 64 Testbed analysis
                      • 7 Related Work
                      • 8 Concluding Remarks
                      • 9 Glossary
Page 13: arXiv:2009.09035v2 [cs.NI] 22 Sep 2020pschmitt/docs/pgpp.pdfwith real phones to provide ordinary yet privacy-preserving connectivity. We explore inherent privacy and efficiency trade-offs

00 02 04 06 08 10

Time to Connection Complete (s)

0

2

4P

DF

Figure 10 Connection delays due to sync_failure

that the first successful UE usually takes roughly 200 ms toconnect while subsequent UEs that experienced sync_failuresexperience additional delays In our relatively small experi-ment the UEs all successfully connect to the network within11 seconds In a large-scale production network the numberof UEs that simultaneously attempt to connect would be largerPGPP-based networks can mitigate the issue by using moreAUSFes which would reduce the number of UEs that eachAUSF is responsible for Fortunately the push for 5G willlend itself to many AUSFes as the core network entities arebeing redesigned to be virtualized and located nearer to UEs

7 Related WorkPrior work on anonymous communications often traded off

latency and anonymity [16174668] Likewise Tor [23] andMixnets [13] also result in increased latency while improvinganonymity However such solutions are inappropriate for cel-lular systems as apart from SMS cellular use cases requirelow latency Additionally the architecture continues to uti-lize identifiers (eg IMSI) that can expose the user to IMSIcatcher attack or allow for location tracking by the operator

There has been extensive prior work on finding securityand privacy issues in cellular networks [33 42 47 60 63]We decouple the IMSI from the subscriber by setting it to asingle value for all users of the network Altering the IMSI tospecifically thwart IMSI catcher and similar passive attackshas been previously proposed [4406567] These techniquesuse pseudo-IMSIs (PMSIs) which are kept synchronized be-tween the SIM and the AUSF or hypothetical virtual SIMsallowing for user identification We aim to go beyond thwart-ing IMSI catchers and do so while considering active attackswithout requiring fundamental changes on the UE we protectusers from the operator itself

Hussain et al introduce the TORPEDO attack [34] whichallows attackers to identify the page frame index and usingthat the presence or absence of a victim in a paging broad-cast area (ie a tracking area) However our use of track-ing area lists to provide additional paging anonymity (sect52)increases the location in which a victim could potentiallybe reducing the effectiveness of third-party paging-relatedlocalization attacks The authors also define the PIERCERattack which enables the attacker to reveal a victimrsquos IMSI

with only their phone number PGPP nullifies this attack bymaking all IMSIs identical Cellular signaling protocols havebeen demonstrated by multiple works to leave usersrsquo privacyvulnerable to attack [24 30 49 53 62] Our initial designavoids signaling protocol vulnerabilities by providing data-only rather than voiceSMS and roaming to other networkscan be enabled by requiring home-routing rather than localbreakout Hussain et al identifies a 5G vulnerability thatallows an attacker to neutralize GUTI refreshment in [35]However this requires a MiTM attack (eg IMSI catcher)which necessarily means the attacker knows the victimrsquos loca-tion Additionally the GUTI is a temporary identifier and isnot associated with a specific user

Choudhury and Køien alter IMSI values; however, both require substantial changes to network entities [15, 41]. We argue that a privacy-preserving architecture must be fully compatible with existing infrastructure, as the global telecom infrastructure is truly a network of networks, comprised of multiple operators that connect via well-known APIs.

8 Concluding Remarks

User privacy is a hotly contested topic today, especially as law enforcement organizations, particularly in authoritarian states, insist upon increasingly ubiquitous surveillance. In addition, law enforcement has long demanded backdoor access to private user devices and user data [61].

We do not believe that users of PGPP in its current form would be capable of withstanding targeted legal or extra-legal attacks by nation-state organizations (e.g., the FBI or NSA), though PGPP would likely limit the ability of such organizations to continue to operate a regime of mass surveillance of user mobility. In addition, a more common and problematic form of privacy loss today is due to the surreptitious sale of user data by network providers; this is a matter PGPP addresses in a manner that aligns with user autonomy. Our aim is to improve privacy in line with prior societal norms and user expectations, and to present an approach in which privacy-enhanced service can be seamlessly deployed.

References

[1] 103rd Congress, 2nd Session. Communications Assistance for Law Enforcement Act (CALEA), 47 U.S.C. 1001-1010, Public Law 103-414, 1994.

[2] 3GPP. General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access. Technical Specification (TS) 23.401, 3rd Generation Partnership Project (3GPP), 01 2015.

[3] S. Aragon, F. Kuhlmann, and T. Villa. SDR-based network impersonation attack in GSM-compatible networks. In 2015 IEEE 81st Vehicular Technology Conference (VTC Spring), 2015.

[4] Myrto Arapinis, Loretta Mancini, Eike Ritter, Mark Ryan, Nico Golde, Kevin Redon, and Ravishankar Borgaonkar. New privacy issues in mobile telephony: Fix and verification. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS ’12, Raleigh, North Carolina, USA, 2012.

[5] World Bank. International Telecommunication Union, world telecommunication/ICT development report and database. https://data.worldbank.org/indicator/IT.CEL.SETS, 2019.

[6] Mihir Bellare, Chanathip Namprempre, David Pointcheval, and Michael Semanko. The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. Journal of Cryptology, 16(3), 2003.

[7] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In CRYPTO, 1993.

[8] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[9] Carpenter v. United States. Number 16-402, Jun 2018.

[10] Tiago Cerqueira and Michele Albano. RoutesMobilityModel: Easy realistic mobility simulation using external information services. In Proceedings of the 2015 Workshop on ns-3, WNS3 ’15, 2015.

[11] David Chaum. Blind signatures for untraceable payments. In CRYPTO, 1983.

[12] David Chaum and Eugène Van Heyst. Group signatures. In Workshop on the Theory and Application of Cryptographic Techniques, pages 257–265. Springer, 1991.

[13] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1981.

[14] Benny Chor, Amos Fiat, and Moni Naor. Tracing traitors. In CRYPTO, 1994.

[15] Hiten Choudhury, Basav Roychoudhury, and Dilip Kr. Saikia. Enhancing user identity privacy in LTE. In Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM ’12, Washington, DC, USA, 2012.

[16] Henry Corrigan-Gibbs, Dan Boneh, and David Mazières. Riposte: An anonymous messaging system handling millions of users. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP ’15, 2015.

[17] Henry Corrigan-Gibbs and Bryan Ford. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS, 2010.

[18] Joseph Cox. I gave a bounty hunter $300. Then he located our phone. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile, January 2019.

[19] Joseph Cox. Stalkers and debt collectors impersonate cops to trick big telecom into giving them cell phone location data. https://www.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data, March 2019.

[20] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO, 1994.

[21] Crypto++ 8.2. https://www.cryptopp.com, 2019.

[22] Claudia Díaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, PET ’02, pages 54–68, Berlin, Heidelberg, 2002. Springer-Verlag.

[23] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of USENIX Security, 2004.

[24] Tobias Engel. Locating mobile phones using Signalling System 7. In 25th Chaos Communication Congress, 2008.

[25] Amos Fiat and Moni Naor. Broadcast encryption. In Annual International Cryptology Conference, pages 480–491. Springer, 1993.

[26] Open Networking Foundation. M-CORD: Open source reference solution for 5G mobile wireless networks. https://www.opennetworking.org/m-cord, 2019.

[27] Ismael Gomez-Miguelez, Andres Garcia-Saavedra, Paul D. Sutton, Pablo Serrano, Cristina Cano, and Doug J. Leith. srsLTE: An open-source platform for LTE evolution and experimentation. In WiNTECH ’16, New York City, New York, 2016.

[28] Google. Get started | Directions API | Google Developers. https://developers.google.com/maps/documentation/directions/start, 2019.

[29] Google. Overview | Places API | Google Developers. https://developers.google.com/places/web-service/intro, 2019.

[30] S. Holtmans, B. Kotte, and S. Rao. Detach me not: DoS attacks against 4G cellular users from your desk. In Blackhat Europe 2016, 2016.

[31] Byeongdo Hong, Sangwook Bae, and Yongdae Kim. GUTI reallocation demystified: Cellular location tracking with changing temporary identifier. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[32] Huawei. BTS3202E eNodeB. https://support.huawei.com/hdx/hdx.do?docid=SE0000758199&lang=en, 2019.

[33] Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2018.

[34] Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li, and Elisa Bertino. Privacy attacks to the 4G and 5G cellular paging protocols using side channel information. In Network and Distributed System Security Symposium, NDSS, San Diego, California, USA, Feb 2019.

[35] Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS ’19, London, United Kingdom, 2019.

[36] Markus Jakobsson and David Pointcheval. Mutual authentication for low-power mobile devices. In International Conference on Financial Cryptography, pages 178–195. Springer, 2001.

[37] F. Joachim and B. Rainer. Method for identifying a mobile phone user or for eavesdropping on outgoing calls. EPO Patent EP1051053, 2003.

[38] George Kappos, Haaroon Yousaf, Mary Maller, and Sarah Meiklejohn. An empirical analysis of anonymity in Zcash. arXiv preprint arXiv:1805.03180, 2018.

[39] Kate Kaye. The $24 billion data business that telcos don’t want to talk about. https://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058?mod=article_inline, October 2015.

[40] Mohammed Shafiul Alam Khan and Chris J. Mitchell. Trashing IMSI catchers in mobile networks. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec ’17, Boston, Massachusetts, 2017.

[41] G. M. Køien. Privacy enhanced mutual authentication in LTE. In 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, France, Oct 2013.

[42] Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim. Location leaks on the GSM air interface. ISOC NDSS (Feb 2012), 2012.

[43] Unwired Labs. OpenCelliD - open database of cell towers & geolocation. https://www.opencellid.org, 2019.

[44] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Karaoke: Distributed private messaging immune to passive traffic analysis. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI ’18, Carlsbad, CA, USA, 2018.

[45] David Lazar, Yossi Gilad, and Nickolai Zeldovich. Yodel: Strong metadata security for voice calls. In Proceedings of the 27th ACM Symposium on Operating Systems Principles, SOSP ’19, Huntsville, Ontario, Canada, 2019.

[46] David Lazar and Nickolai Zeldovich. Alpenhorn: Bootstrapping secure communication without leaking metadata. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16), pages 571–586, Savannah, GA, 2016. USENIX Association.

[47] P. P. C. Lee, T. Bu, and T. Woo. On the detection of signaling DoS attacks on 3G wireless networks. In IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, May 2007.

[48] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups. In Australasian Conference on Information Security and Privacy, pages 325–335. Springer, 2004.

[49] G. Lorenz, T. Moore, G. Manes, J. Hale, and S. Shenoi. Securing SS7 telecommunications networks. In Workshop on Information Assurance and Security, volume 2, page 1115, 2001.

[50] Stig F. Mjølsnes and Ruxandra F. Olimid. Easy 4G/LTE IMSI catchers for non-programmers. In International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, pages 235–246. Springer, 2017.

[51] Navid Nikaein, Mahesh K. Marina, Saravana Manickam, Alex Dawson, Raymond Knopp, and Christian Bonnet. OpenAirInterface: A flexible platform for 5G research. ACM SIGCOMM Computer Communication Review, 44(5):33–38, 2014.

[52] Kristin Paget. Practical cellphone spying. Def Con 18, 2010.

[53] C. Peeters, H. Abdullah, N. Scaife, J. Bowers, P. Traynor, B. Reaves, and K. Butler. Sonar: Detecting SS7 redirection attacks with audio-based distance bounding. In 2018 IEEE Symposium on Security and Privacy (SP), May 2018.

[54] Zafar Ayyub Qazi, Phani Krishna Penumarthi, Vyas Sekar, Vijay Gopalakrishnan, Kaustubh Joshi, and Samir R. Das. KLEIN: A minimally disruptive design for an elastic cellular core. In Proceedings of the Symposium on SDN Research, SOSR ’16, Santa Clara, CA, USA, 2016.

[55] Zafar Ayyub Qazi, Melvin Walls, Aurojit Panda, Vyas Sekar, Sylvia Ratnasamy, and Scott Shenker. A high performance packet core for next generation cellular networks. In SIGCOMM ’17, Los Angeles, CA, USA, Aug 2017.

[56] S. M. Razavi and D. Yuan. Reducing signaling overhead by overlapping tracking area list in LTE. In 2014 7th IFIP Wireless and Mobile Networking Conference (WMNC), Vilamoura, Algarve, Portugal, May 2014.

[57] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Dynamic tracking area list configuration and performance evaluation in LTE. In 2010 IEEE Globecom Workshops, Miami, FL, Dec 2010.

[58] S. M. Razavi, D. Yuan, F. Gunnarsson, and J. Moe. Exploiting tracking area list for improving signaling overhead in LTE. In IEEE Vehicular Technology Conference, VTC 2010, Taipei, Taiwan, May 2010.

[59] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2001.

[60] D. Rupprecht, K. Kohls, T. Holz, and C. Pöpper. Breaking LTE on layer two. In 2019 IEEE Symposium on Security and Privacy (SP), May 2019.

[61] Stefan Savage. Lawful device access without mass surveillance risk: A technical design discussion. In ACM SIGSAC Conference on Computer and Communications Security, CCS ’18, Toronto, Canada, Oct 2018.

[62] Hemant Sengar, Ram Dantu, Duminda Wijesekera, and Sushil Jajodia. SS7 over IP: Signaling interworking vulnerabilities. IEEE Network, 20(6):32–41, 2006.

[63] Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. Practical attacks against privacy and availability in 4G/LTE mobile communication systems. CoRR, abs/1510.07563, 2015.

[64] K. Sung, J. Biswas, E. Learned-Miller, B. N. Levine, and M. Liberatore. Server-side traffic analysis reveals mobile location information over the Internet. IEEE Transactions on Mobile Computing, 18(6):1407–1418, June 2019.

[65] Keen Sung, Brian Neil Levine, and Marc Liberatore. Location privacy without carrier cooperation. In IEEE Workshop on Mobile Security Technologies, MOST, page 148, 2014.

[66] Jennifer Valentino-DeVries. Service meant to monitor inmates’ calls could track you, too. https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html, May 2018.

[67] Fabian van den Broek, Roel Verdult, and Joeri de Ruiter. Defeating IMSI catchers. In ACM SIGSAC Conference on Computer and Communications Security, CCS ’15, Denver, Colorado, USA, Oct 2015.

[68] Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich. Vuvuzela: Scalable private messaging resistant to traffic analysis. In Proceedings of the 25th Symposium on Operating Systems Principles, SOSP ’15, Monterey, California, 2015.

[69] Kenneth van Rijsbergen. The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF. University of Amsterdam, 2016.

[70] Zack Whittaker. US cell carriers are selling access to your real-time phone location data. https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data, May 2018.

9 Glossary

AKA: Authentication and Key Agreement. The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network. (p. 12)

AMF: Access and Mobility Management Function. The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs. (pp. 2, 3, 9, 11, 12)

AUSF: Authentication Server Function. The entity that holds subscription information to allow or deny access to the network. (pp. 2, 3, 7, 12, 13)

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks. (p. 6)

EIR: Equipment Identity Register. A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device’s identity to be checked for blacklisting (e.g., whether it has been reported stolen). (p. 6)

gNodeB: Next Generation NodeB. The base station in 5G. (pp. 2–4, 9–12)

GUTI: Globally Unique Temporary Identity. The GUTI is a temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network. (pp. 3, 4, 7, 13)

IMEI: International Mobile Equipment Identity. A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer. (p. 6)

IMS: IP Multimedia Subsystem. The entity that provides voice and messaging services for the network. (p. 6)

IMSI: International Mobile Subscriber Identity. A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network. (pp. 1, 3–7, 10–13)

MNO: Mobile Network Operator. A cellular service provider. (pp. 2, 8)

MVNO: Mobile Virtual Network Operator. A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks. (pp. 2, 3, 6–8)

NG-RAN: Next Generation Radio Access Network. Network that serves to connect UEs and gNodeBs. (pp. 2, 3)

NGC: Next Generation Core. The core network in 5G. Main logical nodes of the NGC are the User Plane Function (UPF), Access and Mobility Management Function (AMF), the Session Management Function (SMF), and Authentication Server Function (AUSF). (pp. 1–3, 7, 12)

PGPP-GW: PGPP Gateway. A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user’s identity. (pp. 7, 8)

RNTI: Radio Network Temporary Identifier. A unique identifier for a UE in a given cell, used to connect over layer 2. (p. 3)

SIM: Subscriber Identity Module. An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network. (pp. 2, 3, 6, 7, 12, 13)

SMF: Session Management Function. The session management function supports session management and IP address allocation. (pp. 2, 3, 6)

SQN: Sequence Number. A value stored at the AUSF and the SIM to maintain synchrony between the entities. (p. 12)

SS7: Signaling System 7. The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards. (p. 6)

TA: Tracking Area. A tracking area includes one or more gNodeBs. Typically the UE can move freely between gNodeBs in a tracking area without notifying the AMF with a tracking area update. (pp. 3, 10–12)

TAL: Tracking Area List. A list of tracking areas stored on the device that the device can enter without triggering a tracking area update. (pp. 5–7, 9–12)

TAP: Transferred Account Procedure. A file detailing usage and wholesale charges due to roaming. (p. 6)

UE: User Equipment. The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone. (pp. 2–4, 7, 9–13)

UPF: User Plane Function. The gateway that provides global IP connectivity from the NGC. (pp. 2, 3, 6, 7)

17

  • 1 Introduction
  • 2 Background
    • 21 Cellular architecture overview
    • 22 Privacy in the cellular architecture
      • 3 The need for privacy enhancements
      • 4 Scope
        • 41 Cellular privacy threat model
        • 42 Aims
          • 5 Design
            • 51 User identity privacy
            • 52 Location privacy
              • 6 Analysis
                • 61 Simulation configuration
                • 62 Cellular privacy attack analysis
                • 63 Impact of PGPP on network capacity
                  • 631 Control overhead with PGPP TALs
                  • 632 Control overhead with custom tracking areas
                    • 64 Testbed analysis
                      • 7 Related Work
                      • 8 Concluding Remarks
                      • 9 Glossary
Page 14: arXiv:2009.09035v2 [cs.NI] 22 Sep 2020pschmitt/docs/pgpp.pdfwith real phones to provide ordinary yet privacy-preserving connectivity. We explore inherent privacy and efficiency trade-offs

[4] Myrto Arapinis Loretta Mancini Eike Ritter MarkRyan Nico Golde Kevin Redon and Ravishankar Bor-gaonkar New privacy issues in mobile telephony Fixand verification In Proceedings of the 2012 ACM Con-ference on Computer and Communications SecurityCCS rsquo12 Raleigh North Carolina USA 2012

[5] World Bank International telecommunicationunion world telecommunicationict development re-port and database httpsdataworldbankorgindicatorITCELSETS 2019

[6] Mihir Bellare Chanathip Namprempre DavidPointcheval and Michael Semanko The one-more-rsa-inversion problems and the security of chaumrsquos blindsignature scheme Journal of Cryptology 16(3) 2003

[7] Mihir Bellare and Phillip Rogaway Entity authentica-tion and key distribution In CRYPTO 1993

[8] Dan Boneh Xavier Boyen and Hovav Shacham Shortgroup signatures In CRYPTO 2004

[9] Carpenter v United States Number 16-402 Jun 2018

[10] Tiago Cerqueira and Michele Albano Routesmobility-model Easy realistic mobility simulation using externalinformation services In Proceedings of the 2015 Work-shop on Ns-3 WNS3 rsquo15 2015

[11] David Chaum Blind signatures for untraceable pay-ments In CRYPTO 1983

[12] David Chaum and Eugegravene Van Heyst Group signa-tures In Workshop on the Theory and Application ofof Cryptographic Techniques pages 257ndash265 Springer1991

[13] David L Chaum Untraceable electronic mail returnaddresses and digital pseudonyms Communications ofthe ACM 24(2)84ndash90 1981

[14] Benny Chor Amos Fiat and Moni Naor Tracing traitorsIn CRYPTO 1994

[15] Hiten Choudhury Basav Roychoudhury and Dilip KrSaikia Enhancing user identity privacy in lte In Pro-ceedings of the 2012 IEEE 11th International Confer-ence on Trust Security and Privacy in Computing andCommunications TRUSTCOM rsquo12 Washington DCUSA 2012

[16] Henry Corrigan-Gibbs Dan Boneh and David MaziegraveresRiposte An anonymous messaging system handlingmillions of users In Proceedings of the 2015 IEEESymposium on Security and Privacy SP rsquo15 2015

[17] Henry Corrigan-Gibbs and Bryan Ford Dissent ac-countable anonymous group messaging In Proceedingsof ACM CCS 2010

[18] Joseph Cox I Gave a Bounty Hunter$300 Then He Located Our Phone httpsmotherboardvicecomen_usarticlenepxbzi-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobileJanuary 2019

[19] Joseph Cox Stalkers and Debt CollectorsImpersonate Cops to Trick Big TelecomInto Giving Them Cell Phone Location Datahttpswwwvicecomen_usarticlepanvkzstalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data March2019

[20] Ronald Cramer Ivan Damgaringrd and Berry Schoenmak-ers Proofs of partial knowledge and simplified designof witness hiding protocols In CRYPTO 1994

[21] Crypto++ 82 2019 httpswwwcryptoppcom

[22] Claudia Diacuteaz Stefaan Seys Joris Claessens and BartPreneel Towards measuring anonymity In Proceed-ings of the 2nd International Conference on PrivacyEnhancing Technologies PETrsquo02 page 54ndash68 BerlinHeidelberg 2002 Springer-Verlag

[23] Roger Dingledine Nick Mathewson and Paul SyversonTor The second-generation onion router In Proceed-ings of USENIX Security 2004

[24] Tobias Engel Locating mobile phones using signallingsystem 7 In 25th Chaos communication congress 2008

[25] Amos Fiat and Moni Naor Broadcast encryption InAnnual International Cryptology Conference pages 480ndash491 Springer 1993

[26] Open Networking Foundation M-cord open sourcereference solution for 5g mobile wireless networkshttpswwwopennetworkingorgm-cord 2019

[27] Ismael Gomez-Miguelez Andres Garcia-SaavedraPaul D Sutton Pablo Serrano Cristina Cano andDoug J Leith srslte An open-source platform forlte evolution and experimentation In WiNTECH rsquo16New York City New York 2016

[28] Google Get started | directions api | google de-velopers httpsdevelopersgooglecommapsdocumentationdirectionsstart 2019

[29] Google Overview | places api | google devel-opers httpsdevelopersgooglecomplacesweb-serviceintro 2019

14

[30] S Holtmans B Kotte and S Rao Detach me not-dosattacks against 4g cellular users from your desk InBlackhat Europe 2016 2016

[31] Byeongdo Hong Sangwook Bae and Yongdae KimGuti reallocation demystified Cellular location trackingwith changing temporary identifier In Network and Dis-tributed System Security Symposium NDSS San DiegoCalifornia USA Feb 2018

[32] Huawei BTS3202E eNodeB 2019 httpsupporthuaweicomhdxhdxdodocid=SE0000758199amplang=en

[33] Syed Rafiul Hussain Omar Chowdhury ShaguftaMehnaz and Elisa Bertino LTEInspector A systematicapproach for adversarial testing of 4G LTE In Networkand Distributed System Security Symposium NDSS SanDiego California USA Feb 2018

[34] Syed Rafiul Hussain Mitziu Echeverria Omar Chowd-hury Ninghui Li and Elisa Bertino Privacy Attacksto the 4G and 5G Cellular Paging Protocols Using SideChannel Information In Network and Distributed Sys-tem Security Symposium NDSS San Diego CaliforniaUSA Feb 2019

[35] Syed Rafiul Hussain Mitziu Echeverria Imtiaz KarimOmar Chowdhury and Elisa Bertino 5GReasoner Aproperty-directed security and privacy analysis frame-work for 5G cellular network protocol In Proceedingsof the 2019 ACM SIGSAC Conference on Computer andCommunications Security CCS rsquo19 London UnitedKingdom 2019

[36] Markus Jakobsson and David Pointcheval Mutual au-thentication for low-power mobile devices In Interna-tional Conference on Financial Cryptography pages178ndash195 Springer 2001

[37] F Joachim and B Rainer Method for identifying a mo-bile phone user or for eavesdropping on outgoing callsEPO Patent EP1051053 2003

[38] George Kappos Haaroon Yousaf Mary Maller andSarah Meiklejohn An empirical analysis of anonymityin zcash arXiv preprint arXiv180503180 2018

[39] Kate Kaye The $24 Billion Data Busi-ness That Telcos Donrsquot Want to Talk Abouthttpsadagecomarticledatadriven-marketing24-billion-data-business-telcos-discuss301058mod=article_inline October2015

[40] Mohammed Shafiul Alam Khan and Chris J MitchellTrashing imsi catchers in mobile networks In Pro-ceedings of the 10th ACM Conference on Security andPrivacy in Wireless and Mobile Networks WiSec rsquo17Boston Massachusetts 2017

[41] G M Koslashien Privacy enhanced mutual authenticationin lte In 2013 IEEE 9th International Conference onWireless and Mobile Computing Networking and Com-munications (WiMob) Lyon France Oct 2013

[42] Denis Foo Kune John Koelndorfer Nicholas Hopperand Yongdae Kim Location leaks on the gsm air inter-face ISOC NDSS (Feb 2012) 2012

[43] Unwired Labs Opencellid - open database of cell towersamp geolocation httpswwwopencellidorg 2019

[44] David Lazar Yossi Gilad and Nickolai ZeldovichKaraoke Distributed private messaging immune to pas-sive traffic analysis In Proceedings of the 12th USENIXConference on Operating Systems Design and Imple-mentation OSDIrsquo18 Carlsbad CA USA 2018

[45] David Lazar Yossi Gilad and Nickolai Zeldovich Yo-del Strong metadata security for voice calls In Pro-ceedings of the 27th ACM Symposium on Operating Sys-tems Principles SOSP rsquo19 Huntsville Ontario Canada2019

[46] David Lazar and Nickolai Zeldovich Alpenhorn Boot-strapping secure communication without leaking meta-data In 12th USENIX Symposium on Operating SystemsDesign and Implementation (OSDI 16) pages 571ndash586Savannah GA 2016 USENIX Association

[47] P P C Lee T Bu and T Woo On the detection ofsignaling dos attacks on 3g wireless networks In IEEEINFOCOM 2007 - 26th IEEE International Conferenceon Computer Communications May 2007

[48] Joseph K Liu Victor K Wei and Duncan S Wong Link-able spontaneous anonymous group signature for ad hocgroups In Australasian Conference on InformationSecurity and Privacy pages 325ndash335 Springer 2004

[49] G Lorenz T Moore G Manes J Hale and S Shenoi Se-curing ss7 telecommunications networks In Workshopon Information Assurance and Security volume 2 page1115 2001

[50] Stig F Mjoslashlsnes and Ruxandra F Olimid Easy 4GLTEIMSI catchers for non-programmers In InternationalConference on Mathematical Methods Models and Ar-chitectures for Computer Network Security pages 235ndash246 Springer 2017

15

[51] Navid Nikaein Mahesh K Marina Saravana ManickamAlex Dawson Raymond Knopp and Christian BonnetOpenairinterface A flexible platform for 5G researchACM SIGCOMM Computer Communication Review44(5)33ndash38 2014

[52] Kristin Paget Practical cellphone spying Def Con 182010

[53] C Peeters H Abdullah N Scaife J Bowers P TraynorB Reaves and K Butler Sonar Detecting SS7 Redi-rection Attacks with Audio-Based Distance BoundingIn 2018 IEEE Symposium on Security and Privacy (SP)May 2018

[54] Zafar Ayyub Qazi Phani Krishna Penumarthi VyasSekar Vijay Gopalakrishnan Kaustubh Joshi andSamir R Das Klein A minimally disruptive designfor an elastic cellular core In Proceedings of the Sym-posium on SDN Research SOSR rsquo16 Santa Clara CAUSA 2016

[55] Zafar Ayyub Qazi Melvin Walls Aurojit Panda VyasSekar Sylvia Ratnasamy and Scott Shenker A highperformance packet core for next generation cellularnetworks In SIGCOMM rsquo17 Los Angeles CA USAaug 2017

[56] S M Razavi and D Yuan Reducing signaling overheadby overlapping tracking area list in lte In 2014 7th IFIPWireless and Mobile Networking Conference (WMNC)Vilamoura Algarve Portugal May 2014

[57] S M Razavi D Yuan F Gunnarsson and J Moe Dy-namic tracking area list configuration and performanceevaluation in lte In 2010 IEEE Globecom WorkshopsMiamiFL Dec 2010

[58] S M Razavi D Yuan F Gunnarsson and J Moe Ex-ploiting tracking area list for improving signaling over-head in lte In IEEE Vehicular Technology ConferenceVTC2010 Taipei Taiwan May 2010

[59] Ronald L Rivest Adi Shamir and Yael Tauman How toleak a secret In International Conference on the Theoryand Application of Cryptology and Information SecuritySpringer 2001

[60] D Rupprecht K Kohls T Holz and C Poumlpper Break-ing LTE on layer two In 2019 IEEE Symposium onSecurity and Privacy (SP) May 2019

[61] Stefan Savage Lawful device access without masssurveillance risk A technical design discussion In ACMSIGSAC Conference on Computer and CommunicationsSecurity CCS rsquo18 Toronto Canada Oct 2018

[62] Hemant Sengar Ram Dantu Duminda Wijesekera andSushil Jajodia Ss7 over ip signaling interworking vul-nerabilities IEEE Network 20(6)32ndash41 2006

[63] Altaf Shaik Ravishankar Borgaonkar N Asokan Valt-teri Niemi and Jean-Pierre Seifert Practical attacksagainst privacy and availability in 4glte mobile commu-nication systems CoRR abs151007563 2015

[64] K Sung J Biswas E Learned-Miller B N Levineand M Liberatore Server-side traffic analysis revealsmobile location information over the internet IEEETransactions on Mobile Computing 18(6)1407ndash1418June 2019

[65] Keen Sung Brian Neil Levine and Marc LiberatoreLocation privacy without carrier cooperation In IEEEWorkshop on Mobile Security Technologies MOST page148 2014

[66] Jennifer Valentino-DeVries Service Meant to MonitorInmatesrsquo Calls Could Track You Too httpswwwnytimescom20180510technologycellphone-tracking-law-enforcementhtmlMay 2018

[67] Fabian van den Broek Roel Verdult and Joeri de RuiterDefeating IMSI catchers In ACM SIGSAC Conferenceon Computer and Communications Security CCS rsquo15Denver Colorado USA Oct 2015

[68] Jelle van den Hooff David Lazar Matei Zaharia andNickolai Zeldovich Vuvuzela Scalable private mes-saging resistant to traffic analysis In Proceedings ofthe 25th Symposium on Operating Systems PrinciplesSOSP rsquo15 Monterey California 2015

[69] Kenneth van Rijsbergen The effectiveness of a home-made IMSI catcher build with YateBTS and a BladeRFUniversity of Amsterdam 2016

[70] Zack Whittaker US cell carriers are selling accessto your real-time phone location data httpswwwzdnetcomarticleus-cell-carriers-selling-access-to-real-time-location-dataMay 2018

9 Glossary

AKA (Authentication and Key Agreement): The process by which the UE and the AUSF exchange information by which they can each verify a secret key held by the other and calculate keys to be used for ciphering and integrity protection of data transmitted between the UE and the network. Pages: 12.

AMF (Access and Mobility Management Function): The control entity that manages signaling between the UE and the core network. The AMF supports functions related to bearer and connection management and manages mobility between gNodeBs. Pages: 2, 3, 9, 11, 12.

AUSF (Authentication Server Function): The entity that holds subscription information to allow or deny access to the network. Pages: 2, 3, 7, 12, 13.

Diameter: The authentication, authorization, and accounting protocol used by 4G/5G cellular networks. Diameter is used to enable roaming between modern cellular networks. Pages: 6.

EIR (Equipment Identity Register): A database that stores IMEIs of devices in cellular systems. IMEIs can be white-listed, grey-listed, or black-listed. The EIR allows a device's identity to be checked for blacklisting (e.g., whether it has been reported stolen). Pages: 6.

gNodeB (Next Generation NodeB): The base station in 5G. Pages: 2–4, 9–12.

GUTI (Globally Unique Temporary Identity): The GUTI is a temporary identifier that can be used in lieu of an IMSI to identify a subscriber to the core network. Pages: 3, 4, 7, 13.

IMEI (International Mobile Equipment Identity): A globally unique, permanent device identifier which is allocated to each individual mobile device. It is set by the manufacturer. Pages: 6.

IMS (IP Multimedia Subsystem): The entity that provides voice and messaging services for the network. Pages: 6.

IMSI (International Mobile Subscriber Identity): A globally unique identifier associated with each mobile phone subscriber. It is stored in the SIM inside the phone and is sent by the phone to the network. Pages: 1, 3–7, 10–13.

MNO (Mobile Network Operator): A cellular service provider. Pages: 2, 8.

MVNO (Mobile Virtual Network Operator): A cellular operator that does not necessarily own its own spectrum or all of the network equipment it operates upon. MVNOs run on top of MNO networks. Pages: 2, 3, 6–8.

NG-RAN (Next Generation Radio Access Network): Network that serves to connect UEs and gNodeBs. Pages: 2, 3.

NGC (Next Generation Core): The core network in 5G. Main logical nodes of the NGC are the User Plane Function (UPF), Access and Mobility Management Function (AMF), the Session Management Function (SMF), and Authentication Server Function (AUSF). Pages: 1–3, 7, 12.

PGPP-GW (PGPP Gateway): A proposed gateway for PGPP that sits between the UPF and the global Internet. The PGPP-GW allows for billing without requiring the user's identity. Pages: 7, 8.

RNTI (Radio Network Temporary Identifier): A unique identifier for a UE in a given cell, used to connect over layer 2. Pages: 3.

SIM (Subscriber Identity Module): An entity that holds the IMSI, which uniquely identifies a subscriber. SIMs are used to authenticate a user to the network. Pages: 2, 3, 6, 7, 12, 13.

SMF (Session Management Function): The session management function supports session management and IP address allocation. Pages: 2, 3, 6.

SQN (Sequence Number): A value stored at the AUSF and the SIM to maintain synchrony between the entities. Pages: 12.

SS7 (Signaling System 7): The protocol standard used by entities on public switched telephone networks to communicate with one another. SS7 is used to set up and tear down voice calls, deliver SMS, etc. SS7 has been largely replaced by Diameter in modern cellular standards. Pages: 6.

TA (Tracking Area): A tracking area includes one or more gNodeBs. Typically the UE can move freely within gNodeBs in a tracking area without notifying the AMF with a tracking area update. Pages: 3, 10–12.

TAL (Tracking Area List): A list of tracking areas stored on the device that the device can enter without triggering a tracking area update. Pages: 5–7, 9–12.

TAP (Transferred Account Procedure): A file detailing usage and wholesale charges due to roaming. Pages: 6.

UE (User Equipment): The mobile device which allows a user to access network services, connecting to the UTRAN or E-UTRAN via the radio interface. Commonly understood to be a mobile phone. Pages: 2–4, 7, 9–13.

UPF (User Plane Function): The gateway that provides global IP connectivity from the NGC. Pages: 2, 3, 6, 7.
