Show HN: PGPP (Pretty Good Phone Privacy) – a new type of mobile privacy service https://ift.tt/vqPHrnj
Show HN: PGPP (Pretty Good Phone Privacy) – a new type of mobile privacy service Hi, we're Barath and Paul. We co-founded INVISV to build Pretty Good Phone Privacy (PGPP) [ https://invisv.com/pgpp ], an app and service that provides mobile identifier privacy (IMSI) and Internet privacy (IP) so that neither we nor other providers learn your network identity. We've been thinking about how phones are tracking devices in disguise (at a few layers) and what we can do about it. But the problem is that mobile networks are hard to change, and existing companies are reluctant to change things. A couple years ago we had the idea that we could decouple your identity from your SIM (IMSI), so the mobile operator wouldn't know who you are but still provides you service. We did research, figured it out, and published it last year at Usenix Security. Then we took it to every mobile operator we could to see if they'd do it, but mostly got shrugs, confusion, or hostility. (We still hold out hope they'll change their minds.) So we decided we had to build and deploy it ourselves. And the mobile network is just the first part -- we also provide decoupled IP privacy (Relay) in PGPP via a partnership with Fastly, for when you're on WiFi or mobile data. The implementation is simple: for mobile privacy we decouple authentication from connectivity. Those are conflated today. We provide service using eSIMs (so you need an eSIM capable Android for this part). So we don't learn which eSIM your phone gets each time (your IMSI now changes periodically), we authenticate you with a cryptographic protocol (Chaum's blind signatures) that proves you should get a new eSIM but doesn't reveal your identity. Then you get mobile data service. This isn't something that exists today, despite the tracking/data collection that's happened both by third parties (SDRs / IMSI catchers) and operators themselves. It's like MAC randomization for mobile networks. We figured users would like better IP privacy too, so we used IETF MASQUE and collaborated with Fastly to provide relay service in PGPP as well. Relay service works on almost any Android device. This uses TLS to tunnel your traffic (which itself will usually be TLS encrypted, for almost all Web traffic today) through two hops and then to the rest of the Internet. The first hop is us -- we hide your IP but learn nothing of your traffic or where it's headed. The second hop is Fastly, who then connects you to the IP of the server you're trying to reach, but all they see is an INVISV IP trying to connect to some other IP. The site you're connecting to terminates your TLS stream but just sees it coming from Fastly. This is a beta and there are several things that aren't ideal. We don't have free plans because providing actual connectivity is pretty expensive. We know that data-only mobile service isn't for everyone (that's what our mobile plans provide -- no phone number). So we offer Relay service on its own for folks who want that. We also know eSIMs are not ideal either, so we'd like to generalize that down the road. We're focused on privacy, not just on mobile, and we'd love your feedback on the service and ideas about this and where to go next. Thanks! Barath and Paul https://ift.tt/qPIwVUv August 9, 2022 at 04:32PM
No comments