All questions are in bold for ease of use.
The major carriers in the United States participate in NSA surveillance (except for T-Mobile apparently, because it’s based outside of the US. Except they bought Sprint, which participates.) and that, along with other major privacy issues, means that the market for private carriers is incredibly slim. When I found out that some carriers, such as Mint Mobile, piggyback off of Verizon, I wondered: What’s stopping a carrier from simply E2EE everything from Verizon, and then using Verizon to transfer the data? Obviously, the encrypted data could still be collected and sold, but it wouldn’t matter if the encryption was setup properly, right? I’m looking to better understand how this works, and, if a solution exists, potentially be the first to make it happen. The reason I’m not suggesting creating a carrier without piggybacking is due to the sheer cost and lack of support it would have, which would lead to poor adoption. Also, if carriers simply don’t support E2EE, couldn’t carrier locked phones install the software (since most install software anyways) required to make E2EE work?
You seem to be asking for telephone calls and SMS messages to be end-to-end encrypted. The underlying technologies were not designed with encryption in mind, so the only way for it to work would be for all the participants in a conversation to use an additional software layer. That was the method used by TextSecure.
The authors of TextSecure eventually figured out that a purpose-built Internet-based messaging protocol would be a better transport layer for secure messaging. If you’re interested enough in secure messaging to be asking this question, you may be familiar with TextSecure’s successor.
As for why a carrier wouldn’t do this, I’ll ask the inverse: why would they put in the effort when anyone who cares about secure communication just uses an encrypted messaging app?
This is the right lead, but also OP asking the question doesn’t seem to understand encryption in general, or PFS. We’re all running on a decades old system now. Just move to something more modern like the Signal protocol if you’re so freaked out about who is listening to your shit.
I swear, this thread just invites so many militia psychos and preppers…
This comment screams “why worry if you have nothing to hide?”
I mean, I’m sure that wasn’t your intention, but that’s the sense I got from it. I think they were trying to find out from someone more knowledgeable on the subject why a privacy-centered cell company, selling a phone that doesn’t track you with bloatware, and the extra layer of software, as mentioned above, isn’t standard.
I mean, I think the answer is money and pressure from regulators. Any time a privacy issue comes up, they start handwringing about “a safe haven for terrorists” and shit.
Also, while more people are becoming concerned with their privacy, it’s met with a lack of technical knowledge from most people. The question definitely hints at a lack of technical knowledge, but most people don’t possess that that aren’t in IT/tech themselves. I think that’s completely understandable.
Why would they put in the effort when anyone who cares about secure communication just uses an encrypted messaging app?
Because not all traffic sent through cellular is messaging. People visit websites and whatnot when they’re out-and-about. Not to mention that not everyone uses secure messaging apps.
P.S. I am very aware of Signal, thanks!
Browsing most websites is E2EE. When it’s not, that isn’t something a phone carrier or ISP can fix because they don’t control the web server. The traffic will be in the clear between the ISP and the server.
For secure messaging without a third-party app, phone carriers in the USA seem to be pretty onboard with Google RCS, though I think I’d recommend anyone who’s serious about security use Signal instead.
Thanks for elaborating! I’m curious about two things
-
How are DNS queries handled over cellular?
-
Is traffic E2EE between the phone and the cell tower, or could anyone with a laptop sniff packets of phone calls OTA with Wireshark?
Mainly Because there is no money in doing it… people who are privacy can just do it themselves and use VPN, most every chat app these days is already e2ee, and data collection is mostly dependent on what apps you use/have installed rather than whos networks your data travels through.
To have e2ee, you’d have to have compatible software on both ends. But if you’ve got that, why bother with the private pipe to Verizon at all?
Calls are infeasible because you need to get a it of different parties on board, such as:
- land lines - probably the biggest hurdle
- international calls
- old mobile phones
- everything in between
This requires a lot of coordinated work by a lot of people, and all the while the government will want backdoors for wiretaps and whatnot. It’s just not going to happen. The technical problems aren’t the great (if the signal is unencrypted, encrypt it; boom, legacy network support), so it’s more that coordination that’s an issue.
The next best option is a VoIP service that works with traditional phone numbers and encrypts everything between your device and the service. This wouldn’t solve the broader problem, but encryption could be used by the service if the other end supports it. However, you’d need to only use VoIP on your phone, and the apps largely suck and there are technical issues like missing calls.
Text messages are being solved though with RCS now that Apple is on board and Google is marketing it, but unfortunately I don’t think it’s open enough for Linux phones to adopt, but I could be mistaken.
As another poster said, the underlying tech is not private: https://jmp.chat/privacy
For backwards compatibility, what your proposing is unlikely unless driven through regulation (personal opinion).
Use something over the top (like Signal was suggested), use a non-KYC provider (like Jmp), or use a burner phone.
A non-KYC provider I wouldn’t trust to be private personally, especially as a secondary SIM. Maybe slightly above average (the company can’t sell the number attached to my name), but I’m sure enough information leaks that a state-level actor could correlate the device to me. The IMEI the tower gets is probably enough to run to Google to figure out who bought the phone.
Even burners may trace back to you through GPS or triangulation depending on how private you really want to be.
