[Replicant] forum: question about information known by a cellular network provider

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Mon May 20 17:21:44 UTC 2019

On Mon, 20 May 2019 09:17:56 +0000
Fil Lupin <fillupin at protonmail.com> wrote:

> Hi,

> I forward a question concerning Information known by a cellular
> network provider while using and not using internet asked on the
> forum (https://redmine.replicant.us/boards/33/topics/15152) :
Part of that is documented on the following page:
but some information might be missing from it.

Patches for that are welcome, the source code of the page is here:

> 1. While I am not using the internet:
> The network provider would know Non-internet based static content
> such as: personal information including address, occupation, proof of
> identity, etc (if given/required during purchase) sensitive personal
> information including as bank account details, etc,

> device details such as IMEI number?,
If you have a SIM card, the IMEI number is not static. The operator
sees the IMEI number of all the phones you put your SIM card in.

> Serial number?, operating system?,
I've no idea about that, and it depends on several things:
- Are the proprietary modem firmwares and RIL implementation able to
  report that somehow? If so the operator can deduce that you don't use
  the stock implementations. On the top of my mind, the following ways
  may or may not be able to achieve that:
  - The SIM card would communicate with the OS through SIM Toolkit. 
  - The modem would somehow report the data and communicate with the OS
    through the nonfree RIL.
- The smartphone bought is modified by the operator in some way and
  enable to report that. This is very common for operator to modify and
  brand smartphones, but you typically know it at the time of purchase.

> type of device (smartphone, tablet etc.)?, 
This can be deduced from the IMEI. Some operator even enable you to see
that in your account web interface.

> MAC address of the device? etc.
That is tricky and would require more research. If the MAC address are
somehow sequential you might be able to deduce one MAC address from
another one, or from the IMEI.

> [Note: I am not sure whether content such as IMEI number, operating
> system, type of device (smartphone, tablet etc.), MAC address of the
> device would come under non-internet based content or internet-based
> content]
The IMEI is seen on the cellular network.

The operating system can be somehow deduced actively with tools like
nmap but it's probably expensive to do that at large scale.

The MAC addresses of the Bluetooth and WiFi interfaces are seen and
sometimes stored by hardware that displays adds, supermakets, etc.
Weather that's illegal or not depends a lot on the jurisdiction on the
countries. It's a good idea to turn off the WiFi and Bluetooth when you
don't use them because of that.

I'm not sure if it's possible to change the MAC addresses in Replicant
6. However it might be way easier to do it in Replicant 9 as we plan
to use a kernel that is way more closely based on upstream.

> The network provider would know Non-internet based dynamic content
> such as network-based location (which cell towers I use),
I was told by someone who worked in an operator that this has 10m of
precision with 3G activated and 20m without. If you stay at the same
place during a long period of time the accuracy increase as you see
multiples points at roughly the same location, so you can remove some
of the imprecision.

> call detail
> records (who you called and when), text message details (who you
> texted and when), text message content,
Yes, that all go through the operator. You can sometimes see some of
the information in your account web interface.

> payment history, etc.
I don't know what payment history refers to here.

> 2. While I am using the internet:
> The network provider would know Internet-based dynamic content such
> as IP address, 
It assigns the IP address to you.

> bandwidth consumption, 
Again you pass through the operator for that, they also often cap your
speed or make you pay or stop providing you data when you consume more
than a given bandwidth.

> turned on), browsing content and history (including the date, time
> and duration of the internet session)?, the apps running on the
> device?, data sent and received by the apps?.
That's the same than a classical Internet provider. It can see a lot of
metadata, (domain names, traffic usage, hours at which you use the
Internet the most, etc). You probably can see some data too if TLS is
not used.

It might also be possible to deduce the data being transferred even
with TLS with the size and pattern of the data being transferred. A way
to fix that would be to add random padding with random sizes in TLS

> 3. While I am using the internet via a VPN:
> The network provider would know Internet-based dynamic content such
> as the VPN's IP address,
Not automatically. The provider would see a VPN connection to a VPN
provider. They would have to deduce the IP address from other means.

> bandwidth consumption, 
They would still get metadata from the bandwith, and deduce at which
hours you use the Internet the most.

> location via GPS?.
The provider already has the location of the smartphone, but in some
cases it can also obtain it through the GPS if the modem has access to
the GPS receiver somehow:

If I understood well, in some system on a chips, like the Qualcomm MSM
7K series, the GPS is under the control of the modem, so RRLP (Radio
resource location services protocol) might work in that case.

I've not yet got the time to setup a test system to try that with
Replicant smartphones. 

I think that it's possible to do that without having to get a test
license by using cables that go from an SDR to the phone under
test, and by making sure that the signal doesn't radiate outside of
the cables  (for instance by using proper attenuators and such):

> Some info I got from another forum is that apps created using
> technologies/terms such as JSON, TNA, SDK and GPS would receive/send
> data while using the internet i.e. Internet-based dynamic content
> (JSON = JavaScript Object Notation, SDK = Software Development Kit,
> TNA = Truly Native Apps)
A GPS receiver doesn't need to send data to work. As far as I know
there is nothing in the GPS standard that may enable a GPS receiver to
send back some data.

So what happens usually is that something else (like an application)
manage to get the user position for instance by asking the OS which in
turn will try to get a position using various means like the GPS
receiver, the nearby cellphone tower ID, the MAC address of the WiFi
access point nearby, etc.

As the GPS consumes a lot of battery, the other ways to get a location
are also commonly used. I managed to test it, I think it was with
navit and some network location provider in f-droid.

There is also room for improvement here: if I remember well, in
libsamsung-ipc, we only have support for getting the identification of
the tower you're connected to, and not all the other ones that are

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.osuosl.org/pipermail/replicant/attachments/20190520/8d5d4f5e/attachment.asc>

More information about the Replicant mailing list