The scale and force of phone-number indexed surveillance data available on via the commercial (and, let’s say, “commercial-adjacent”) market has slowly but persistently come to light over the past ten years. The ways and means of putting a cell phone number to task in locating an individual or disrupting their communication fall across a broad spectrum. At the expensive, sophisticated end of that spectrum, we have the practices typically associated with intelligence services, like the number routing-based techniques the Washington Post has profiled. Researchers routinely obtain data sets which have location resolved down to home addresses, like the data set used to determine partisanship of particular phone numbers’ owners by MIT researchers as detailed in Wired.

Most troublesome for some of our clients, there is the risk of individually targeted surveillance via their phone. Some principals need to be concerned with equipment in key meeting locations (like the IMEI catchers in DC, covered by the AP). More pedestrian is the low-cost, easy access method of paying a broker for location data obtained from the carrier, as clearly laid out by Joseph Cox and the Motherboard team at VICE. Given a few hundred bucks and a couple of hours, an adversary with your mobile phone’s number can also see where you are, where you’ve been, and where you head next.

For projects with certain intersections of threat models and risk profiles, this means Layer Aleph has to solve for mobile phones with a degree of anonymity at the carrier layer. Clients whose threats include abusive or hostile former partners, or investigative teams with well-resourced, capable adversaries are recent examples. After some iterations, we’ve settled on a toolkit suitable for most clients with these needs that has proven effectiveness across a few projects.

Several requirements present themselves:

  1. Principals need the keep their existing phone numbers as point of contact in systems like Signal or WhatsApp. Changing the phone numbers used as contact points is often impractical. The client’s work is always already in progress. A threat model that dictates an infrastructure burn along with a clean start is another problem entirely.
  2. The cell numbers held by the mobile devices via the wireless carriers themselves need to be anonymous as feasible. Specifically, we want the carrier to not have a name associated with them if possible.
  3. For some threat models, the mobile phone’s hardware identifier (usually the “IMEI”) needs to be anonymous from the wireless carrier’s point of view as well.

For requirement 1, our preferred solution is to port the number into the hands of a system currently held in higher trust. From there, we can redirect phone calls and text messages to a number of our choosing. There are a lot of options, we most often use Google Voice. Voice allows us to hold the number, protected from further interference, with a Google account setup with their phishing-resistant Advanced Protection Program. That tends to be an excellent level of protection for anyone without the FBI in their threat model. So, step one is beginning the porting process from a client’s current carrier to Google Voice. This takes 1-3 days.

Our second requirement gets solved by the thriving cash economy used by 20-30% of wireless subscribers here in the United States who depend on prepaid wireless service. Many carriers focused on the prepaid market offer “bring your own smartphone” kits, costing between $1 and $10, that include the SIM card necessary to activate any phone on the wireless carrier’s network. Coupled with the prepaid cards themselves, usually in $30-$60 denominations, one can pay in cash and get a phone on a network in a little under an hour.

Verizon and “Simple Mobile” (a division of T-Mobile) are recent favorites, because they offer prepaid plans with reasonable data costs (around $10/GB) and allow mobile hotspot/tethering use of phones on some of their prepaid plans. Best Buy, Target, Walgreens, and Walmart are nationwide chains consistently stocking the activation kits. The prepaid scratch-off cards used to pay for service on a monthly basis, usually by texting a long PIN from the card to a particular number, are available at almost every supermarket and drug store in the country. The more enterprising of your local bodegas will have Simple Mobile activation kits. Look for the green sign on their doors.

This entire market is structured to be as predatory as possible, with plans changing every few months. Data costs vary hugely (five to ten times, even within a single wireless carrier’s plans), and features like mobile hotspot/tethering come and go regularly. Even so, we’ve been able to hold monthly costs for typical client equipment usage to $55/device/month.

If a client has IMEI catchers or targetted wireless surveillance in their threat model, our third requirement comes into play. This is a very rare problem, typically confined to principals of large or powerful organizations, investigative teams working on national security-adjacent matters, and folks working at, with, or against, certain parts of the US Government. Often these risks come with mitigations far above and beyond getting daily carry cell phone anonymized at the wireless carrier level. New, anonymized equipment is required.

You may be as surprised as we were to discover that every Apple Store has a well-designed cash drawer concealed in a display table. The employees don’t even ask questions as they make your change.