When You Roam, You’re Not Alone
Ronald J. Deibert, Gary Miller
However, hidden within this seemingly routine transaction lies one of the most extensive, yet lesser-known surveillance risks of our age: the technical vulnerabilities at the heart of the world’s mobile communications networks. Accompanying the complex arrangement of global networks, international roaming service providers, and financial agreements are surveillance actors who access and covertly manipulate decades-old protocols to extract your sensitive personal information from the mobile network. Human rights and national security risks abound. A new report by the Citizen Lab (a research center with which we are affiliated) details how it all works.
Telecommunications companies constantly exchange huge volumes of messages using a private global network to “signal” when users attempt to roam and use services on partner networks in virtually any country around the world. This private network, called the IP Exchange (IPX), was originally conceived to provide a single connection from one mobile network to other partner networks to facilitate the transport of signaling messages needed for ubiquitous international roaming. Because these signaling messages provide essential user authentication, registration, and service information, they also allow telecommunications companies to retrieve extraordinarily detailed information about a user, including whether a phone number is active, which services are available to them, to which network the phone is currently connected, and most importantly, where they are geolocated at any time relative to the multitude of cell towers to which they connect as they traverse a city.
While at one time this information was restricted to a relatively small club of mobile telecommunications companies, membership has since diversified to private companies selling geolocation surveillance services. Some of these entities gain access to these highly sensitive signaling protocols by buying entry into the club from country network operators seeking more profit—such as small Caribbean, Asia-Pacific, eastern European, and African-based telecommunications firms as revealed in a 2020 article by the Guardian. In other cases, telecommunications firms are compelled by their country’s government to integrate a vendor’s software system into country networks to become an element of their surveillance apparatus—allowing that vendor to access the location and communications of domestic users or those using other country networks connected to the IPX.