Hey there, Joseph here with a long one on a new and interesting privacy-focused phone network. Basically, Cape has been providing its services to the U.S. military. Now, it's ready to offer that service to high-risk members of the public. It rotates IMEIs, IMSIs, MAIDs, and retains a relatively small amount of user data. Might you get use out of it? I'll leave that up to you after reading the whole thing.
I haven’t owned a cellphone since around 2017. For years I used an iPod Touch to send emails or encrypted text messages. When Apple discontinued that iPod in 2022, I moved to a WiFi-only iPad Mini, which requires me to either carry a small bag or a jacket with pockets that can fit the not-so-mini communications device.
This was an extreme way to live in the previous decade, and arguably it’s even more extreme in 2024. But every time I inch closer to finally buying a phone, some cybersecurity incident happens that reminds me why I made this radical choice: telecoms and data brokers selling location data to bounty hunters or other third parties; hackers (repeatedly) stealing people’s sensitive personal information from T-Mobile; stalkers tricking Verizon into handing over a target’s address by haphazardly posing as a cop; and AT&T storing the call and text metadata of “nearly all” of its customers inside a Snowflake instance that young, reckless hackers gained access to.
Then there is the constant threat of SIM swapping, where hackers trick a telecom into transferring the victim’s cell service from their normal SIM card to one the attacker controls. Another lesser but still relevant concern is SS7, where private surveillance companies, governments, and even financially motivated hackers can tap into the telecommunications backbone to track a device’s location or intercept calls and texts (I’ve been called up by the owner of an SS7 surveillance company after I wrote about them). In short, from covering this stuff all day every day, I fundamentally do not trust the world’s telecommunication companies or networks to keep my data secure.
A new company called Cape aims to address many, if not all, of those concerns. To be clear immediately: it is ultimately unknown how effective and useful Cape’s product is until it is road-tested much more widely, potentially over years, and I’m not endorsing the product. But this week Cape is making its privacy-focused phone network available to high-risk individuals after previously only offering it to the U.S. government, including a pilot program in Guam with the Navy. The intended market includes corporate executives, politicians, journalists, and domestic abuse survivors, with plans to offer another version of the product to the broader public next year. And Cape loaned me a device to play around with.
💡 Do you know anything else about phone networks like this? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.
Cape is a mobile virtual network operator (MVNO), essentially a company that provides its own cell service by piggybacking off the existing physical infrastructure of fully-formed telecommunication companies. Google Fi is an MVNO. So is Mint Mobile. In Cape’s case, it uses UScellular’s infrastructure, and pairs it with a Cape-branded Android device.
That phone works essentially like any other, and a Cape app installed on it lets a user interact with and configure the privacy-focused features.
“I'm comfortable sharing that our early design partners and our first customers have all been U.S. government folks who have an acute version of this problem, but we don't share specifics,” John Doyle, CEO of Cape and formerly of Palantir, said in an interview with 404 Media when asked to identify some of the U.S. government customers beyond the Navy pilot program.
Beyond the product itself, the news also raises a deeper question: why haven’t the U.S.’s main telecoms—AT&T, T-Mobile, Verizon—employed even some of Cape’s privacy and security features themselves, instead leaving that work to a startup?
Cape runs its own mobile core, all of the software necessary to route messages, authenticate users, and basically be a telecom. Ultimately, this gives Cape the control to do more privacy-enhancing things, such as periodically give its phones a new IMEI—a unique identifier for the phone—and new IMSI—a similar identifier but one attached to the SIM card (or eSIM in Cape’s case). The phone can also give itself a new mobile advertising identifier (MAID), which is an identifier advertising ecosystems and apps use to track people’s web browsing activity and is sometimes linked to their physical movement data. Cape said the IMEI and MAID rotation is handled by the custom Cape handset, which runs standard up-to-date Android.
Cape lets users create bundles of these identifiers, called “personas,” then cycle through them at different points. This means that during some attacks, a Cape phone may look like a different phone each time.
The device can do this in a few ways. In the first, users can set geofences around a particular area, meaning that when they enter that location—such as their home, place of work, or commute—the device automatically switches to a particular IMSI, IMEI, and MAID.
Secondly, users can set it to switch between these sets of identifiers after an approximate period of time has passed, between one hour and one day, with an option to add some percentage of variation between each rotation. Cape loaned me an Android Cape device for verification purposes, and I saw that the device said it changed the IMSI, IMEI, and MAID when entering a designated geofence, after a determined period of time, and on demand.
Other MVNOs offer some similar products, such as Pretty Good Phone Privacy, which lets a user rotate IMSIs. Cape appears to be a much more fleshed out product, though. Its investors include Andreessen Horowitz, Point72 Ventures, and XYZ Ventures. The company said in April it raised $61 million.
A page inside the Cape app also shows all the recent network attaches the phone has made, meaning a user could theoretically check if a suspicious network connected to their device. This could apply to SS7 attacks, which can track a phone’s physical location and intercept communications. In May, I revealed that a U.S. government official spoke out about SS7 attacks happening in the country as recently as 2022.
Cape also says it does not hold much information about a subscriber, including their name, address, or payment information. In the Verizon case I mentioned earlier, the stalker who posed as a law enforcement officer and got a target’s personal data later drove to an address associated with the victim armed with a knife.
“As an organization focused on combating domestic violence and human trafficking, this technology is exciting,” Chris Cox, executive director of anti-domestic violence nonprofit Operation Safe Escape, told me. “The threats they face can range from very simple [to] highly sophisticated, and the attackers are extremely motivated to cause harm. These tools will not only help someone stay safe, but just as importantly help them feel safe.”
Cape requires a stronger form of user authentication to perform a SIM swap.
After a SIM swap, a hacker can receive password reset tokens or two-factor authentication codes, and break into a slew of different accounts. Attackers have done this by tricking telecoms’ customer support workers with fake identity documents, phishing for access to internal tools, planting malware inside telecoms, and even physically snatching the tablets used by telecom store employees to perform the SIM swaps themselves.
Over the years, as SIM swapping has moved from a niche threat to a persistent issue, the U.S.’s major telecoms have introduced more security features, such as a PIN customers can set up, which is required when moving service from one SIM to another. This is sometimes just four digits. Cape, meanwhile, says it requires a 24-word passphrase.
AT&T told me in an email that it “recently soft launched a no-cost security feature for wireless customers called ‘Wireless Account Lock.’ It completely disables 12 types of account changes and transactions for those who want extra protection, such as billing changes, device changes or moving your number to a different carrier. Customers can immediately lock and unlock their wireless account at any time.”
Cape says it deletes data after a relatively short period of time, meaning if it was compelled to turn over certain records, it might not be in a position to do so. “We also significantly limit the length of time that we retain any records, including the call data records themselves. So we retain data for 60 days, versus the industry standard which is years and years,” Doyle said. “Beyond that 60 day window, we have nothing to turn over,” Doyle added. Law enforcement could still theoretically put a preservation request in place, which orders a company to keep records related to a certain customer.
A “law enforcement request is going to include all of the identifiers and the call data records and all the rest. We comply with those requests. We can't share what we never collected,” Doyle said. Cape said the company does hold onto zip codes for three years for tax compliance reasons, but says it does not associate these with a subscriber’s identity.
Doyle said he has been in contact with officials of the FBI, including “FBI folks who specialize in cellular exploitation.” The focus there, Doyle said, was for Cape to find a way to fulfill the privacy promises of its product, while still enabling exigent use cases for the FBI. “For example, a child is abducted, goes missing, they [the FBI] have a workflow that they go through that follows legal process and is within the CALEA rubric, and we want to make sure that we're able to enable those workflows in particular,” Doyle added. CALEA, or the Communications Assistance for Law Enforcement Act, is the law that says telecoms must be able to provide legally requested information to law enforcement.
In a follow-up email, Cape said it understands the role of law enforcement and narrowly tailored requests for information, but is against warrantless mass surveillance. With the Cape device I used, it was logged into a Google account, presumably creating another avenue for law enforcement to obtain some data about the user.
Might other officials at the FBI be worried about a tool like this being more widely available? “Probably at a high level,” Doyle said.
For ten days in Kansas City recently, the U.S. government hunted people who were using Cape to test the company’s capabilities, Doyle said. Armed with IMSI catchers and simulated insider access to a major telecom, the red teamers were unable to locate the Cape users, Doyle added. The City Communications Office of Kansas City did not respond to a request for comment. The test was a partnership between Cape and the Department of Defense to test the phones’ capabilities.
The IMSI catchers were meant to replicate a surveillance team looking for phones in a local geographic area, and the insider access represented a hostile telecom in a foreign country. With an IMSI catcher, “your goal is to build a list of people who have been in one location and then, presumably, to cross reference it against some other list of people who are in another location or who are on some other list,” Doyle said.
For the offering to high-risk individuals at the moment, those users can get all of the IMSI, IMEI, and MAID rotations. Cape said when it rolls out more broadly to the public, that offering won’t include a physical phone or the same degree of identity obfuscation.
Verizon and T-Mobile declined to comment or did not respond.
Personally, I find Cape’s tech very interesting, but more so I think it’s very notable that a company is finally trying to seriously address privacy issues with aging telecommunications networks more broadly. It shouldn’t have taken years, decades, for a startup to get funding and the will to tackle this problem. My own threat level around phones is odd, quite unique, and personal to me. Maybe you, as someone who already uses a mobile phone, might get some use out of this tech. For me, I am so used to the friction of essentially carrying around a computer that I can wait and see.