The question of whether a cellular telephone is a tracking device has often hinged on the resolution of the cell site data. If the data consists solely of the cell site ID, then the precision of the location information is clearly a function of the size of the cell. Cell sizes vary significantly, but the following can be used as a rough rule of thumb:[u]

Urban: 1 mile radius
Suburban: 2 mile radius
Rural: > 4 mile radius
It follows that through registration messages alone, a subscriber's location is recorded to the level of a metropolitan area at a minimum, and sometimes to the level of a neighborhood.
A Private overlay
So long as the cellular concept requires that a piece of equipment be located within a particular cell, there will be a requirement in cellular systems that an MSC be able to locate user equipment at the level of one or a small number of cell sites. It is important to note, however, that it is the equipment that needs to be located and not a specific, named subscriber. In this section we will consider the possibility of creating a private overlay for cellular systems that protects user privacy by strictly separating equipment identity from user identity. The proposed overlay requires the addition of a Public Key Infrastructure (PKI) [10]. The PKI provides the network and all subscribers with a public encryption key and a private decryption key. With this addition, a private overlay to the existing cellular infrastructure can be established as described below.

[u] Jeff Pool, Innopath, private correspondence. These areas are further reduced if the cell has multiple sectors.
The scenario assumed here is that of a cellular telephone with standard capabilities to which has been added the ability to operate in a private mode, a private mode in which the service provider is unable to associate location data for the phone with a specific user. The private mode is predicated on a private registration process, which is enabled by having the network transmit once a day (or at some suitable interval) an identical certification message to each authorized subscriber. The certification message that is sent to each subscriber is encrypted using that subscriber's public encryption key.
When the user enables the private cellular mode, the cellular platform sends a Privacy Enabling Registration (PER) message to the network. The PER, consisting of the certification message and a Random Equipment Tag (RET), is encrypted using the network's public encryption key. The certification message acts as a zero-knowledge proof, showing the network that the PER was sent by a valid user, but without actually identifying the user (we will address the problem of cloning in a moment). The RET is a random number that will be entered into the VLR and the HLR and treated as if it were a phone number. The VLR and the HLR will thus collect all of the information needed to establish and maintain phone calls to the cellular platform, but will not associate this information with a particular individual or phone number. So long as the user chooses to remain in private cellular mode, subsequent registration messages will include the RET as opposed to the user's telephone number.
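The certification and PER exchange described above, as an added example that is not from the paper: a Go simulation in which the network encrypts the daily certification message to a subscriber's public key, the handset returns the certification message together with a fresh RET under the network's public key, and the MSC verifies the certification message and enters only the RET and cell site into a VLR-style table. The names Network, IssueCert, BuildPER and AcceptPER, the 32-byte certification message and the 64-bit RET are assumptions, and RSA-OAEP stands in for the public-key scheme the paper leaves unspecified.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Network models the operator (hypothetical): key pair, today's certification message, a VLR keyed by RET.
type Network struct {
	Key  *rsa.PrivateKey
	cert []byte            // identical for every authorized subscriber
	VLR  map[uint64]string // RET -> current cell site ID; holds no user identity
}

func NewNetwork() (*Network, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	cert := make([]byte, 32) // constructed daily certification message
	rand.Read(cert)
	return &Network{Key: k, cert: cert, VLR: map[uint64]string{}}, err
}

// IssueCert is the daily message, encrypted to one subscriber's public encryption key.
func (n *Network) IssueCert(sub *rsa.PublicKey) ([]byte, error) { return rsa.EncryptOAEP(sha256.New(), rand.Reader, sub, n.cert, nil) }

// BuildPER (handset): recover the certification message, draw a fresh RET, encrypt cert||RET to the network.
func BuildPER(sub *rsa.PrivateKey, encCert []byte, netPub *rsa.PublicKey) (uint64, []byte, error) {
	cert, err := rsa.DecryptOAEP(sha256.New(), nil, sub, encCert, nil)
	if err != nil {
		return 0, nil, err
	}
	var ret [8]byte
	rand.Read(ret[:])
	per, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, netPub, append(cert, ret[:]...), nil)
	return binary.BigEndian.Uint64(ret[:]), per, err
}

// AcceptPER (MSC): a matching certification message proves an authorized subscriber without naming one.
func (n *Network) AcceptPER(per []byte, cellSite string) (uint64, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, n.Key, per, nil)
	if err != nil || len(pt) != len(n.cert)+8 || !bytes.Equal(pt[:len(n.cert)], n.cert) {
		return 0, errors.New("PER rejected: not from an authorized subscriber")
	}
	ret := binary.BigEndian.Uint64(pt[len(n.cert):]) // only the RET and the cell site are recorded
	n.VLR[ret] = cellSite
	return ret, nil
}
```

A run is NewNetwork, IssueCert for the subscriber's public key, BuildPER on the handset and AcceptPER at the MSC; afterwards the VLR maps the RET to a cell site with no field that names the subscriber, and a PER carrying a certification message from any other day or network is refused.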
Call setup, mobility management, and roaming will all be handled exactly as before, with the difference that the HLR and VLR location information is associated with the RET, as opposed to a phone number. Data calls can be kept private by associating the RET with a temporary IP address.[v]
Incoming calls require that calling parties know the RET. In order for the RET to be associated with the correct HLR, it will also be necessary that the calling party identify the service provider that serves the called party. The user in private cellular mode must thus distribute, using public key encryption, his or her RET and the identity of the service provider to those parties from whom he or she would be willing to receive a call.