IEEE SYSTEMS JOURNAL, VOL. 7, NO. 2, JUNE 2013 211 Reclaiming Location Privacy in Mobile Telephony Networks—Effects and Consequences for Providers and Subscribers Klaus Rechert, Konrad Meier, Richard Zahoransky, Dennis Wehrle, Dirk von Suchodoletz, Benjamin Greschbach, Sven Wohlgemuth, Member, IEEE, and Isao Echizen Abstract —Mobile telephony (e.g., Global System for Mobile Communications [GSM]) is today’s most common communica- tion solution. Due to the specific characteristics of mobile commu- nication infrastructure, it can provide real added value to the user and various other parties. Location information and mobility pat- terns of subscribers contribute not only to emergency planning, general safety, and security, but are also a driving force for new commercial services. However, there is a lack of transparency in today’s mobile telephony networks regarding location disclosure. Location information is generated, collected, and processed with- out being noticed by subscribers. Hence, by exploiting subscriber location information, an individual’s privacy is threatened. We develop a utility-based opponent model to formalize the conflict between the additional utility of mobile telephony infrastructure being able to locate subscribers and the individual’s privacy. Based on these results, measures were developed to improve an individual’s location privacy through a user-controllable GSM software stack. To analyze and evaluate the effects of specific sub- scriber provider interaction, a dedicated test environment will be presented, using the example of GSM mobile telephony networks. The resulting testbed is based on real-life hardware and open- source software to create a realistic and defined environment that includes all aspects of the air interface in mobile telephony networks and thus, is capable of controlling subscriber–provider interaction in a defined and fully controlled environment. Index Terms—Critical infrastructure, Global System for Mo- bile Communications (GSM), mobile communication, mobile telephony, privacy, safety, security, testbed, ubiquitous commu- nication network. I. Introduction D IGITAL wireless telephony networks have become a core communication infrastructure in the past 15 years. Global Manuscript received October 1, 2011; revised July 7, 2012; accepted August 14, 2012. Date of publication February 25, 2013; date of current version April 17, 2013. K. Rechert, K. Meier, R. Zahoransky, D. Wehrle, and D. von Suchodoletz are with the Department of Computer Science, Albert- Ludwigs University of Freiburg, Freiburg im Breisgau 79085, Germany (e-mail: klaus.rechert@rz.uni-freiburg.de; konrad.meier@rz.uni-freiburg.de; richard.zahoransky@rz.uni-freiburg.de; dennis.wehrle@rz.uni-freiburg.de; dirk.von.suchodoletz@rz.uni-freiburg.de). B. Greschbach is with the School of Computer Science and Communi- cation, Royal Institute of Technology, Stockholm 10044, Sweden. (e-mail: bgre@kth.se). S. Wohlgemuth and I. Echizen are with the National Institute of Informat- ics, Chiyoda-ku, Tokyo 101-8430, Japan (e-mail: s.wohlgemuth@sirrix.com; iechizen@nii.ac.jp). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/JSYST.2013.2241357 System for Mobile Communications (GSM) and its successors have significantly changed the communication landscape both in developed and, with only a slight delay, in developing mar- ket economies by far outnumbering landline connections (e.g., in Germany [1]). With over three billion subscribers, mobile communication networks are a significant driving force behind economic growth by introducing new services such as mobile learning, exchange of market information, and micropayments. Mobile telephony and data are a crucial part of today’s communication infrastructure; moreover, they contribute to security and safety. The mobile telephony network and its physical characteristics help locate mobile phone users in cases of emergency 1 and may be a valuable tool for search and rescue [2]. For instance, Bengtsson et al. [3] analyzed post- disaster population displacement using SIM-card movements to improve allocation of relief supplies. Furthermore, location information gathered through mobile telephony networks is now a standard tool for crime prosecution and is used by the EC Data Retention Directive with the aim of reducing the risk of terror and organized crime [4]. In addition, commercial services are based on the availability of live mobility patterns of large groups (e.g., for traffic monitoring 2 or location- aware advertising [5]). Thus, location information of network subscribers might be passed on to third parties. Usually, subscribers are neither aware of the extent of their information disclosure (just by carrying a switched-on mobile phone), nor of how the collected data are used and by whom. Law enforcement and commercial agencies exploiting movement patterns have two options for utilizing location determination of mobile telephony networks: an active and a passive method. While active positioning yields immediate and more accurate results [e.g., through uplink time difference of arrival (U-TDOA) [6]], there are additional costs involved (e.g., network utilization) and thus, an incentive and dedicated target is required. Hence, active GSM positioning methods are not suitable for location tracking of masses. On the other hand, with passive location determination techniques, all required information is generated during normal communication with 1 FCC Enhanced 911 Wireless Service, http://www.fcc.gov/pshs/services/ 911-services/enhanced911, September 18, 2011. 2 For instance, Vodafone Germany, http://www.vodafone.com/content/index/ press/local − press − releases/germany/2008/tomtom − and − vodafone.html, September 18, 2011. 1932-8184/$31.00 c ⃝ 2013 IEEE