Privacy on steroids: Phone automatically changes its identifier every 24 hours to prevent tracking
Cape, the privacy-focused mobile carrier, has opened its IMSI rotation feature to all subscribers starting Wednesday. Now, every 24 hours, phones will automatically change the hidden identifier that networks have long used to track them.
-
Cape’s mobile service now automatically changes a phone’s IMSI every 24 hours, blocking carriers, hackers, and spy tools from tracking you.
-
Previously limited to high-risk users, it now works by default on popular iPhones and Pixels, with the option for on-demand rotation in sensitive situations.
-
IMSIs are drawn from a random pool of millions, ensuring no consecutive repeats and making network tracking or prediction nearly impossible.
Known as your International Mobile Subscriber Identity, your “IMSI” is a unique 15-digit number assigned to a mobile subscriber and stored on the phone’s SIM card, essentially telling your cellular network who a device belongs to for network authentication, service delivery, and handovers between cell towers.
For decades, IMSIs have remained fixed, meaning that every time a phone connects to a network or cell tower, it reveals the same number.
That consistency gives networks – and anyone with access, for that matter, including hackers, surveillance tools, and even the government – the ability to track a device’s location and usage over time, creating a detailed record of a person’s movements and communications.
“Identifier rotation will change the rules of the game and become a new standard in mobile telecom,” says Cape CEO John Doyle.
Furthermore, Doyle predicts IMSI rotation will reset expectations about the privacy compromises he says “people have been forced to accept in exchange for cell phone service.”
“Historically, using cell phone service meant getting tied to a static, trackable identity. Now that there’s an option to opt out, I believe that many people will take it,” Doyle explains.
IMSI threats you didn't know existed
To better illustrate the privacy concerns, cellular carriers can associate IMSIs with movement patterns, calling behavior, and usage habits.
Additionally, governments can request records linked to an IMSI and use surveillance tools known as IMSI catchers – fake cell towers used by law enforcement and other bad actors – exploiting the fact that phones can readily identify themselves to any network that asks.
According to Cape, with access to your IMSI:
- Carriers can profile your behavior, sell it to third parties and ad networks, or lose it in breaches.
- Governments can subpoena records associated with your IMSI, sometimes even without a warrant.
- IMSI catchers (“Stingrays” or fake base stations) can trick your phone into connecting, capture your IMSI, and use it to track you or intercept traffic.
- Attackers can launch SS7 and other signaling attacks once they know your IMSI.
Proving the risks are anything but hypothetical, in 2011, German politician and privacy advocate Malte Spitz obtained tens of thousands of location records tied to his IMSI after suing his mobile carrier.
In fact, the dataset showed his movements reconstructed with near-minute precision, demonstrating what privacy researchers had long warned of: that mobile networks generate a continuous, intimate log of a user’s daily life.
So much so, that even Cybernews' own Chief Editor Jurgita Lapienytė wrote a first hand account on the matter after observing her own cell phone's questionable behavior last year.
The evolution of “privacy-first”
Now, IMSI rotation is not necessarily new to Cape. It has previously existed as part of Obscura, a more specialized mobile plan aimed at high-risk users.
And more recently, Cape partnered with the Electronic Frontier Foundation to launch a program offering its services for free to journalists, activists, human rights defenders, and domestic abuse survivors.
“Originally available as 'Rotate Now,” it did not work by default – customers had to preconfigure their next IMSIs, and now this is all automatic,” Doyle says about the product’s evolution.
And although rotation frequency could be customized, Doyle says they found users confused about how to use the feature, for example, how often rotation should occur or whether changing it too frequently might cause problems.
No longer requiring any advanced configuration, the new rollout has simplified the model, with IMSI rotation happening every 24 hours by default, as well as the option to rotate immediately (more on that below).
Doyle says the daily change aligns with the threat model most people need.
“It’s frequent enough to disrupt persistent tracking, but not so frequent that it would look unusual,” he says.
Cape says the IMSI rotation feature is designed for privacy-conscious individuals who want to prevent telecom operators and other third parties from tracking their location and profiling their digital behavior.
In addition to those mentioned previously, this can also include travelers seeking to avoid foreign surveillance, crypto investors attending high-risk events, and executives, lawyers, and others handling sensitive information.
How Cape's IMSI rotation works
Cape’s Identifier Rotation automatically rotates your IMSI on a daily basis, and also allows you to change your IMSI on demand at the tap of a button within the Cape app, the company states in its announcement.
"There are millions of IMSIs in our pool, which are unique to Cape, and they are randomly assigned. Specifically, you get seven IMSIs per week, and at the end of the week, those seven are returned to the general pool, and seven random ones are selected for the next week,” Doyle told Cybernews about how the service works.
Doyle also made clear that “there is no reuse of the same IMSI over two consecutive weeks and there is no way to predict which IMSIs you’ll have in future weeks due to the randomization."
When asked about the likelihood of a threat actor hijacking or hacking the assignment process, Doyle reiterated that all IMSI numbers are randomly assigned, so there is no predictable algorithm to exploit.
“The IMSIs are randomized, and the chances of repeating two consecutive IMSIs are a fraction of a fraction of a percentage point, Doyle explained, adding that the percentage was purposefully considered.
“It’s higher than zero because we want to avoid keeping a history or log of prior IMSIs in our backend, which would be the only way to prevent a repeat,” he said.
What’s even more exciting – at least we think so – is the user’s ability to change their IMSI manually if the individual feels they are in a precarious situation, "effectively makes you appear as a different person on the network each and every day."
"You can also choose to rotate your IMSI manually from the app, which you may use in high-risk moments like crossing a border or attending a protest," Cape states, noting that the device will "simply cycle to the next IMSI in your weekly set."
Although currently in beta, Doyle says future versions will include a scheduling feature that allows subscribers to customize when the daily rotation occurs.
The “Standard Cape” consumer service now works on most popular iPhones and Android devices, something Doyle had mentioned was a major deterrent for some, especially loyal Apple users.
Currently, Cape says the Identifier rotation specifically works on iPhones 11-15 and Google Pixel devices, including those running on the private and security-focused GrapheneOS operating system.
“Our next priority is making it compatible with more phone models,” Doyle says.
