I've been using my Google Voice number for something similar. But Cape doesn't specify if/when these numbers are rotated in any way - you have three numbers to track now, and you can't retain these numbers if you switch services.
It's probably worth calling out that this is an experimental feature, and we are happy to get any and all feedback on things we can build out around them.
They are real numbers, not VOIP. That can matter depending on what they are used for and if the entity you are expecting a message from blocks sending to VOIP numbers.
The numbers don't rotate like our identifier rotation. They are yours. You can choose to delete a secondary number in the app, and if you have less than two, create a new one after 30 days.
I’m a skeptic. It’s only been a handful of years since Anom was backdoored by the Feds. The surveillance data provided by cell phones is simply too good to let someone work around it
This Anom comp comes up a lot. It's super hard to prove a negative, so no matter many how times I say "Cape is not a honeypot," the critics will just respond "that is exactly what a honeypot would say."
We're working on some ideas to address this with audits etc, but it will always be tough. However, if you like the idea, and like the features, then maybe it is worth your time to do the work and get comfortable with the company. Because we're the only ones providing some of these features, and we have a lot more in the hopper still to come. I hope we can win your trust at some point.
Good luck! It's a tough sell and some people won't accept that there are people from the defense sector that really care about the Constitution. Transparency is proly your best friend. But once you sign a Qualcom or carrier NDA, you are pretty tied-up as far as open-sourcing things or transparency, I'd imagine. Still, keep up the good fight!
I have no particular reason to trust that you aren't a honeypot but I'd like to point out that I also have no particular reason to trust that any other cell service provider isn't. In fact given the recent e911 location data sale scandal I generally assume that all of them are.
Even if it turned out that you were in fact a honeypot, protection against SIM swapping and encrypted voicemail presumably both provide security benefits regardless.
It's similar to the situation with VPN providers. The provider could literally be the NSA themselves and I'd _still_ most likely see security benefits from using it (unless the NSA happens to be my adversary of course).
The issue I’m having is that the morals of someone who would work for a planteir and people who would be in the military are not the morals of people who are advocates, or even might have a moral understanding, of the importance of privacy. I can imagine you creating the service because you see the market demanding this privacy, but what bothers me is that you worked for these companies in the first place.
Like others explained here, it’s amazing that you didn’t know these problems existed before you worked for at Plantier. If you could explain your migration from delusion to insight in a personal way of that might help me a bit more. In fact, if you said Plantier was an evil company, I might have even more faith.
If someone elsestarted this company who had a long history in privacy outside of the government, my take would be a lot different. In my humble opinion, I think you don’t really care about privacy. You’re just taking advantage of a market niche. And what can I say but that’s capitalism so good luck.
It would be better if you used your inside knowledge to fight for laws banning these practices by all the telcos.
You don't have to prove a negative, but if you want real trust from actually paranoid people, you will have to give up keys to the kingdom and work hard for it.
All your software/hardware would need to be open source, you would need to be regularly audited by neutral third-parties, actively work with the community to provide paranoia-level ongoing transparency reports and continuous improvements that the community wants to see, be willing to adopt many suggestions given by smart people, and just in general stop using your words to tell people you're serious, and use your actions to show it.
If someone says they are skeptical of XYZ, ask them what they would accept as proof, and then provide it.
I use Cape every day on my iPhone. The service is excellent, and the security features haven't ever interfered with my use of the phone. They have a convenient mobile app for setting up extra features like the IMSI rotation and getting support. As a tech savvy user, it matches what I want.
I'm a target for a variety of things, and knowing that no one can SIM swap me is worth the subscription alone. The SS7 protections, encrypted voicemail, secondary numbers, IMSI rotation, etc are all a bonus.
You would be better off hosting your “phone number “at Twilio and then forwarding that number to a throwaway SIM card that nobody knows the number to.
Your “phone number “that people interact with cannot be hijacked with SS7 because it’s not a real number… you’re immune to sim swaps … And you can Jettison your physical phone and SIM card at any time with no penalty.
As a bonus, because your actual phone number is now programmable you can do interesting things like set up a SMS firewall. You can, for instance, collapse all incoming text messages to ascii-256. Or truncate their overall length. Or CC your incoming SMS to a dedicated mailbox.
I have operated like this since 2016. I have no idea what my physical SIM phone number is and neither does anybody else.
"Identifier (IMSI) Rotation", "Secure Global Roaming" and "Network Lock" do look interesting *IF* they can actually address some of the baseband vulnerabilities that plague all modern devices. That's a Big If.
SIM Swap Protection you already get by using a VoIP number rather than a cell number.
And the other features are irrelevant if you're using over-the-top end-to-end encrypted messaging, like Signal, rather than Plain Old Telephone Service and SMS.
They built their own mobile core, does that help with resolving your "Big If"? I'm not a cellular guy, I don't know which pieces of the stack cover which attack vectors: I'm genuinely asking.
Do they own the enodeBs or the RAN? How many hops does it take to get to their core? Not sure how MVNO works maybe they have encrypted VLANs to their systems. Not a RAN guy.
We don't own eNodeBs/gNodeBs (the RAN). We operate as an MVNO. It is worth calling out that we operate as a full MVNO though, which is different from many MVNOs in the US currently, who tend to fall on the lighter end of the MVNO spectrum.
The primary difference is we run our own mobile core entirely.
Can you elaborate on the hops question? Not sure I quite understand what you're asking since there are a few ways to interpret "hops".
> They built their own mobile core, does that help with resolving your "Big If"?
Not really, but I too am uncertain about how to think about it.
Here's my long-winded but still limited understanding of the main vulnerabilities that are unique :
NETWORKS: If I build a network, and I build it out of switched Ethernet, and I control the premises completely, then I can generally trust that the data flowing through it isn't being secretly logged or tampered with. Moving away from this simplicity, my distrust of the network increases rapidly.
A cellular network is pretty much the opposite of this simple one-man, one-room, wired network, so I distrust it completely.
There is only one credible solution here: all traffic over the network must be end-to-end encrypted and authenticated. That means TLS/DTLS/QUIC/ESP/Wireguard with key-pinning and/or correctly implemented and maintained PKI. Assume that any and all traffic that is not E2E-encrypted and authenticated is subject to some combination of mass surveillance and/or individually-targeted attacks.
CELLULAR DEVICE HARDWARE: For historical reasons, modern smartphones contain [at least] two CPUs:
1. The main "application" processor, an ARM64 SoC running an OS and applications made by Google or Apple. They've put substantial efforts into hardening these OSes and applications against remote attacks.
Whether they're doing "enough" is another question; whether you should trust them is another question. But they're at least trying pretty hard to prevent rando malware-for-hire attackers from pwning your device via over-the-air vulnerabilities.
2. The "baseband" processor, a ghastly fossilized thing that runs a stack of overly-complex firmware dating back to 2G days, and controls access to the cellular network. It is probably developed by Qualcomm, which along with Samsung has a near-monopoly on baseband processors for modern devices sold outside of China. Qualcomm in particular is litigious and complacent about security issues (https://news.ycombinator.com/item?id=38620067), and almost everything about the processors and their firmware are closed-source and non-public.
The baseband processor is insecure both due to inattention, as well as treachery. The end user of the device does NOT control it in the way that the end user controls the main processor. Some nebulous combination of the baseband vendor, the carrier, and the government controls it (e.g. https://news.ycombinator.com/item?id=46848303).
So the baseband processor is an untrustworthy thing that should be walled off from the rest of the system, and only allowed to communicate with the rest of it via narrow and well-defined interfaces. However, this was not the case for many years: the baseband processor has had way too much access to the system.
In recent years, this situation has improved somewhat: recent Pixel devices with Google Tensor SoCs (and maybe others) have the baseband isolated via an IOMMU. https://grapheneos.org/faq#baseband-isolation
---
Okay, so can "Cape" do anything to assuage my concerns about _any_ of the above issues? Honestly, not very much. ¯\_(ツ)_/¯
Cape can't increase my trust in the cellular network. Cape can't increase my trust in the baseband processor on my device.
Cape can only do a couple things to make the baseband and the network Slightly Less Evil: shuffle IMSI frequently to prevent IMSI-based tracking, and don't let random scammers call up and SIM-swap me.
IMSI tracking is a consequence of how baseband devices communicate over-the-air, just as WiFi MAC address tracking is a consequence of how 802.11 devices communicate over-the-air.
And it's definitely a vulnerability, because it's used to track end users and reduce their privacy.
So it IS a baseband vulnerability. And IMSI randomization mitigates it to some degree, just as WiFi and Bluetooth MAC randomization mitigate tracking via those identifiers.
I’m arguing that just because a baseband processor is involved that doesn’t mean IMSI tracking is a vulnerability of the baseband processor itself. IMSI provisioning and randomization cannot be done without cooperation with the network operator and has nothing to do with the baseband processor itself.
>do look interesting IF they can actually address some of the baseband vulnerabilities that plague all modern devices. That's a Big If.
Baseband vulnerabilities are overhyped, imo. On proper phones (eg. pixels), their access to memory is restricted by IOMMU, which protects the rest of the phone from being compromised if there's some sort of an exploit. Once that's factored in, most exploits you can think of are "on the other side of the airtight hatchway[1]". For instance if you can hack the baseband to steal traffic, you should probably be more worried about your carrier being hacked or getting a lawful intercept order. Or if you're worried about the phone triangulating itself, you should probably be more worried about your carrier getting hacked and/or selling your location data.
... because that's literally the IOMMU's job? Why should we trust the TPM or the CPU or a YubiKey or anything, really? I don't completely trust any of it but to get anything done you have to trust something at some point.
> Baseband vulnerabilities are overhyped, imo. On proper phones (eg. pixels), their access to memory is restricted by IOMMU, which protects the rest of the phone from being compromised if there's some sort of an exploit.
Doesn't Google require all new Android-branded devices to isolate the baseband from the Android OS and applications?
I swear I read this somewhere in the last few years, though I can't seem to find any clear reference to it now. Hmmm.
> For instance if you can hack the baseband to steal traffic, you should probably be more worried about your carrier being hacked or getting a lawful intercept order.
Everything should use TLS/DTLS/QUIC, and an up-to-date PKI for obligatory certificate validation, otherwise I assume it's already being MITM'd by the NSA, every other three letter agency on the planet, corporate firewalls, and my ISP.
Are there solid VoIP providers that aren't detected by 2FA SMS services? I can't use my Google Voice for a decent chunk of sign-ups because it is detected (and rejected) too easily. I hate getting spam, so I try to keep my primary phone number only for friends and family.
Use sms verification services that spammers use. They're implemented by using banks of sim cards placed in some apartment somewhere, so it's as "real" as it can get.
Objectively, it gets even worse in regions where Google voice isn't available. The only options seem to be online SMS portals where a relatively small set of numbers are shared across many users.
If anyone knows of a good, secure VoIP provider outside of the US I'd be keen to hear about it.
VoIP.ms works great in both the US and Canada. (I believe it started here in Canada.)
Also, many Canadian financial institutions (including the CRA, Wealthsimple, and BMO) work fine with US phone numbers for 2FA… including Google Voice, in my personal experience. https://www.reddit.com/r/Googlevoice/comments/1c571kw
VoIP.ms is hard to port into and out of, I've repeatedly seen them drop part of the account number when transferring a number, then drag their feet for days thereafter on resubmitting the port.
Always ask for the Port Order Number (PON) so you can follow up with the other carrier to see what they received from VoIP.ms
Serious question, what services are you using that this isn't a deal breaker for you? And why isn't it?
Most services either don't have a legitimate interest in my phone number (so they can get bent) or they do have a legitimate interest in which case not accepting my phone number means they aren't doing their #$&^ job (so they can get bent).
It helps that the only services I'm willing to provide my phone number to are those that already inherently involve my PII. Banks, online shopping, etc. So if they won't accept whatever I give them I'll take my business to a competitor.
I've used my Google Voice number as my primary number for ~15 years at this point. (I use my "real" phone number so little that I have trouble remembering it.)
I've had almost no problems using my GV number for 2FA. Venmo is literally the only service I've ever used that won't accept it for 2FA… and now Venmo offers non-SMS based alternatives, which is good because SMS-based 2FA is the reason that the SIM-swap attack is worth doing.
Google Voice is requiring ID verification now, and porting your phone number out is difficult as they charge an unlock fee and you get to deal with Bandwidth.com's port out shenanigans as they are the real underlying carrier for Google Voice.
>Know Your Customer regulations require the company to … know the customer
Which KYC regulations exist for carriers? AFAIK you can walk into any store and get a SIM card. The most they ask for is maybe E911 which they don't check.
You don't need an ID to buy a SIM in UK? I remember not needing one a long time ago but in recent years was asked for one.. maybe not a law? irregularly applied?
Carriers both land/VoIP and wireless must attest to having fraud mitigation measures; this is the "Robocall Mitigation Database" and in Cape's record they exempt themselves from STIR/SHAKEN attestation but state they have measures to prevent fraudulent calling. (which is required for them to be permitted to operate)
What kind of measures are possible to prevent fraudulent calls when the caller is your anonymous customer? The answer is obviously "none," unless you respond to every complaint by terminating service of the offending customer and hoping they don't come back.
> What kind of measures are possible to prevent fraudulent calls when the caller is your anonymous customer?
Presumably some fairly basic heuristics would be sufficient. Robocalling isn't economically viable if you only get a few calls per subscription. You need to place (I assume) at least thousands of calls per day per subscription for it to even begin to make sense. Any account doing that is going to be blindingly obvious provided you have even 30 minutes worth of logs.
I can already walk into Walmart and purchase a cheap prepaid device with cash. That's pretty close to anonymous.
I think the regulations have some loopholes for domestic use, but one I don't know how they can really get around is for international roaming, as other countries have far stricter KYC laws.
Domestically you can buy a Tmobile or Cricket with a pre-paid visa cash card and a gmail address (no ID required), but they won't work outside the US.
You can sign up for US mobile service, which is a Verizon MVNO, right this moment with no personally identifiable information at all.
Remember: neither the visa nor MasterCard payment networks have any support for customer name. Everyone pretends that they do, but they do not. In the absence of an additional security layer like “verified by visa “there is no way to verify cardholder name.
You might check out who the CEO is here and how he runs the company and then consider whether you'd trust them. And look at the infra providers they use. Not what I would call the most upstanding bunch.
This probably doesn't cover what OP said, but after reading the CEO's intro post, I left a little more depressed. Make money off surveillance, and then make money off selling a privacy product.
> At Palantir, where I started in technical roles more than 10 years ago, I learned about a wide array of vulnerabilities in the cellular network that present a threat not only to mission-focused organizations in government, but also to everyday people. I came to see mobile phones — and the networks that power them — as perhaps the largest risks to our privacy and security.
> If you told Americans twenty years ago that corporations and governments would conspire to attach powerful tracking devices to nearly every adult worldwide, it would’ve sounded like science fiction. And yet, that’s not far from where we are today.
Great question. The product is basically the same-- it's a cell phone network and we sell connectivity to it.
A helpful thing to keep in mind is that everyone has basically 2 use cases for their cell phones:
1. Send and receive calls and SMS
2. Connect to the internet
Whether you're a national security professional, an investigative journalist, or an average consumer who values privacy, that's what you do with your phone. So if we can build features that make you more secure and more private across those two use cases, we have a product that can help both government and consumer users.
Sometimes when people ask the "conflict" question they mean some version of "but doesn't the government then ask you for a backdoor to get all the data?" All we can really do here is stand by our privacy policy. We store the minimum amount of data possible, we promise not to sell your data to anyone, we notify our users if we receive legal process on their account that is not subject to a gag order, and we pledge to push back on any law enforcement request we receive that is not well formed and narrowly tailored as required by law.
The backdoor/honeypot fears are often related to the Anom story that came out a few years ago. It's not a perfect rebuttal, but the reporter that broke that story has written about Cape a couple of times. You can read those articles here:
Hey, John Doyle here (CEO of Cape). I'm happy to dig into how I run the company, or the infra providers we use. I actually think we're pretty upstanding! If there are questions I can answer that will put your fears to rest, let me know.
Can you please respond with a full throated opinion of what Palantir is today? This seems to be what everyone is thirsting for and what you are perhaps inadvertently dancing around.
I'm 4 years removed from the company at this point, so any opinion I could offer would not be much more than any rando on the internet reacting to news stories.
They're a US mobile telco, a warrant canary wouldn't last a year here. That's not, on the surface, a useful differentiator between mobile service providers. Did you have a specific kind of warrant canary in mind that would act as a differentiator, or is there some aspect of warrant canaries I've overlooked that makes them meaningful for US telecoms that are governed by US federal and state laws, or..?
This is correct. We talked about canaries a bunch internally and came to the same conclusion-- not really worth it in this context (but please do offer up a model that makes sense if you see one).
I came to the conclusion the best we can do is what you see in our privacy policy: we notify our users when we're served with legal process that is not subject to a gag order, and we pledge to push back on any law enforcement request we receive that is not properly formed or narrowly tailored as required by law. I'd love input/ideas on how to be stronger here.
Do not fall for a word of this. If you've spent any time dealing with actual SIP providers (ie not the shit you'd hook an app up to, the ones debt collectors use), you'll know exactly how much you can trust them. Same difference
I have a conflict of interest here (I am an advisor to Cape, also a security expert, and my company has done security audits for Cape), you should absolutely look more deeply into what Cape has created. Their service is fundamentally different than other "security-focused cell providers" (mostly snake oil IMHO) because Cape wrote their own mobile core, nearly from scratch. They control the whole software stack and have done really innovative things with it.
Here are a few things you might want to look at more closely:
Peel really only protect your privacy at the level of purchase. Not associating your name address or any other data with your phone number. Cape seems to be doing something far more technical so that no one can locate you by your phone number using ordinary triangulation.
It's a pretty obvious honeypot. They're promising privacy even though they can't realistically provide it. The whole thing has ties with American surveillance companies. It's Operation Trojan Shield all over again.
> Enjoy unlimited high-speed data; after 50GB, speeds may slow to 256 kbps.
Last I checked 256 Kbps is not high speed. You can advertise this as unlimited data, or you can advertise it as 50 GB of high-speed data, but you can't call it unlimited high-speed data.
It's not. We chose this baseline sort of by default based on the practices of some other major carriers. Your question is a good one, and we'll take it as feedback.
I would be a lot less worried about signing up for that plan if I could soft-cap myself at 10GB until I login to the app and push a button that says "yeah for real I'm going to use another 10GB of mobile data", so that if iOS goes bonkers and tries to download my entire 90GB iTunes library over cellular, it doesn't fuck me over for a month. I haven't exceeded 7GB/mo intentionally for years, but it's happened twice so far against my express wishes, and carriers are uniformly awful at that.
This is good feedback. We don’t want caps and throttling to be a blocker for signing up and using us. Since we’re at a premium price point we should economically be able to be a lot more generous than existing carriers.
I would like to try Cape. How do guys deal with IMEI tracking from folks like Google when i search or use their email? Or that one is beyond your control?
Yeah. As a olde ex-carrier type person, I want burst mode unlimited, I expressly do not want continuous saturated unlimited, if that makes any sense. So if you tune the service to warn me “you’ve used 10% of your cap in five minutes so we’ve slowed your service down temporarily, respond with YES if this is intentional and we should speed it back up, otherwise it’ll reset in the morning”, that would be an example of best in category service that’s on my side rather than the carrier’s overage fees profit line item.
I don’t mind that you have caps, I consider caps to be a marketable form of 90th percentile billing to consumers, so please don’t take this as “remove all caps” — but definitely find an in-between that’s more nuanced than “you reach arbitrary threshold 50G at 1gbps 5G and so it only took 8 minutes and 40% battery, too bad so sad now your entire month of data is at DSL speeds”. (This sarcastic tone is not a critique of you! but of the general carrier practices that leave me worried about you.)
In a dream world my usage percentile for the past 30 days would be inversely proportional to my bandwidth speed so that momentary usage to download a software update had no meaningful impact, but running nonstop continuous data for four hours straight caused a measurable drop in bandwidth (which protects my battery and the network health). It’s not fiber-optic or fixed-installation wireless and I do respect the shared base antenna capacity problems!
Several years ago in the UK, giffgaff had a similar plan (throttled to 384 kbps after 80 GB throughput) which they called “always on”. I thought that was a good linguistic compromise.
A slightly different definition of “best” is Verizon’s Visible division. NO caps. Just slightly deprioritized speeds 100% of the time. Their website says 5Mbps speed cap at all times but I’ve tested 180Mbps and that was after using like 30GB on my hotspot. Basically all-you-can-eat (including the hotspot) with a risk that sometimes it’ll slow a little compared to others on the network, for $25/mo.
There's a real big difference between "one byte over the line and you're on a 56k modem" and "if you exceed your cap, you're deprioritized to last on the cell pole". The latter is how it should be implemented.
>Protect yourself from persistent tracking by rotating your IMSI every 24 hours, so you appear as a new subscriber each day.
But nothing for IMEI, which is fixed for a given device. Unless you got a new phone to use with this service, it can instantly be linked back to whatever previous service you're using. If we assume that whatever carrier they partner with keeps both IMEI and IMSI logs (why wouldn't they?) it basically makes any privacy benefits from this questionable. It's like clearing your cookies but not changing your IP (assuming no CGNAT).
The other benefits also seem questionable. "Disappearing Call Logs" don't really help when the person you're calling has a carrier that keeps logs, and if both of you care about privacy, why not just use signal?
They're asking $99/month for this, which is a bit steep. If you only care about the rotating IMSI, don't care about PSTN access (ie. no calls/texting), you can replicate it with some sort of data esim for much cheaper. The various e-shops that sell esims don't do KYC either.
Hi -- Head of Product at Cape. This is a good question. I will say up front there is no silver bullet for privacy on cellular networks given the way they were designed to interoperate. Our strategy is to offer many different protections that collectively make it harder for your activity to be tracked.
The details of what our carrier partners can see is in the table at the bottom of our privacy summary: https://www.cape.co/privacy-summary. We add noise to their data by doing things like rotating your IMSI daily and spreading traffic among multiple carrier partners. If the data is messy enough and not associated with your personal information, there should be less monetary incentive for the carrier to try to piece it together when they have an abundance of clean data with stable identifiers and verified personal information.
Additionally, with disappearing call logs, it's about reducing surface area. Fewer logs in less places.
It’s interesting that Apple is going down a similar path with hardware filtering location retrieval commands and neighborhood-level blurring on their C1 modems. Really awesome work from that team by making sure they’ve considered privacy as a first party feature for that chip.
How do you guys view the relative value of privacy/security at the network provider layer of the cell stack for the average user/citzen?
Even if Cape doesn’t retain metadata yourselves (eg LTE positioning info), is that data not still retained and repackaged by the tower owners themselves? Eg babel street, venntel, etc. A rotating IMEI every 24 hours might make it marginally more difficult for logical tracking, but there’s still only physically one location the phone can be in without fuzzing at the hardware level.
I should also say - I’ve been following y’all’s work for a while (and considered some of those early forward deployed engineer positions), but I’m struggling to see how this all works as a consumer product. Would be awesome to see an eventual partnership with Apple/Qualcomm to bring this to the hardware level since privacy is a tough nut to crack even at full MVNO.
Appreciate the shoutout. We love what Apple is doing in this area. There is a lot of room for them to help improve things at the modem/hardware/OS layer.
On the tower question, you’re right, we can’t control what data is collected by the tower owners. Like I said above our strategy is to add noise through a variety of methods that makes it harder (not impossible) for anyone collecting data to track you. We also give you multiple phone numbers. I think this stuff adds up and is a meaningful improvement over the status quo for most average user/citizens.
I like to use the organic food analogy. If given the choice, why not choose the carrier that is actually making an effort not to track you vs everyone else who clearly doesn’t care?
> It’s interesting that Apple is going down a similar path with hardware filtering location retrieval commands and neighborhood-level blurring on their C1 modems.
Are there any technical writeups on this yet? I agree, it’s really cool and would love to read about how they’re doing it
A sort of related question, is the user able to actually power-off the baseband carrier chip and still keep the phone powered on? I seem to recall there being some 911 regulations around that topic. But it might be a way to enable the user to at least disable that tracking vector, while still using the phone offline or via wifi?
This feature is called Flight Mode or Airplane Mode on most phones. You'll know if your phone implemented it this way because your battery life will go wayyyy up while in the mode.
I saw somewhere - it's not like "I know a friend" but literally read somewhere - IMEI is just configurable with standard cracked virus-loaded copies of QXDM :p
But realistically, none of that matters. You'll be the only one in 10 miles with this SIM that always uses an never-before-seen IMEI that connects to the exact same set of domains. That's some mall ninja stuff.
Carriers don't just log IMEI/IMSI, as well as last hop cell towers and your precise location, they need those information to route packets back to the phone. You can't establish TLS with bogus IP addresses. That's why people like Stallman or unnamed friend of a friend ex-CIA guys on Internet says cell technologies are evil mass surveillance tools.
Unfortunate that it doesn’t seem to support Linux phones. Phreely or Purism’s AweSIM would be a better fit for anyone running a non-Android/non-iOS setup. Hopefully they add this in the future.
based in Arlington, VA, is primarily funded by high-profile venture capital firms, including Andreessen Horowitz (a16z), which led their Series B, A Capital, Costanoa Ventures, ex/ante, Point72 Ventures, and XYZ Ventures.*
Arlington, VA ... is an interesting location that aligns with your guess. A similar situation happened some time ago with a drug cartel that thought they built their own private phones and phone network. I am not saying it's related, just feels similar.
So it's an MVNO mostly on the AT&T network with extra privacy features? I think it still all then comes down to how you use your phone and how much you can trust the whole pipeline. I use Credo Mobile which doesn't seem totally different. https://www.credomobile.com/our-story
Doyle here :) I'm very proud of my military service!
Prior to Cape, I led the national security business at Palantir. That experience was actually the catalyst for Cape. It’s where I first learned about the massive array of vulnerabilities that exist in our current cellular networks. I saw how those gaps impacted not just government organizations, but everyday people, and I realized that the mobile phones we carry every day are perhaps the single largest risk to our privacy.
I needed that experience to understand the depth of the problem, but once I left to start Cape, that connection ended. Cape has no ties to Palantir. We aren't a subsidiary, we aren't a "front," and we don't share data with them. The only thing we took from Palantir was the desire to fix a broken system. If you want to see me and some of the rest of our founding team talk more about this topic, you can watch this video on our Instagram page here.
Another related theory I’ve seen online is that Cape is a honeypot for law enforcement. Cape is not a honeypot. It’s so hard to prove a negative, but at least I can say it clearly and out loud: Cape is not a honeypot.
We are a group of individuals who deeply value privacy. That mission carries across everything we do, from our work with the US government and allies, to everyday people, and everything in between.
We partner with non-profits to support victims of domestic abuse who are facing cyber-stalking and digital harassment. https://www.cape.co/break-free
We are a young company growing exponentially, and we don't plan on slowing down. We know we have to earn your trust every day. The truth is, no one else is building a high-quality, first-class solution to these specific cellular problems. We are committed to being the ones who do it right.
Someone doesn't need to work for Palantir or the military to understand that cellular security is fundamentally broken and completely insecure.
That is a lot of highly polished for the camera media you dropped into that post. The way that you word things, such as "Cape is not a honeypot." but don't delve any deeper, to start, gives someone less than zero confidence or trust in your words.
I have seen enough in the industry to say that your words are meaningless.
John's account was throttled since it's new. Posting this on his behalf.
----
You're right that you don't need to do those things, but I would argue that my background made me uniquely situated to understand and care about these problems deeply enough to spend years of my life building a company in response.
I say "Cape is not a honeypot" a lot just so I don't appear to be mincing words. If you want to delve deeper on how we treat customer data, a couple of good resources are our privacy policy: https://www.cape.co/privacy-summary
Yikes, sorry guys (I'm a mod here). I've marked his account (and yours!) legit so this won't happen again.
It's my least favorite thing about HN that high-quality new accounts, such as founders jumping into threads about their work, sometimes get throttled by the software. Gah.
> but I would argue that my background made me uniquely situated to understand and care about these problems deeply enough to spend years of my life building a company in response.
Maybe but this line of argumentation also opens the door to more criticism. Anyone looking at Palantir from the outside only knows their reputation and involvement in unsavory projects before taking a job. You chose to take the job with that knowledge covering most of your field of view. You stayed to work for that company contributing to that kind of work. That's a signal that's brighter than the valuable experience you gathered there. Tech can be learned but the values needed to support or even tolerate Palantir's activities don't get easily changed.
The premise of your company pivots on trust, not technology, the same tech is known and available to everyone else too. And it's trust in you that you will do what you say, not that you can do what you say. The latter is a given, you clearly have the knowhow. The former is putting any promise in doubt.
> Cape routes your traffic through our US-based mobile core.
This sounds like an anti-feature when it comes to privacy or the paranoid.
> I say "Cape is not a honeypot" a lot just so I don't appear to be mincing words.
I appreciate you saying it but Crypto AG probably also said that a lot (figuratively).
> Cape does not keep this data.
Unfortunately you are limited in what you can do here. Having or processing this data for any amount of time, even without keeping it, puts you in the position to be compelled to provide it.
This is valid feedback and it’s on us to earn trust over time through our actions. I will say that Cape is a company of almost 100 people from many different backgrounds. Prior to Cape I spent almost a decade at DuckDuckGo. We’re a group of people that is frustrated with the status quo in the telco industry and want to do better.
One of the efforts we’re working on now is an audit of our data retention claims. We recently posted an RFC on Reddit if anyone from this community has input: https://www.reddit.com/r/CapeCellular/s/zTn7HQ0emo
We plan to continue to do more things like this that increase transparency and build trust over time.
What can be open sourced (GrapheneOS) already is, and the remainder is business logic that they have described for the MVNO that is likely carrier specific and tied to the oddball MVNO platform they are using.
Very hard to make the latter usable by anyone else IMO.
> The way that you word things, such as "Cape is not a honeypot." but don't delve any deeper, to start, gives someone less than zero confidence or trust in your words.
Hey thanks for the question! I was indeed an Echo. I loved my time in SF, and I learned a lot about being a good teammate and doing hard things in ambiguous environments, and a bit about secure comms. The first two will help at any startup, and the 3rd doesn't hurt at Cape...
Only you know if you want to jump into SFAS. I knew I'd always regret not doing it, which made the decision easy for me.
> Another related theory I’ve seen online is that Cape is a honeypot for law enforcement. Cape is not a honeypot. It’s so hard to prove a negative, but at least I can say it clearly and out loud: Cape is not a honeypot.
I'm sure you know this, but for others who may not: there's a history of splashy new mobile operators which promise security and privacy as their core feature, but turn out to be a front for law enforcement. https://en.wikipedia.org/wiki/Operation_Trojan_Shield is the preeminent example.
There are also people working in this space who are cranks and morons. In summer 2023, I had a phone call with the founder of a well-known startup founder from the dot-com era. He was trying to launch a privacy-focused cell network and messaging software. But everything about his approach was wrong, almost to the point of being an anti-solution to the problems he was trying to solve, as if he was totally unaware of the past 20-30 years' worth of learning about end-to-end encryption and mass surveillance.
He was also a conspiracy theorist: during our call, he repeatedly and unironically referred to a documentary film created by a well-known convicted felon and serial liar, as a source of credible information about the world.
> We also work with the EFF to provide investigative journalists and activists with free Cape service so they can do their work safely. https://www.cape.co/journalists-and-activists
There’s a chance this catches on with some folks with blacklisted IMEI’s due to a quirk on AT&T MVNOs where service works for a few days before getting halted per IMSI.
I'd like a service like yours that allows private signups and that works continuously to prove ongoing private operations. I don't need huge data plans, I'm fine with WiFi mostly. It needs to cost way less per month than your current pricing. It would be cool if you could find a way to serve people like me.
Appreciate the feedback, we’ll likely experiment with different plans down the road, but for now we’re focused on rolling out as much additional privacy/security value as we can to justify the premium price point.
I on the other hand am fine with the premium price... but it looks like I'd need to install a proprietary app to use the service. That's a 'hell naw' from me.
It would be more useful and beneficial to have a privacy oriented twilio than a privacy oriented carrier.
If we treat the carrier as adversarial, dumb pipes we can move the security and all of the capabilities into the cloud platform. A personal comms stack like this should be carrier-agnostic, phone-agnostic, sim-agnostic.
See my other post in this HN topic - I have done this since 2016 ...
eSIM, global, variable pricing per country with per-GB billing, anonymous crypto payments and no KYC. Although it seems to not have some of the additional security features of the OP.
Maybe have an onion web service and add direct Monero payment support. This will help privacy LARP'ers get into the mood. Truth be told, if you're paranoid by any measure and use a cell phone -> YNGMI. It's not cheap enough for average person to care and not private enough for ulta-paranoid to pay and use. The whole mobile infrastructure is utterly broken in terms of security and privacy so it's still refreshing to see any kind of attempt being made in this area.
FYI, I had to walk through the first dozen or so steps of the signup form to figure out that it's available in the US only. I suspected as much, but I figured I'd post it here, since it's not in their FAQ.
Hold on. Cell towers still know where the device is. If a group of people in an area have stable ismi’s and one person’s ismi is rotating daily, it doesn’t take a genius to figure out who’s now using cape. Using it for travel makes sense, but again being a device that doesn’t a have an owner is, as the kids say, sus.
It depends what your threat model is. Most telco data collection and resale is based on IMSI’s attached to KYC’d customers. If they can’t get personal information and the IMSI looks like it’s a day old, that data is inherently less valuable to data brokers. The large telcos have plenty of clean data with stable IMSI’s tied to KYC’d customers that is worth more.
Does cape use its own cell towers, or do they rely on third parties to provide the actual infrastructure? And if they do use third parties, are they sure that they aren't also storing data about the connected devices etc?
We don’t operate our own towers and as you point out we can’t control what someone there does. Our privacy and security model is to treat the towers as untrustworthy. This is why we do things like rotate your IMSI daily or split your traffic across multiple underlying network partners. We want to make any data that is collected noisy and less valuable to data brokers.
I have some questions about the "Last-Mile encryption" and "Encrypted Voicemail". Does Cape receive cleartext and resend it encrypted? What does this achieve? Integrity? Does the service drop unencrypted messages?
We receive in cleartext and encrypt with a key controlled by the customer. Most carriers store voicemail and SMS in cleartext on their servers. The goal is reduce exposure while preserving interoperability. This post on encrypted voicemail gets into more technical details about how it works: https://www.cape.co/blog/product-feature-encrypted-voicemail...
I know it'a a bit of a pivot but the following would make me move:
1/ eSIM activation outside the US
2/ The family plan is weird. My wife and I don't want to manage two separate bills.
3/ multiple eSIMs and numbers in different countries all within the one account (Germany in particular)
It’s rare to see an MVNO thread get into the weeds of the mobile core, but as a Full MVNO, Cape is essentially running its own sovereign telco infrastructure. From an outside perspective, they are definitely among the few who are treating the signaling plane with the proper level of scrutiny (they built their own signalling firewall)
But even with a proprietary core and a signaling firewall, Cape is still an island in a sea of legacy protocols and peer MNOs with different intentions...
I'd be interested to see how they are hardening the IMS (IP Multimedia Subsystem) and VoLTE/VoWifi stack. SIP signaling and RTP streams for voice are often unencrypted internally.
If Cape is applying their 'Network Lock' logic to the IMS layer, they could potentially mitigate SIP-level spoofing and voice interception that occurs at the interconnect.
Their 'Encrypted Voicemail' (using asymmetric keys on the device) is a strong signal that they understand the 'Last Mile' problem.
Also even if SEPPs are not really a thing, i'd be curious to know if they've started looking at this.
In the small world of telco security (disclaimer i work for P1Security), they are definitely working in the right direction. Any international ambition, particularly in EU, will be a tough sell though....
Mitigating SIP and TDM spoofing requires broad cooperation among every other Telecom provider. That doesn't exist today, you can't prevent people from spoofing your number.
First, I think we can learn some stuff from looking at how the US government actually operated its known honeypots to evaluate the likelihood of Cape being a honeypot.
First, when it ran Anom, it went out of its way not to collect data on persons inside the United States. U.S. Anom users never had any of their data captured by the FBI because it raised profound 4th Amendment concerns. Cape is operating in the U.S. and is seeking U.S. users. Typical U.S. honeypots are generally targeted abroad.
Second, the U.S. government has historically not used former military officers with ties to defense contractors as the people that built and operated the honeypots. With Anom, they co-opted trusted members of the secure phone community. The very fact that the company is very open about its founders is a pretty good sign that they are probably not a honeypot because they would not make a very good honeypot for the truly criminal element.
Third, Cape is incorporated in the United States and seeking U.S. users. In the process, it's making some fairly aggressive claims in its privacy policy and terms of service about its products that would subject them to breach of contract and fraud claims if in fact they were secretly not doing those things.
Fourth, the legacy telecoms have a long history of selling your data, secretly cooperating in national security programs of questionable legality, etc. It seems like Cape can't possible a worse option than the status quo.
1. Citation needed. People in the US were arrested under this operation though they were foreign nationals.
2. History matters until it doesn't. There was a time when the US did not perform science experiments on unsuspecting populations, too. The government does not get the benefit of the doubt when it comes to "past performance is not indicative of future performance".
3. We have seen sitting presidents pardon people for crimes they have yet to commit.
> First, when it ran Anom, it went out of its way not to collect data on persons inside the United States. U.S. Anom users never had any of their data captured by the FBI because it raised profound 4th Amendment concerns. Cape is operating in the U.S. and is seeking U.S. users. Typical U.S. honeypots are generally targeted abroad.
1. People in the US were arrested for using Anom (despite the 14th amendment protecting both citizen and noncitizen alike, at least in the case where the non-US person is on US soil).
3. Fair point, though if it is truly a government sting operation I don't think you can take them to civil court either unless authorized under statute right?
Why is this so much more expensive than other MVNOs? Mint Mobile, for example, is $30/m for unlimited. Most MVNOs can be funded anonymously, through in store purchases.
I believe for reasons Aromatic_War stated in a top comment above: they're actually doing novel stuff with their control planes, not just using what's already there like most MVNOs
This is right. Deploying our own packet core and IMS core, building our own BSS from scratch. All of this stuff is expensive (and hard). We're hoping to be able to bring the price down over time.
Guess I'm more paranoid than fairly. Id class this in a wait and see category maybe try it out on a secondary device for a trial run. You'd have to have the need to their services to justify the cost or just not care about cost.
jerlam | 23 hours ago
https://www.cape.co/blog/product-feature-secondary-numbers
I've been using my Google Voice number for something similar. But Cape doesn't specify if/when these numbers are rotated in any way - you have three numbers to track now, and you can't retain these numbers if you switch services.
alek-cape | 19 hours ago
They are real numbers, not VOIP. That can matter depending on what they are used for and if the entity you are expecting a message from blocks sending to VOIP numbers.
The numbers don't rotate like our identifier rotation. They are yours. You can choose to delete a secondary number in the app, and if you have less than two, create a new one after 30 days.
treetalker | 23 hours ago
mingus88 | 22 hours ago
https://www.vice.com/en/article/anom-backdoor-fbi-years-of-a...
cucumber3732842 | 22 hours ago
Like they're not gonna burn that kind of capability over tax evasion, state civil law violations, etc.
johndoylecape | 21 hours ago
We're working on some ideas to address this with audits etc, but it will always be tough. However, if you like the idea, and like the features, then maybe it is worth your time to do the work and get comfortable with the company. Because we're the only ones providing some of these features, and we have a lot more in the hopper still to come. I hope we can win your trust at some point.
jrexilius | 20 hours ago
johndoylecape | 20 hours ago
https://www.404media.co/privacy-telecom-cape-introduces-disa...
fc417fc802 | 20 hours ago
Even if it turned out that you were in fact a honeypot, protection against SIM swapping and encrypted voicemail presumably both provide security benefits regardless.
It's similar to the situation with VPN providers. The provider could literally be the NSA themselves and I'd _still_ most likely see security benefits from using it (unless the NSA happens to be my adversary of course).
johndoylecape | 19 hours ago
But to be clear, you DO actually know that other cell service providers are selling your data to law enforcement:
https://www.theguardian.com/business/2016/oct/25/att-secretl...
https://arstechnica.com/tech-policy/2025/09/court-rejects-ve...
Noaidi | 7 hours ago
Like others explained here, it’s amazing that you didn’t know these problems existed before you worked for at Plantier. If you could explain your migration from delusion to insight in a personal way of that might help me a bit more. In fact, if you said Plantier was an evil company, I might have even more faith.
If someone elsestarted this company who had a long history in privacy outside of the government, my take would be a lot different. In my humble opinion, I think you don’t really care about privacy. You’re just taking advantage of a market niche. And what can I say but that’s capitalism so good luck.
It would be better if you used your inside knowledge to fight for laws banning these practices by all the telcos.
ranger_danger | 6 hours ago
All your software/hardware would need to be open source, you would need to be regularly audited by neutral third-parties, actively work with the community to provide paranoia-level ongoing transparency reports and continuous improvements that the community wants to see, be willing to adopt many suggestions given by smart people, and just in general stop using your words to tell people you're serious, and use your actions to show it.
If someone says they are skeptical of XYZ, ask them what they would accept as proof, and then provide it.
dguido | 21 hours ago
I'm a target for a variety of things, and knowing that no one can SIM swap me is worth the subscription alone. The SS7 protections, encrypted voicemail, secondary numbers, IMSI rotation, etc are all a bonus.
rsync | 18 hours ago
Your “phone number “that people interact with cannot be hijacked with SS7 because it’s not a real number… you’re immune to sim swaps … And you can Jettison your physical phone and SIM card at any time with no penalty.
As a bonus, because your actual phone number is now programmable you can do interesting things like set up a SMS firewall. You can, for instance, collapse all incoming text messages to ascii-256. Or truncate their overall length. Or CC your incoming SMS to a dedicated mailbox.
I have operated like this since 2016. I have no idea what my physical SIM phone number is and neither does anybody else.
dlenski | 22 hours ago
> Minimal Data Collection
> Identifier Rotation
> Secondary Numbers
> Disappearing Call Logs
> SIM Swap Protection
> Network Lock
> Encrypted Voicemail
> Private Payment
> Last-Mile Encrypted Texting
> Secure Global Roaming
"Identifier (IMSI) Rotation", "Secure Global Roaming" and "Network Lock" do look interesting *IF* they can actually address some of the baseband vulnerabilities that plague all modern devices. That's a Big If.
SIM Swap Protection you already get by using a VoIP number rather than a cell number.
And the other features are irrelevant if you're using over-the-top end-to-end encrypted messaging, like Signal, rather than Plain Old Telephone Service and SMS.
[OP] 0xWTF | 22 hours ago
Also, the 50 foreign countries seems interesting.
wil421 | 21 hours ago
alek-cape | 19 hours ago
The primary difference is we run our own mobile core entirely.
Can you elaborate on the hops question? Not sure I quite understand what you're asking since there are a few ways to interpret "hops".
simfree | 2 hours ago
I've talked to a few tangentially and it seems like an interesting space.
dlenski | 4 hours ago
Not really, but I too am uncertain about how to think about it.
Here's my long-winded but still limited understanding of the main vulnerabilities that are unique :
NETWORKS: If I build a network, and I build it out of switched Ethernet, and I control the premises completely, then I can generally trust that the data flowing through it isn't being secretly logged or tampered with. Moving away from this simplicity, my distrust of the network increases rapidly.
A cellular network is pretty much the opposite of this simple one-man, one-room, wired network, so I distrust it completely.
There is only one credible solution here: all traffic over the network must be end-to-end encrypted and authenticated. That means TLS/DTLS/QUIC/ESP/Wireguard with key-pinning and/or correctly implemented and maintained PKI. Assume that any and all traffic that is not E2E-encrypted and authenticated is subject to some combination of mass surveillance and/or individually-targeted attacks.
CELLULAR DEVICE HARDWARE: For historical reasons, modern smartphones contain [at least] two CPUs:
1. The main "application" processor, an ARM64 SoC running an OS and applications made by Google or Apple. They've put substantial efforts into hardening these OSes and applications against remote attacks.
Whether they're doing "enough" is another question; whether you should trust them is another question. But they're at least trying pretty hard to prevent rando malware-for-hire attackers from pwning your device via over-the-air vulnerabilities.
2. The "baseband" processor, a ghastly fossilized thing that runs a stack of overly-complex firmware dating back to 2G days, and controls access to the cellular network. It is probably developed by Qualcomm, which along with Samsung has a near-monopoly on baseband processors for modern devices sold outside of China. Qualcomm in particular is litigious and complacent about security issues (https://news.ycombinator.com/item?id=38620067), and almost everything about the processors and their firmware are closed-source and non-public.
The baseband processor is insecure both due to inattention, as well as treachery. The end user of the device does NOT control it in the way that the end user controls the main processor. Some nebulous combination of the baseband vendor, the carrier, and the government controls it (e.g. https://news.ycombinator.com/item?id=46848303).
So the baseband processor is an untrustworthy thing that should be walled off from the rest of the system, and only allowed to communicate with the rest of it via narrow and well-defined interfaces. However, this was not the case for many years: the baseband processor has had way too much access to the system.
In recent years, this situation has improved somewhat: recent Pixel devices with Google Tensor SoCs (and maybe others) have the baseband isolated via an IOMMU. https://grapheneos.org/faq#baseband-isolation
---
Okay, so can "Cape" do anything to assuage my concerns about _any_ of the above issues? Honestly, not very much. ¯\_(ツ)_/¯
Cape can't increase my trust in the cellular network. Cape can't increase my trust in the baseband processor on my device.
Cape can only do a couple things to make the baseband and the network Slightly Less Evil: shuffle IMSI frequently to prevent IMSI-based tracking, and don't let random scammers call up and SIM-swap me.
bryancoxwell | 22 hours ago
dlenski | 16 hours ago
Trackability is definitely a vulnerability.
bryancoxwell | 10 hours ago
dlenski | 3 hours ago
IMSI tracking is a consequence of how baseband devices communicate over-the-air, just as WiFi MAC address tracking is a consequence of how 802.11 devices communicate over-the-air.
And it's definitely a vulnerability, because it's used to track end users and reduce their privacy.
So it IS a baseband vulnerability. And IMSI randomization mitigates it to some degree, just as WiFi and Bluetooth MAC randomization mitigate tracking via those identifiers.
bryancoxwell | 3 hours ago
gruez | 21 hours ago
Baseband vulnerabilities are overhyped, imo. On proper phones (eg. pixels), their access to memory is restricted by IOMMU, which protects the rest of the phone from being compromised if there's some sort of an exploit. Once that's factored in, most exploits you can think of are "on the other side of the airtight hatchway[1]". For instance if you can hack the baseband to steal traffic, you should probably be more worried about your carrier being hacked or getting a lawful intercept order. Or if you're worried about the phone triangulating itself, you should probably be more worried about your carrier getting hacked and/or selling your location data.
[1] https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
rl3 | 20 hours ago
That just kicks the can down the road to "Why should we fully trust the IOMMU?"
Granted, it does defend against the vast majority of actors.
fc417fc802 | 19 hours ago
rl3 | 14 hours ago
You raise a good point.
dlenski | 14 hours ago
Doesn't Google require all new Android-branded devices to isolate the baseband from the Android OS and applications?
I swear I read this somewhere in the last few years, though I can't seem to find any clear reference to it now. Hmmm.
> For instance if you can hack the baseband to steal traffic, you should probably be more worried about your carrier being hacked or getting a lawful intercept order.
Everything should use TLS/DTLS/QUIC, and an up-to-date PKI for obligatory certificate validation, otherwise I assume it's already being MITM'd by the NSA, every other three letter agency on the planet, corporate firewalls, and my ISP.
qingcharles | 21 hours ago
gruez | 21 hours ago
https://cotsi.org/methodology
busko | 21 hours ago
If anyone knows of a good, secure VoIP provider outside of the US I'd be keen to hear about it.
dlenski | 16 hours ago
Also, many Canadian financial institutions (including the CRA, Wealthsimple, and BMO) work fine with US phone numbers for 2FA… including Google Voice, in my personal experience. https://www.reddit.com/r/Googlevoice/comments/1c571kw
simfree | 2 hours ago
Always ask for the Port Order Number (PON) so you can follow up with the other carrier to see what they received from VoIP.ms
upofadown | 10 hours ago
fc417fc802 | 19 hours ago
Most services either don't have a legitimate interest in my phone number (so they can get bent) or they do have a legitimate interest in which case not accepting my phone number means they aren't doing their #$&^ job (so they can get bent).
It helps that the only services I'm willing to provide my phone number to are those that already inherently involve my PII. Banks, online shopping, etc. So if they won't accept whatever I give them I'll take my business to a competitor.
rsync | 18 hours ago
https://kozubik.com/items/2famule/
dlenski | 16 hours ago
I've had almost no problems using my GV number for 2FA. Venmo is literally the only service I've ever used that won't accept it for 2FA… and now Venmo offers non-SMS based alternatives, which is good because SMS-based 2FA is the reason that the SIM-swap attack is worth doing.
List of services that allow Google Voice for 2FA: https://www.reddit.com/r/Googlevoice/comments/1c571kw/crowds...
simfree | 2 hours ago
buttocks | 22 hours ago
gruez | 22 hours ago
Which KYC regulations exist for carriers? AFAIK you can walk into any store and get a SIM card. The most they ask for is maybe E911 which they don't check.
whiterock | 22 hours ago
gruez | 21 hours ago
jrexilius | 20 hours ago
psim1 | 20 hours ago
What kind of measures are possible to prevent fraudulent calls when the caller is your anonymous customer? The answer is obviously "none," unless you respond to every complaint by terminating service of the offending customer and hoping they don't come back.
fc417fc802 | 20 hours ago
Presumably some fairly basic heuristics would be sufficient. Robocalling isn't economically viable if you only get a few calls per subscription. You need to place (I assume) at least thousands of calls per day per subscription for it to even begin to make sense. Any account doing that is going to be blindingly obvious provided you have even 30 minutes worth of logs.
I can already walk into Walmart and purchase a cheap prepaid device with cash. That's pretty close to anonymous.
jrexilius | 20 hours ago
Domestically you can buy a Tmobile or Cricket with a pre-paid visa cash card and a gmail address (no ID required), but they won't work outside the US.
rsync | 18 hours ago
You can sign up for US mobile service, which is a Verizon MVNO, right this moment with no personally identifiable information at all.
Remember: neither the visa nor MasterCard payment networks have any support for customer name. Everyone pretends that they do, but they do not. In the absence of an additional security layer like “verified by visa “there is no way to verify cardholder name.
throwaway57572 | 22 hours ago
helterskelter | 22 hours ago
theearling | 21 hours ago
Ms-J | 20 hours ago
By the way, if you look at this thread you can see Cape has deployed narrative control.
nxobject | 21 hours ago
> At Palantir, where I started in technical roles more than 10 years ago, I learned about a wide array of vulnerabilities in the cellular network that present a threat not only to mission-focused organizations in government, but also to everyday people. I came to see mobile phones — and the networks that power them — as perhaps the largest risks to our privacy and security.
> If you told Americans twenty years ago that corporations and governments would conspire to attach powerful tracking devices to nearly every adult worldwide, it would’ve sounded like science fiction. And yet, that’s not far from where we are today.
https://www.cape.co/blog/building-the-future-of-mobile-priva...
johndoylecape | 21 hours ago
montyanne | 20 hours ago
How does the company handle the split between your defense and consumer products? Do you see there being conflicting interests here?
johndoylecape | 19 hours ago
A helpful thing to keep in mind is that everyone has basically 2 use cases for their cell phones:
1. Send and receive calls and SMS 2. Connect to the internet
Whether you're a national security professional, an investigative journalist, or an average consumer who values privacy, that's what you do with your phone. So if we can build features that make you more secure and more private across those two use cases, we have a product that can help both government and consumer users.
Sometimes when people ask the "conflict" question they mean some version of "but doesn't the government then ask you for a backdoor to get all the data?" All we can really do here is stand by our privacy policy. We store the minimum amount of data possible, we promise not to sell your data to anyone, we notify our users if we receive legal process on their account that is not subject to a gag order, and we pledge to push back on any law enforcement request we receive that is not well formed and narrowly tailored as required by law.
The backdoor/honeypot fears are often related to the Anom story that came out a few years ago. It's not a perfect rebuttal, but the reporter that broke that story has written about Cape a couple of times. You can read those articles here:
https://www.404media.co/privacy-telecom-cape-introduces-disa...
https://www.404media.co/i-dont-own-a-cellphone-can-this-priv...
putlake | 4 hours ago
johndoylecape | 21 hours ago
loteck | 20 hours ago
johndoylecape | 7 hours ago
simfree | 2 hours ago
rsync | 18 hours ago
Seeing a warrant canary would be encouraging…
altairprime | 15 hours ago
johndoylecape | 7 hours ago
I came to the conclusion the best we can do is what you see in our privacy policy: we notify our users when we're served with legal process that is not subject to a gag order, and we pledge to push back on any law enforcement request we receive that is not properly formed or narrowly tailored as required by law. I'd love input/ideas on how to be stronger here.
monster_truck | 22 hours ago
dguido | 22 hours ago
Here are a few things you might want to look at more closely:
Encrypted voicemail uses public key crypto: https://www.cape.co/blog/product-feature-encrypted-voicemail
How they use full control of the mobile core to detect SS7 signaling attacks https://www.cape.co/blog/product-feature-network-lock
Swapping SIMs is done via digital signatures, not customer support https://www.cape.co/blog/cape-product-feature-secure-authent...
They're the only provider that can rotate your IMSI, and do it continuously for you https://www.cape.co/blog/product-feature-identifier-rotation
They're also one of very few organizations doing original research on cell network security:
Collaborating with the EFF to release software for detecting cell site simulators (e.g, imsi catchers et al) https://www.cape.co/blog/how-eff-and-cape-collaborated-to-im...
Identifying novel weaknesses for physically tracking people on cell networks https://dl.acm.org/doi/pdf/10.1145/3636534.3690709
anonymous541908 | 21 hours ago
roughly | 21 hours ago
bsstoner | 21 hours ago
monster_truck | 12 hours ago
Very aware of who you are, and have done plenty of security work myself. Here's what I want from you: How can you prove this isn't just Anom 2.0
helterskelter | 22 hours ago
1: https://www.phreeli.com
Noaidi | 7 hours ago
konaraddi | 22 hours ago
wao0uuno | 14 hours ago
LorenDB | 22 hours ago
Last I checked 256 Kbps is not high speed. You can advertise this as unlimited data, or you can advertise it as 50 GB of high-speed data, but you can't call it unlimited high-speed data.
johndoylecape | 21 hours ago
quietsegfault | 20 hours ago
johndoylecape | 19 hours ago
altairprime | 15 hours ago
bsstoner | 11 hours ago
chirau | 11 hours ago
throawayonthe | 9 hours ago
ThePowerOfFuet | 6 hours ago
bombcar | 9 hours ago
It ends up being the same as charging $5 if you go over, but it'll feel much more premium.
altairprime | 3 hours ago
I don’t mind that you have caps, I consider caps to be a marketable form of 90th percentile billing to consumers, so please don’t take this as “remove all caps” — but definitely find an in-between that’s more nuanced than “you reach arbitrary threshold 50G at 1gbps 5G and so it only took 8 minutes and 40% battery, too bad so sad now your entire month of data is at DSL speeds”. (This sarcastic tone is not a critique of you! but of the general carrier practices that leave me worried about you.)
In a dream world my usage percentile for the past 30 days would be inversely proportional to my bandwidth speed so that momentary usage to download a software update had no meaningful impact, but running nonstop continuous data for four hours straight caused a measurable drop in bandwidth (which protects my battery and the network health). It’s not fiber-optic or fixed-installation wireless and I do respect the shared base antenna capacity problems!
phantom784 | 7 hours ago
MrDOS | 5 hours ago
jauntywundrkind | 19 hours ago
Comcast I think is the best? Haven't checked in a while but their mobile plan I think soft caps to 1Mbps.
cbdevidal | 11 hours ago
bombcar | 9 hours ago
gruez | 22 hours ago
>Protect yourself from persistent tracking by rotating your IMSI every 24 hours, so you appear as a new subscriber each day.
But nothing for IMEI, which is fixed for a given device. Unless you got a new phone to use with this service, it can instantly be linked back to whatever previous service you're using. If we assume that whatever carrier they partner with keeps both IMEI and IMSI logs (why wouldn't they?) it basically makes any privacy benefits from this questionable. It's like clearing your cookies but not changing your IP (assuming no CGNAT).
The other benefits also seem questionable. "Disappearing Call Logs" don't really help when the person you're calling has a carrier that keeps logs, and if both of you care about privacy, why not just use signal?
They're asking $99/month for this, which is a bit steep. If you only care about the rotating IMSI, don't care about PSTN access (ie. no calls/texting), you can replicate it with some sort of data esim for much cheaper. The various e-shops that sell esims don't do KYC either.
bsstoner | 21 hours ago
The details of what our carrier partners can see is in the table at the bottom of our privacy summary: https://www.cape.co/privacy-summary. We add noise to their data by doing things like rotating your IMSI daily and spreading traffic among multiple carrier partners. If the data is messy enough and not associated with your personal information, there should be less monetary incentive for the carrier to try to piece it together when they have an abundance of clean data with stable identifiers and verified personal information.
Additionally, with disappearing call logs, it's about reducing surface area. Fewer logs in less places.
montyanne | 20 hours ago
It’s interesting that Apple is going down a similar path with hardware filtering location retrieval commands and neighborhood-level blurring on their C1 modems. Really awesome work from that team by making sure they’ve considered privacy as a first party feature for that chip.
How do you guys view the relative value of privacy/security at the network provider layer of the cell stack for the average user/citzen?
Even if Cape doesn’t retain metadata yourselves (eg LTE positioning info), is that data not still retained and repackaged by the tower owners themselves? Eg babel street, venntel, etc. A rotating IMEI every 24 hours might make it marginally more difficult for logical tracking, but there’s still only physically one location the phone can be in without fuzzing at the hardware level.
I should also say - I’ve been following y’all’s work for a while (and considered some of those early forward deployed engineer positions), but I’m struggling to see how this all works as a consumer product. Would be awesome to see an eventual partnership with Apple/Qualcomm to bring this to the hardware level since privacy is a tough nut to crack even at full MVNO.
bsstoner | 19 hours ago
On the tower question, you’re right, we can’t control what data is collected by the tower owners. Like I said above our strategy is to add noise through a variety of methods that makes it harder (not impossible) for anyone collecting data to track you. We also give you multiple phone numbers. I think this stuff adds up and is a meaningful improvement over the status quo for most average user/citizens.
I like to use the organic food analogy. If given the choice, why not choose the carrier that is actually making an effort not to track you vs everyone else who clearly doesn’t care?
vigilans | 4 hours ago
Organic garlic never talked up a partnership with <society-scale nasty characters>.
tangelogica | 2 hours ago
Are there any technical writeups on this yet? I agree, it’s really cool and would love to read about how they’re doing it
jrexilius | 19 hours ago
inigyou | 12 hours ago
ThePowerOfFuet | 6 hours ago
ThePowerOfFuet | 6 hours ago
You mean the ICCID?
numpad0 | 11 hours ago
But realistically, none of that matters. You'll be the only one in 10 miles with this SIM that always uses an never-before-seen IMEI that connects to the exact same set of domains. That's some mall ninja stuff.
Carriers don't just log IMEI/IMSI, as well as last hop cell towers and your precise location, they need those information to route packets back to the phone. You can't establish TLS with bogus IP addresses. That's why people like Stallman or unnamed friend of a friend ex-CIA guys on Internet says cell technologies are evil mass surveillance tools.
ThePowerOfFuet | 6 hours ago
Always-on Mullvad solves that nicely.
numpad0 | an hour ago
kotaKat | 9 hours ago
Whoops.
iamnothere | 21 hours ago
efficax | 21 hours ago
burnt-resistor | 19 hours ago
Bender | an hour ago
based in Arlington, VA, is primarily funded by high-profile venture capital firms, including Andreessen Horowitz (a16z), which led their Series B, A Capital, Costanoa Ventures, ex/ante, Point72 Ventures, and XYZ Ventures.*
Arlington, VA ... is an interesting location that aligns with your guess. A similar situation happened some time ago with a drug cartel that thought they built their own private phones and phone network. I am not saying it's related, just feels similar.
mzmzmzm | 21 hours ago
drnick1 | 21 hours ago
How does this compare to silent.link?
Ms-J | 21 hours ago
Look at who Doyle has worked for previously and what connections he has. Palantir and the military, to start.
johndoylecape | 20 hours ago
Prior to Cape, I led the national security business at Palantir. That experience was actually the catalyst for Cape. It’s where I first learned about the massive array of vulnerabilities that exist in our current cellular networks. I saw how those gaps impacted not just government organizations, but everyday people, and I realized that the mobile phones we carry every day are perhaps the single largest risk to our privacy.
I needed that experience to understand the depth of the problem, but once I left to start Cape, that connection ended. Cape has no ties to Palantir. We aren't a subsidiary, we aren't a "front," and we don't share data with them. The only thing we took from Palantir was the desire to fix a broken system. If you want to see me and some of the rest of our founding team talk more about this topic, you can watch this video on our Instagram page here.
Another related theory I’ve seen online is that Cape is a honeypot for law enforcement. Cape is not a honeypot. It’s so hard to prove a negative, but at least I can say it clearly and out loud: Cape is not a honeypot.
We are a group of individuals who deeply value privacy. That mission carries across everything we do, from our work with the US government and allies, to everyday people, and everything in between.
We are incredibly proud to work with people who protect our country by ensuring they have secure, trusted communications wherever they are. https://www.bloomberg.com/news/articles/2024-04-18/us-navy-t...
We also work with the EFF to provide investigative journalists and activists with free Cape service so they can do their work safely. https://www.cape.co/journalists-and-activists
We partner with non-profits to support victims of domestic abuse who are facing cyber-stalking and digital harassment. https://www.cape.co/break-free
We are a young company growing exponentially, and we don't plan on slowing down. We know we have to earn your trust every day. The truth is, no one else is building a high-quality, first-class solution to these specific cellular problems. We are committed to being the ones who do it right.
Ms-J | 20 hours ago
That is a lot of highly polished for the camera media you dropped into that post. The way that you word things, such as "Cape is not a honeypot." but don't delve any deeper, to start, gives someone less than zero confidence or trust in your words.
I have seen enough in the industry to say that your words are meaningless.
alek-cape | 19 hours ago
You're right that you don't need to do those things, but I would argue that my background made me uniquely situated to understand and care about these problems deeply enough to spend years of my life building a company in response.
I say "Cape is not a honeypot" a lot just so I don't appear to be mincing words. If you want to delve deeper on how we treat customer data, a couple of good resources are our privacy policy: https://www.cape.co/privacy-summary
And our trust page: https://trust.cape.co/
You can also check out our blog for a bunch of posts on specific features we've built, etc.
dang | 15 hours ago
It's my least favorite thing about HN that high-quality new accounts, such as founders jumping into threads about their work, sometimes get throttled by the software. Gah.
johndoylecape | 7 hours ago
alek-cape | 3 hours ago
Glad to see we won't run into it again, and that our workaround wasn't a problem.
close04 | 12 hours ago
Maybe but this line of argumentation also opens the door to more criticism. Anyone looking at Palantir from the outside only knows their reputation and involvement in unsavory projects before taking a job. You chose to take the job with that knowledge covering most of your field of view. You stayed to work for that company contributing to that kind of work. That's a signal that's brighter than the valuable experience you gathered there. Tech can be learned but the values needed to support or even tolerate Palantir's activities don't get easily changed.
The premise of your company pivots on trust, not technology, the same tech is known and available to everyone else too. And it's trust in you that you will do what you say, not that you can do what you say. The latter is a given, you clearly have the knowhow. The former is putting any promise in doubt.
> Cape routes your traffic through our US-based mobile core.
This sounds like an anti-feature when it comes to privacy or the paranoid.
> I say "Cape is not a honeypot" a lot just so I don't appear to be mincing words.
I appreciate you saying it but Crypto AG probably also said that a lot (figuratively).
> Cape does not keep this data.
Unfortunately you are limited in what you can do here. Having or processing this data for any amount of time, even without keeping it, puts you in the position to be compelled to provide it.
bsstoner | 11 hours ago
One of the efforts we’re working on now is an audit of our data retention claims. We recently posted an RFC on Reddit if anyone from this community has input: https://www.reddit.com/r/CapeCellular/s/zTn7HQ0emo
We plan to continue to do more things like this that increase transparency and build trust over time.
UnreachableCode | 12 hours ago
bsstoner | 11 hours ago
simfree | 2 hours ago
Very hard to make the latter usable by anyone else IMO.
j-bos | 7 hours ago
Neither or against either perception but this reminds me of https://barrypopik.com/blog/i_know_its_not_true_but_lets_mak...
birdsongs | 14 hours ago
Can you expand on this? Because currently, the US government is not someone I want the companies I use to work with.
> The only thing we took from Palantir was the desire to fix a broken system.
What broken system does Palantir fix?
pjc50 | 11 hours ago
> group of individuals who deeply value privacy
.. do you see the problem here?
J57E6H2hxM | 9 hours ago
Currently in cyber as a Guard O/civ and also considering SFAS. Thank you!
johndoylecape | 7 hours ago
Only you know if you want to jump into SFAS. I knew I'd always regret not doing it, which made the decision easy for me.
dlenski | 4 hours ago
I'm sure you know this, but for others who may not: there's a history of splashy new mobile operators which promise security and privacy as their core feature, but turn out to be a front for law enforcement. https://en.wikipedia.org/wiki/Operation_Trojan_Shield is the preeminent example.
There are also people working in this space who are cranks and morons. In summer 2023, I had a phone call with the founder of a well-known startup founder from the dot-com era. He was trying to launch a privacy-focused cell network and messaging software. But everything about his approach was wrong, almost to the point of being an anti-solution to the problems he was trying to solve, as if he was totally unaware of the past 20-30 years' worth of learning about end-to-end encryption and mass surveillance.
He was also a conspiracy theorist: during our call, he repeatedly and unironically referred to a documentary film created by a well-known convicted felon and serial liar, as a source of credible information about the world.
> We also work with the EFF to provide investigative journalists and activists with free Cape service so they can do their work safely. https://www.cape.co/journalists-and-activists
That's good to know.
It appears from the EFF site that you were involved in developing the Rayhunter tool which they announced last year? https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-ope...
abc123abc123 | 11 hours ago
Noaidi | 7 hours ago
Looks like a pretty sweet honey pot.
floam | 20 hours ago
maybsum1else | 20 hours ago
johndoylecape | 19 hours ago
loteck | 20 hours ago
I'd like a service like yours that allows private signups and that works continuously to prove ongoing private operations. I don't need huge data plans, I'm fine with WiFi mostly. It needs to cost way less per month than your current pricing. It would be cool if you could find a way to serve people like me.
bsstoner | 19 hours ago
mr_machine | 6 hours ago
rsync | 16 hours ago
If we treat the carrier as adversarial, dumb pipes we can move the security and all of the capabilities into the cloud platform. A personal comms stack like this should be carrier-agnostic, phone-agnostic, sim-agnostic.
See my other post in this HN topic - I have done this since 2016 ...
Doohickey-d | 15 hours ago
eSIM, global, variable pricing per country with per-GB billing, anonymous crypto payments and no KYC. Although it seems to not have some of the additional security features of the OP.
anon5739483 | 15 hours ago
bartvk | 14 hours ago
chasil | 12 hours ago
jp0001 | 14 hours ago
bsstoner | 11 hours ago
voidUpdate | 13 hours ago
bsstoner | 11 hours ago
pona-a | 12 hours ago
bsstoner | 11 hours ago
AdamN | 11 hours ago
1/ eSIM activation outside the US 2/ The family plan is weird. My wife and I don't want to manage two separate bills. 3/ multiple eSIMs and numbers in different countries all within the one account (Germany in particular)
Aromatic_War | 11 hours ago
I'd be interested to see how they are hardening the IMS (IP Multimedia Subsystem) and VoLTE/VoWifi stack. SIP signaling and RTP streams for voice are often unencrypted internally.
If Cape is applying their 'Network Lock' logic to the IMS layer, they could potentially mitigate SIP-level spoofing and voice interception that occurs at the interconnect. Their 'Encrypted Voicemail' (using asymmetric keys on the device) is a strong signal that they understand the 'Last Mile' problem.
Also even if SEPPs are not really a thing, i'd be curious to know if they've started looking at this.
In the small world of telco security (disclaimer i work for P1Security), they are definitely working in the right direction. Any international ambition, particularly in EU, will be a tough sell though....
simfree | 2 hours ago
dakolli | 10 hours ago
varispeed | 10 hours ago
ddtaylor | 8 hours ago
horoscope_slump | 7 hours ago
First, when it ran Anom, it went out of its way not to collect data on persons inside the United States. U.S. Anom users never had any of their data captured by the FBI because it raised profound 4th Amendment concerns. Cape is operating in the U.S. and is seeking U.S. users. Typical U.S. honeypots are generally targeted abroad.
Second, the U.S. government has historically not used former military officers with ties to defense contractors as the people that built and operated the honeypots. With Anom, they co-opted trusted members of the secure phone community. The very fact that the company is very open about its founders is a pretty good sign that they are probably not a honeypot because they would not make a very good honeypot for the truly criminal element.
Third, Cape is incorporated in the United States and seeking U.S. users. In the process, it's making some fairly aggressive claims in its privacy policy and terms of service about its products that would subject them to breach of contract and fraud claims if in fact they were secretly not doing those things.
Fourth, the legacy telecoms have a long history of selling your data, secretly cooperating in national security programs of questionable legality, etc. It seems like Cape can't possible a worse option than the status quo.
hrimfaxi | 7 hours ago
2. History matters until it doesn't. There was a time when the US did not perform science experiments on unsuspecting populations, too. The government does not get the benefit of the doubt when it comes to "past performance is not indicative of future performance".
3. We have seen sitting presidents pardon people for crimes they have yet to commit.
4. "Not worse" is not a selling point.
horoscope_slump | 7 hours ago
3.) A president cannot pardon a civil claim against a company for breach of TOS.
hrimfaxi | 6 hours ago
> First, when it ran Anom, it went out of its way not to collect data on persons inside the United States. U.S. Anom users never had any of their data captured by the FBI because it raised profound 4th Amendment concerns. Cape is operating in the U.S. and is seeking U.S. users. Typical U.S. honeypots are generally targeted abroad.
1. People in the US were arrested for using Anom (despite the 14th amendment protecting both citizen and noncitizen alike, at least in the case where the non-US person is on US soil).
3. Fair point, though if it is truly a government sting operation I don't think you can take them to civil court either unless authorized under statute right?
8cvor6j844qw_d6 | 5 hours ago
Just my thoughts.
driverdan | 8 hours ago
306bobby | 8 hours ago
johndoylecape | 7 hours ago
dmarks100 | 7 hours ago
fortranfiend | 7 hours ago
mrbluecoat | 7 hours ago
https://www.hachettebookgroup.com/titles/joseph-cox/dark-wir...
ranger_danger | 7 hours ago
ThePowerOfFuet | 6 hours ago
vivzkestrel | 5 hours ago
- how do I know you are actually implementing what you claim on your webpage?
fnikacevic | 4 hours ago
OhMeadhbh | 4 hours ago
4d4m | 4 hours ago