It’s interesting that Apple is going down a similar path with hardware filtering location retrieval commands and neighborhood-level blurring on their C1 modems. Really awesome work from that team by making sure they’ve considered privacy as a first party feature for that chip.

How do you guys view the relative value of privacy/security at the network provider layer of the cell stack for the average user/citzen?

Even if Cape doesn’t retain metadata yourselves (eg LTE positioning info), is that data not still retained and repackaged by the tower owners themselves? Eg babel street, venntel, etc. A rotating IMEI every 24 hours might make it marginally more difficult for logical tracking, but there’s still only physically one location the phone can be in without fuzzing at the hardware level.

I should also say - I’ve been following y’all’s work for a while (and considered some of those early forward deployed engineer positions), but I’m struggling to see how this all works as a consumer product. Would be awesome to see an eventual partnership with Apple/Qualcomm to bring this to the hardware level since privacy is a tough nut to crack even at full MVNO.

You mean the ICCID?

Always-on Mullvad solves that nicely.

That is a lot of highly polished for the camera media you dropped into that post. The way that you word things, such as "Cape is not a honeypot." but don't delve any deeper, to start, gives someone less than zero confidence or trust in your words.

I have seen enough in the industry to say that your words are meaningless.

Can you expand on this? Because currently, the US government is not someone I want the companies I use to work with.

> The only thing we took from Palantir was the desire to fix a broken system.

What broken system does Palantir fix?

I'm sure you know this, but for others who may not: there's a history of splashy new mobile operators which promise security and privacy as their core feature, but turn out to be a front for law enforcement. https://en.wikipedia.org/wiki/Operation_Trojan_Shield is the preeminent example.

There are also people working in this space who are cranks and morons. In summer 2023, I had a phone call with the founder of a well-known startup founder from the dot-com era. He was trying to launch a privacy-focused cell network and messaging software. But everything about his approach was wrong, almost to the point of being an anti-solution to the problems he was trying to solve, as if he was totally unaware of the past 20-30 years' worth of learning about end-to-end encryption and mass surveillance.

He was also a conspiracy theorist: during our call, he repeatedly and unironically referred to a documentary film created by a well-known convicted felon and serial liar, as a source of credible information about the world.

> We also work with the EFF to provide investigative journalists and activists with free Cape service so they can do their work safely. https://www.cape.co/journalists-and-activists

That's good to know.

It appears from the EFF site that you were involved in developing the Rayhunter tool which they announced last year? https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-ope...

Currently in cyber as a Guard O/civ and also considering SFAS. Thank you!

> group of individuals who deeply value privacy

.. do you see the problem here?

Doesn't Google require all new Android-branded devices to isolate the baseband from the Android OS and applications?

I swear I read this somewhere in the last few years, though I can't seem to find any clear reference to it now. Hmmm.

> For instance if you can hack the baseband to steal traffic, you should probably be more worried about your carrier being hacked or getting a lawful intercept order.

Everything should use TLS/DTLS/QUIC, and an up-to-date PKI for obligatory certificate validation, otherwise I assume it's already being MITM'd by the NSA, every other three letter agency on the planet, corporate firewalls, and my ISP.

That just kicks the can down the road to "Why should we fully trust the IOMMU?"

Granted, it does defend against the vast majority of actors.

Not really, but I too am uncertain about how to think about it.

Here's my long-winded but still limited understanding of the main vulnerabilities that are unique :

NETWORKS: If I build a network, and I build it out of switched Ethernet, and I control the premises completely, then I can generally trust that the data flowing through it isn't being secretly logged or tampered with. Moving away from this simplicity, my distrust of the network increases rapidly.

A cellular network is pretty much the opposite of this simple one-man, one-room, wired network, so I distrust it completely.

There is only one credible solution here: all traffic over the network must be end-to-end encrypted and authenticated. That means TLS/DTLS/QUIC/ESP/Wireguard with key-pinning and/or correctly implemented and maintained PKI. Assume that any and all traffic that is not E2E-encrypted and authenticated is subject to some combination of mass surveillance and/or individually-targeted attacks.

CELLULAR DEVICE HARDWARE: For historical reasons, modern smartphones contain [at least] two CPUs:

1. The main "application" processor, an ARM64 SoC running an OS and applications made by Google or Apple. They've put substantial efforts into hardening these OSes and applications against remote attacks.

Whether they're doing "enough" is another question; whether you should trust them is another question. But they're at least trying pretty hard to prevent rando malware-for-hire attackers from pwning your device via over-the-air vulnerabilities.

2. The "baseband" processor, a ghastly fossilized thing that runs a stack of overly-complex firmware dating back to 2G days, and controls access to the cellular network. It is probably developed by Qualcomm, which along with Samsung has a near-monopoly on baseband processors for modern devices sold outside of China. Qualcomm in particular is litigious and complacent about security issues (https://news.ycombinator.com/item?id=38620067), and almost everything about the processors and their firmware are closed-source and non-public.

The baseband processor is insecure both due to inattention, as well as treachery. The end user of the device does NOT control it in the way that the end user controls the main processor. Some nebulous combination of the baseband vendor, the carrier, and the government controls it (e.g. https://news.ycombinator.com/item?id=46848303).

So the baseband processor is an untrustworthy thing that should be walled off from the rest of the system, and only allowed to communicate with the rest of it via narrow and well-defined interfaces. However, this was not the case for many years: the baseband processor has had way too much access to the system.

In recent years, this situation has improved somewhat: recent Pixel devices with Google Tensor SoCs (and maybe others) have the baseband isolated via an IOMMU. https://grapheneos.org/faq#baseband-isolation

---

Okay, so can "Cape" do anything to assuage my concerns about _any_ of the above issues? Honestly, not very much. ¯\_(ツ)_/¯

Cape can't increase my trust in the cellular network. Cape can't increase my trust in the baseband processor on my device.

Cape can only do a couple things to make the baseband and the network Slightly Less Evil: shuffle IMSI frequently to prevent IMSI-based tracking, and don't let random scammers call up and SIM-swap me.

I've had almost no problems using my GV number for 2FA. Venmo is literally the only service I've ever used that won't accept it for 2FA… and now Venmo offers non-SMS based alternatives, which is good because SMS-based 2FA is the reason that the SIM-swap attack is worth doing.

List of services that allow Google Voice for 2FA: https://www.reddit.com/r/Googlevoice/comments/1c571kw/crowds...

Most services either don't have a legitimate interest in my phone number (so they can get bent) or they do have a legitimate interest in which case not accepting my phone number means they aren't doing their #$&^ job (so they can get bent).

It helps that the only services I'm willing to provide my phone number to are those that already inherently involve my PII. Banks, online shopping, etc. So if they won't accept whatever I give them I'll take my business to a competitor.

https://cotsi.org/methodology

If anyone knows of a good, secure VoIP provider outside of the US I'd be keen to hear about it.

https://kozubik.com/items/2famule/

Trackability is definitely a vulnerability.

> At Palantir, where I started in technical roles more than 10 years ago, I learned about a wide array of vulnerabilities in the cellular network that present a threat not only to mission-focused organizations in government, but also to everyday people. I came to see mobile phones — and the networks that power them — as perhaps the largest risks to our privacy and security.

> If you told Americans twenty years ago that corporations and governments would conspire to attach powerful tracking devices to nearly every adult worldwide, it would’ve sounded like science fiction. And yet, that’s not far from where we are today.

https://www.cape.co/blog/building-the-future-of-mobile-priva...

based in Arlington, VA, is primarily funded by high-profile venture capital firms, including Andreessen Horowitz (a16z), which led their Series B, A Capital, Costanoa Ventures, ex/ante, Point72 Ventures, and XYZ Ventures.*

Arlington, VA ... is an interesting location that aligns with your guess. A similar situation happened some time ago with a drug cartel that thought they built their own private phones and phone network. I am not saying it's related, just feels similar.

2. History matters until it doesn't. There was a time when the US did not perform science experiments on unsuspecting populations, too. The government does not get the benefit of the doubt when it comes to "past performance is not indicative of future performance".

3. We have seen sitting presidents pardon people for crimes they have yet to commit.

4. "Not worse" is not a selling point.

What kind of measures are possible to prevent fraudulent calls when the caller is your anonymous customer? The answer is obviously "none," unless you respond to every complaint by terminating service of the offending customer and hoping they don't come back.

Very aware of who you are, and have done plenty of security work myself. Here's what I want from you: How can you prove this isn't just Anom 2.0

Your “phone number “that people interact with cannot be hijacked with SS7 because it’s not a real number… you’re immune to sim swaps … And you can Jettison your physical phone and SIM card at any time with no penalty.

As a bonus, because your actual phone number is now programmable you can do interesting things like set up a SMS firewall. You can, for instance, collapse all incoming text messages to ascii-256. Or truncate their overall length. Or CC your incoming SMS to a dedicated mailbox.

I have operated like this since 2016. I have no idea what my physical SIM phone number is and neither does anybody else.

We're working on some ideas to address this with audits etc, but it will always be tough. However, if you like the idea, and like the features, then maybe it is worth your time to do the work and get comfortable with the company. Because we're the only ones providing some of these features, and we have a lot more in the hopper still to come. I hope we can win your trust at some point.

Like they're not gonna burn that kind of capability over tax evasion, state civil law violations, etc.