Roberto Popolizio
Published on: November 21, 2024
In this interview series by Safety Detectives, I speak with cybersecurity experts who share actionable tips, insider knowledge, and predictions for the future, helping you understand what’s really happening with your data and how you can protect your digital life more effectively—without losing your sanity.
John Doyle is the founder and CEO of Cape, a pioneering privacy-first mobile carrier established in 2022.
He previously led the national security business at Palantir Technologies, and served as Special Forces Sergeant in the U.S. Under his guidance, Cape has raised $61 million from prominent investors, including Andreessen Horowitz, to develop a nationwide mobile network that emphasizes user privacy and security without compromising connectivity. He discussed how Cape is empowering individuals to get control over their mobile identities while providing robust protection against digital threats.
What is the most pressing security issue that you solve, and for whom? What makes this problem so crucial that you set out to build your solution?
I spent many years leading the national security business at Palantir prior to Cape, which is how I learned of the extent to which we are all visible, trackable, and vulnerable in ways beyond our control when we turn on a cell phone.
Our cell phones sit in our pockets through our most intimate daily rituals, documenting our every move, observing conversations among friends and family, and capturing every bit and byte we exchange with those we love. The inherently trusting relationships we have with our phones, that phones have with mobile carriers, and that carriers have with the global cell network create a host of attack vectors for malicious actors to access, monetize, and exploit our personal data. And because these vulnerabilities exist in the blueprint of the network, solutions confined to the device (such as apps, or custom “black phone” solutions) can never truly solve the problem.
Cape was built to challenge the idea that you have to sacrifice privacy and security in order to be connected by offering a privacy-first mobile carrier that operates at the network level, and attacking these problems at the root. What this means is that we provide premium cellular service while protecting every subscriber, from ordinary consumers to national security professionals, from a wide range of threats to their communications, locations and behavior data, and identity information.
What are the risks for companies and consumers, if this issue goes unchecked? Are there any industries or user groups that are especially vulnerable?
Governments, enterprises, and private citizens are all at risk from the network vulnerabilities inherent in telco today, so the implications are far-reaching and severe. Take AT&T’s recent data breach of 110 million customers (nearly its entire customer base) which revealed call and text records, detailing with whom you communicated, from what location, and other highly sensitive information. Nefarious actors can and do mine this data, and find enormous intelligence or monetary value in it.
Even without hacking, private cell data is routinely monetized by telecom carriers in a multibillion-dollar industry. In 2020, the FCC fined the four largest U.S. carriers $200M for selling user location data without proper controls. But aside from the data that apps are selling and trading, our mobile companies are exposing our relationships, locations, and habits to our nation’s adversaries, and national security professionals acutely feel these vulnerabilities, too. U.S. officials have been sounding the alarm about lax cybersecurity measures from major carriers, which leave customers and government officials susceptible to compromise by foreign actors.
Hackers can exploit cellular networks to collect personal data, track users’ locations, and plant spyware. For example, the recent Salt Typhoon attacks penetrated Verizon and AT&T’s networks to target then-candidates for president and vice president Donald Trump and J.D. Vance. Cellular networks are increasingly becoming the preferred hunting ground for foreign entities seeking to spy on government officials.
What are alternative solutions (DIY and competitors) people usually try, and why do you think they are flawed?
Even with all the best privacy apps and data-sharing settings turned off, once your device attempts to connect to a cell tower, it reveals personal information about you—such as location, browsing behavior, and other metadata—that is then shared on an interconnected global network available for exploitation by hackers around the world. There are burner phones, but these are impractical for most people to use and only work at the device-level; they do nothing to protect from signaling attacks, SIM swaps, telco compromise, and tracking.
Unlike privacy apps, VPNs, and browsers, Cape addresses vulnerabilities at the network level, where many of the most pernicious attacks originate. We have our own mobile core and, for example, we’ve eliminated dependencies on vulnerability-prone protocols and technologies like SS7 and 3G. So there’s no possibility of bid-down attacks, in which fake cell site simulators force your phone from 4G to a less secure 3G connection. We also have our own signaling firewall, offering more advanced visibility and control over potential signaling threats. This means unmatched cellular privacy and anonymity, and virtually untraceable location and identity protection from hackers and data brokers.
What features or capabilities enable you to solve these issues in a better way, and what are their tangible benefits? Can you share metrics and examples of the impact you’re making?
Upfront, Cape requires minimal data to become a customer. Names, addresses, and Social Security numbers, which are typically collected by traditional carriers, aren’t necessary to sign up for Cape. We also don’t use usernames and passwords, which are easy to obtain via breaches and social engineering. Instead, we use expert-vetted cryptography to secure accounts. Subscribers can only perform critical actions like porting out their number using a private key that Cape never sees or holds. By minimizing the data that we collect and hold, Cape is hardened against insider threat and operates with a minimal trust mindset.
We also ensure SIM swap protection, since no one, not even a Cape employee, can port out a subscriber number without access to the private key held only by the subscriber. SIM swaps are a growing type of identity theft where an attacker convinces a mobile carrier to transfer a victim’s phone number to a SIM card he controls. The FBI investigated over 1,075 SIM-swapping cases just in 2023, resulting in losses nearing $50 million, highlighting the financial impact of this crime.
We also protect against signaling attacks, which allow for location tracking and interception of calls and SMS. There are millions of such attacks each month, and they come from the fact that networks globally are interconnected and trusting of each other, which means that a compromised telco or telco service provider from anywhere in the world can be exploited to target your phone. With enhanced signaling protection, we allow our customers to identify a suspicious attempt by, for example, a Chinese telco to attempt to solicit information from their phone in the background. Our proprietary technology goes beyond industry-standard firewalls to verify the legitimacy of these requests to attach to a subscriber’s phone.
Looking ahead, what are the most important trends in cybersecurity and privacy that you believe aren’t getting enough attention? What makes them critical?
Cellular network vulnerabilities are a direct result of the lack of innovation in the sector. Telecom is a natural oligopoly focused on buying spectrum and building out hardware, while the critical software that manages sensitive subscriber data is outsourced to third parties and riddled with vulnerabilities. Cellular networks were built to prioritize interoperability over privacy and this has become increasingly recognized and exploited by bad actors. All of the major US telcos have suffered major breaches in recent years, with the recent Salt Typhoon attacks as only the latest example.
Telcos would see a lot of improvements by simply moving to commercial cloud and innovating at the pace of modern software leaders. But without significant rethinking of mobile network privacy and security, attacks like Salt Typhoon and breaches to the major cell phone carriers will continue.
And how about you? What developments are you working on, and what makes you feel they will have a major impact?
We’ve just launched our ultra-secure cell phone service tailored for individuals at high risk of digital attacks, including public figures like elected officials, corporate executives, and journalists. This tech was previously only available to U.S. government customers.
In the near future, we will work to make these protections available to everyone with our general consumer launch. We’re really excited to offer a solution that meets the universal demand for better cellular privacy and security, and to position Cape as a pivotal player in the future of secure mobile networks.
How can our readers connect with you?
Website: https://www.cape.co/
LinkedIn: https://www.linkedin.com/company/capemvno
X: @CapeWireless
Data sources:
https://woodruffsawyer.com/insights/cyber-sim-swapping