Security News If you wanted total visibility over high-risk individuals, you’d build a mobile virtual network operator called Cape

[oldschool]

Content source

https://paul-walsh.medium.com/if-you-wanted-total-visibility-over-high-risk-individuals-youd-build-a-mobile-virtual-network-c4caf46fddf1

If you’re a journalist, lawyer, activist, whistleblower, government official, crypto trader, or anyone who works with information and systems that could make you a target, read this before you rely on any app, phone or network to keep you safe.​

The people most likely to be hurt by the gap between perceived and actual privacy are the ones who can least afford to find out the difference too late.

This article explains in simple terms how the technology stack for every mobile user works, what each layer exposes, and what people are actually trusting when they hand God Mode to a new MVNO.

Your phone is broadcasting your identity, location and behaviour to multiple companies right now, regardless of which privacy app you’re using.

Encrypted apps like Signal encrypt the content of your messages but your mobile network still sees who you’re communicating with, when, and from where. Cape, a new mobile virtual network operator in the US, promises to protect the privacy of high risk individuals, but was founded by former Palantir executives who built their careers serving the CIA, NSA and FBI, won their first government contracts before they had a single consumer on their network. They’re operating a system that combines the surveillance capabilities of a carrier like AT&T with the interception capabilities of companies like SS8 Networks, built specifically to tap into those networks on behalf of intelligence agencies.

The 4 layers almost every privacy app operates inside​

To understand what any privacy tool can and can’t protect you from, you need to understand the 4 layers in the technology stack:

• Layer 1: The app. Signal, WhatsApp, Telegram. This is where encryption lives. It protects the content of messages between devices.
• Layer 2: Your phone. A physical device with a permanent hardware identity that broadcasts to every cell tower it passes, regardless of which app you’re using.
• Layer 3: The mobile network. Records your location, device identity and communication patterns continuously and automatically.
• Layer 4: The lawful interception infrastructure. Companies like SS8 Networks that physically tap into mobile networks on behalf of intelligence agencies and law enforcement.

Signal secures Layer 1. Layers 2, 3 and 4 remain fully visible to anyone with the right access and the right authority.

What Signal protects and what others still see​

Signal is a well built product and the Signal Protocol is strong. When you send a message on Signal, the content is encrypted between your device and the recipient’s. Nobody in the middle can read it, unless the CIA has a backdoor.

But think of your phone number as a PO box address. Every message you send or receive is logged against that address, along with the address of every person you communicate with, the time of every exchange and how often. Your phone connects to cell towers continuously, recording your location every time it does. Your carrier logs all of this regardless of which app you’re using, and retains it for years.

So even though nobody can read your messages, your carrier knows your PO box address, every address you’ve ever exchanged messages with, exactly when those exchanges happened, how often, and where you were each time. A regular carrier collects more than 100 data points on each customer. When that dataset is combined with your communication patterns, relationships and location history, it can identify who you are, map your social network, track your movements and predict who you’ll meet before you meet them, without a single word of your messages ever being read. With modern AI that analysis takes seconds and alerts can be automated to notify whoever has access the moment something triggers their interest. Signal locks the letter inside the envelope but it has no control over what’s written on the outside, and the postal system records every delivery.

The infrastructure built to tap into what the network sees​

In the late 1990s I was seconded from ADC Metrica, a specialist telecoms testing and measurement consultancy, to audit the technical operations of NewNet in Connecticut on behalf of ADC Telecommunications after its acquisition. My role was to evaluate the performance of the people responsible for all of their technology development and testing, spanning 12 development managers and 2 test managers along with their internal teams and outsourced partners, and to make recommendations on what to do with them.

NewNet was a powerhouse in SS7 and SMS technology that provided Lawful Interception services, the infrastructure that makes it possible for law enforcement in the US to intercept and monitor communications at scale. They offered me a full time role to manage the combined operation but Connecticut wasn’t appealing to me during my 20s.

What I didn’t know at the time was that the technology I was auditing would become the foundation for something much larger. When ADC later divested that division, SS8 Networks acquired it and built it into one of the world’s leading lawful intelligence platforms, trusted by 6 of the world’s largest intelligence agencies. SS8’s systems physically tap into mobile and IP networks to enable real time interception of voice, data and metadata.

The companies that analyse what interception captures​

Palantir is arguably the most powerful company in the world when it comes to what it knows about people and what it can do with that knowledge. Its clients include the CIA, NSA, FBI and the UK Ministry of Defence. Its Gotham and Foundry platforms process and visualise the kind of communications data that systems like SS8’s are built to capture. SS8 captures. Palantir analyses. Together they serve the same intelligence and defence ecosystems, performing complementary functions inside the same surveillance infrastructure, and the capabilities that combination unlocks are not fully visible to the public.

The company that combines all of these layers under one roof​

Cape is a 4 year old Mobile Virtual Network Operator (MVNO) that has raised $191 million and is valued at $800 million, backed by Andreessen Horowitz and Bain Capital Ventures, two of the most prominent investors in US defence and intelligence technology, including Palantir and Anduril.
SS8 was built to tap into networks owned by carriers like AT&T and extract visibility over who is communicating with whom, when and from where. Cape isn’t just building its own core network with unknown partners, it’s building tech that has significantly more invasive capabilities. Based on what Cape says it does and how, it has the potential to make AT&T and SS8 redundant for anyone seeking access to a subscriber’s data.

Cape doesn’t just collect the same kind of data as AT&T, it collects more. Its privacy features, IMSI rotation, Network Lock, encrypted voicemail and SIM swap protection, require Cape to see, process and retain far more data about each subscriber than any standard carrier ever collects. Network Lock requires continuous GPS access. IMSI rotation requires a real time mapping table linking every rotating identity back to the real subscriber.

And buried in Cape’s privacy policy, not on their website, is a capability that allows Cape or their network partners to scan the content of SMS messages if they suspect spam or a scam campaign. There’s no opt in or opt out, which for a privacy network built specifically for the highest risk individuals is a significant omission.

Cape also requires subscribers to use their mandatory app, for reasons that don’t live up to my scrutiny, and offers a customised phone. Every phone contains a baseband processor, a separate chip that runs its own closed-source firmware and manages all communication with the mobile network. It operates independently of the main operating system, sitting beneath any privacy controls the customer can see or configure. A manufacturer with full control over both the hardware and that firmware could embed capabilities that would be extraordinarily difficult for even expert security researchers to detect. The BADBOX operation, in which tens of thousands of consumer Android devices were shipped with firmware backdoors that went undetected at scale, demonstrated that this isn’t theoretical. No standard carrier has access to the hardware layer of a subscriber’s device. Only the device manufacturer does. Cape is both.
All of this means an intelligence agency with an existing Palantir relationship wouldn’t need to go beyond it if Cape operates as an undisclosed partner or functions within Palantir’s ecosystem. The data collection, routing, monitoring, analysis and delivery to authorised parties can now flow through a single private tech company.

If you were designing a system that gave a single organisation complete visibility over the communications of the highest risk individuals in the United States, it would look a great deal like what Cape has built.

Who built Cape and why their background matters​

If you’re going to trust a company with God Mode to everything covered in this article, you need to know who you’re trusting.

All 4 founders come from what’s known as the “Palantir Mafia”.

1. John Doyle, Cape’s CEO, was Head of National Security at Palantir, directing the division responsible for delivering intelligence and data analytics to the CIA, NSA, FBI and DoD.
2. Nicholas Espinoza, Head of R&D, his role at Palantir involved identifying cellular network vulnerabilities and building analysis platforms for the intelligence community.
3. Stephen Dowhy, Head of Engineering, comes from Anduril Industries
4. David Dunn, Chief Architect, also from Palantir.

Other members of staff and advisors come from agencies including the CIA, FBI and Homeland Security.

Cape’s own press materials describe the company as founded by experts in national security, and Doyle himself describes their technology as originally designed alongside national security professionals. Their mission, to ensure communication is private, secure and resilient, mirrors Palantir’s own national security mandate almost word for word. One of Cape’s investors has confirmed that the most recent National Defense Authorization Act includes explicit language requiring federal agencies to adopt the precise capability Cape is built around: rotating and obfuscating persistent device identifiers. Cape lists its customers as government, enterprises and consumers, in that order.

In the context of a company like Cape, the ability to rotate these identifiers is controlled entirely by its technology. The high-risk subscriber is trading limited tracking by regulated carriers for the most invasive tracking I’ve seen, by a tech company that holds the master key to those rotating identities.

Cape’s relationship with the US government and what it reveals​

Within a year of founding, with no consumer product, no subscribers and no track record as a carrier, Cape secured government contracts including a pilot with the US Navy in Guam to secure communications for military personnel, contractors and their families. Building and deploying a carrier grade mobile network to a standard that satisfies US military requirements doesn’t happen in 12 months from a standing start. No serious infrastructure company achieves product market fit that quickly, let alone one with a significant technology stack that wins sensitive government contracts on the strength of a promise.

The most credible explanation is that the groundwork was laid before Cape existed as a company, while they were still working at Palantir, where they already had the relationships, the knowledge and the access that only comes from years inside the national security apparatus.
Cape has raised its funding from the same investor ecosystem as Palantir and Anduril. And yet there’s no public comment from Alex Karp or Peter Thiel about Cape. Cape’s CEO has been defending claims on public forums like Hacker News that Cape is a “honeypot” by acknowledging they have to earn trust.

What makes the Guam deployment particularly striking is its sequence. Typically a consumer technology company proves its product in the public market before government agencies trust it with sensitive operations. Cape did it the other way around. The US military was their first customer. The consumer offering came after. Was Guam a military pilot later adapted for consumers, or was it always the proving ground for a product designed to be sold to the most privacy conscious, highest risk individuals in the United States?

Whether that’s the intent is not something anyone outside Cape can know. But it’s what the architecture makes possible, and for high risk individuals, what an architecture makes possible matters more than what a company promises.

The government trusted Cape before the public had heard of them, and that trust came from who the founders were and what they had already built, not from anything Cape had publicly demonstrated. Before you hand over God Mode to your communications, it’s worth asking whether your reasons for trusting them are the same as the government’s.

Some of their core staff and advisors include former senior officials from the FBI and CIA, including a former COO of the CIA. These are architects of the same God Mode surveillance systems that high risk individuals are trying to hide from. The question of why they’re now building the network those individuals are supposed to hide in is one Cape has never been asked.

30 years of watching the same pattern​

Across more than 30 years working inside telecoms infrastructure, consumer technology and cybersecurity, I’ve watched the same pattern repeat. The tools get more sophisticated, the marketing gets more reassuring, and the underlying exposure stays largely the same because the architecture beneath it all hasn’t fundamentally changed. Before you sign up for the next big thing in privacy, look at who’s holding the keys and where they learned to use them.

If I’ve got anything wrong, please tell me. I’d rather be corrected publicly than leave an inaccuracy standing. Everything in this article reflects my own analysis and opinions based on publicly available information. It is not a formal review, assessment or position from MetaCert.

 

[oldschool]

There have been discussions on the GOS forum about the relatively new Cape Mobile and someone posted the above link. The article states that Cape comnbines all the necessary systems of two platforms to conduct and transmit data for "lawful surveilane" purposes.

Palantir is arguably the most powerful company in the world when it comes to what it knows about people and what it can do with that knowledge. Its clients include the CIA, NSA, FBI and the UK Ministry of Defence. Its Gotham and Foundry platforms process and visualise the kind of communications data that systems like SS8’s are built to capture. SS8 captures. Palantir analyses. Together they serve the same intelligence and defence ecosystems, performing complementary functions inside the same surveillance infrastructure, and the capabilities that combination unlocks are not fully visible to the public.

And there is this:

A manufacturer with full control over both the hardware and that firmware could embed capabilities that would be extraordinarily difficult for even expert security researchers to detect. The BADBOX operation, in which tens of thousands of consumer Android devices were shipped with firmware backdoors that went undetected at scale, demonstrated that this isn’t theoretical. No standard carrier has access to the hardware layer of a subscriber’s device. Only the device manufacturer does. Cape is both.

If Cape's "private network" sounds too good to be true, then maybe it is.

 

[Zero Knowledge]

Ahhh I've seen many security experts pumping this, website is great and service looks polished but questions remain.

Ironic that this is just a copy of PhantomSecure or ANOM for business/government people with extra bits and pieces. I guess the criminals were onto something

 

[Marko :)]

If this was a scam, why would Proton and EFF partner with them?

 

[Zero Knowledge]

If this was a scam, why would Proton and EFF partner with them?

It's not a scam, they are legit with lots of buzz from the security world. But they are just an improved spin on encrypted criminal phones with better design and security.

 

[simmerskool]

@oldschool enjoyed article, had never heard of Cape... thanks!

 

[oldschool]

If this was a scam, why would Proton and EFF partner with them?

Good question. There's much discussion about it on the GOS forum and elsewhere. Cape actually has pretty good discounts via referrals, lifetime discounts for early adopters, etc.,. And they sell phones pre-loaded with GOS. Makes you wonder who their target demographic is.

 

[oldschool]

Ahhh I've seen many security experts pumping this, website is great and service looks polished but questions remain.

Ironic that this is just a copy of PhantomSecure or ANOM for business/government people with extra bits and pieces. I guess the criminals were onto something

It's not a scam, they are legit with lots of buzz from the security world. But they are just an improved spin on encrypted criminal phones with better design and security.

Indeed.

 

[Marko :)]

I swear to God, US has so many MVNOs you can find one for everyone. Trump followers, ultra-catholics and now privacy-conscious people.

 

[Trident]

I swear to God, US has so many MVNOs you can find one for everyone. Trump followers, ultra-catholics and now privacy-conscious people.

The problem with MVNOs is that when the network is congested, the service provider (MNO) will first serve their high paying customers, then the low paying direct customers and any MVNOs or contracts through third parties for a fraction of the price will be the lowest priority.

So many times and at many different places, you will be getting poor service, regardless which MVNO (for Trump or Trumpana followers) you will choose. This is why they are cheap.

 

[Marko :)]

The problem with MVNOs is that when the network is congested, the service provider (MNO) will first serve their high paying customers, then the low paying direct customers and any MVNOs or contracts through third parties for a fraction of the price will be the lowest priority.

So many times and at many different places, you will be getting poor service, regardless which MVNO (for Trump or Trumpana followers) you will choose. This is why they are cheap.

I understand that, yeah. Situation is totally different here in my country since we don't have a lot of mobile networks—just 3 main ones that own the infrastructure and 2 MVNOs, both of which are owned by 2 of these main ones. MVNOs are supposed to offer services of main networks for smaller price, but sometimes you can actually find cheaper offers at main networks.

 

[Trident]

I understand that, yeah. Situation is totally different here in my country since we don't have a lot of mobile networks—just 3 main ones that own the infrastructure and 2 MVNOs, both of which are owned by 2 of these main ones. MVNOs are supposed to offer services of main networks for smaller price, but sometimes you can actually find cheaper offers at main networks.

Yeah, it is similar situation in the UK now after Three (Hutchinson UK) and Vodafone UK have merged. We now have 3 major providers (O2 and EE are the other two).

The MVNO prices have gone up.

There are still some cheap prices you can source but you can also go on Uswitch or MoneySuperMarket and get offers from the range of £8 a month.

But then it looks like they do limit your capacity and stuff.

For example Vodafone for these cheap plans does not enable 5G or 5G standalone.

O2 seems to reduce your total speed if necessary to maintain the network and EE as of the last few years has disappeared from these websites.

Lebara, Lyca and so on, you can get for £2-3 a month but then they go up.

 

[Marko :)]

Yeah, it is similar situation in the UK now after Three (Hutchinson UK) and Vodafone UK have merged. We now have 3 major providers (O2 and EE are the other two).

The MVNO prices have gone up.

There are still some cheap prices you can source but you can also go on Uswitch or MoneySuperMarket and get offers from the range of £8 a month.

But then it looks like they do limit your capacity and stuff.

For example Vodafone for these cheap plans does not enable 5G or 5G standalone.

O2 seems to reduce your total speed if necessary to maintain the network and EE as of the last few years has disappeared from these websites.

Lebara, Lyca and so on, you can get for £2-3 a month but then they go up.

The only benefit of using MVNO here is unused minutes/SMS/data at the end of the month is transferred to next month though you can't stack leftovers forever. Usually the maximum is double what plan has.

Now that UK is out of EU/EEA, do you still get free roaming in the EU? Because all networks in Croatia still consider UK part of the EU/EEA and don't charge us when going to UK.

 

[Trident]

The only benefit of using MVNO here is calls/SMS/data unused at the end of the month is transferred to next month though you can't stack left over forever. Usually the maximum is double what plan has.

Now that UK is out of EU/EEA, do you still get free roaming in the EU? Because all networks in Croatia still consider UK part of the EU/EEA and don't charge us when going to UK.

We have a few here that do rollover, not all though.

With the roaming it’s been a mess.

First they said they will all still do it, then a year later most stopped (except the O2 which still does EU roaming as standard on all plans) and now they are all introducing plans with roaming, some of them from the range of £30-40.

Lebara, Lyca, Spusu and several other providers continue to offer roaming.

Though with these cheap options you will be the last priority of the cheapest network in the country you are travelling to.

 

[Marko :)]

Though with these cheap options you will be the last priority of the cheapest network in the country you are travelling to.

Luckily for Brits coming here... the cheapest network in Croatia is also ranked as the best one.
Considering they were the worst mobile network in the country with many areas without any signal and slow 3G/4G speeds, it's quite an achievement.

https://www.speedtest.net/awards/croatia/

In short, ever since they came, Tele2 was owned by Swedish Tele2 group and they barely invested in it. Network was terrible and barely moving forward. Then Swedes sold it to United Group which is regional telecommunication and media company, renamed it Telemach to match the branding in Ex-Yu countries, and they heavily invested into modernizing entire mobile network as well as started building fixed network from scratch. I'm using it and I'm very satisfied, even planning to switch fixed services as they are almost half the price of competitors.

 

[Trident]

Tele2 was owned by Swedish Tele2

Telenor… they used to be in Bulgaria as well, after they acquired Globul from Cosmote and invested in network. They suspended activity in Bulgaria as well after they sold Telenor to e& and PFF group joint venture. It was renamed to Yettel.

United Group in Bulgaria operates Vivacom (another mobile provider, historically known as BTK and Vivatel), as well as TV channel called Nova TV (which was the third channel to be streamed over the air in Bulgaria).

They recently entered the energetics business in Bulgaria as well.

 

[simmerskool]

The MVNO prices have gone up.

There are still some cheap prices you can source but you can also go on Uswitch or MoneySuperMarket and get offers from the range of £8 a month.

just for context & perspective, we've (family) has had Verizon for many years, 3 phones 3 watches... added up, it looks like just the plan "unlimited" for my 1 phone is $75 US + another $10+ in fees and taxes per month... Perhaps we should shop around... (but it works 99.99% of the time) easier it to get lazy & complacent when something works, until it doesn't...

 

[Trident]

just for context & perspective, we've (family) has had Verizon for many years, 3 phones 3 watches... added up, it looks like just the plan "unlimited" for my 1 phone is $75 US + another $10+ in fees and taxes per month... Perhaps we should shop around... (but it works 99.99% of the time) easier it to get lazy & complacent when something works, until it doesn't...

I am paying a lot of money as well for EE. What’s included is Apple One (which before I used to share), the roaming everywhere, including out of EU and Apple Watch plan. Everything is unlimited + priority in busy areas and 5G Standalone.
All that for £41 and it still seems like a lot and I am on the hunt for better deals.
Though EE here have the best network.

You should definitely shop around.

 

[Zero Knowledge]

Good question. There's much discussion about it on the GOS forum and elsewhere. Cape actually has pretty good discounts via referrals, lifetime discounts for early adopters, etc.,. And they sell phones pre-loaded with GOS. Makes you wonder who their target demographic is.

*BACK ON TOPIC* This is the big question, it's just basically an updated and better designed and secure version of PhantomSecure/ANOM with extra network and security features. I think it's business/corporations and government officials operating in high danger environments (*cough China*) while traveling overseas. It could also turn into a huge honeypot like ANOM. I can't see a huge user base except for criminals who need this service and will pay for it, but I may be wrong.

But Cape has big name investors, is being pumped and advertised by the security media endlessly everywhere. Maybe this time secure phones will succeed?

 

[Trident]

But Cape has big name investors, is being pumped and advertised by the security media endlessly everywhere. Maybe this time secure phones will succeed?

They will succeed for how long is the question…

Previous projects didn’t last.

Also with these big name investors there is a big possibility for backdoors.