
I would think the capability of having an Off phone receive a radio signal to turn itself On would require pretty deliberate hardware design.

I do remember reading about locally fingerprinting an Off phone based on its passive radio response, and this seems feasible.

When the phone is On, total location privacy is out the window, as Ma Bell always knows what towers you're near and can triangulate. Everything else you've said can be (and probably is) implemented in invisible layers of software.

End-to-end privacy would be a nice step forward, but assuring this requires an auditable interface between the radio transceiver and the computer/sensors. Any fix for the location problem involves decoupling identity/billing from the physical infrastructure.




As far as I know every mobile phone reveals your location to the owners of the radio towers and your provider. It is probable they forward this information to more parties. You can use one with a hardware off switch, but obviously you cannot be reached by phone for the off time; not using one at all would not make a huge difference at that point.

Good point, but can't your phone's location still be tracked when powered off?

I'm curious: How do they detect the location of a cell phone that is turned off?

One of the things I was curious about is whether the phone can be enabled remotely by the telco. I found conflicting information on the web. I suspect it can, but this is not something the carriers want to talk about. Just a suspicion, though. I imagine what happens 99% of the time is that the user doesn't want anything to do with tech like gps tracking, but then they find an app that does something cool, and it needs things like gps to be turned on in order for it to work. So in a way, just like Facebook is destroying privacy by "helping" folks share, many apps are destroying the anonymity of location and travel by "helping" folks with cool apps. That kinda sucks. Wish the situation were different.

Note that location services comprises many different technologies, not all of which can be turned off. Many of them are required for the phone to operate. The upcoming FCC regs, for instance, require 100m self-locating ability to always be on. I guess for things like 911 service?

Speaking of paranoia, there's also rumors that the FBI/black helicopter/MIB bunch can actually power-up your phone remotely, especially with some models. This sounds completely out-of-left-field to me, but who knows? Court docs show they can use your phone as a listening device even when you're not calling somebody, so I wouldn't put other things along these lines past them. There's probably a good reason Osama Bin Laden refused to have anybody associated with him possess a cell phone, whether it was used, had a battery in it, or not. Seems like I read something somewhere once about illuminating electronics gear with microwaves, then reading the signature of the radiation emitted. But it could have been in a pulp sci-fi novel. As I said, it's difficult to tell where reality ends and paranoia begins with this because reality is quickly catching up to the paranoia of just a few years ago. Who would have imagined sub-meter resolution on where you are? That's almost accurate enough to tell if you're wearing the phone in your jacket pocket or on your belt. Crazy stuff.


Umm, isn’t this, like maybe, a good thing? If I want my very expensive iPhone found, I want it found whether it is on or off.

If people are worried about being tracked maybe they should carry around a device that is always broadcasting radio signals to third party towers.


One of the most private things your phone knows about you is where you are at any given time. It's completely possible to design phones and cellular networks in such a way that they don't reveal that information to third parties, but we haven't, and that's bad.

How often are you really on calls, though? Assuming this would be feasible, you could just have it turned off whenever you are not on calls or whenever you don't need your phone to tell you your location.

I'm not really sure it's feasible, though. I don't know the details of how phones interact with towers, but I would think that what's happening is that your phone broadcasts a radio signal, and that same exact signal is picked up by more than one tower. If you want to triangulate the location of the radio signal, you don't need to know how long it took to get to the tower, you just need to know how much longer it took to get to one tower than the other, and the locations of the two towers.

Additionally, I think you can make a similar calculation based on signal strength if you can account for anisotropies in the attenuation of the signal. This seems less reliable to me, but if this is how it is done you could potentially throw off your location by a little bit by putting your phone in a partially shielded case that increases the attenuation on one side relative to another.


Fun problem:

When the phone is turned on, the phone communicates with cell towers. This can approximate your location. To be truly anonymous (as much as possible) you should have the phone cut ALL communication with the cell towers. When you make the call, the antenna turns on, call is made, antenna turns off.

Additionally if the phone can be configured to use wifi for phone calls, then ideally you decrease the possibility of the location being tracked.

If the phone is on in theory authorities should be able to pull records from the cell companies and track every place the carrier of the phone visited.

For added shipping security always ship from a VERY high volume shipping place. This way it's hard to isolate your package, but not impossible.


Until/unless they modify the law - turning off your phone thwarts it. While your phone is powered off, it has no ability to track & record your location movements. Obviously your active location will then be picked back up after you power it on, but it won't have a record of anything in between.

A simple example of limiting the invasiveness using this approach, would be to have your phone on only at work & home, or similar. In absence of phone snooping, someone can already easily locate you at those two standard destinations, and can easily discover when you'd typically be at those places (ie you're not giving them much by using your phone there under normal circumstances).


It won't take long for alternative phone OS that do not broadcast the location (whether it is compliant with regulations or not). If all the telco can tell is which tower is activated, it will limit a lot their spying capacity.

It is a surveillance appliance by design. Even if it is Open Source. The operator has to know the location of the phone all the time.

It is a radio that ids itself with local towers. How would you build a cellphone that you could not track easily?

This is an interesting perspective, however, I think this still falls short in a few areas where users have a reasonable expectation of privacy and security. Just a note on background, I spent over 9 years in cellular telecom, so take these biases as a long term industry insider.

Apple/Google have made great progress in several areas, but there are just pieces of the puzzle we entrust the carriers with:

General Location Information: By the nature of the way cellular networks work, they require all times the device is powered the relative location of the device. There are lots of rules and carrier preferences around this, but when the radio is active, the cellular network needs to know which are the closest towers, and when the radio is inactive, a wider location (think a postal/zip code).

I think most people would reasonably consider leaking this information or allowing it to be public unreasonable.

Specific Location Information: So I'm not totally sure about this one, since I unfortunately never took the opportunity to test it. There exists a Diameter API for e911 services, that allows requesting the GPS coordinates of a device. I never tested this out, to see if the device would notify if this API was used, or whether it was only functional from within a 911 call.

So take it with a grain of salt, but embedded within this might be the possibility to continually request specific GPS coordinates of a device.

Denial of Service: A large issue with many of these weaknesses is that it can lead to targeted denial of service. So if I have access to the Diameter network, I can send routing updates to a location where you aren't, and continually deny you access to the network.

The device might be secure, but if you can't use it, it's still a problem. This wouldn't require much sophistication, probably on a similar level to say running a ddos attack against a website.

Inflated Billing: Another side effect, I can target you and generate inflated bills, by indicating you are roaming on an expensive network. When I left, I believe the most expensive roaming location was still $65 CDN/MB. Try and deal with a carrier explaining that you can't possibly be in Canada and Africa at the same time.

Detectability: These problems can be hard to detect. If you suspect fraud on your account due to denial of service or inflated billing, there are only a select few people at the carrier that can find these problems. The Diameter protocol also has a specific weakness, in that requests are routed by destination network, but answers are routed back along the path the request took, and may cross 3-4 companies' networks. So even if you try and implement source based policy, it's trivially easy to spoof the source when implementing these types of attacks.

Sim Updates: I'm not totally familiar with this part of the architecture, but if you're able to spoof the device into connecting to a rogue network, you may be able to do more nefarious things than just route or block the user plane traffic. You may actually be able to send sim updates, that could brick the device or maybe even run programs on the sim card. Don't hold me to this though, I'm pretty far removed from this part of the spec.

I'm also not totally convinced the internet model has all the answers yet, but I'm happy to see the progress made over the last several years. But I think that's really a different topic, so won't dive into it here.

I think my argument would be progress needs to be made on both sides of the equation. Carriers should work towards being able to operate with the least privilege necessary (good luck... I don't have my hopes up seeing the inside), and still protect the privacy and integrity of the information it does need (routing locations, e911 services, record keeping, OTA updates, metadata).


The solution is for your phone to not be a phone. Strip out the baseband entirely, use usb or wifi to a 4G LTE dongle, do VoIP. Extra benefit that you can explicitly know when you're radiating (and thus being location-tracked).

Blackphone is pretty lame, IMO. There's something better coming from a trusted source in weeks, and plenty of work being done on the "there is no phone" phone concept.


This would solve eavesdropping, but not the problem of your friendly neighborhood stalker knowing the rough location of your cellphone at any given point in time.

Any phone's location can still be tracked by cell tower. From whom are you trying to get privacy?

I'm pretty sure you can already track all phones from satellites already.

Phone initial handshakes with the tower are done at high power and are always identical, meaning you can get a ridiculous coding gain to detect them.


Well even a completely trustable cell radio is tracked with tower triangulation. The only way I see to fix this is to completely rearchitect the mobile network by getting rid of subscriber IDs, using anonymous payments for tower access, and then a mix network for transit privacy. That is to say, location data is a wash for the foreseeable future.

Surreptitious microphones and other sensors are indeed still a problem, but they seem easy to audit/remove in the short term, and if this model catches on and they become a real threat, the physical audits just have to go deeper.

What you do gain is a processor that can be trusted by the user (in the same way we all trust Intel CPUs), with the Mifi only seeing encrypted communications. Also we've moved the demarc point solidly between two separate physical devices - upgrade your pocket computer without involving your cell provider, and replace your communications ability without affecting your user environment.


Hiding the location of a radio itself is likely infeasible (with sector antennas, each tower actually knows a signal strength and a rough vector).

However, what is avoidable are fixed IDs like IMSI and IMEI that allow persistent tracking of the "same device" or "same user" across every tower. The routing functions of IMEI could easily be replaced with a nonce that changed for every registration. The billing functions of IMSI could be replaced with blinded tokens. And the persistent identity of phone numbers could be provided by independent parties like with email, ideally over a (non-wireless) mix network.
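The blinded-token and per-registration-nonce idea from the comment above, as an added sketch that is not part of the thread: billing signs a value it cannot later recognise, and the tower accepts a token plus a fresh nonce with no subscriber ID. The textbook RSA blind signature, the toy key, and the names `Carrier`, `buy_token` and `demo` are assumptions chosen for illustration; the comment does not name a scheme.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key (two Mersenne primes); far too small for real use,
# and unpadded "textbook" RSA is used only to keep the blinding visible.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # carrier's private exponent (Python 3.8+)

def h(token: bytes) -> int:
    """Map a token to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

class Carrier:
    def __init__(self):
        self.billed = []    # (subscriber, blinded value) pairs seen by billing
        self.spent = set()  # tokens already redeemed at a tower

    def sign_blinded(self, subscriber: str, blinded: int) -> int:
        """Billing side: knows who pays, sees only the blinded value."""
        self.billed.append((subscriber, blinded))
        return pow(blinded, D, N)

    def register(self, nonce_id: bytes, token: bytes, sig: int) -> bool:
        """Tower side: sees a fresh nonce and a token, no subscriber ID."""
        if token in self.spent or pow(sig, E, N) != h(token):
            return False
        self.spent.add(token)
        return True

def buy_token(carrier: Carrier, subscriber: str):
    token = secrets.token_bytes(16)
    while True:  # blinding factor must be invertible modulo N
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (h(token) * pow(r, E, N)) % N
    blind_sig = carrier.sign_blinded(subscriber, blinded)
    sig = (blind_sig * pow(r, -1, N)) % N  # unblind: leaves h(token)^D mod N
    return token, sig

def demo():
    carrier = Carrier()
    token, sig = buy_token(carrier, "alice-billing-account")  # constructed name
    first = carrier.register(secrets.token_bytes(8), token, sig)
    replay = carrier.register(secrets.token_bytes(8), token, sig)
    forged = carrier.register(secrets.token_bytes(8), b"made-up", sig)
    unlinkable = carrier.billed[0][1] != h(token)
    return first, replay, forged, unlinkable
```

The sketch covers only the identifier layer; as the same comment notes, the radio signal itself still gives each tower a signal strength and rough direction.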
