Built to Forget: Cape is a New Kind of Mobile Carrier

04.18.25 - 4 min read

Telecom breaches, surveillance overreach, and digital identity attacks have become painfully common—and painfully predictable. Every few months, headlines reveal how traditional carriers expose users to privacy and security failures.

It doesn’t have to be this way.

At Cape, our network is built from the ground up to resist these threats. Here’s a breakdown of our five core protections—and how each one could have stopped the attacks that made the news.

More private.

Other Carriers: Excessive Collection, Long Retention
Traditional telcos collect and retain large amounts of metadata like call logs, timestamps, and phone numbers for years. This metadata, while seemingly harmless, can reveal sensitive relationships, patterns of communication, and private associations.

Cape: Minimal Collection, Maximum Protection
Cape collects only what’s necessary to provide service. No names, no street addresses, no emails. Our systems are designed to forget rather than remember, with strict data retention policies that keep your metadata from being stored, sold, breached, or subpoenaed.

Examples:

In July 2024, AT&T reported a major data breach affecting approximately 110 million customers. Cybercriminals accessed phone numbers, call records, text message metadata, and in some cases, cell site information that could approximate users’ locations. This breach, which spanned data from May to October 2022 and some data from January 2023, occurred due to unauthorized access to AT&T’s cloud provider, Snowflake. While the content of communications was not exposed, the metadata still provided valuable insights into customers' interactions and movements.

In July 2024, AT&T reported a major data breach affecting approximately 110 million customers. Cybercriminals accessed phone numbers, call records, text message metadata, and in some cases, cell site information that could approximate users’ locations. This breach, which spanned data from May to October 2022 and some data from January 2023, occurred due to unauthorized access to AT&T’s cloud provider, Snowflake. While the content of communications was not exposed, the metadata still provided valuable insights into customers' interactions and movements.

NBC News reported that the Trump-era Department of Justice secretly obtained phone and text message logs of 43 congressional members and staffers as part of leak investigations. The DOJ subpoenaed telecom providers for metadata, including call logs, phone numbers, and timestamps, without notifying the individuals involved. While the content of communications was not accessed, the metadata still provided a detailed picture of communications patterns and relationships, raising serious concerns about privacy and government overreach.

NBC News reported that the Trump-era Department of Justice secretly obtained phone and text message logs of 43 congressional members and staffers as part of leak investigations. The DOJ subpoenaed telecom providers for metadata, including call logs, phone numbers, and timestamps, without notifying the individuals involved. While the content of communications was not accessed, the metadata still provided a detailed picture of communications patterns and relationships, raising serious concerns about privacy and government overreach.

In October 2024, Chinese hackers known as "Salt Typhoon" breached at least eight major U.S. telecommunications providers, including AT&T, Verizon, and T-Mobile, in what some lawmakers described as the largest telecommunications hack in American history. They infiltrated lawful intercept systems, accessing sensitive metadata such as call logs and unencrypted text messages, and maintained unauthorized access for months. High-profile individuals, including President-elect Donald Trump and Vice President-elect J.D. Vance, were among those targeted. U.S. senators have called for enhanced security measures to protect national infrastructure.

In October 2024, Chinese hackers known as "Salt Typhoon" breached at least eight major U.S. telecommunications providers, including AT&T, Verizon, and T-Mobile, in what some lawmakers described as the largest telecommunications hack in American history. They infiltrated lawful intercept systems, accessing sensitive metadata such as call logs and unencrypted text messages, and maintained unauthorized access for months. High-profile individuals, including President-elect Donald Trump and Vice President-elect J.D. Vance, were among those targeted. U.S. senators have called for enhanced security measures to protect national infrastructure.

In a landmark case from April 2024, the Federal Communications Commission (FCC) fined AT&T, Verizon, T-Mobile, and Sprint a total of $200 million for illegally sharing access to customer location data without their consent. The carriers had allowed third-party aggregators to access highly sensitive geolocation data, enabling tracking of individuals without proper oversight or user approval. The violations were widespread and underscored systemic issues in the way carriers manage and safeguard location data.

In a landmark case from April 2024, the Federal Communications Commission (FCC) fined AT&T, Verizon, T-Mobile, and Sprint a total of $200 million for illegally sharing access to customer location data without their consent. The carriers had allowed third-party aggregators to access highly sensitive geolocation data, enabling tracking of individuals without proper oversight or user approval. The violations were widespread and underscored systemic issues in the way carriers manage and safeguard location data.

On March 30, 2024, AT&T acknowledged that a large dataset of personally identifiable information (PII) belonging to current and former customers had been leaked. Originally stolen in August 2021, the data was published online recently, allowing researchers to verify its authenticity. The compromised information included full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers and passcodes.

On March 30, 2024, AT&T acknowledged that a large dataset of personally identifiable information (PII) belonging to current and former customers had been leaked. Originally stolen in August 2021, the data was published online recently, allowing researchers to verify its authenticity. The compromised information included full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers and passcodes.

A chilling incident reported by 404 Media reveals how a stalker exploited Verizon’s compliance with a fraudulent Emergency Data Request (EDR) to obtain sensitive information. Posing as a police officer, the stalker submitted a fake warrant to request the victim's address and phone logs. Armed with this information, the stalker drove to the victim’s address with a knife and used the obtained data to track the victim’s family, friends, workplace, and even her daughter’s therapist.

A chilling incident reported by 404 Media reveals how a stalker exploited Verizon’s compliance with a fraudulent Emergency Data Request (EDR) to obtain sensitive information. Posing as a police officer, the stalker submitted a fake warrant to request the victim's address and phone logs. Armed with this information, the stalker drove to the victim’s address with a knife and used the obtained data to track the victim’s family, friends, workplace, and even her daughter’s therapist.

A September 2024 report revealed how de-identified smartphone geolocation data was used to track devices associated with the Securities and Exchange Commission (SEC). Researchers leveraged this data to monitor SEC visits to firm headquarters, uncovering insights into the agency’s investigative practices, and potentially revealing SEC enforcement intent.

A former Verizon employee admitted to using his access to Verizon systems to provide sensitive customer data to operatives of a Chinese spy agency. This included leveraging his insider knowledge to access and share personal information about U.S. citizens, compromising their privacy and security. This incident underscores the risks of insider threats within telecom companies, particularly when data systems are centralized and allow broad access.

A former Verizon employee admitted to using his access to Verizon systems to provide sensitive customer data to operatives of a Chinese spy agency. This included leveraging his insider knowledge to access and share personal information about U.S. citizens, compromising their privacy and security. This incident underscores the risks of insider threats within telecom companies, particularly when data systems are centralized and allow broad access.

In September 2024, AT&T was fined $13 million after a vendor used by the company to create billing and marketing videos failed to delete sensitive customer data as required. This breach exposed customer billing information, raising concerns about the telecom industry's third-party data-sharing practices and oversight. Regulators highlighted that AT&T did not sufficiently ensure the vendor adhered to proper data-handling and deletion protocols.

In September 2024, AT&T was fined $13 million after a vendor used by the company to create billing and marketing videos failed to delete sensitive customer data as required. This breach exposed customer billing information, raising concerns about the telecom industry's third-party data-sharing practices and oversight. Regulators highlighted that AT&T did not sufficiently ensure the vendor adhered to proper data-handling and deletion protocols.

Hackers reportedly stole and advertised call logs from Verizon’s Push-to-Talk service. The exposed data included sensitive call details, putting customer privacy and potentially national security at risk. This incident highlights vulnerabilities in telecom infrastructure and the risks associated with storing large volumes of communication metadata for extended periods.

More secure

Other Carriers: Trust-Based Systems Are a Hacker’s Playground
Most telecom infrastructure is decades old and depends on implicit trust between systems for operability and connectivity. This trust creates significant vulnerabilities for hackers to exploit. Once in, attackers can move laterally with ease. Cloud environments are often unprotected by MFA, and outdated mobile cores are easy targets.

Cape: Secure by Design
At Cape, we employ a minimal-trust approach, encrypting both internal and external workflows wherever possible, enforcing MFA on every system, implementing fine-grained access controls and audit logs for transparency, and deliberately storing as little information in our systems as possible. Unlike most other digital telcos, or “MVNOs”, Cape has built and operates its own cloud-based mobile core, meaning we’re not stuck relying on insecure legacy infrastructure.

Examples:

In October 2024, Chinese hackers known as "Salt Typhoon" breached at least eight major U.S. telecommunications providers, including AT&T, Verizon, and T-Mobile, in what some lawmakers described as the largest telecommunications hack in American history. They infiltrated lawful intercept systems, accessing sensitive metadata such as call logs and unencrypted text messages, and maintained unauthorized access for months. High-profile individuals, including President-elect Donald Trump and Vice President-elect J.D. Vance, were among those targeted. U.S. senators have called for enhanced security measures to protect national infrastructure.

In October 2024, Chinese hackers known as "Salt Typhoon" breached at least eight major U.S. telecommunications providers, including AT&T, Verizon, and T-Mobile, in what some lawmakers described as the largest telecommunications hack in American history. They infiltrated lawful intercept systems, accessing sensitive metadata such as call logs and unencrypted text messages, and maintained unauthorized access for months. High-profile individuals, including President-elect Donald Trump and Vice President-elect J.D. Vance, were among those targeted. U.S. senators have called for enhanced security measures to protect national infrastructure.

A former Verizon employee admitted to using his access to Verizon systems to provide sensitive customer data to operatives of a Chinese spy agency. This included leveraging his insider knowledge to access and share personal information about U.S. citizens, compromising their privacy and security. This incident underscores the risks of insider threats within telecom companies, particularly when data systems are centralized and allow broad access.

A former Verizon employee admitted to using his access to Verizon systems to provide sensitive customer data to operatives of a Chinese spy agency. This included leveraging his insider knowledge to access and share personal information about U.S. citizens, compromising their privacy and security. This incident underscores the risks of insider threats within telecom companies, particularly when data systems are centralized and allow broad access.

In September 2024, AT&T was fined $13 million after a vendor used by the company to create billing and marketing videos failed to delete sensitive customer data as required. This breach exposed customer billing information, raising concerns about the telecom industry's third-party data-sharing practices and oversight. Regulators highlighted that AT&T did not sufficiently ensure the vendor adhered to proper data-handling and deletion protocols.

In September 2024, AT&T was fined $13 million after a vendor used by the company to create billing and marketing videos failed to delete sensitive customer data as required. This breach exposed customer billing information, raising concerns about the telecom industry's third-party data-sharing practices and oversight. Regulators highlighted that AT&T did not sufficiently ensure the vendor adhered to proper data-handling and deletion protocols.

Hackers reportedly stole and advertised call logs from Verizon’s Push-to-Talk service. The exposed data included sensitive call details, putting customer privacy and potentially national security at risk. This incident highlights vulnerabilities in telecom infrastructure and the risks associated with storing large volumes of communication metadata for extended periods.

In July 2024, AT&T reported a major data breach affecting approximately 110 million customers. Cybercriminals accessed phone numbers, call records, text message metadata, and in some cases, cell site information that could approximate users’ locations. This breach, which spanned data from May to October 2022 and some data from January 2023, occurred due to unauthorized access to AT&T’s cloud provider, Snowflake. While the content of communications was not exposed, the metadata still provided valuable insights into customers' interactions and movements.

In July 2024, AT&T reported a major data breach affecting approximately 110 million customers. Cybercriminals accessed phone numbers, call records, text message metadata, and in some cases, cell site information that could approximate users’ locations. This breach, which spanned data from May to October 2022 and some data from January 2023, occurred due to unauthorized access to AT&T’s cloud provider, Snowflake. While the content of communications was not exposed, the metadata still provided valuable insights into customers' interactions and movements.

No selling your data

Other Carriers: You’re the Product
From selling real-time location data to sharing geolocation with law enforcement or third-party vendors, traditional carriers have a long history of monetizing user data—often without appropriate user consent.

Cape: You’re Our Customer.
Our business depends on protecting your privacy, not monetizing it. We never sell or share your data—not with marketers, not with data brokers, not even with law enforcement. We fight overbroad requests and notify users of any lawful process seeking disclosure.

Examples:

NBC News reported that the Trump-era Department of Justice secretly obtained phone and text message logs of 43 congressional members and staffers as part of leak investigations. The DOJ subpoenaed telecom providers for metadata, including call logs, phone numbers, and timestamps, without notifying the individuals involved. While the content of communications was not accessed, the metadata still provided a detailed picture of communications patterns and relationships, raising serious concerns about privacy and government overreach.

NBC News reported that the Trump-era Department of Justice secretly obtained phone and text message logs of 43 congressional members and staffers as part of leak investigations. The DOJ subpoenaed telecom providers for metadata, including call logs, phone numbers, and timestamps, without notifying the individuals involved. While the content of communications was not accessed, the metadata still provided a detailed picture of communications patterns and relationships, raising serious concerns about privacy and government overreach.

A chilling incident reported by 404 Media reveals how a stalker exploited Verizon’s compliance with a fraudulent Emergency Data Request (EDR) to obtain sensitive information. Posing as a police officer, the stalker submitted a fake warrant to request the victim's address and phone logs. Armed with this information, the stalker drove to the victim’s address with a knife and used the obtained data to track the victim’s family, friends, workplace, and even her daughter’s therapist.

A chilling incident reported by 404 Media reveals how a stalker exploited Verizon’s compliance with a fraudulent Emergency Data Request (EDR) to obtain sensitive information. Posing as a police officer, the stalker submitted a fake warrant to request the victim's address and phone logs. Armed with this information, the stalker drove to the victim’s address with a knife and used the obtained data to track the victim’s family, friends, workplace, and even her daughter’s therapist.

In a landmark case from April 2024, the Federal Communications Commission (FCC) fined AT&T, Verizon, T-Mobile, and Sprint a total of $200 million for illegally sharing access to customer location data without their consent. The carriers had allowed third-party aggregators to access highly sensitive geolocation data, enabling tracking of individuals without proper oversight or user approval. The violations were widespread and underscored systemic issues in the way carriers manage and safeguard location data.

In a landmark case from April 2024, the Federal Communications Commission (FCC) fined AT&T, Verizon, T-Mobile, and Sprint a total of $200 million for illegally sharing access to customer location data without their consent. The carriers had allowed third-party aggregators to access highly sensitive geolocation data, enabling tracking of individuals without proper oversight or user approval. The violations were widespread and underscored systemic issues in the way carriers manage and safeguard location data.

SIM Swap Protection

Other Carriers: SIM Swaps Exploit Human Error
Traditional customer accounts for cell phone service are protected by usernames and passwords, and rely on customer support agents or employees to manage account changes like number transfers. These weak account security methods allow for SIM swaps, which occur when bad actors socially engineer, bribe, or threaten telco employees to transfer your number to a different phone number. Once a number is stolen, attackers can bypass 2FA, access accounts, and impersonate the victim.

Cape: No Passwords, No Human-in-the-loop
Cape eliminates passwords and passcodes. Instead, SIM management requires a cryptographic passphrase stored only on your device. Even Cape employees cannot initiate a SIM port—only you can, through your device.

Examples

On March 30, 2024, AT&T acknowledged that a large dataset of personally identifiable information (PII) belonging to current and former customers had been leaked. Originally stolen in August 2021, the data was published online recently, allowing researchers to verify its authenticity. The compromised information included full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers and passcodes.

On March 30, 2024, AT&T acknowledged that a large dataset of personally identifiable information (PII) belonging to current and former customers had been leaked. Originally stolen in August 2021, the data was published online recently, allowing researchers to verify its authenticity. The compromised information included full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers and passcodes.

Enhanced Signaling Protection

Other Carriers: SS7 and Diameter Are Unlocked Doors
Legacy signaling protocols like SS7 and Diameter allow malicious actors to track your location, intercept calls, or redirect texts with minimal effort. These attacks are hard to detect and even harder to stop once they start.

Cape: Proprietary Signaling Proxy Blocks the Threat
Cape has removed direct SS7 dependencies and route all Diameter requests through our own secure signaling proxy. Any requests to update location or redirect calls are verified in real-time through your Cape app, which allows us to block any malicious signaling attacks.

Examples

Mobile networks worldwide rely on two core protocols—SS7 and Diameter—to manage essential tasks like locating subscribers and updating their locations when they roam. While foundational to mobile communications, these protocols are notoriously vulnerable to exploitation, allowing location tracking, and eavesdropping on calls and texts.

Examples of these weaknesses are well-documented:

Karsten Nohl’s 60 Minutes demonstration on how SS7 could intercept Congressman Ted Lieu’s voicemails.
CISA’s Kevin Briggs highlighted ongoing SS7 and Diameter exploits track Americans, with many incidents likely undetected.
Veritasium recently showcased SS7 being used to redirect calls from Linus Tech Tips.

Mobile networks worldwide rely on two core protocols—SS7 and Diameter—to manage essential tasks like locating subscribers and updating their locations when they roam. While foundational to mobile communications, these protocols are notoriously vulnerable to exploitation, allowing location tracking, and eavesdropping on calls and texts.

Examples of these weaknesses are well-documented:

Karsten Nohl’s 60 Minutes demonstration on how SS7 could intercept Congressman Ted Lieu’s voicemails.
CISA’s Kevin Briggs highlighted ongoing SS7 and Diameter exploits track Americans, with many incidents likely undetected.
Veritasium recently showcased SS7 being used to redirect calls from Linus Tech Tips.

Telecom security failures have become routine.

Cape was built to change that.

We believe that privacy and security is a basic right, and that connectivity in the modern world should not come at the expense of an exposed digital identity. We’re creating a fundamentally different mobile experience—one where your carrier is no longer the weak link in your security chain.

Share it

SIGN UP TODAY

Cape your calls. Cape your location. Cape your life.