Summary
We prevent mass surveillance, but authorities can still go after criminals. We don’t keep a centralized, identity-linked archive, and host networks don’t receive any identifier mapping from us. What exists is minimal, siloed, and short-lived.
Investigations must follow due process across multiple parties. When there’s a legitimate case, authorities build it via targeted, court-supervised requests to the relevant parties (the host network, apps/clouds, banks, device forensics), a due-process puzzle, not a bulk dump. Big Wireless typically centralizes most of this; REALLY does not.
REALLY protects people’s freedom and liberty, but evil can still be thwarted. Needed records can still be obtained via due process from other groups, it’s just more tedious at the individual level, which protects the public from broad sweeps and profiling.
Privacy by design via our PrivateCore™, lawful when required. We are CALEA-compliant and operate within the regulatory environment, we just don’t have a lot of data to share (or to leak).
The Critic’s Question
“If you don’t store much, and networks can’t see anything, how can authorities still ‘put the puzzle together’? Aren’t you making investigations impossible? If not can they tap my phone?”
Why This Matters (In Plain English)
Telecom produces sensitive metadata (who/when/where). Traditional carriers tend to centralize identity-linked histories and keep them for long periods. That makes a single broad request very powerful, and risky. It’s convenient for bulk access, but it also enables dragnet surveillance, increases breach impact, and invites profiling errors against innocent people.
REALLY is engineered differently. We run a full phone service without building a one-stop, identity-linked archive and without sending identifier mapping to host networks. That design keeps ordinary people out of mass sweeps, and it still lets targeted investigations move forward through due process to prevent terror attacks and other nefarious crimes.
Can your phone still be tapped? Of course. But it's not easy like it would be on Verizon, AT&T or any other carrier, and with our setup authorities need to follow due process. What we built makes them play by the rules. They can still get the bad guys, but it's near impossible to spy on everyday law-abiding citizens at scale.
How Investigations Work Without a One-Stop Archive
Think puzzle, not bulk dump. When there’s a legitimate case:
A lead exists (victim report, device forensics, credible tip, OSINT, platform notice).
Targeted, court-supervised requests go to relevant parties, each disclosing only what they actually have:
Host network (e.g., towers): tower-level technical events (CDRs).
Apps/clouds: service logs for the specific account/timeframe.
Financial/retail: payment trails tied to the case.
Device forensics: handset contents/identifiers if lawfully accessed.
REALLY: limited subscriber/account records that exist within short retention windows.
Correlation builds the timeline across time, place, device IDs, logins, and transactions.
Everything is auditable, multiple requests, multiple logs, clear scope.
Result: the case advances through due process across multiple parties. It’s deliberate and narrow, not a mass sweep.
Big Wireless vs. REALLY (Side-by-Side)
A) Data Layer: Identity, Logs, Storage, Access
Big Wireless
Centralizes identity-linked CDRs/metadata.
Keeps records for long periods; multiple vendors/partners have access.
One broad request can return bulk history in a single handover.
REALLY
No centralized, identity-linked archive.
No identifier mapping sent to hosts.
Records are minimal, siloed, and short-lived—so disclosures are naturally narrow and specific.
B) Communications Layer: Voice & Data In Transit
Big Wireless
Standard call routing can leave downgrade points (e.g., exposure to IMSI-catchers).
No built-in, network-level VPN for sessions; traffic patterns/metadata are widely visible.
REALLY
Encrypted-calling protections (including anti-downgrade policies where devices support them)
Built-in, telco-native VPN to shield browsing/app traffic.
Fewer “free” signals for bulk interception; targeted lawful access still proceeds through proper process.
Read our dedicated explainers on Encrypted Calling and VPN for the technical deep dive.
What We Do (and Don’t) Share or Store
No one-stop archive. We avoid building centralized, identity-linked histories.
No identifier mapping to hosts. We don’t send account network-identifier mapping to host networks.
Minimal, short-lived records. Retention is tightly limited to operating the service and meeting legal duties.
No monetization. We don’t sell or broker customer data.
How This Protects People, Especially Those at Risk
Less collateral exposure: No giant vault to sweep or leak.
Fewer profiling mistakes: Without mass archives, innocent people are less likely to be pulled into broad searches.
More due process by default: Multiple parties and steps create natural checks, logs, and court oversight.
Quick FAQ
Q: Are you blocking investigations?
A: No. We’re ensuring they proceed case-by-case, under court supervision, instead of via bulk sweeps.
Q: If hosts create tower CDRs, can’t they identify me anyway?
A: Hosts do not receive any identifier mapping. Connecting dots requires targeted requests to the relevant parties.
Q: What does “short-lived” mean?
A: We are publishing a Retention Matrix with specific time limits by dataset shortly.
Wrap-Up
Mass surveillance doesn’t work here. There’s no centralized, identity-linked archive, and hosts don’t receive identifier mapping from us. What exists is minimal, siloed, and short-lived.
Investigations still proceed, but as a due-process puzzle across multiple parties, not a single bulk dump. That extra effort protects the public from broad sweeps and profiling while keeping lawful, case-specific access viable.
Privacy by design, lawful when required. We are CALEA-compliant and operate within the regulatory environment, we just don’t have a lot of data to share (or to leak).
Sources:
CALEA framework; FCC CPNI rules & certification guidance; NIST SP 800-53 (audit & access controls); reputable analyses on targeted access vs. dragnet surveillance.
Honest limits
Lawful access still happens. When required by law and properly scoped, we provide targeted, court-authorized access to the limited records we may have.
Some interconnects are legacy. We will document exceptions and continue to reduce exposure.
Compromised endpoints: Malware on a device can leak content outside any carrier’s control. This is not the fault of REALLY or any wireless carrier (to be fair). In extreme cases where high profile families, governments or individuals are targeted by Pegasus or a few other attacks, there’s not yet a good solution. The good news is that these attacks are extremely rare. The bad news is they require advanced “threat modeling”, a product we are working on.
Proof & verification (in progress)
Coming soon:
Policy: Lawful Process Policy (targeted, court-supervised access; no dragnet). Retention Matrix (specific TTLs; minimal scope).
Architecture: Data-flow and access workflow diagrams showing no centralized archive and no identifier mapping sent to hosts.
Audit: SOC 2 / ISO 27701 control IDs for access reviews, logging, and retention enforcement; counsel attestation on process.
Tests: Mock warrant drill (docs + outcomes); verification that no bulk-export capability exists; quarterly TTL drill → no data found beyond retention.
Transparency: Law-enforcement transparency report (received/complied/narrowed/rejected) and security/privacy changelog.
Contracts: Vendor/roaming DPAs with field whitelists, retention ceilings, and no re-identification/secondary use clauses.
Join the only carrier that makes privacy non-negotiable.
