The counter-evidence I'll cite comes from language used by criminal investigators in true-crime television like Forensic Files. I recall several instances of language like "we realized that the suspect then disappeared off the grid — meaning that either the battery in their cellphone ran dry, or more likely, was removed." They never consider the possibility that the suspect powered off their phone — suggesting (to me, at least) that that's not a concern for them.
Thinking more closely about the implication of this, I think the feature I was positing probably exists, but isn't an always-active signalling feature in the way I described in my GP post. It's not that the baseband will (for a regular, non-wiretapped person) periodically reach out to ping towers while the phone is nominally off — which would indeed continue to drain the battery perceptibly.
Instead, my thinking is that one of the following two things is true:
1. Phones need to be powered on to receive an "activate persistent baseband wiretap" message; but once they do receive such a message while powered on, powering down the phone will no longer fully power down the baseband, and the baseband will instead continue to silently register itself with nearby towers.
2. Whether or not the phone is powered on, as long as the baseband receives power from the battery, the baseband will wake up every so often just enough to receive periodic announce broadcasts from nearby cell towers. And part of these periodic broadcasts is a set of queued "system" SMS messages — broadcast to all subscribers rather than directionally-MIMOed to just the intended subscriber, but each encrypted for a specific device. (This would be, in effect, the cell tower acting a bit like a Numbers Station.) One such "system" SMS message can activate silent-persistent-baseband-wiretap mode. Once the baseband receives such a message, it will stay awake from then on, and begin actively pinging cell towers. (At which point the "system" SMS message will be considered ACKed and removed from the service provider's SMSC's system-messages queue topic.)
In either of these cases, only people actively being wiretapped would begin to experience perceptible battery drain.
In the first case, there'd be no additional battery expense for regular, non-wiretapped subscribers — the baseband would be receiving the wiretap message like it receives any other SMS, and only when it would receive other SMSes. Given that SMSCs queue SMSes, you could have a phone off for a while to prevent wiretap activation; it would only get wiretapped the moment you turn the phone back on. (But once wiretapped, turning it off would no longer help.) If criminal organizations knew this, you'd expect to see a specific pattern of use for "burner" devices from them.
In the second case, there'd naively be a barely-perceptible additional battery expense. (But maybe not — in theory, the radio could have an independent little circuit for this that is powered by the cell tower in a process similar to RFID! After all, it only needs enough smarts to recognize one particular message and tell the rest of the baseband processor to wake up. Like the "wake word" DSP on a smart speaker.)