Aside from the phone actually spying on its users, metadata correlation,
network, triangulation, ISP..
Invisible Infrastructures : Surveillance Architecture
https://labs.rs/en/invisible-infrastructures-surveillance-achitecture/
Let’s start from the beginning and explain the way a device connects to a
network, or rather how it authenticates itself on the network. For the
purpose of authentication the device uses 2 ID numbers, the first one is the
device’s IMEI number (International Mobile Station Equipment Identity), and
the SIM card’s IMSI number (International Mobile Subscriber Identity). Both
numbers are unique and predefined for every device/SIM card. The mobile
carriers have an infrastructure of Base Stations (BS) that are
geographically distributed throughout the area that’s being served by the
operator