I'm not sure if MAC addresses are used in cell network negotiation, and they are easily spoofed, but the cellular network provider could certainly link an IP address to a device id. then again, most criminal "burner" phones are not internet enabled anyway

IMSI, IMEI, MSISDN, etc.

Systems to associate 'burner' phones to individuals, with patterns of metadata, have been commonplace for decades

https://github.com/kimgr/asn1ate/blob/master/testdata/public...

yes those can be used as device ids and in network negotiation. harder to spoof as they're a lower abstraction layer than MAC addresses

I read in an earlier NYT article about geo-fencing that the initial response involves unidentifiable tags.