This is really interesting. Based on their wikipedia I can see they collect a lot of RF traffic - are IMEIs identifiable with the raw data captured that way? I'm surprised they are not encrypted. I say this as someone who knows nothing about the space.
In 2G/3G networks, IMSI is unencrypted in the initial handshake process while the handset gets a TMSI, so it can very trivially be passively observed, but only at specific points in time.
In 5G this is somewhat fixed - the handset uses its Home Network Public Key to encrypt the device-specific IMSI (producing a SUCI) which only the Home Network can decrypt. The MCC and MNC (carrier information) are still sent in the clear to allow the encrypted SUCI to route to the correct Home Network for decryption.