Saturday, January 28, 2006

Phone stalking

The mobile phone companies seem to be remarkably careless with the sensitive real-time location data they are gathering on their customers. My mate Ben writes:

I asked my girlfriend if I could, in principle, track her for a day, without telling her how: she agreed and I set the service up on her phone, in five minutes, while she was asleep. I have a map of her movements in front of me right now. It feels very wrong. And it required no technical knowledge, or “hacking”, whatsoever. That this is possible, and so easy, to my mind, is extremely sinister. I had a squabble with one of these companies on Radio 4 yesterday, and they seemed astonished at what I was saying. They promised that they would tighten up security, and think about getting better consent for tracking people’s location than one response to a text message. The notion that this technology could be misused in this way had not, apparently, occurred to them.

It has certainly occurred to the police and intelligence agencies, who will shortly have powers to require companies to store this data for 12 months, and then to get access for an extremely large number of purposes under the Regulation of Investigatory Powers Act, along with Her Majesty's Revenue and Customs and a wide range of other government agencies.


Watching Them, Watching Us said...

We have been worried about these commercial Location Based Services since they started to come to market in 2003, aimed not just at companies with mobile remote workers, but also at the "parents worried about their children" and "families worried about vulnerable old people with Alzheimer's disease etc." see
"ChildLocate mobile phone tracking concerns"

The accuracy of these services is not good enough to do what is advertised, outside of the centres of major cities where there are pico-cells.

In fact, the location data provided could be downright misleading, by several kilometres, which is worse than useless if the information is used to initiate a search for a missing child. e.g. see "Soham Murders, Mobile Phones and Data Protection"

There is, of course, a voluntary "Industry Code of Practice for the use of mobile phone technology to provide passive location services in the UK", an outline of which is available online.

However, the Industry Regulator Ofcom, which should be looking out for the interests of the public, not protecting the revenue streams of the mobile phone industry, has refused to get involved.

See our Freedom of Information Act request which tried to find an official copy of the Code of Practice document above, which at the time was not to be found on any of the mobile phone network companies' websites.

It does not appear that the Information Commissioner has been involved with this Code of Practice either, which seems to be designed to insulate the mobile phone networks from any responsibility for any failures or abuse by the third party Location Based Service providers, rather than to genuinely protect the public.

The Mobile Phone Networks charge a fixed rate per location request (whether it is successful or not, i.e. even when the phone is switched off) to the third party Location Based Service providers who integrate the location data with an online map via a website.

Vodafone apparently "remembers" the last known location before a phone is switched off or goes into a radio "dead zone" e.g. the London Underground, but the other networks simply fail to give a location when requested to in such situations.

If these LBS provider companies had to send out an SMS message to the phone being tracked, each time a customer made a location tracking request, then there would be little or no profit in the business, as the cost to the LBS provider would eat into the small profit they make on each Location request. Obviously, the mobile phone networks make a profit on each Location Request and on each SMS sent.

Remember that the Regulation of Investigatory Powers Act, the European Convention on Human Rights Article 8 – "Right to respect for private and family life" does not apply to snooping by private individuals or companies, only to Public Bodies.

Watching Them, Watching Us said...

That last paragraph should have referred to RIPA only in the context of Location Based Services i.e. Communications Traffic Data. It does apply to private individuals and companies with respect to actual interception of the content of phone calls.

Sainsbury's were selling an end of line "no frills", pre-paid mobile phone with no ring tones, no camera etc, but with a claimed 500 hour battery life i.e. 2 weeks, for only £12.50 including 6 pounds of phone credit.

Such phones could easily be legally registered with a Location Based Service and used as disposable, anonymous, electronic tracking devices by hiding them in or on someone's car or luggage etc.

Again RIPA would cover this sort of thing if done by the Police etc., but not by private individuals.