Sunday, February 26, 2006

Mobile tracking devices on trial

Your mobile phone is a beacon - a radio transmitter in a box. Therefore it is possible to trace the signal and work out where it is.

There are now several web companies which will track your friends' and family's phones for you, so you always know where they are.

But just how safe is it to make location details available online?

There are several reasons why you may want to track someone. You may be a company wanting to keep tabs on employees during work hours, or a parent wanting to check up on a child's whereabouts.

These sorts of tracking services, now available in the UK, get information from the network about which cell your phone is currently in, and, for a small fee, display the location on an online map.

As well as checking where a certain phone is right now, you can run scheduled lookups, or snail trails, to record the phone's movements throughout the day, and produce a report for you to peruse at your leisure.

Obviously you cannot just enter any mobile phone number and expect to track someone.

First of all you need to prove your identity, via a credit card, and then, crucially, the owner of the phone in question needs to consent to being tracked.

The owner is sent a text message telling them about the tracking request, to which they must reply.

Experiment

The question is: is it possible to circumvent this security, and track someone without their knowledge?

I attempted to find out, using regular contributor Guy Kewney, an independent technology journalist and, for one day only, human guinea pig.


[Image caption: 10:13 - Guy was at Westminster]

I sent him on a tour of London. He could go anywhere he wanted, and I planned to meet up with him later and tell him, hopefully, where he had been.

Guy did not know that when I borrowed his phone for a few minutes earlier in the day, I took the opportunity to register it on one of the tracking services.

I received the incoming text message warning him about the tracking, responded to it and then deleted it from his inbox.

When I gave him his phone back, Guy had no idea he was now in possession of a consenting tracking device.

Hence, a little while later, I could watch him emerge from the tube at the start of his tour.

But just borrowing someone's phone for a few minutes is too obvious a loophole. It is one which has already been closed by an industry body which oversees new technologies such as mobile tracking services.

Voluntary rules

The Mobile Broadband Group has drawn up a voluntary code of conduct which the networks in the UK ask location providers to stick to.

One of the conditions of the code is that after a phone is registered as a tracking device, reminder texts should be sent to the phone at random intervals.


[Image caption: Guy never received a message warning him he was being tracked]

This way, it should be impossible for a malicious tracker to intercept every reminder.

The problem is, those random reminders are not required to be sent very frequently.

We tracked several phones over several days, and often had to wait for a day or two before receiving a reminder message.

Hamish Macleod from the Mobile Broadband Group, who came up with the code of conduct, argues this is enough.

He said: "We assessed this risk during the development of the code and consulted obviously with all the experts that we did, and the schedule of random alerts that we came up with we thought was adequate to protect against the risks.

"This is a situation to be kept under review as the service is developed."

Child-safe?

With more and more children owning mobile phones, special attention needs to be given to who can track them.


[Image caption: 10:54 - Guy was at Buckingham Palace]

If you are not a genuine parent or guardian, the code requires location services to check that both the tracker and the person being tracked can prove they are consenting adults.

Mr Macleod says: "The person that is to be located has to demonstrate to the service provider they are at least 16 years old.

"They can do this through various channels, for example they can get a credit card number which is used as a proxy for age verification, or something like that."

At least, that is what is supposed to happen. But neither of the services we tested asked the person being tracked to prove they were an adult.

Although they did ask us for the age of the person we wanted to track, they did not check we were telling the truth.

The companies were not following the letter of the code and, what is more, no-one was holding them to account.

Neither service would comment on this oversight.

Although the code of conduct was well intentioned, the Mobile Broadband Group admits it will need refining as loopholes become apparent.

It also highlights the limits of such voluntary codes, and the problems with policing them.

Jago Russell from the human rights group Liberty says: "We have concerns in general about industry codes of practice. They aren't legal regulation; they don't give the consumer an effective legal remedy if the code of practice isn't complied with.

"So in many ways they're not really worth the paper they're written on."

Changes

As a result of our investigation, the Mobile Broadband Group is making some changes to the code of conduct.

The frequency of the random reminders is going to be increased, and the code will make clearer the appropriate way to check the age of the participants.


[Image caption: 11:22 - Guy was at Piccadilly Circus]

Guy Kewney says: "It's a shame but then if you start regulating new technology you usually fall down because people don't expect the unexpected.

"The real problem is that you can't actually perceive the unintended consequences of your technology change, so a hard and fast rule that says 'don't do this' won't stop you doing that, in which case you've wasted your time passing it."

Should we really be worried about being tracked by mobile phones?

Guy Kewney says: "You can worry about anything in this society. If I wanted to track you, the easy way to do it is - well you've found one way, but if they've closed that loophole or if it becomes tricky - then I just hire a private detective.
