Stalking In Parliament

March 15th, 2006 by Ben Goldacre in bad science, phone stalking | 27 Comments »

Judy Mallaber MP spoke rather well on the dismally insecure regulation of the new mobile phone tracking industry in parliament last night (and mentioned me, hurrah!):

Hansard

“Getting back to child protection, in theory the child must consent to his phone being tracked in the first place, but is there not something a bit odd about the idea of a four year-old, part of Teddyfone’s target market, being able to give and maintain consent? An oppressive parent could insist on the child giving consent, or a devious paedophile skilled at grooming could easily find a way around the necessity, for example, by registering the second phone to himself before handing it to the child or hiding it in his backpack. To extend that to adults, The Guardian journalist Ben Goldacre showed recently that someone needs possession of another person’s mobile phone for only a couple of minutes to appear to give the consent required under mobile phone companies’ current procedures. The person he was tracking never got any of the warning messages that were meant to have been sent to her. Even more scarily, a hacker’s website has recently published information telling how to spoof consent without even having to have temporary possession of the target’s phone; all that is needed is the number. If someone has a person’s number, he can track them. It is not a problem. I know where the website is, but I am not going to tell Members. It is possible to track people just through their phone numbers.”

What I find most interesting about this whole thing is how dismissive the people involved in regulating this industry are of the problems. They seem quite happy to rely on people like me and various hackers to spot huge holes in their untested insecure systems before they close them up: for a while it was even possible to track a mobile phone just by having the number, you didn’t even need to have access to the phone to send a “consenting” text message.

As an example of their approach, the first company I used to stalk my girlfriend failed to send out the “warning you are being stalked” text messages to the stalkee. When I wrote about this, their reaction was to tell The Register that I was being deceptive, that I had received the warning messages, but that I didn’t mention them because that made for a better story. This was not true, they failed to arrive, as I described, and indeed the “Mobile Broadband Group” (who are supposed to regulate this area) audited them and found that they had failed to send the warning messages as they should have (and The Register kindly printed a correction).

Obviously I’m worried about an industry whose first reaction, when caught out, is to deny the problem and accuse journalists of nefariousness.

Now, that one company sends out warning messages with ludicrous frequency (I got two in the space of two minutes) but others still fail to do so. I’ve been using one for a week now, with no warning messages appearing whatsoever, despite claims by the Mobile Broadband Group that they are on top of this.

There are two major problems with their whole set up. Firstly, accepting a text message as consent for being tracked is clearly insufficient, as a text message being sent from a phone is no way to check your identity. Anyone who has ever bought a mobile phone on contract knows that when they are worried about getting their money out of you, phone companies will go to huge lengths to be absolutely certain they’ve got your identity correct: but when it’s about protecting your privacy, hey, a text message will do.

But secondly, for myself, I can’t see why it should be left to the individual tracking companies to set up their own warning texts, when they are demonstrably incapable of doing so; and I also can’t see why, when presented with a problem like this, the Mobile Broadband Group can’t even be bothered to just go round and do their own quick audit of whether the companies they regulate really are sending out the “warning you are being tracked” messages or not.

If I can do it, in half an hour’s work, you’d think they could do it too?



27 Responses



  1. stever said,

    March 15, 2006 at 1:20 pm

    good stuff Ben. i sense a result imminent on this.

  2. Ben Goldacre said,

    March 15, 2006 at 1:23 pm

    i’m not so sure, might be too geeky for people to get their head around, maybe some violence facilitated by the technology might help, people like a strong narrative.

  3. stever said,

    March 15, 2006 at 1:26 pm

    and this one from february – rather odd:

    Lady Hermon (North Down, UU) Hansard source

    To ask the Secretary of State for Northern Ireland whether technology is available to the Police Service for Northern Ireland to allow it to use mobile phone tracking to pursue investigations into (a) missing persons and (b) missing persons believed to be underwater.

    Shaun Woodward (Parliamentary Under-Secretary, Northern Ireland Office)

    The Police Service of Northern Ireland utilises the same technology as is available to law enforcement agencies in the rest of the United Kingdom and deploys that technology in accordance with the provisions of the Regulation of Investigatory Powers Act 2000 in investigations, including missing persons investigations, where appropriate. Mobile phones under water are highly likely to be inoperable; and even if operable the signal would not transmit effectively.

  4. Shermozle said,

    March 15, 2006 at 1:29 pm

    I’m curious about how people have spoofed the consent thing, as mentioned in hansard. What’s the link?

  5. Ben Goldacre said,

    March 15, 2006 at 1:32 pm

    you used to be able to send them the “i consent” text message from any spoof text sending website. since that glaring loophole was exposed, they now make you reply either to a number that cannot receive spoofed messages, or reply with a code that was sent to the phone (so you would have to have access to the target phone in order to obtain that code). there is another loophole but i can’t tell you what it is.
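The fix described in comment 5 (reply with a code that was sent to the phone), sketched as an added example that is not part of the original post or any tracking company's code. The class name, expiry, attempt limit and the phone number used to exercise it are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 3         # assumption: give up after 3 wrong replies


class ConsentVerifier:
    """Pending consent requests, keyed by the number to be tracked."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # callable(number, text) that delivers to the handset
        self._now = now
        self._pending = {}          # number -> [code_hash, expires_at, attempts_left]

    def request_consent(self, number):
        # Unpredictable 6-digit code; only its hash is kept server-side.
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[number] = [digest, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(number, f"Reply with code {code} to allow location tracking.")

    def handle_reply(self, claimed_sender, body):
        """Return True only if the reply carries the code sent to that number.

        claimed_sender is used for lookup only. It is never proof of consent,
        because the sender field of an inbound text can be forged.
        """
        entry = self._pending.get(claimed_sender)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[claimed_sender]
            return False
        supplied = hashlib.sha256(body.strip().encode()).digest()
        if hmac.compare_digest(supplied, digest):
            del self._pending[claimed_sender]   # single use
            return True
        entry[2] -= 1
        return False
```

This only proves that whoever replied could read messages on the handset at that moment, so it does nothing about the "possession for a couple of minutes" case raised in the speech.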

  6. Shermozle said,

    March 15, 2006 at 1:33 pm

    Should have googled before asking:
    www.rootsecure.net/?p=reports/locate_anyone_in_uk

  7. Ben Goldacre said,

    March 15, 2006 at 1:38 pm

    thanks for that link, i hadn’t seen a fleetonline statement about fixing that hole before.

    “This was always applied for Vodafone due to network regulations and has now been turned on for the other networks too.”

    this is an apparent contradiction of what i was told by the mobile broadband group, who suggested this hole was a failure by fleetonline to follow the code that was for all networks. it really does look like the companies and the regulators are just making this up as they go along.

  8. RS said,

    March 15, 2006 at 1:47 pm

    Oh why do you hate entrepreneurism so?

  9. Tom said,

    March 15, 2006 at 2:04 pm

    Here’s a TheyWorkForYou link to the same speech. Just after the BBC White Paper – could mean that a few more people saw it than might otherwise have…

  10. stever said,

    March 15, 2006 at 2:11 pm

    linked from the above is ben’s wiki-page: en.wikipedia.org/wiki/Ben_Goldacre

    Ben Goldacre is a London-based British journalist and doctor. He writes a column, Bad Science, on the Saturday science page of The Guardian newspaper. Devoted to satirical criticism of scientific inaccuracy, health scares, junk science, pseudoscience and quackery, it focuses especially on examples from the mass media, consumer product marketing and complementary and alternative medicine in Britain.

    He has been a particular critic of the claims of TV nutritionist Gillian McKeith, anti-immunisation campaigners, Brain Gym, bogus positive MRSA swab stories in tabloids, and the makers of the product Penta Water, to name just a few, and with some success: for example, McKeith has stopped calling herself a “doctor” on Channel 4, and Penta have ceased trading in the UK, under investigation from various bodies.

    On Bad Science, Goldacre describes himself as “a serious fuck-off academic ninja.”[1]

    External links

    * Bad Science column in The Guardian
    * Bad Science website

    ——————————

    *wonders about adding some secret garden photos*

  11. Kimpatsu said,

    March 15, 2006 at 4:02 pm

    “…for myself, I can’t see why it should be left to the individual tracking companies to set up their own warning texts, when they are demonstrably incapable of doing so; and I also can’t see why, when presented with a problem like this, the Mobile Broadband Group can’t even be bothered to just go round and do their own quick audit …”
    Simple. Just like the bogus excuse the government is giving for ID cards; “you can refuse a passport; it’s voluntary”. Likewise, you can refuse a mobile phone.
    Except that in the 21st century CE, you need both to lead a normal life. So their excuses are mere sophistry. But you will never get them to admit the real reason: that it’s a THRILL to spy on people without their knowledge.

  12. Andrew Clegg said,

    March 15, 2006 at 5:00 pm

    Ben, msg 5: there is another loophole but i can;t tell you what it is.

    Isn’t this a bit like e.g. Microsoft sitting on known security holes for weeks or months through their glacially-slow patch development cycle, meaning that for the duration, only evil-doers know about the exploits?

    Security through openness is a much better policy than security through obscurity.

    Unless you mean you’re under a non-disclosure agreement or something..!

    Andrew.

  13. Ben Goldacre said,

    March 15, 2006 at 5:07 pm

    it’s not my secret.

  14. censored said,

    March 15, 2006 at 5:25 pm

    Another glaring problem is that nowhere do operators guarantee that text messages sent will actually arrive. Very often, at peak times, messages will go missing, taking days to go through or disappearing altogether. So even if “you’re being tracked” texts were sent, who is to say anyone receives them?

  15. Roger Macy said,

    March 15, 2006 at 6:31 pm

    Young children being stalked and their parents not noticing that they’ve acquired a nice new mobile phone? I suppose it can and will happen but I’ll wager it’ll happen far more often in Soap scripts.
    Ben, stamp your copyright on this, quick.

  16. Pete said,

    March 17, 2006 at 9:44 am

    To be fair to The Register, the article in question was re-printed from www.out-law.com/ and it was out-law that also printed the retraction. Having said that, I suspect The Register is probably the more widely read site.

    censored makes a good point, text messages can and do just vanish, so what guarantees are there that they ever arrive?

    I have heard “rumour” that to guarantee your phone cannot be tracked you have to do more than just switch it off, you have to remove the battery as well, how true this is I have no idea, I think I’ll try to find out though.

  17. MostlySunny said,

    March 17, 2006 at 11:19 am

    crikey – this is scary stuff – we have mobile (cellphone) tracking here (South Africa) too I think. Am going to look into it when I get a chance.

    What we do have here are car trackers. They are installed by insurance companies in all vehicles over a certain value. If your car is stolen you can contact them and they “track it” and send out a task team to recover it.

    However, I have noticed deluxe versions of this being marketed to companies whereby they can keep track of the location of all their vehicles at any given time.

    I have heard that it is scarily easy to get a few months of data on car movements if you just know who to contact (and where to leave the cash)…

    great for stitching up cheating spouses…

  18. stever said,

    March 17, 2006 at 11:58 am

    Pete – the clock continues operating when the phone is switched ‘off’ – so that’s not implausible.

  19. Big Les said,

    March 17, 2006 at 1:22 pm

    I feel we’re in danger of straying into “paedos ate my children” Daily Mail hysteria-ville here. Ben’s doing good work on this one, but all concerned need to keep a sense of perspective. After all, it’s perfectly *possible* that you might one day find yourself in a bath of ice with your kidneys missing, but it doesn’t mean it’s ever happened in real life or is something that it’s realistic to worry about when weighed against the havoc caused by people propagating the idea.

  20. stever said,

    March 17, 2006 at 4:57 pm

    fair point Les, but it was the MP that took it in that direction not Ben or anyone here.

    I would say though, that it’s more an issue of bad regulation leaving the door open to potentially abusive use of technology, rather than Bad science per se.

  21. Pierre said,

    March 17, 2006 at 6:29 pm

    I wonder how many MPs have cell phones…

    Perhaps they would consider it more of a threat if someone were to set up a website where all MPs’ cell phones were tracked for the whole world to see

  22. amoebic vodka said,

    March 18, 2006 at 2:25 am

    “Pete – the clock continues operating when the phone is switched ‘off’ – so that’s not implausible.”

    Impossible, no, but plausible? The aerial is a much bigger drain on the battery than the clock (er..when sending and receiving things). And the phone company has no need to locate a switched off phone as you can’t make/take calls or text messages with it.

    “Perhaps they would consider it more of a threat if someone were to set up a website where all MPs’ cell phones were tracked for the whole world to see”

    While presumably possible, that doesn’t make it legal. So it would get taken down straight away. And the authors of the site could be accused of …hey, there’s a thought. Can’t Ben come up with a terrorism-related excuse why it should be looked in to properly? That might work.

  23. Pete said,

    March 18, 2006 at 2:32 am

    amoebic vodka

    Can’t Ben come up with a terrorism-related excuse why it should be looked in to properly? That might work.

    Surely that’s not too implausible a scenario, a bomb could be designed to only go off when the mobile being tracked was within the blast radius, it gets its signal from a program that tracks the phone which knows where the bomb is. I wouldn’t know how to start making one, but I can see in principle how it could be done.

  24. Melissa said,

    March 18, 2006 at 4:22 pm

    Pete’s idea would make a great film script. :)

  25. Pete said,

    March 20, 2006 at 9:19 am

    Thanks Melissa. If you think that then I’d better claim copyright quick, before anyone makes a blockbuster out of it <G>
