Judy Mallaber MP spoke rather well on the dismally insecure regulation of the new mobile phone tracking industry in parliament last night (and mentioned me, hurrah!):
“Getting back to child protection, in theory the child must consent to his phone being tracked in the first place, but is there not something a bit odd about the idea of a four year-old, part of Teddyfone’s target market, being able to give and maintain consent? An oppressive parent could insist on the child giving consent, or a devious paedophile skilled at grooming could easily find a way around the necessity, for example, by registering the second phone to himself before handing it to the child or hiding it in his backpack. To extend that to adults, The Guardian journalist Ben Goldacre showed recently that someone needs possession of another person’s mobile phone for only a couple of minutes to appear to give the consent required under mobile phone companies’ current procedures. The person he was tracking never got any of the warning messages that were meant to have been sent to her. Even more scarily, a hacker’s website has recently published information telling how to spoof consent without even having to have temporary possession of the target’s phone; all that is needed is the number. If someone has a person’s number, he can track them. It is not a problem. I know where the website is, but I am not going to tell Members. It is possible to track people just through their phone numbers.”
What I find most interesting about this whole thing is how dismissive the people involved in regulating this industry are of the problems. They seem quite happy to rely on people like me and various hackers to spot huge holes in their untested insecure systems before they close them up: for a while it was even possible to track a mobile phone just by having the number; you didn’t even need to have access to the phone to send a “consenting” text message.
As an example of their approach, the first company I used to stalk my girlfriend failed to send out the “warning you are being stalked” text messages to the stalkee. When I wrote about this, their reaction was to tell The Register that I was being deceptive, that I had received the warning messages, but that I didn’t mention them because that made for a better story. This was not true: they failed to arrive, as I described, and indeed the “Mobile Broadband Group” (who are supposed to regulate this area) audited them and found that they had failed to send the warning messages as they should have (and The Register kindly printed a correction).
Obviously I’m worried about an industry whose first reaction, when caught out, is to deny the problem and accuse journalists of nefariousness.
Now, that one company sends out warning messages with ludicrous frequency (I got two in the space of two minutes) but others still fail to do so. I’ve been using one for a week now, with no warning messages appearing whatsoever, despite claims by the Mobile Broadband Group that they are on top of this.
There are two major problems with their whole setup. Firstly, accepting a text message as consent for being tracked is clearly insufficient, as a text message being sent from a phone is no way to check your identity. Anyone who has ever bought a mobile phone on contract knows that when they are worried about getting their money out of you, phone companies will go to huge lengths to be absolutely certain they’ve got your identity correct: but when it’s about protecting your privacy, hey, a text message will do.
But secondly, for myself, I can’t see why it should be left to the individual tracking companies to set up their own warning texts, when they are demonstrably incapable of doing so; and I also can’t see why, when presented with a problem like this, the Mobile Broadband Group can’t even be bothered to just go round and do their own quick audit of whether the companies they regulate really are sending out the “warning you are being tracked” messages or not.
If I can do it, in half an hour’s work, you’d think they could do it too?