Ben Goldacre
Wednesday February 1, 2006
The Guardian
For the past week I’ve been tracking my girlfriend through her mobile phone. I can see exactly where she is, at any time of day or night, within 150 yards, as long as her phone is on. It has been very interesting to find out about her day. Now I’m going to tell you how I did it.
First, though, I ought to point out that my girlfriend is a journalist, that I had her permission (“in principle …”) and that this was all in the name of science, bagging a Pulitzer and paying the school fees. You have nothing to worry about, or at least not from me.
But back to business. First I had to get hold of her phone. It wasn’t difficult. We live together and she has no reason not to trust me, so she often leaves it lying around. And, after all, I only needed it for five minutes.
I unplugged her phone and took it upstairs to register it on a website I had been told about. It looks as if the service is mainly for tracking stock and staff movements: the Guardian, rather sensibly, doesn’t want me to tell you any more than that. I ticked the website’s terms and conditions without reading them, put in my debit card details, and bought 25 GSM Credits for £5 plus VAT.
Almost immediately, my girlfriend’s phone vibrated with a new text message. “Ben Goldacre has requested to add you to their Buddy List! To accept, simply reply to this message with ‘LOCATE’”. I sent the requested reply. The phone vibrated again. A second text arrived: “WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you.” I deleted both these text messages.
On the website, I see the familiar number in my list of “GSM devices” and I click “locate”. A map appears of the area in which we live, with a person-shaped blob in the middle, roughly 100 yards from our home. The phone doesn’t go off at all. There is no trace of what I’m doing on her phone. I can’t quite believe my eyes: I knew that the police could do this, and telecommunications companies, but not any old random person with five minutes’ access to someone else’s phone. I can’t find anything in her mobile that could possibly let her know that I’m checking her location. As devious systems go, it’s foolproof. I set up the website to track her at regular intervals, take a snapshot of her whereabouts automatically, every half hour, and plot her path on the map, so that I can view it at my leisure. It felt, I have to say, exceedingly wrong.
By the time my better half got home, I was so childishly over-excited that I managed to keep all of this secret for precisely 30 seconds. And to my disappointment, she wasn’t even slightly freaked out. I don’t know if that says good or bad things about our relationship and I wouldn’t want you to come away thinking it’s all a bit “Mr & Mrs Smith” around here. Having said that, we came up with at least five new uses for this technology between us in a few minutes, all far more sinister than anything I had managed to concoct on my own.
And that, for me, was the clincher. Your mobile phone company could make money from selling information about your location to the companies that offer this service. If you have any reason to suspect that your phone might have been out of your sight, even for five minutes, and there is anyone who might want to track you: call your phone company and ask it to find out if there is a trace on your phone. Anybody could be watching you. It could be me.
coracle said,
February 6, 2006 at 4:42 pm
Looks like this issue is expanding, ZDnet have picked up on it and Liberty are raising concerns.
news.zdnet.com/2100-1035_22-6035317.html
Nyss said,
February 13, 2006 at 2:57 pm
In response to Ian’s Scene 2 years from now, there are ways to purchase prepaid debit cards that can be used to purchase items online, but can’t be traced. So much for some comfort.
Peewee said,
February 13, 2006 at 6:47 pm
This really is no big deal in the grand scheme of things. Nearly _all_ forms of remote service use a physical device or token (computer, phone, smart-card on a credit-card etc..) as a means of authenticating the user — and rarely (although for secure applications this is becoming more common) a private secret piece of information known only by the authentic user (eg a PIN). Here are some everyday examples:
– Lost password on a web site. If you have lost your password for registered access to a web site, the standard protocol is to assume that only the real user of the site has access to the email address with which they registered. Nearly all home users configure their mail browser to save their POP3 password. So I bet you could access all of your girlfriend’s password-restricted sites if you wanted as well.
– Pre-CHIP&PIN card transactions. The main proof of authentic use of the account used to be possession of the credit-card itself. Nobody checked signatures. If you left your credit card lying around then somebody could pretend to be you.
– Car keys. If you leave your car keys lying around somebody could take your car – commit a speeding offence without your knowledge – and then you would be liable for it!!
– Ordering a pizza. The pizza company will verify that you are who you claim to be by using caller-id on the phone. This means that somebody you trust to have physical access to your phone can order a pizza to be delivered to your house without your consent.
etc.. etc..
Whoaaaa! Scary! Call Liberty!
The very simple principle to learn here is that if you don’t trust the people around you who have everyday access to, eg your wallet, your mobile phone, your computer, your keys- then take steps to secure them! Keep your wallet with you at all times. Similarly with your mobile phone stupid! If you don’t trust cohabitees not to abuse your identity online then put your PC in a locked-room or at the very least put a BIOS password on it. And don’t leave the keys or the password lying around like you did with your mobile you idiot!
These are not big mysteries about modern technology that are imposed upon innocent people by big companies. These are the usual ravings of a technologically clueless older generation that has ceased to understand modern ubiqiotious technology and then whinges incesenstently about it.
Peewee said,
February 13, 2006 at 7:18 pm
Postscript to above:
It really does not take a genius to realise that somebody in possession of your phone can pretend to be you in several ways. For example, the SMS protocol makes no steps to authenticate the sender to the receiver beyond the address of the sending phone…. So.. therefore… you could send text messages purporting to be from your girlfriend when they are in fact from Mr Goldacre. You could play havoc with somebody’s life this way by sending texts to work colleagues etc.. if you so desired. Secondly, they can run up bills on your account.
The common sense conclusion is obvious. Regardless of location services, if you don’t trust people with physical access to your phone then secure it. Eg Put a PIN on it. Keep it with you. This applies regardless of what extra non-telephony services are available on your phone network and is just plain common sense.
It’s no different from your car keys. Your car keys give you access to a potentially lethal weapon. Your car is tracked around the country by its number plates. The technology exists to require that your car asks for a PIN to be entered instead of just assuming that the key-holder is a legitimate driver- yet this is not the case. Why is this no big deal? Because people realise that they need to keep keys safe.
A mobile phone and a desktop PC are just other forms of ‘key’- and it really isn’t hard to work this out!
Shehzad A. Yazdani said,
February 22, 2006 at 1:36 pm
Pl send me the detail, for how I can register for stalk on the cell phone
Shehzad A. Yazdani said,
February 22, 2006 at 1:38 pm
I want to register with Ben Goldacre for cell phone stalk
thebaron said,
February 24, 2006 at 2:34 pm
On Peewee:
“These are the usual ravings of a technologically clueless older generation that has ceased to understand modern ubiqiotious technology and then whinges incesenstently about it”
Older generation: I guess that’s me (I hope not “technologically clueless”, but that may be self-delusion).
I’m even old enough to know how to spell “ubiqiotious” correctly. However, what does “incesenstently” signify :
(1) incessantly
(2) insistently
(3) incensedly
I numbered the alternatives so you won’t have to waste your (young?) technopacked brain on such an obsolete task, viz. decent spelling.
JonnyW said,
February 26, 2006 at 1:41 pm
Hey Ben
Apparently due to a BBC investigation the frequency of the text messages sent is going to be increased!!
news.bbc.co.uk/1/hi/programmes/click_online/4747142.stm
Kess said,
February 26, 2006 at 1:53 pm
JonnyW – you beat me to it.
Does it look a bit like plagiarism of Ben’s work by the BBC?
Ben Goldacre said,
February 26, 2006 at 2:50 pm
That’s so funny, it really is a complete copy of my article. I particularly like the bit where they get an “independent technology expert in” to talk about it.
Obviously there are no intellectual property laws about that kind of thing, nor should there be, and telly people generally think their “research” is “taking stories from print”.
But having said that, if I worked making filler telly, and a good story came up in print that I was going to copy, I’d get in the person who did the story I was copying, on the simple pragmatic grounds that they’d obviously have expertise and probably more material on the same subject.
Heh:
Guy did not know that when I borrowed his phone for a few minutes earlier in the day, I took the opportunity to register it on one of the tracking services.
I received the incoming text message warning him about the tracking, responded to it and then deleted it from his inbox.
When I gave him his phone back, Guy had no idea he was now in possession of a consenting tracking device.
Hence, a little while later, I could watch him emerge from the tube at the start of his tour.
Frank said,
February 26, 2006 at 2:54 pm
Yeah, just saw this article and was going to highlight it here. Pretty shameless.
MsT said,
February 26, 2006 at 3:12 pm
You can send your comments to the “Click” production team here:
news.bbc.co.uk/1/hi/programmes/click_online/3593880.stm
If it’s anything like when I used to work for the BBC then they definitely do read them.
Phil Wilson said,
February 26, 2006 at 9:51 pm
Glad to see I wasn’t the only one who spotted the er, resemblance! Comment to the Click team sent!
Mick James said,
February 27, 2006 at 9:34 am
Actually, the Mirror seems to have been first to the draw here, by a couple of years:
tinyurl.com/8z5ku
JonCK said,
January 23, 2008 at 1:33 pm
I have come across two mobile phone tracking sites www.traceamobile.co.uk and www.mobilelocators.com
They seem to have the same registration process and seem to abide by the mobile phone networks’ security code.