Feeds

Mobile phone tracking, girlfriend stalking and the law

All in a day's work

Choosing a cloud hosting partner with confidence

A service has launched in the UK which allows you to track any mobile phone around the globe and follow its movements from your own computer. The Guardian ran a feature on it yesterday called 'How I stalked my girlfriend'. It painted a scary picture.

The service is run by World-Tracker, a company based on the Isle of Man. When a mobile number is entered onto the World-Tracker website, a text message is sent to that phone, to ask if the person carrying the phone wishes to be tracked.

If consent is given by reply, World-Tracker will show the location of the mobile phone on a map or as a map reading, using a Google Maps-based interface. The accuracy is between 50 and 500 metres. When the phone moves, the movement can be monitored online whenever the phone is turned on.

The system can be accessed through either a PC or mobile phone with internet access. It works with mobiles on the Vodafone, O2, T-Mobile and Orange networks.

World-Tracker is targeting parents who want to keep an eye on their children’s movements; businesses wanting to track their workers; lone workers, who feel more secure if someone else knows where they are; and anyone else who has ever lost a mobile phone – giving reassurance that their phone can be located more easily.

But in yesterday's Guardian, freelance writer Dr Ben Goldacre revealed a sinister side to the service. (He didn't name the site in his article; but Dr Goldacre had discussed it previously in a Radio 4 interview in which World-Tracker was also involved).

He signed up – for £5 plus VAT – and he provided his girlfriend's phone number. He lives with her and said he needed her phone for just five minutes to initiate the tracking.

According to his article, the first message read: "Ben Goldacre has requested to add you to their Buddy List! To accept, simply reply to this message with 'LOCATE'" He replied from her phone as instructed and another text arrived: "WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you."

He deleted these messages and tracking began.

Dr Goldacre has said that he had his girlfriend's consent for his experiment, conducted in the interests of journalism; but his article portrays a system open to abuse – and according to World-Tracker, Dr Goldacre omitted some vital details about its service.

OUT-LAW spoke to World-Tracker today. It described a quite different service. A spokesman – who did not wish to be named – said the company follows an industry Code of Practice for the use of location data. He pointed out that a breach of the Ofcom-endorsed Code would result in the mobile networks withdrawing their services from World-Tracker.

An important step required by the Code was not mentioned in the Guardian article: it demands that periodic text messages are sent to the phone. According to World-Tracker's spokesman, the company complies with this requirement in the Code.

The Code of Practice states

"Subsequent to activation, the [location service provider] must send periodic SMS alerts to all locatees to remind them that their mobile phone can be located by other parties. These alerts should be sent at random intervals, not in a set pattern. The suggested text and minimum standard frequency for sending the alerts is set out in Annex D."

In fact, Annex D is marked confidential: it is only made known to location service providers like World-Tracker, perhaps to minimise the risk of message interception.

Fiona Caskey, an Associate with Pinsent Masons, the law firm behind OUT-LAW.COM, regularly advises companies on data protection issues, including surveillance of employees.

She said that if the company is following the code, it is probably doing all that is necessary to comply with the country's privacy laws. But unscrupulous boyfriends are taking a risk if they seek to exploit the service.

"If Ben hadn't obtained his girlfriend's consent, he'd be breaking the Regulation of Investigatory Powers Act, better known as RIPA," said Caskey. It is an offence under RIPA to intercept and delete someone else's text message, she explained. "Such behaviour runs a risk of up to two years' imprisonment and a fine."

Perhaps surprisingly, the boyfriend is unlikely to breach the Data Protection Act by his acts. "He could argue that he was doing this for 'domestic purposes' – and he's off the hook," said Caskey.

Ben Goldacre replies...

* Update, 03/02/2006 18:15: Dr Goldacre contacted OUT-LAW with the following comments: "You quote an accusation by World Tracker that I 'omitted some vital details about its service'. You go on to say that 'An important step required by the Code was not mentioned in the Guardian article: it demands that periodic text messages are sent to the phone.'"

Dr Goldacre says he told a World-Tracker representative on last Friday's Radio 4 interview that he had tracked phones through World-Tracker's service for several days, and then deleted them from the World Tracker website – "and they have never received these follow-up warning messages. It is as simple as that. The Radio 4 reporter's phone that we also tracked specifically never received any follow up text messages."

When confronted for a response on this matter, Dr Goldacre says the World-Tracker representative replied that he would "look at our system" and "make sure that a text goes out in a sooner period."

Dr Goldacre continues: "I explained my concern that once somebody was deleted off the system they would never get a follow-up text, and never know that they were being tracked, and he agreed: 'As things stand at the moment no, but this is something that we should seriously look at.'"

He concludes: "The security provisions that World Tracker currently have in place present no barrier whatsoever to somebody tracking a phone undetected, exactly as I described in my piece, and there was no wilful omission of information from my article."

OUT-LAW did not listen to the Radio 4 interview and we did not speak with Dr Goldacre before reporting the comments made by World-Tracker. We apologise for any offence caused to Dr Goldacre as a result of these omissions.

We have notified World-Tracker that this story has been amended and suggested that they communicate directly on this matter.

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Providing a secure and efficient Helpdesk

More from The Register

next story
Sea-Me-We 5 construction starts
New sub cable to go live 2016
Vodafone to buy 140 Phones 4u stores from stricken retailer
887 jobs 'preserved' in the process, says administrator PwC
BT claims almost-gigabit connections over COPPER WIRE
Just need to bring the fibre box within 19m ...
EE coughs to BROKEN data usage metrics BLUNDER that short-changes customers
Carrier apologises for 'inflated' measurements cockup
Comcast: Help, help, FCC. Netflix and pals are EXTORTIONISTS
The others guys are being mean so therefore ... monopoly all good, yeah?
Surprise: if you work from home you need the Internet
Buffer-rage sends Aussies out to experience road rage
EE buys 58 Phones 4u stores for £2.5m after picking over carcass
Operator says it will safeguard 359 jobs, plans lick of paint
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.