Feeds

Mobile phone tracking, girlfriend stalking and the law

All in a day's work

Security for virtualized datacentres

A service has launched in the UK which allows you to track any mobile phone around the globe and follow its movements from your own computer. The Guardian ran a feature on it yesterday called 'How I stalked my girlfriend'. It painted a scary picture.

The service is run by World-Tracker, a company based on the Isle of Man. When a mobile number is entered onto the World-Tracker website, a text message is sent to that phone, to ask if the person carrying the phone wishes to be tracked.

If consent is given by reply, World-Tracker will show the location of the mobile phone on a map or as a map reading, using a Google Maps-based interface. The accuracy is between 50 and 500 metres. When the phone moves, the movement can be monitored online whenever the phone is turned on.

The system can be accessed through either a PC or mobile phone with internet access. It works with mobiles on the Vodafone, O2, T-Mobile and Orange networks.

World-Tracker is targeting parents who want to keep an eye on their children’s movements; businesses wanting to track their workers; lone workers, who feel more secure if someone else knows where they are; and anyone else who has ever lost a mobile phone – giving reassurance that their phone can be located more easily.

But in yesterday's Guardian, freelance writer Dr Ben Goldacre revealed a sinister side to the service. (He didn't name the site in his article; but Dr Goldacre had discussed it previously in a Radio 4 interview in which World-Tracker was also involved).

He signed up – for £5 plus VAT – and he provided his girlfriend's phone number. He lives with her and said he needed her phone for just five minutes to initiate the tracking.

According to his article, the first message read: "Ben Goldacre has requested to add you to their Buddy List! To accept, simply reply to this message with 'LOCATE'" He replied from her phone as instructed and another text arrived: "WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you."

He deleted these messages and tracking began.

Dr Goldacre has said that he had his girlfriend's consent for his experiment, conducted in the interests of journalism; but his article portrays a system open to abuse – and according to World-Tracker, Dr Goldacre omitted some vital details about its service.

OUT-LAW spoke to World-Tracker today. It described a quite different service. A spokesman – who did not wish to be named – said the company follows an industry Code of Practice for the use of location data. He pointed out that a breach of the Ofcom-endorsed Code would result in the mobile networks withdrawing their services from World-Tracker.

An important step required by the Code was not mentioned in the Guardian article: it demands that periodic text messages are sent to the phone. According to World-Tracker's spokesman, the company complies with this requirement in the Code.

The Code of Practice states

"Subsequent to activation, the [location service provider] must send periodic SMS alerts to all locatees to remind them that their mobile phone can be located by other parties. These alerts should be sent at random intervals, not in a set pattern. The suggested text and minimum standard frequency for sending the alerts is set out in Annex D."

In fact, Annex D is marked confidential: it is only made known to location service providers like World-Tracker, perhaps to minimise the risk of message interception.

Fiona Caskey, an Associate with Pinsent Masons, the law firm behind OUT-LAW.COM, regularly advises companies on data protection issues, including surveillance of employees.

She said that if the company is following the code, it is probably doing all that is necessary to comply with the country's privacy laws. But unscrupulous boyfriends are taking a risk if they seek to exploit the service.

"If Ben hadn't obtained his girlfriend's consent, he'd be breaking the Regulation of Investigatory Powers Act, better known as RIPA," said Caskey. It is an offence under RIPA to intercept and delete someone else's text message, she explained. "Such behaviour runs a risk of up to two years' imprisonment and a fine."

Perhaps surprisingly, the boyfriend is unlikely to breach the Data Protection Act by his acts. "He could argue that he was doing this for 'domestic purposes' – and he's off the hook," said Caskey.

Ben Goldacre replies...

* Update, 03/02/2006 18:15: Dr Goldacre contacted OUT-LAW with the following comments: "You quote an accusation by World Tracker that I 'omitted some vital details about its service'. You go on to say that 'An important step required by the Code was not mentioned in the Guardian article: it demands that periodic text messages are sent to the phone.'"

Dr Goldacre says he told a World-Tracker representative on last Friday's Radio 4 interview that he had tracked phones through World-Tracker's service for several days, and then deleted them from the World Tracker website – "and they have never received these follow-up warning messages. It is as simple as that. The Radio 4 reporter's phone that we also tracked specifically never received any follow up text messages."

When confronted for a response on this matter, Dr Goldacre says the World-Tracker representative replied that he would "look at our system" and "make sure that a text goes out in a sooner period."

Dr Goldacre continues: "I explained my concern that once somebody was deleted off the system they would never get a follow-up text, and never know that they were being tracked, and he agreed: 'As things stand at the moment no, but this is something that we should seriously look at.'"

He concludes: "The security provisions that World Tracker currently have in place present no barrier whatsoever to somebody tracking a phone undetected, exactly as I described in my piece, and there was no wilful omission of information from my article."

OUT-LAW did not listen to the Radio 4 interview and we did not speak with Dr Goldacre before reporting the comments made by World-Tracker. We apologise for any offence caused to Dr Goldacre as a result of these omissions.

We have notified World-Tracker that this story has been amended and suggested that they communicate directly on this matter.

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Protecting against web application threats using SSL

More from The Register

next story
Brit telcos warn Scots that voting Yes could lead to HEFTY bills
BT and Co: Independence vote likely to mean 'increased costs'
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Turnbull: NBN won't turn your town into Silicon Valley
'People have been brainwashed to believe that their world will be changed forever if they get FTTP'
Blockbuster book lays out the first 20 years of the Smartphone Wars
Symbian's David Wood bares all. Not for the faint hearted
Bonking with Apple has POUNDED mobe operators' wallets
... into submission. Weve squeals, ditches payment plans
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.