UPDATE: Some of our concerns have been answered, and ChildLocate is now one of the best protected of the Location Data Services in the UK.
We shall be closely watching future developments regarding the commercial exploitation of Location Services, especially those aimed at monitoring children or vulnerable adults.
Read our original concerns, which still apply to some of the rival services, and about the developments with ChildLocate since the service was originally launched:
It seems that Tracking Vulnerable People, e.g. children or the elderly, is grabbing the imagination of the marketdroids, but when dealing with Children, there should be extraordinary safeguards in place.
A service called ChildLocate seems to have been launched by a company called
6 Pound Street
which aims, for a hefty subscription, to get their partnering Mobile Phone Operators to hand over GSM mobile phone Cell Location Data of registered phones.
The worrying feature of the service is the ability to use a website to find the location of the Child, and to send "authenticated" SMS messages.
The consequences of a breach in security of such a website could be literally life threatening. One would expect the security features of such a website to exceed those used on, say, internet banking, but this is not the case.
The ChildLocate website employs Flash pop-up forms for purchasing the service, sending Credit Card and other personal details, and for logging on to the system to Locate a Child and to send "trusted" SMS messages (a perfect tool for evildoers if this system is insecure).
How can the public be assured that the web interface and forms are not vulnerable to, for example, SQL injection attacks?
The web server which handles these Flash forms is actually run by a different company, called TrackWell, based in Iceland (i.e. outside of the European Union for Data Protection purposes). It does not make use of the standard SSL/TLS encryption such as is normally used for credit card purchases or banking over the Internet, and sends everything in cleartext, at risk of being "sniffed" over the internet.
Even the alternate method of authentication, i.e. SMS messages, is by no means secure, as the "From" header on the SMS can be easily forged.
Nowadays it is the law that anybody with a job which has potential access to Children, e.g. a teacher or school caretaker, has to have a background check via the notorious Criminal Records Bureau.
Have all of the MobileLocate employees been through these checks?
Obviously, none of the TrackWell employees or consultants in Iceland would ever appear on the UK Criminal Records Bureau, despite the certainty of them having full access to the registration and tracking and SMS messaging computers.
You could actually be putting your children at additional risk by subscribing to such a system in its present form.
The Mobile Phone Network partners of MobileLocate, i.e. Vodafone, O2, T-Mobile and Orange, deserve criticism as well. Instead of just greedily counting the revenue from selling Mobile Phone Cell Location Data, they have a moral duty to make sure that the systems that they are setting up in partnership with third party companies adhere to the normal Data Protection Principles.
In the case of a service so potentially disastrous if it is compromised, as this one involving Children, each of these Mobile Phone companies should have conducted their own independent security review of the system before the service was launched.