UPDATE: Some of our concerns have been answered, and ChildLocate is now one of the best protected of the Location Data Services in the UK.
We shall be closely watching future developments regarding the commercial exploitation of Location Services, especially those aimed at monitoring children or vulnerable adults.
Read our original concerns, which still apply to some of the rival services, and about the developments with ChildLocate since the service was originally launched:
It seems that Tracking Vulnerable People, e.g. children or the elderly, is grabbing the imagination of the marketdroids, but when dealing with Children, there should be extraordinary safeguards in place.
A service called ChildLocate seems to have been launched by a company called MobileLocate Ltd. (6 Pound Street, Newbury, Berkshire, RG14 6AA), which aims, for a hefty subscription, to get their partnering Mobile Phone Operators to hand over GSM mobile phone Cell Location Data of registered phones.
The worrying feature of the service is the ability to use a website to find the location of the Child, and to send "authenticated" SMS messages.
The consequences of a breach in security of such a website could be literally life threatening. One would expect the security features of such a website to exceed those used on, say, internet banking, but this is not the case.
The ChildLocate website employs Flash pop-up forms for purchasing the service, sending Credit Card and other personal details, and for logging on to the system to Locate a Child and to send "trusted" SMS messages (a perfect tool for evildoers if this system is insecure).
How can the public be assured that the web interface and forms are not vulnerable to, for example, SQL injection attacks?
The web server which handles these Flash forms is actually run by a different company, TrackWell, based in Iceland (i.e. outside of the European Union for Data Protection purposes). It does not make use of the standard SSL/TLS encryption such as is normally used for credit card purchases or banking over the Internet, and sends everything in cleartext, at risk of being "sniffed" over the internet.
Even the alternate method of authentication, i.e. SMS messages, is by no means secure, as the "From" header on the SMS can be easily forged.
Despite publishing a Privacy Policy, and claiming to have consulted the Information Commissioner back in April 2003, there do not seem to be any entries on the Data Protection Register for either MobileLocate, ChildLocate, or for any other similarly named company within their Post Code.
Data Protection Register search form
Nowadays it is the law that anybody with a job which has potential access to Children, e.g. a teacher or school caretaker, has to have a background check via the notorious Criminal Records Bureau.
Have all of the MobileLocate employees been through these checks?
Obviously, none of the TrackWell employees or consultants in Iceland would ever appear on the UK Criminal Records Bureau, despite the certainty of them having full access to the registration and tracking and SMS messaging computers.
You could actually be putting your children at additional risk by subscribing to such a system in its present form.
The Mobile Phone Network partners of MobileLocate, i.e. Vodafone, O2, T-Mobile and Orange, deserve criticism as well. Instead of just greedily counting the revenue from selling Mobile Phone Cell Location Data, they have a moral duty to make sure that the systems that they are setting up in partnership with third party companies adhere to the normal Data Protection Principles.
In the case of a service so potentially disastrous if it is compromised, as this one involving Children, each of these Mobile Phone companies should have conducted their own independent security review of the system before the service was launched.
We are in the process of asking the Oftel (soon to be Ofcom) industry regulator what their policy is regarding such risky Mobile Phone Location Data tracking services.
A few points I would like to raise in response to the web article on http://www.spy.org.uk/cgi-bin/childlocate.pl
1 - We have implemented the strongest available encryption technology to secure all data transitions and communications via our network. This means that all communications with our customers are encrypted. For more info on our security set-up go to http://www.childlocate.co.uk/system.htm.
2 - All our customer records are stored in accordance with the UK Data Protection Act 1998 Notification Registration Number: PZ8277048. The Data Protection Act covers all countries within the EU and the EEA.
3 - I very much disagree with the comment in the article that the use of our service can be "life threatening". The notification features in place make sure that the person being tracked is made aware about the service and he or she is in full control over his or her privacy. Here is a list of privacy control commands available on a mobile phone: http://www.childlocate.co.uk/smscommands.htm
4 - The ChildLocate service is regulated by a Privacy Management Code of Practice that has been approved by the 4 major UK mobile operators and is the basis for the regulation of location based services using GSM in the UK. This document takes various stakeholders' interests into account and took over 1 year to create so it isn't like the operators have just jumped at the bandwagon in order to cash in on location based services. As a result of their concerns, the mobile operators have for example not agreed on allowing "buddy tracking" services on their networks, however lucrative that market might seem.
5 - The operation of the ChildLocate service does not require us to check staff's background via the Criminal Records Bureau. However, access to personal data is restricted on three levels, depending on the role of the person involved, to only a handful of trusted staff and all access to customers for technical support purposes is only accessed by staff directly employed by MobileLocate Ltd.
Best regards
Jon Magnusson
Managing Director
MobileLocate Ltd.
We have commented on Jon Magnusson's points here:
http://www.spy.org.uk/spyblog/archives/000094.html
and
http://www.spy.org.uk/cgi-bin/childlocate.pl