Just in case you thought that Phorm was the only threat to your privacy, here is an example of similar "no opt out" snooping technology being installed in the infrastructure of a public space, a shopping centre, which secretly snoops on individuals, without their informed prior consent, in the hope that advertising and sales revenues can be maximised.
There is no way, short of switching off your mobile phone, of opting out or avoiding this snooping scheme.
The Times has a story:
From Times Online May 16, 2008Shops secretly track customers via mobile phone
Signals given off by phones allow shopping centres to monitor how long people stay and which stores they visit
Jonathan Richards, San Francisco
Customers in shopping centres are having their every move tracked by a new type of surveillance that listens in on the whisperings of their mobile phones.
The technology can tell when people enter a shopping centre, what stores they visit, how long they remain there, and what route they take as they walked around.
All the same issues about the lack of informed, prior consent of members of the public who have been, or are now being snooped on in secret, for the commercial benefit of others, apply to Path Intelligence Ltd. (technology provider), the shopping centres (public infrastructure providers), and retailers (profit makers), just as they do to Phorm (technology provider), the Internet Service Providers (public infrastructure providers) and web advertisers (profit makers).
If you look at the demonstration (needs Flash) of the interactive mapping and reporting software which Path Intelligence seem to have developed for this snooping technology, you will see that it could also be easily applied to display and analyse inputs from other "spy on the public without their knowledge or consent" technologies which exploit things which large numbers of people might be carrying on their persons, like BlueTooth or unkilled consumer product RFID tags, or "Biometric" Passports or ID Cards.
It should be relatively simple to link such a system to the existing CCTV surveillance camera networks which modern shopping centres all employ.
Sharon Biggar, the company's chief operating officer, said that one of the stores which had already deployed the receivers did not want its name revealed for fear of alarming its customers.
Who is this snooping retailer ? Why should we not boycott them ?
The company that makes the dishes, which measure 30cm (12 inches) square and are placed on walls around the centre, said that they were useful to centres that wanted to learn more about the way their customers used the store.
A shopping mall could, for example, find out that 10,000 people were still in the store at 6pm, helping to make a case for longer opening hours, or that a majority of customers who visited Gap also went to Next, which could useful for marketing purposes.
10,000 people in a store sounds positively dangerous. Perhaps they mean within the shopping centre.
Why would large crowds of shoppers still milling around at closing time not be utterly obvious to human staff, without the need for this snooping technology ?
It has already been installed in two shopping centres, including Gunwharf Quays in Portsmouth, and three more centres will begin using it next month, Times Online has learnt.
The other shopping centre may well be newly refurbished The Cascades, also in Portsmouth - there appears to
In the case of Gunwharf Quays, managers were surprised to discover that an unusually high percentage of visitors were German - the receivers can tell in which country each phone is registered - which led to the management translating the instructions in the car park.
Why could none of the shopping centre staff or retail shop staff determine that there were lots of German speaking visitors ?
The Information Commissioner's Office (ICO) expressed cautious approval of the technology, which does not identify the owner of the phone but rather the handset's IMEI code - a unique number given to every device so that the network can recognise it.
But an ICO spokesman said, "we would be very worried if this technology was used in connection with other systems that contain personal information, if the intention was to provide more detailed profiles about identifiable individuals and their shopping habits."
Errr... it is a shopping centre stuffed full of CCTV cameras and private security guards - who seriously believes that this FootPath(tm) snooping will never be used in conjunction with CCTV ?
Only the phone network can match a handset's IMEI number to the personal details of a customer.
Path Intelligence, the Portsmouth-based company which developed the technology, said its equipment was just a tool for market research. "There's absolutely no way we can link the information we gather back to the individual," a spokeswoman said. "There's nothing personal in the data."
Nonsense ! Path Intelligence lists a long list of possibly commercially useful benefits of their system to shopping centre operators and retailers, most of which can and should only be accomplished through the use of anonymous aggregated statistics.
However, if you read the last section of the list of claimed benefits for the FootPath(tm) product, they admit that it is capable of identifying individuals
Security:
* Identify unauthorized individuals in 'no go' areas of the centre
* Identify suspicious 'left' luggage
How is it possible to do this with truly anonymous data ? Either there is a "whitelist" of individual authorised staff phones or a "blacklist" of alleged individual "troublemaker" phones, or there is one watchlist database with different status flags.
This visualisation graphic screenshot clearly shows that shoppers can be tracked individually. The apparent "walking through walls" effect is an artifact of the path that the software uses to join the periodic data points, which are probably about 5 to 10 minutes apart, i.e. when your mobile phone makes a handshake with the network, to check signal strength with the neighbouring mobile phone cell tower base stations.
See the original screenshot here.
The description of the features of the PI Explorer software which analyses the data from the snooping antennas includes:
Security alerts that send an SMS message should a security situation be identified
Just as with Phorm, it is up to Path Intelligence to prove and reassure the general public that it is impossible for their system to be abused. We will not simply take it on trust, from people with commercial or other motives for extending the surveillance capabilities of a system, which does not have any way for people to opt out of being snooped on.
Can you spot the IMEI snooping antennas ?
The Times article says that the first secret trials of this technology on the unsuspecting public are being conducted by this Portsmouth based company seem to be at the local Gunwharf Quay shopping centre, although we suspect that it may have also been tested, or is still in use, at the Cascades shopping centre, also in Portsmouth (there seems to be a Cascades demo on the Path Intelligence website, as well as a West Quay one)
We would welcome any photos and location reports from any Spy Blog readers who can spot the locations of the mobile phone signal snooping antennas - "30cm (12 inches) square ".
(original image from The Times article)
See the Gunwharf Quay shopping centre maps.
What is the density of the snooping antennas required in order to achieve a location accuracy of 1 to 2 metres indoors ?
The receivers together cost about £20,000 to rent per month. About 20 of the units, which are unobtrusive, cream-coloured boxes about the size of a satellite dish, would be needed to cover the Bluewater shopping centre.
Bluewater (near Dagenham in London), is a much larger shopping centre than Gunwharf Quays
Are there any Warning Signs or notices on display at these shopping centres, which warn their customers or potential customers and other members of the public that their mobile phones are being tracked ?
Can these systems also track IMEI signals from the neighbouring area outside of the shopping centre or its car parks ?
N.B. Similar location snooping results could be achieved by the Mobile Phone Networks, and their Location Based Data services, especially at, say, Airports, where there are lots of mobile phone micro-cells or pico-cells installed, to try to grab profitable business account customers and tourists with expensive call roaming charges on their network rather than on their rivals networks, when the visitors first switch on their mobile phones after landing.
Secure Web interface ?
Those Spy Blog readers who remember our criticisms of various Mobile Phone Location Based Services systems launched in recent years, will know that we are rightly sceptical when we see that such potentially sensitive data e.g. the location of your children, is not being processed and securely stored locally, but is happily being uploaded and then made available via the inherently insecure internet.
Path Intelligence Explorer is our secure, internet delivery solution. Your data can be accessed 24/7, allowing you the convenience to interrogate your information from anywhere in the world
What proof is there that such a web based system is not vulnerable to unathorised access from anywhere in the world ?
There is no indication that this data is strongly encrypted, either when it is being uploaded from the snooping antennas, nor when a customer downloads web based graphical or Excel spreadsheet reports.
Why not use it in Prisons instead ?
There is a place for this mobile phone location snooping technology, to operate without the informed consent of the people whose mobile phone locations are being tracked by the FootPath(tm) system , but that is not in any public shopping areas. It could and should be deployed in every prison, given the vast numbers of illegal mobile phones which are smuggled into British prisons every year.
See Thousands of Mobile Phones seized in UK Prisons - evidence of corruption ?
There have been attempts to use similar RFID badge based location tagging in a couple of US Prisons, so as to keep prison gang members under surveillance.
Please do not deploy such prison panopticon technology against the innocent public.
Illegal to spoof IMEI
The first reaction of some of our more technically proficient readers might be to start thinking of ways to devise IMEI (International Mobile Equipment Identifier) spoofing devices, to frustrate any such snooping system.
However, apart from probably disrupting the local mobile phone system for other users, including possible life saving calls to the Emergency Services, this would be illegal in the United Kingdom and punishable by up to 5 years in prison, a serious enough offence to invoke extradition proceedings from abroad, if necessary.
See Mobile Telephones (Re-programming) Act 2002
This badly worded Act criminalises the mere possession of equipment or software (i.e. a computer and a serial cable or BlueTooth connection) which may be used, or the actual act of changing an IMEI without the written permission of the (usually foreign) handset manufacturer (incredibly, not, the UK based mobile phone network operator),.-
This Act has been recently amended to also criminalise simply advertising or offering such an IMEI re-programming service or product.
Note that the stupid wording of this Act also criminalises any spoofing or changing of IP addresses or MAC addresses of BlueTooth or WiFi or internet data connected WAP phones, SmartPhones etc. which connect to the internet via GSM or 3G data services i.e. most modern mobile phones, PDAs and portable computers which can act as mobile telephones.
They are using the GNU Radio Universal Software Radio Peripheral (USRP). You can find more technical details in the following resources:
* Patent application WO2006010774 (also in EP1779133)
* The Open Source CEO: Toby Oliver, Path Intelligence (Part 12) (Toby Oliver is CEO and Co-founder, Path Intelligence)
* Comment from Toby Oliver in the Tech Crunch article.
Regarding your comment about using this kind of technology in prisons, have you seen: Intelligence gathering by capturing the social processes within prisons by Vassilis Kostakos and Panos A. Kostakos? This is based on looking at discoverable Bluetooth devices in four locations in Bath.
br -d
Which is why I have never had and never will have a mobile phone.
Remember also that virtually every out of town shopping centre has got Automatic Number Plate Recognition which interfaces with the PNC , databases on stolen credit cards, outstanding fines,DVLC etc.,
@ Edward - all payphones are also instantly traceable (from the 1980's when a few of them were used to phone in coded IRA etc. bomb warnings or hoaxes).
If you use a prepaid calling card (or a credit card. obviously) then that also leaves a trace, linking otherwise disparate calls, e.g. to your mother's home address and to your anonymous Whitehall whistleblower source etc. since each card has a unique serial number and an expiry date.
However, simple pre-paid Mobile Phones are now available from some supermarkets for only £5 or £10 each i.e. less than the average top up voucher, so there are still a few ways to confuse the snoopers.
@ David - thanks for the background research on Path Intelligence.
I did see reports of the Bath Bluetooth study, but had not realised that they are now pitching this research at the "security" funding cornucopia.
Will it be advertisers and market researchers, or the police and security agencies, or terrorists and criminals, or just hackers, artists and pranksters, who snarf, monitor record and analyse the Bluetooth emissions of, say, the visitors to the London 2012 Olympic Games ?
I see a business opportunity. Could a manufacturer assign to each of their devices a number of IMEIs, say 100, randomly from their pool of assignable IMEIs? Then, give the phone’s firmware the ability to switch between these IMEIs and put a leaflet in the box giving the user permission to change freely between these multiple, pre-assigned IMEIs.
There doesn’t appear to be a problem with the Mobile Telephones (Re-programming) Act 2002; the manufacturer has set up the multiple IMEIs and given the user permission to change between them, and the user would use that facility as a means of preserving privacy rather than acting unlawfully. The question is: Would such a device be compliant with the various mobile communication standards?
@wtwu,
I find the threat of Bluetooth snarfing overrated. This is one technology that is very much under the control of the user. Using it in paired non discoverable mode, one can even have the benefit of this technology without much of the snooping risks (at least the ones that have been publicised so far). Some more education may be needed and the default settings should be different but still the end user has control.
Unfortunately for most other technology (Ethernet, WiFi, GSM, etc.) if you want to get the benefits, you are forced to leak lots of data for the taking - and the choice is not in the hand of the end-user.
br -d
I'm not a lawyer but I believe that the Wireless Telegraph Act makes it illegal to receive radio signals that are not intended for general reception or covered by a license exemption.
Unless the Mobile phone network operator has granted permission I think this is illegal.
Addition: Or unless they have a license from OFCO to receive mobile phone signals, or there is some license exemption in place. I think either is unlikely.
The Wireless Telegraphy Act 2006 says
It is unlawful to establish or use a wireless telegraphy station, or to instal or use wireless telegraphy apparatus,
except under and in accordance with a licence
"wireless telegraphy” means the emitting or receiving [...] of energy [...] of a frequency not exceeding 3,000 gigahertz that [...] is used in connection with determining position, bearing or distance, or for gaining information as to the presence, absence, position or motion of an object or of a class of objects.
Incidentally, I wonder if this updated wireless telegraphy act outlaws the use of radar detectors which a judge found to be legal under previous acts.
How are they able to get the IMEI of the handset? Are they using their own cells?
@ Bob - Questions about the legality of the IMEI snooping scheme, under the Wireless Telegraphy Act 2006 and any Ofcom mobile phone licence regulations under the Communications Act 2003, are ones which need to be put to Path Intelligence and Ofcom and the Home Office etc. - will any investigative journalists do this, or does it have to be left to bloggers ?
In an ideal world, Ofcom would have investigated this already.
At a guess, Ofcom will, as usual, ignore any complaints from consumers, but might lurch into action if one of the Mobile Phone Networks complains that this IMEI snooping technology is infringing on their lucrative Location Based Services revenues or sales of micro or pico cells to shopping centres / airports / prisons etc.
The parallels with the Phorm affair are getting stronger - simply asking the Information Commissioner's Office for a comment is not sufficient - whilst there are obvious Prior Informed Consent issues under Data Protection Act, that is not the whole picture.
@ Dave - they do not need full base station functionality to snoop on the IMEI. This is allocated to a particular mobile handset and is transmitted to the network before any SIM card related stuff can be sent e.g. the IMSI (International Mobile Subscriber Identity), and the subsequent cryptographic handshakes etc used to protect a call over the air.
There needs to be a strong enough signal established, and a free sub-frequency / time slot allocated to the particular handset at a base station, before any of the higher level protocol handshakes can proceed.
You can take the SIM card out of most mobile phone handsets and still use them to make Emergency 999 / 112 calls.
You can also put some models of handset into engineering de-bugging mode, and watch the signal strengths of the neighbouring Base Station Cell IDs and the "colours" of the frequency /time slots, also without a SIM card.
Therefore Path Intelligence do not need to establish full micro or pico base stations linked to the network, simply to snoop on the this periodic (every 5 to 10 minutes, even when calls or SMS or data traffic are not being transmitted or received).
@ PA - that would be a legal way around such IMEI snooping, and it would also find a ready market with operators of GSM Gateways, which are legal in the UK, but disliked by the Mobile Network Operators for their effect on their revenue and on cell bandwidth hogging.
Of course using multi-user GSM Gateways, especially with overseas mobile or landline calls, also complicates Government snooping and monitoring of phone calls and SMS messages.
the most watch country in the world UK
Here's an Ofcom document:
http://www.ofcom.org.uk/static/archive/ra/publication/ra_info/ra169.htm. It's pretty clear to me that the FootPath system is illegal. The only loophole could be if they have been authorised by a GSM operator.
I think anyone in the UK who visits Gunwharf Keys or whereever should write to Ofcom.
@wtwu The concept of using a payphone in this neck of the woods is 100% theoretical, even if you could stand the smell.
Also unlikely that OBL uses them either. Apparently Easyjet flghts Liverpool - Amsterdam day returns , is the preferred route for trackie suited and booted couriers simply carrying verbal messages for Merseyside drug gangs.... which is ultimately the State's most secure system with Queen's messengers.
There are blogistes who might attract serious attention who regularly use images which it is said, have stenographic messages encoded which will yield to the snoopistes, messages such as "FO and don't be so Fing nosey" ... but this may only be a mischeivous tale.
I would like more information about the pros and cons of pre-paid as opposed to a billed subscriber. How could this help anonymity if it is the IMSI (International Mobile Subscriber Identity), and the subsequent cryptographic handshakes etc used to protect a call over the air.
@ wassim - with Path Intelligence style external surveillance, it makes no difference if you are using a pre-paid mobile or a one with a n airtime billing contract, especially if the system is integrated with CCTV surveillance cameras.
Obviously the pre-paid mobile phones are usually more anonymous, as there can be fewer traceable financial records tying your name and address to the phone.
It is easy to compromise your anonymity, even with pre-paid mobile phones, as you can register them with the network operator in exchange for a few free SMS messages or some calling credit, or you could buy calling credits with a credit card (which again usually links to your own name and address, unless you are involved in fraud). If you buy a mobile phone top credit voucher or swipe card transaction at a supermarket, this may be linked to your Nectar Card or Tesco Clubcard or other loyalty discount card, which again may be registered to your address or that of a close relative.
The TMSI is supposed to change fairly frequently at random, but Path Intelligence seem to be able to snop on the IMSI, to extract the country cf origin of foreign mobile handsets, so there is nothing that technically prevents them from storing the rest of the IMSI, for future analysis, only their word.
You have to trust them, even though they have not actually sought your informed consent to snoop on your mobile phone signals, for profit.
What utter rubbish.
IMEI is free to air, your phone broadcasts it between 30seconds and 15 minute intervals. Less if it's 3G.
You are an active broadcasting agent when you use a mobile phone, therefore anything you broadcast is free to pick up.
For those that disagree, get rid of your mobile phones, stop using GPS, GPRS and the like.
IMEI is a non identifiable number, it cannot be traced back to an individual unless that number is correlated using a phone providor. Something that is currently illegal for them to hand out.
Out of the 20-50k people in a shopping centre on any one day, do you honestly think the shopping centre owners care about John Smith? Even if they could identify him.
When Path Intelligence talks about security, it means stationary signals, such as mobile phone detonators.
Before the backlash begins, I am a privacy nut, I've opted out of society, marketing and the like. I don't like the fact I'm on CCTV, but I accept it's the price you pay. In the next few years, face recognition will hit the mainstream big time, so in comparison this will be peanuts.
@ JS - Look at the later blog post, where we publish some more details, from Path Intelligence themselves, rather than from the somewhat misleading article in The Times:
Path Intelligence FootPath(tm) mobile phone tracking - a few more details
IMEI uniquely (apart from illegally re-programmed unblocked phones, many of which share the same IMEI) identifies a handset, and if that is what Path Intelligence were using, it would be irrelevant that "it cannot be traced back to an individual unless that number is correlated using a phone providor. Something that is currently illegal for them to hand out."
It would provide a method of profiling the movements and shopping habits of a shopper nationally or internationally, wherever, say, a large chain of retailers had installed Path Intelligence style systems, and were sharing the data between shops locations.
Once the movement pattern profile is created, it is only a matter of time before iit is very likely that it can be cross referenced with credit card or loyalty card etc. use, at a particular location, at a particular time, especially in combination with CCTV images.
However, as the later article explains, they are not actually using IMEI, but the random TMSI, which is supposed to change periodically.
More worryingly, they are also reading the IMSI, which is linked to your SIM Card and phone number, and which is sent when the phone is switched on, and which the TMSI is meant to hide your phone handset from "eavesdroppers". Path Intelligence apparently parse the country code from the less frequently presented IMSI, but you have to trust them that they do not store the whole IMSI and analyse it.
Neither Path Intelligence nor Shopping Centre management should be trying to track "mobile phone detonators" themselves - that should be the Police, the Security Service and all of the Mobile Phone Networks, who may, after all, be able to track such suspect phones over a much wider area than the very local FootPath system. They make no claims whatsoever about being able to detect such "mobile phone detonators" on their website.
Facial Recognition is currently so bad as to be worse than useless for trying to identify individuals on watchlists - the rate of false positives and false negatives is far too high, and dependent on changing lighting conditions.
There is no prospect of the technology being improved to equal the current accuracy of other biometrics like fingerprints, or the more accurate iris scans, in the foreseeable future.
What is currently popular and feasible right now, is tracking human shapes by video, enhanced by clothing logo recognition - there may be thousands of people displaying, say a Nike logo, but at any one time, in any specific area, there will only be a few wearing a particular colour / logo combination who are a certain height and width etc.
Finally, your point about
may be true of licence free Industrial Scientific Medical frequencies which are used by WiFi, BlueTooth, Near Field Communications, RFID tags, anti-shoplifting tags etc.
That is not true for heavily regulated mobile phone frequencies, where the monopoly licences have cost the Network Operators literally billions of pounds for their exclusive use.
As the later blog article reveals, Path Intelligence are not in partnership with any of the Mobile Phone Networks, and do not have a separate licence from Ofcom, so they potentially fall foul of the Wireless Telegraphy Act 2006.Section 116 (2) (b) which bans unlicenced passive receivers as well as transmitters.