Response to email from Jon Magnusson, Managing Director, MobileLocate:
From: Jon Magnusson
To: <childlocate@spy.org.uk>
Subject: Your article
Date: Tue, 11 Nov 2003 10:33:18 +0100
Hi there,
A few points I would like to raise in response to your web article on http://www.spy.org.uk/cgi-bin/childlocate.pl
1 - We have implemented the strongest available encryption technology to secure all data transitions and communications via our network. This means that all communications with our customers are encrypted. For more info on our security set-up go to http://www.childlocate.co.uk/system.htm.
This is welcome news, and we were astonished that MobileLocate did not launch the ChildLocate service with this SSL/TLS encryption from the customer's web browser to the Trackwell credit card and userid and password handling server, back on October 9th.
The previous Flash forms were served from:
http://www.staging.trackwell.com/buddyservice/mct/index.html
This server did not then, and does not now, have a Digital Certificate installed. As of Tuesday 11th November 2003, at least, this URL links automatically to the same page as the current Flash form handling URL https://www.trackwell.com/childlocate/, and both now end up at:
https://www.trackwell.com/mct/child.html
This server (also still based in Iceland) does now have a Thawte Digital Certificate, which allows for 128-bit SSL/TLS encryption:
Valid from: 05 November 2003 15:13:57
Valid to: 04 November 2004 15:13:57
Subject:
CN = www.trackwell.com
O = Track Well Software hf
L = Reykjavik
S = Reykjavik
C = IS
However, SSL/TLS encryption on its own still does not mean that the back end systems are secure. Back end systems are frequently found to be vulnerable to SQL injection attacks, or left with default database passwords, vulnerable default stored procedures etc. Even "Unbreakable" Oracle database systems are plagued with security holes, cf. http://www.nextgenss.com/advisories.html
2 - All our customer records are stored in accordance with the UK Data Protection Act 1998 Notification Registration Number: PZ8277048. The Data Protection Act covers all countries within the EU and the EEA.
Again, this is welcome news. However, there is still no mention of this on the Data Protection Register for the public to see at the moment.
Perhaps MobileLocate could publish a copy of what will, hopefully, eventually appear on the DPR.
3 - I very much disagree with you that the use of our service can be "life threatening". The notification features in place make sure that the person being tracked is made aware about the service and he or she is in full control over his or her privacy. Here is a list of privacy control commands available on a mobile phone: http://www.childlocate.co.uk/smscommands.htm
The ChildLocate service is a very tempting target for child molesters, spouses involved in child custody battles, abusive husbands whose women and children try to flee from them to battered wives' hostels, celebrity stalkers, paparazzi, criminal kidnappers, terrorists etc.
The full comment still seems fair:
"The consequences of a breach in security of such a website could be literally life threatening."
There have already been cases in the UK of stalkers compromising mobile phone SMS messages, with the help of "insiders" working at a mobile phone company, cf. http://www.theregister.co.uk/content/archive/28229.html
SMS messages are inherently insecure and can be easily forged. This is not much of a risk to the revenue of Mobile Phone companies, as forged messages still have to be paid for, but it is too risky to rely on SMS messages and simple passwords on their own as strong authentication. There is a whole m-commerce industry using WAP, WTLS etc. which tries to answer some of these problems for the m-commerce and financial industries, and one would have expected that what is considered to be essential to secure mere credit card payments etc. would also be used to protect Children's personal details and the "trusted" messaging system that ChildLocate offers.
4 - The ChildLocate service is regulated by a Privacy Management Code of Practice that has been approved by the 4 major UK mobile operators and is the basis for the regulation of location based services using GSM in the UK. This document takes various stakeholders' interests into account and took over 1 year to create, so it isn't like the operators have just jumped on the bandwagon in order to cash in on location based services. As a result of their concerns, the mobile operators have for example not agreed on allowing "buddy tracking" services on their networks, however lucrative that market might seem.
The most important "stakeholders" are the mobile phone customers. The public would be very interested to read this "Privacy Management Code of Practice", which does not appear on any of the Oftel, Vodafone, Orange, O2 or T-Mobile websites. Perhaps MobileLocate will publish a copy on their website?
5 - The operation of the ChildLocate service does not require us to check staff's background via the Criminal Records Bureau. However, access to personal data is restricted on three levels, depending on the role of the person involved, to only a handful of trusted staff and all access to customers for technical support purposes is only accessed by staff directly employed by MobileLocate Ltd.
It can be argued that you are operating a "child care organisation" which "supervises" children, and therefore come under the Protection of Children Act 1999. Given the service that you are selling, it is in your commercial interest to ensure that you are seen to be at least as responsible an employer as your local school or volunteer scout and guide association.
I hope the above is in some way an answer to your concerns and I hope that you will reflect this information in your web text as soon as possible, whereas the current article does not reflect correctly on the security measures we have taken to ensure the safety of our ChildLocate service.
Best regards,
Jon Magnusson
Managing Director
MobileLocate Ltd
Some of our concerns have been answered, but we shall be closely watching future developments regarding the commercial exploitation of Location Services, especially those aimed at monitoring children or vulnerable adults.
Hooray! The MobileLocate Data Protection Register entry is now public:
Registration Number: Z8277048
Date Registered: 05-NOV-03 Registration expires: 04-NOV-04
Data Controller: MOBILELOCATE LTD
http://forms.informationcommissioner.gov.uk/cgi-bin/dpr98-fetch.pl?source=DPR&docid=39891