How safe is SafetyText ?
A new mobile phone service has been launched called SafetyText aimed at providing a delayed and/or cancellable SMS text message service for young people who are out on the town etc. but who do not want to notify their parents or "buddys" etc. unless they go missing.
The father of Lucie Blackman, the ex-airline stewardess who was murdered in Japan seems to be involved in this venture.
This "buddy list" technology has obvious dangers which the similar Location Based Services suppliers have been held back from exploiting in the UK through the secret Code of Conduct (email us if this is actually available to the public anywhere) which the Mobile Phone Networks seem to have agreed to.
Our worries about the service revolve around the "Personal Profile"
"Everyone who registers with SafetyText is asked to complete an optional private page, which is his or her Personal Profile. This page will contain lots of information about an individual, from their hair colour to where they hang out. They are also asked for information about contact details for their friends. You can also save a photo of yourself on the page. All this information would be available to police if you were reported missing. (NB this information held on a secure server and cannot be accessed by anyone). "
This personal profile database is a tempting target for stalkers and kidnappers - it needs the highest levels of protection available.
Where child safety is concerned, it is not enough for commercial services simply to claim that their systems are secure.
What assurance is there that the SafetyText "secure servers" are not vulnerable to SQL Injection attacks via their poorly designed web forms and database input validation scripts, like those which have been reported to us as having compromised the security of more than one of the Location Based Data service suppliers ?
There are similarities with the ChildLocate service when it was launched last September.
We criticised ChildLocate and its commercial rivals (many of which seem to be "white label" services which can be "re-branded" by various marketing companies, as can SafetyText) for not having registered under the Data Protection Act.
Search the Data Protection Register for
SafetyText Ltd
14 Belvedere Street
Ryde Isle of Wight PO33 2JW
GB
admin@safetytext.com
Company Registration Number 5116628
or even for their "white label" text message supplier SendMyText Ltd
SendMyTxt UK
CAD House
68 Windmill Road
Croydon Surrey CR0 2XE
GB
Tel +44 (0)870 141 7200
Fax +44 (0)870 141 7201
Email info@sendmytxt.co.uk
Any of these details by name, by post code etc. come up blank on the Data Protection Register search.
If these companies have registered, then they should at least be showing their temporary Data Protection registration refence number, like ChildLocate did once they had been prompted.
Any service aimed at child safety or parent reassurance should have sorted out their DPA registration before launching their service to the media and public.
We also criticised the Location Based Data service companies for giving no indication of whether or not the people with administrator access to their so called "secure servers" and infrastructure had passed even the minimal checks required for anyone with access to children through the Criminal Records Bureau
It is not good enough to claim that such checks are unecessary, it is fears and reassurance about child safety that they are using to market their services, so they should be seen to be taking every possible precaution, which they are failing to do.
Exactly the same criticisms can be made of SafetyText.