Toby Oliver from Path Intelligence has, via email, answered a few of our questions and concerns, but his replies raise a few new ones; see below.
See our previous article "Path Intelligence - Phorm for shopping centres ?"
More coverage and comment at The Register
[...]While I appreciate there are concerns about what we do there were a number of mistakes and omissions in the Times article. Before we started this, we talked to as many people as we could to make sure we were doing this the right way including the EFF, the information commissioner, and Liberty.
As a general point we don't use the phones' IMEIs; we use the TMSI and occasionally part of the IMSI.
That is rather a big correction to The Times article, which claimed IMEI (International Mobile Equipment Identity) tracking!
N.B. the badly worded Mobile Telephones (Re-Programming) Act 2002 is still vague enough to cover all of these "unique identifiers".
The TMSI (Temporary Mobile Subscriber Identity) is touted by the mobile phone industry specifically as a countermeasure against a handset being tracked or identified over the air interface.
The IMSI (International Mobile Subscriber Identity) contains a section which betrays the subscriber's home country and home network, i.e. the Mobile Country Code and Mobile Network Code, which is presumably how the statistics on foreign visitors are compiled. The GSM specifications are explicit about why the IMSI should stay off the air:
"In order to avoid the subscriber being identified and tracked by eavesdroppers on the radio interface, the IMSI is sent as rarely as possible"
but the IDs are hashed as soon as we receive them to make it much more difficult to combine them with other data.
Is this hashing done at the antenna boxes, or only at the remote data analysis centre ?
How long is such unhashed data retained for ?
How long is individually trackable hashed data retained for ?
Is the hash function a strong cryptographic one-way hash, like SHA-2, RIPEMD-160, Whirlpool, etc.?
Or is it a weak proprietary hash, like the one Trafficmaster plc use for their roadside ANPR cameras and traffic pattern statistics, which has fewer than 26,000 possible values, i.e. it can be reversed by brute force in real time with the computing power available today?
Even a strong hash does not help much on its own: a TMSI is only 32 bits, and an IMSI whose MCC and MNC are known leaves at most 10 digits to guess, so an unkeyed hash of either can be inverted simply by enumerating the candidates. Only a keyed hash whose secret key is kept off the antenna boxes and rotated regularly stops that, and then the key rotation interval is what bounds how long one visitor remains linkable.
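To make the hashing point concrete, here is an added example (our own illustration, not code from Path Intelligence or from FootPath(tm)) showing that a strong but unkeyed hash of an IMSI or TMSI is a dictionary-attack target, while an HMAC under a secret key is not. The IMSI is constructed (234 is the UK Mobile Country Code; the MNC and MSIN digits are made up), the key is an assumed per-deployment secret, and the function names are hypothetical. It also splits the IMSI into the MCC, MNC and MSIN fields referred to above.

```python
"""Why an unkeyed hash does not anonymise a TMSI or IMSI.

Added example, not Path Intelligence code. The IMSI below is constructed
(MCC 234 is the UK; the MNC and MSIN are made up) and the key is an assumed
per-deployment secret that a real system may or may not have.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional


def split_imsi(imsi: str, mnc_len: int = 2) -> Dict[str, str]:
    """Split a 15-digit IMSI into MCC (3 digits), MNC (2 or 3 digits,
    depending on the country's numbering plan) and the remaining MSIN."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("an IMSI is exactly 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("an MNC is 2 or 3 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def unkeyed_hash(ident: str) -> str:
    """A strong one-way hash, but with no secret: anyone can recompute it."""
    return hashlib.sha256(ident.encode("ascii")).hexdigest()


def keyed_hash(ident: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key a guess cannot be checked."""
    return hmac.new(key, ident.encode("ascii"), hashlib.sha256).hexdigest()


def invert_imsi_hash(target: str, known_prefix: str, msin_values: range,
                     hasher: Callable[[str], str]) -> Optional[str]:
    """Offline dictionary attack on a hashed IMSI. Knowing MCC+MNC (the part
    that identifies country and operator) leaves at most 10 digits to try;
    the full 10^10 space is feasible offline with SHA-256."""
    width = 15 - len(known_prefix)
    for n in msin_values:
        candidate = f"{known_prefix}{n:0{width}d}"
        if hasher(candidate) == target:
            return candidate
    return None


def invert_tmsi_hash(target: str, tmsi_values: range,
                     hasher: Callable[[str], str]) -> Optional[int]:
    """Same attack on a hashed 32-bit TMSI: only 2^32 values to enumerate."""
    for t in tmsi_values:
        if hasher(f"{t:08x}") == target:
            return t
    return None


def demo() -> Dict[str, object]:
    imsi = "234150000012345"                  # constructed test value
    prefix = imsi[:5]                         # MCC + 2-digit MNC, assumed known
    key = b"assumed-deployment-secret-rotate-me"   # stand-in for a real secret
    results: Dict[str, object] = {}
    # 1. Unkeyed SHA-256: the analyst only has to enumerate the MSIN.
    results["unkeyed_recovered"] = invert_imsi_hash(
        unkeyed_hash(imsi), prefix, range(0, 20_000), unkeyed_hash)
    # 2. HMAC under a secret key: the same enumeration cannot verify guesses.
    results["keyed_recovered"] = invert_imsi_hash(
        keyed_hash(imsi, key), prefix, range(0, 20_000), unkeyed_hash)
    # 3. A hashed TMSI falls to the same brute force over its 32-bit space.
    results["tmsi_recovered"] = invert_tmsi_hash(
        unkeyed_hash("0badf00d"), range(0x0badf000, 0x0badf100), unkeyed_hash)
    # 4. Even a keyed hash links every sighting for the key's lifetime;
    #    rotating the key is what ends linkability across visits.
    results["links_across_rotation"] = (
        keyed_hash(imsi, key) == keyed_hash(imsi, b"next-period-key"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The small search ranges keep the demonstration instant; the point is that nothing but the range size stands between an "anonymised" unkeyed hash and the original identifier, which is why the questions about where the hashing happens and whether a secret key is involved matter more than whether the hash is SHA-2 or Whirlpool.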
> 1) Are you working in partnership with, or with permission from,
> one or more UK Mobile Phone Network operators ? If so, then who
> are they ?
>
We are not in partnership with any network operator.
So there is no permission from any mobile phone network licensee for Path Intelligence to listen in on their very tightly controlled mobile phone frequencies (900 MHz and 1800 MHz for GSM, or 2100 MHz for 3G).
> 2) If not, then how is your technology legal to use in the United
> Kingdom under the Wireless Telegraphy Act 2006 ?
> 3) Have you, or Gunwharf Quay shopping centre i.e. Gunwharf
> Quays Management Ltd, (or the owners Land Securities) or the
> individual retailers who are using your system, applied for, or been
> granted any exemptions under the Communications Act 2003 by Ofcom ?
>
Our system is purely passive, does no decryption and does not even attempt to listen to either party's conversation, and as such our legal advice has been that what we are doing is not illegal as far as the various acts are concerned. We definitely don't want to be infringing on either of these, so I would be keen to understand the specific areas that we might be infringing on if you know them.
If FootPath(tm) is not licensed by Ofcom, then it seems to fall within the draconian, all-encompassing definitions in the Wireless Telegraphy Act 2006 of "wireless telegraphy", "wireless telegraphy apparatus" and "interception and disclosure of messages":
Section 116 (2) (b)
(b) is used in connection with determining position, bearing or distance, or for gaining information as to the presence, absence, position or motion of an object or of a class of objects.
[...]
117 "Wireless telegraphy apparatus" and "wireless telegraphy station"
(1) In this Act "wireless telegraphy apparatus" means apparatus for the emitting or receiving, over paths that are not provided by any material substance constructed or arranged for the purpose, of energy to which section 116(2) applies.
48 Interception and disclosure of messages
(1) A person commits an offence if, otherwise than under the authority of a designated person--
(a) he uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of a message (whether sent by means of wireless telegraphy or not) of which neither he nor a person on whose behalf he is acting is an intended recipient, or
(b) he discloses information as to the contents, sender or addressee of such a message.
(2) A person commits an offence under this section consisting in the disclosure of information only if the information disclosed by him is information that would not have come to his knowledge but for the use of wireless telegraphy apparatus by him or by another person.
[...]
(4) A person who commits an offence under this section is liable on summary conviction to a fine not exceeding level 5 on the standard scale.
[...]
A Level 5 fine on the standard scale is currently £5000 per offence.
> 4)There is no mention on your website of the use of any forms of
> strong encryption to protect the IMEI data being collected by your
> antennas, and being sent offsite for analysis. Similarly, there is
> no mention of any, for example, Secure Sockets Layer session
> encryption for the web interface to your PI Explorer analysis and
> reporting software which your customers presumably use. Do you
> protect the public's IMEI tracking data with encryption at all ?
>
As I mentioned above, we don't use IMEIs, and all data that is transferred around is encrypted over an SSH link. The data viewed in our web tool is only viewable via a secure HTTP session.
That is a bit more reassuring, provided that these supporters of Open Source software development have not fallen victim to the recently disclosed Debian OpenSSL predictable random number generator flaw (CVE-2008-0166): SSH keys and SSL certificates generated on an affected Debian-based system are drawn from a tiny, enumerable set, so both the SSH links and the "secure" web sessions would need their keys regenerated.
> 5) Who has independently tested the security of these internet
> based systems ?
>
We haven't had our security independently tested yet, but that is something we need to do.
That would be A Very Good Idea.
> 6) Where is this offsite analysis conducted ? I note that your
> corporate web site www.pathintelligence.com appears to be
> physically and legally located in the USA i.e. outside of the
> European Economic Area.
This analysis is conducted in the UK. Can I ask why you think we are located in the USA? Path Intelligence Ltd is a UK company.
As the www.pathintelligence.com webserver appears to be located in Atlanta, Georgia, USA, perhaps the PI Explorer webserver(s) might also be co-located there. This could have implications under the Data Protection Act.
> 7) Do you have a current entry on the Register of Data Controllers
> ? I cannot seem to find one under the names "Path Intelligence" or
> even "Sensus Analytics" or via your post code.
>
> http://www.ico.gov.uk/ESDWebPages/DoSearch.asp
>
We only deal with anonymous data, so from our discussions with the Information Commissioner's Office we don't need to be on the register of data controllers.
Given the Phorm affair, in which Phorm also claims to use only "anonymous" data, and the fact that the Information Commissioner's Office admits that it is short of people who understand the details of the technology, that may not necessarily be the view that the ICO eventually comes to if there is a formal complaint.
It would be more reassuring to the public if Path Intelligence did actually register under the Data Protection Act regardless.
> 8) Given the huge problems with illegal mobile phones in UK's
> prisons, have you approached the Ministry of Justice, or been
> approached by the Prison Service etc. to conduct a pilot
> installation of your technology ?
>
That is a very good point and we have had some initial discussions with them, although I think they are looking at a number of ways of tackling the problem.
There are over 170 prisons and similar institutions in the UK, which should represent a bigger potential market than, say, airports for this sort of tracking equipment. Passive detection might also avoid some of the problems that active mobile phone signal jamming would inflict on the areas surrounding prisons, especially on calls to the emergency services.
This makes a lot more sense to me.
The IMEI (and IMSI) is usually only sent when a handset first registers on the network, so for most of the handsets this system can see, this information isn't available. As you said, a standard IMSI is 15 digits long; the first 3 are the MCC (Mobile Country Code) and the next 3 are the MNC (Mobile Network Code). When these are available, it's possible to identify both the country and the operator.
The TMSI is much better from a privacy point of view, as this usually changes every couple of hours, so they won't be able to link multiple visits; chances are you will not be able to track a user for more than 3 hours (this depends on the network).
@ Chris - are TMSIs actually random in practice?
"The network shall not allocate a TMSI with all 32 bits equal to 1 (this is because the TMSI must be stored in the SIM, and the SIM uses 4 octets with all bits equal to 1 to indicate that no valid TMSI is available)."
Properly random stuff is hard to do. How do we know that one or more Authentication Centres do not cut corners and use a predictable or weak algorithm to generate TMSIs with?
How many times have we seen predictable sequence numbers for TCP sessions, in different proprietary and open source implementations of TCP stacks?
Why should closed source telecoms equipment software be any better?
Why does “we don’t intercept the IMEI, we only intercept the IMSI” not sound any better? As it seems likely that IP addresses are going to be classed as personal information, it would be logical to extend that to TMSIs, as well as those IMSIs that they do manage to intercept. I therefore agree with the article that Path Intelligence would be wise to register under the Data Protection Act.
Sadly, I don’t have much confidence in the Wireless Telegraphy Act being used against Path Intelligence. OUT-LAW.COM’s analysis of Phorm was that their system may cause millions upon millions of infringements of various laws but that, as Phorm and the ISPs are big business, these should be viewed as trivial, technical infringements that shouldn’t stand in the way of making profit. I can’t see the government standing in the way of Path Intelligence also making profit, no matter what the cost to individuals’ privacy.
I have only just been made aware of this tracking a couple of days ago despite it going on right under my nose
I intend to follow up and try to get this system removed from my area
I took some photos of the machines in action here
I made a blog post about it here
I just can't believe it!
@ Ging - thanks for the link to your photos.
You make a very important point about the fact that the Gunwharf Quays development includes private residences as well as shops, which appear to be within the scanning range of the installed Path Intelligence equipment.
A complaint to Ofcom about this aspect of the system might get them to examine what, on the face of it, seems to be a contravention of the Wireless Telegraphy Act 2006, for using unlicensed radio receiving equipment on the strictly controlled mobile phone frequencies.