By Calvin Lau
My cellphone is my best friend. It’s also a homing beacon and an open book, and I should probably be a little more worried.
Remember when Paris Hilton’s T-Mobile Sidekick was hacked last year? Phone numbers, personal notes and a few topless portraits were (and still are) all over the web, all because someone simply called T-Mobile customer support and got staff to turn over Hilton’s password. Hackers call this “social engineering.” Security experts call it “pretexting”: approaching the people who hold secure information under false pretenses to get them to hand it over.
Many websites will sell the detailed calling records of any phone number for a price, usually about $200. Who’s calling you, who you’ve called, when and how long you were talking: It’s all there. Last year, Maclean’s magazine writer Jonathan Gatehouse used such a service to make a point to Jennifer Stoddart, Canada’s federal privacy commissioner. Gatehouse walked into Stoddart’s Ottawa office with the calling records from her home, cottage and cell phones.
The privacy commissioner has since begun investigating how her personal information was obtained from Telus Mobility and Bell Canada, and there are threats of fines of up to $10 million for each offence. “Part of the reason why this is happening is an existing and continuing vulnerability to social engineering on the part of the phone companies,” said Sherwin Siy, staff counsel for the Electronic Privacy Information Center, a privacy group in the United States.
In the States, privacy laws aren’t as strict as they are in Canada, allowing data brokers to work with relative ease. Siy considers the practice fraud. “There is no legitimate reason anybody would need to get these phone records outside of judicial process,” he said. Siy said the cell phone carriers need to plug some holes, such as asking for more than a postal code or birthday to verify a user’s identity.
“They are the ones that hold the records and it is their responsibility to maintain confidentiality… using biographical information is not a good way to authenticate a user. These are all common sense security procedures that haven’t been implemented,” Siy said.
Pretexting is a low-tech, simple problem. With high-tech invasions of privacy, however, it gets more complicated.
In Britain, there’s a new crop of companies that can track the location of nearly any cell phone using a method called GSM (Global Systems for Mobile) tracking. It triangulates your location using nearby cell towers. Sites such as Worldtracker.com market the service to businesses to keep track of employees with company phones, or to parents to track their wayward preteens.
To keep the government at bay, these companies have created their own code of conduct. First, a user must prove ownership with a credit card. Afterwards, an alert is sent to the phone asking for an OK. Then, at random intervals, alerts are sent notifying the user of the tracking.
There is a precedent being set south of the border allowing such monitoring. Last December, New York State Judge Gabriel Gorenstein ruled GSM tracking doesn’t require a warrant, under the 2001 USA PATRIOT Act. In his ruling, he wrote: “The government does not seek to install the ‘tracking device:’ the individual has chosen to carry a device and to permit transmission of its information to a third party, the carrier.”
Individuals and government are exploiting cell phones to invade privacy and the only line of defence comes from cell phone companies, who are failing. Customer support is porous, monitoring is increasing and people still think cell phones are more private than land lines. So don’t laugh when your paranoid friend says, “They’re watching me.”
They can, in more ways than one.