[LINK] RFI: 'Footpath' Customer Phone Tracking

Steven Clark steven.clark at internode.on.net
Fri Oct 14 13:27:23 AEDT 2011


On 14/10/11 09:08, Richard Chirgwin wrote:
> Roger,
>
> With such thin information provided by the company, I am forced to guess!
>
> As far as I can tell, the best candidate for a random number used to
> communicate between the mobile and the base station is described here:
> http://en.wikipedia.org/wiki/Network_switching_subsystem
>
> Look under "Authentication Centre", "Procedures Implemented" subsection:
> "When a particular IMSI requests access to the GSM core network, the
> MSC sends the RAND part of the triplet to the SIM."
>
> That random number is generated by the Authentication Centre - for
> this discussion it can be treated as part of the base station.
> However, on its own it doesn't identify a mobile phone. So the answer
> to the first privacy question, "would this include
> personally-identifiable information?", is no.
>
> In that sense, it's probably less intrusive in isolation than using
> cameras or - in an old world of retail path-watching - human watchers!
>
> To a second question, "could this be correlated to a specific
> individual at a later date?" I have no answer. You would need two data
> sets - Pathfinder and the carrier's data - and I have no idea whether
> the carriers retain the random numbers used to set up phone-base
> station logins.

Associating GPS data with CCTV footage ought to enable identification of
the person. At least enable identifiability. Especially if linked to
loyalty program data ...

Treating a technological implementation in isolation can exclude/evade
Privacy Act 'implications.' But when considered alongside equally
available technologies that can readily be integrated or interlinked,
the potential implications multiply. Unfortunately, since existing (and
proposed) regulation focuses on data and not context, it's relatively
easy to sidestep regulatory 'interference'.

You don't have to know a person's name to accumulate data about them, or
to treat them differently. (etc).

Does capturing mobile phone transmissions for purposes other than
providing a telecommunications service constitute an offence? Is this
'interception'? To do this, are they using equipment that *could* be
used to intercept phone calls in the 'usual' manner? (such equipment -
including a functional base station - can be put together from readily
available hardware and software). And how would 'consumers' know
otherwise? (beyond 'coz we told you we don't/won't')

-- 
Steven


