[LINK] RFI: 'Footpath' Customer Phone Tracking

Richard Chirgwin rchirgwin at ozemail.com.au
Fri Oct 14 14:26:25 AEDT 2011 

Steven,

On 14/10/11 1:27 PM, Steven Clark wrote:
> On 14/10/11 09:08, Richard Chirgwin wrote:
>> Roger,
>>
>> With such thin information provided by the company, I am forced to guess!
>>
>> As far as I can tell, the best candidate for a random number used to
>> communicate between the mobile and the base station is described here:
>> http://en.wikipedia.org/wiki/Network_switching_subsystem
>>
>> Look under "Authentication Centre", "Procedures Implemented" subsection:
>> "When a particular IMSI requests access to the GSM core network, the
>> MSC sends the RAND part of the triplet to the SIM."
>>
>> That random number is generated by the Authentication Centre - for
>> this discussion it can be treated as part of the base station.
>> However, on its own it doesn't identify a mobile phone. So the answer
>> to the first privacy question, "would this include
>> personally-identifiable information?", is no.
>>
>> In that sense, it's probably less intrusive in isolation than using
>> cameras or - in an old world of retail path-watching - human watchers!
>>
>> To a second question, "could this be correlated to a specific
>> individual at a later date?" I have no answer. You would need two data
>> sets - Pathfinder and the carrier's data - and I have no idea whether
>> the carriers retain the random numbers used to set up phone-base
>> station logins.
> Associating GPS data with CCTV footage ought to enable identification of
> the person. At least enable identifiability. Especially if linked to
> loyalty program data ...
This, however, is not GPS data, but it is positional.

Yes, combining position with CCTV could yield identification, good point.
> Treating a technological implementation in isolation can exclude/evade
> Privacy Act 'implications.' But when considered alongside equally
> available technologies that can readily be integrated or interlinked,
> the potential implications multiply. Unfortunately, since existing (and
> proposed) regulation focuses on data and not context, it's relatively
> easy to sidestep regulatory 'interference'.
>
> You don't have to know a person's name to accumulate data about them, or
> to treat them differently. (etc).
>
> Does capturing mobile phone transmissions for purposes other than
> providing a telecommunications service constitute an offence? Is this
> 'interception'?
That's an interesting question. I don't know the extent to which network 
*signalling* (which this appears to use) is covered by the interception 
act.
> To do this, are they using equipment that *could* be
> used to intercept phone calls in the 'usual' manner?
My reading of the technology says "no". They're identifying a particular 
item of signalling data (one that isn't encrypted, for a start). 
Intercepting the call requires much more.
> (such equipment -
> including a functional base station -  can be put together from readily
> available hardware and software).
> And how would 'consumers' know
> otherwise? (beyond 'coz we told you we don't/won't')
>
I suspect there's more than that to mounting a man-in-the-middle between 
mobile phone and network - busting the over-the-air encryption for 
example. But if you're right the Pathfinder doesn't change anything: how 
do you know you're logged into a real base station and not a fake one, 
at any time?

Richard C

More information about the Link mailing list