Short Cuts

Daniel Soar

For a moment in the late 1990s, it looked as though mobile phones might make us free. You could work in the park, be available when you wanted to be, choose who you answered to. You could be anywhere while you did anything. If location was mentioned it was gratuitous chatter (‘I’m on the train!’) or a handy lie (‘I’m in the office’). Back then, a phone in your pocket was an expensive novelty. Ten years later, there are 3.3 billion active mobile phones, meaning that – if you ignore the show-offs who have several – half the planet has one; 85 per cent of the million new subscriptions taken up each day come from the developing world. Three billion people are just a few button presses away, and where they are doesn’t matter. But if you’re the retiring type, the trouble is that the phone companies and interested others do know exactly where you are, at any given second, so long as you have your handbag with you and your phone switched on: even the most basic technology, phone mast triangulation, locates you to within a couple of hundred metres; newer phones, with GPS built in, will tell any system that asks whether you’re in the kitchen or the loo.

You might assume that this information is either of interest to no one or, at the very least, protected by privacy laws and accessible only by the agencies that hunt suicide bombers and paedophiles. But you’d be wrong. Anyone can, for instance, sign up – at £29.99 a year – to mapAmobile.com (‘you’ll always know where your loved ones are’), which allows you to follow the movements of your ‘family and friends’ on a computer screen. The safeguard, from your friend’s point of view, is that he has to consent to being tracked, a process which involves his replying to a text message alerting him to the request; this shouldn’t be much of a hindrance to you as would-be stalker if he happens to leave his phone lying around. That this sort of enterprising solution is possible is the result of the major networks – in the UK, Vodafone, Orange, O2 and T-Mobile – having decided, in around 2002, to sell their location data to any company willing to pay for it.

Such services are obscure, and barely legal, but it’s about to be brought home to the majority of mobile users that what they’re up to isn’t private information. Owners of the latest version of Apple’s iPhone – avidly queued for at stores around the world last month – can now download an application that displays a friend’s location as a bright green dot on a map. In 2009, phones running Google’s Android operating system will be able to show you in pictures how to reach that green dot while avoiding traffic snarl-ups and stray hurricanes; they’ll also tell you how much a drink will cost when you get there. Along the way you might have to dodge a virtual attack from a passing stranger who, like you, has signed up to an urban espionage ‘immersive game’ and has pegged you in the street as a target. If all this sounds like unnecessary gimmickry, and you’re perfectly happy with your phone the way it is, or would be if only you knew how to make it ring like a phone rather than a wheezing horse or a three-dimensional aural representation of the rings of Saturn, then you’re out of luck: the information your phone provides is out there anyway. It doesn’t belong to you, and anyone with the required resources can do with it what they will.

At a very rough estimate half a trillion calls are made each day on the world’s mobile networks: their origin and destination, their time and duration and all identifying codes are logged on telecom provider hard-drives and generally retained, under emerging legislation, for up to two years. It’s impossible to exaggerate the value of these data. In most countries no one can listen in to your conversation – though it’s technically trivial to do – without a warrant, but given what most of us talk about most of the time what we actually say when we’re on the phone may be the least interesting thing about the call. Certainly this is the view of the growing Intelligence Support Systems industry (ISS), which sells analysis tools to government agencies, police forces and – increasingly – the phone companies themselves. Take the case of ThorpeGlen, a company headquartered in a business park outside Ipswich that also hosts research divisions of BT and Nokia Siemens Networks. At the frequent ISS conferences – Dubai, Qatar, Washington, Prague – one of the key topics of discussion tends to be how to identify targets for LI (that’s ‘lawful intercept’) in the first place: it’s a cinch to bug someone, but how do you help a law enforcement agency decide who to bug?

To help answer that question, companies like ThorpeGlen (and VASTech and Kommlabs and Aqsacom) sell systems that carry out ‘passive probing’, analysing vast quantities of communications data to detect subjects of potential interest to security services, thereby doing their expensive legwork for them. ThorpeGlen’s VP of sales and marketing showed off one of these tools in a ‘Webinar’ broadcast to the ISS community on 13 May. He used as an example the data from ‘a mobile network we have access to’ – since he chose not to obscure the numbers we know it’s Indonesia-based – and explained that calls from the entire network of 50 million subscribers had been processed, over a period of two weeks, to produce a database of eight billion or so ‘events’. Everyone on a network, he said, is part of a group; most groups talk to other groups, creating a spider’s web of interactions. Of the 50 million subscribers ThorpeGlen processed, 48 million effectively belonged to ‘one large group’: they called one another, or their friends called friends of their friends; this set of people was dismissed. A further 400,000 subscriptions could be attributed to a few large ‘nodes’, with numbers belonging to call centres, shops and information services. The remaining groups ranged in size from two to 142 subscribers. Members of these groups only ever called each other – clear evidence of antisocial behaviour – and, in one extreme case, a group was identified in which all the subscribers only ever called a single number at the centre of the web. This section of the ThorpeGlen presentation ended with one word: ‘WHY??

Once you’ve found your terrorist, how do you know that he won’t, say, pass on his phone, or get a new number or use a throwaway pay-as-you-go handset (as British Olympic officals were advised to do by MI6 in an attempt to evade Chinese spies)? ThorpeGlen has a solution for that too. It also sells ‘profiling’ systems, which measure the behaviour pattern of an individual subscriber and, using statistical analysis, determine whether that same pattern is now appearing from another source. In other words, if your terrorist gets a new phone you’ll still know it’s him. If he keeps the same phone and starts changing his pattern, then he’s about to blow up Jakarta International Airport. This is important stuff. If you want to see how ThorpeGlen’s systems work for yourself, just log on to https://81.143.55.50:58443; all you need to do is figure out a username and password. Who isn’t a spy now?