Mobile Networks and Data Privacy

In a story that drags down the already woeful privacy and security reputation of mobile phones, the UK’s tax collection agency — HMRC — allegedly used its SMS service provider to acquire the location data of certain individuals.

That mobile network providers can track location data should come as no surprise, but to have SMS service providers potentially handing over location data to a third party has serious data privacy implications.

The article gives a useful outline of how the SS7 protocol used by my mobile phone networks can detect where messages were received.

Signalling System Number 7 (SS7) is the signalling protocol used by mobile phone networks to route Short Messaging Service (SMS) messages.

Using SS7 to detect where messages were received is relatively simple. In essence SS7 tells mobile networks where to send messages based on which mast a particular phone number was last connected to. A register of those connections is kept and can be queried.

Thus the technique is called Home Location Register (HLR) lookup. Commands exist for querying a network’s HLR for a particular Mobile Station Integrated Services Digital Network number (MSISDN, or “phone number” to you and I). If you know the location of a mast where that MSISDN was last connected, you’ve got a radius of where the phone could be located. Cross-referencing that radius with multiple masts helps triangulate a specific phone, and thus its user.

This is the data used by police forces and others to locate criminals by tracking their mobile phones.

A key question here is why SMS service providers need to hold on to this data in the first place. It could also mean that a company could use such a service to send out mass SMS messages to track the locations of all its customers.

Mobile network providers will be holding on to location data for law enforcement and national security purposes, but one can argue that an SMS service provider has no reasonable need for retaining such data. It certainly appears to fall short of meeting the principle of Privacy by Design and data minimisation.

With data leaking through all manner of means and places, one has to wonder whether existing data privacy legislation goes far enough in protecting the personal data of individuals, particularly with enforcement being so weak.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.