There are certain things you do not want to share with strangers. In my case it was a stream of highly personal text messages from my husband, sent during the early days of our relationship. Etched on my phone's SIM card - but invisible on my current handset and thus forgotten - here they now are, displayed in all their brazen glory on a stranger's computer screen.
I have just walked into a windowless room on an industrial estate in Tamworth, UK, where three cellphone analysts in blue shirts sit at their terminals, scrutinising the contents of my phone and smirking. "If it's any consolation, we would have found them even if you had deleted them," says one. Worse, it seems embarrassing text messages are not the only thing I have to worry about: "Is this a photo of your office?" another asks (the answer is yes). "And did you enjoy your pizza on Monday night? And why did you divert from your normal route to work to visit this address in Camberwell, London, on Saturday?"
I am at DiskLabs, a company that handles cellphone forensic analysis for UK police forces, but also for private companies and individuals snooping on suspect employees or wayward spouses. Armed with four cellphones, which I have begged, borrowed and bought off friends and strangers, I am curious to know just how much personal information can be gleaned from our used handsets and SIM cards. These days, the latest smartphones incorporate GPS, Wi-Fi connectivity and motion sensors. They automatically download your e-mails and appointments from your office computer, and come with the ability to track other individuals in your immediate vicinity. And there is a lot more to come. Among other things, you could be using the next generation of phones to keep tabs on your health, store cash and make small transactions - something that is already happening in east Asia.
"Mobile phones are becoming a bigger part of our lives," says Andy Jones, the head of information security research at British Telecommunications. "We trust and rely on them more. And as we rely on them more, the potential for fraud has got to increase." Aside from the text messages stored on my SIM card, the most detailed personal information that could be gleaned from my handset came from an application called Sports Tracker. It allows users to measure their athletic performance over time and I had been using it to measure how fast I could cycle to work across London. It records distance travelled, fastest speed at different points along the route, changes in altitude, and roughly how many calories I burn off.
But when DiskLabs uploaded this data to their computer and ran it through Google Maps and Street View, they were able to pull up images of the front of my office and my home - with the house number clearly displayed. Sports Tracker also recorded what time I normally leave the house in the morning and when I return from work. "If I wanted more information, then I could just stalk you," says Neil Buck, a senior analyst at DiskLabs.
A phone-based calendar could also leave you vulnerable. Police in the UK have already identified burglaries that were committed after the thief stole a phone and then targeted the individual's home because their calendar said they were away on holiday, says Professor Joe McGeehan, the head of Toshiba's research lab in Europe and leader of a project which recently set UK designers the challenge of trying to make cellphones less attractive to people like hackers and identity thieves.
When Mr Buck looked at my colleague's iPhone, he found two four-digit numbers stored in his address book under the names "M" and "V". A search through his text messages revealed a few from Virgin informing him that a new credit card, ending in a specific number, had just been mailed to him. Buck guessed that "M" and "V" were PIN codes for the Virgin credit card and a Mastercard - and he proved to be correct on both counts.
"Out of context, an individual piece of information such as an SMS is almost meaningless," says Dr Jones. "But when you have a large volume of information - a person's diary for the year, his e-mails, the plans he's building - and you start to put them together, you can make some interesting discoveries." In this way the DiskLabs team also identified my colleague's wife's name, her passport number and its expiry date, and that she banks with Barclays. Ironically, Barclays had contacted her regarding fraud on her card and she had texted this to her husband.
A growing awareness of identity theft means that many people now destroy or wipe computer hard drives before throwing them away, but the same thing is not yet happening with cellphones, says Dr Jones. At the same time, we are recycling ever greater numbers of handsets. According to the market analysts ABI Research, by 2012 over 100 million cellphones will be recycled for reuse each year. Although his team used specialist forensic software to retrieve data from the phones, much of it could be obtained directly from the handsets themselves, or by using simple software of the kind that is sold with a phone. "This was not designed to be a sophisticated attack, it used simple techniques that anyone would have access to," Dr Jones says.
That is bad news, considering that around 20 millions handsets were lost or stolen worldwide in 2008, according to the UK data security specialists Recipero. So how can people go about making their phones more secure? Turning on the security settings is an important first step, says Prof McGeehan, as this may dissuade potential thieves from going to the effort of trying to crack the codes. Then make sure you delete anything you want to keep secret, while bearing in mind that it is often possible to recover it. "I work on the basis that anything I put on there I've got to be prepared for people to see," he says.
As for me, I have taken to deleting potentially incriminating messages as soon as they arrive in my inbox - and reproving the sender in return. I have also passed my old handset to my husband for safekeeping. If those brazen messages must fall into someone else's hands, I'd rather they were the hands of the Don Quixote who composed them than a smirking IT geek in a distant windowless room. www.newscientist.com