UK To Examine Phone Surveillance In Prisons

The secretive use of IMSI grabbers (a telephone eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users) is set to receive oversight from the UK Interception of Communications Commissioner's Office (IOCCO).

IOCCO is awaiting a formal request from the Prime Minister to provide oversight of the use of mobile phone eavesdropping devices in prisons, its head has confirmed to The Register.

Known as “IMSI grabbers” in the UK but more widely as “IMSI catchers”, the eavesdropping devices pretend to be mobile phone masts as part of a man-in-the-middle attack which forces devices to transmit their International Mobile Subscriber Identity number.

The Register reports that IOCCO has been informally asked to examine the use of these devices, but only in prisons. The office is still awaiting a formal request from the Prime Minister, but has been informally notified of the coming task which will form part of its increased examination of the interception of prisoners' communications.

Matthew Rice, an advocacy officer at Privacy International told The Register that IMSI grabbers were a significant privacy concern, describing the devices as “a particularly intrusive 'dragnet' approach to surveillance. If you're in the wrong place at the wrong time, anyone's mobile phone, email and text communications can be intercepted.”

IMSI grabbers, while a communications interception capability, are not currently part of IOCCO's oversight remit. Instead their use falls under the oversight of the considerably less public Office for Surveillance Commissioners (OSC) which scrutinises covert surveillance in the UK with an equal degree of covertness.

While the use of IMSI grabbers has never been avowed by a police force in the UK, an investigation conducted by Privacy International and Vice, broadcast in a documentary titled Phone Hackers: Britain's Secret Surveillance, seemed to reveal their widespread deployment around London.

Earlier this year, requests made under the Freedom of Information Act by Scottish news outlet The Ferret managed to snag the first confirmation on the use of the devices in the UK. It found that the Scottish Prison Service had deployed IMSI grabbers in a £1.2m pilot project to prevent use of mobile phones in prisons, although it was also revealed that this was only partially successful as prisoners “developed innovative countermeasures” to deal with the devices.

“Recent reports of trials of this technology in prisons is particularly alarming,” Rice stated. “For no other reason than because they happen to live near a prison, innocent members of the public could have their phone details logged or even their services blocked. This is unacceptable.”

Rather than the OSC, IOCCO has been tasked with looking into the use of IMSI grabbers in prisons due to the differences between the two oversight bodies' roles. Use of the devices is permitted in prisons, not under Part II of Regulation of Investigatory Powers Act 2000, which covers covert surveillance, but under the Prisons Interference with Wireless Telegraphy Act 2012.

The OSC oversees covert operations conducted under Part II of RIPA and the Police Act 1997, while IOCCO—which, due to a greater commitment to public engagement spearheaded by Joanna Cavan, who is soon to move to GCHQ - has a broader remit to oversee snooping in other areas, even where such oversight is directed by the Prime Minister and not by statute.

Speaking to journalists ahead of the release of IOCCO's annual report for 2015, which revealed that 86.2 per cent of all items of communications information collected by the State last year were related to telephone communications rather than Internet ones, Cavan said that it was “not enough anymore to be tied to the strict Parliamentary timetable, and to have to wait to lay reports in Parliament, so we're very keen going forward to continue to publish as we go along and put as much out there [as we can].”

Before joining IOCCO, Cavan worked as an interception and digital forensics specialist and appeared as an independent expert witness in forensic telecommunications cases, particularly regarding the location analysis of base transceiver stations (mobile phone masts). As she will join GCHQ's tech help desk in the coming weeks, however, she will not form part of IOCCO's oversight team into the use of IMSI grabbers in prisons.

As noted on page four of IOCCO’s annual report for 2015, the office's additional oversight functions in regards to interception under the Prisons Interference with Wireless Telegraphy Act 2012 will only apply to England and Wales, not interception in Scotland. IOCCO has agreed to undertake this additional oversight “subject to receiving a formal direction from the Prime Minister and some additional resources.”

Privacy International was scathing of the existing oversight regime, telling The Register: “The oversight of the deployment of IMSI catchers in prisons is similar to the oversight of the deployment of IMSI catchers by law enforcement and intelligence agencies: Woeful.”

It is as though the bodies charged with oversight (IOCCO and OSC) were happier to leave their oversight in the dark while the use of the technology became an open secret. Steps taken until now have been disappointing to say the least.

As the surveillance powers available for law enforcement are set to expand, the bodies charged with oversight need to seriously consider whether they have the capacity and the expertise to effectively execute that most important responsibility: Building trust with the public.

Although the Global System for Mobile Communications (GSM) standards were developed by the European Telecommunications Standards Institute (ETSI) as a secure means of wireless communication, the specifications require the mobile device to authenticate itself to the network using its IMSI (International Mobile Subscriber Identity) – but do not require the network to authenticate itself back to the mobile device.

This long-known shortcoming in security has proved difficult to defend against those who seek to spoof the network itself. As mobile devices must maximise signal strength by selecting the base transceiver station which is nearest, IMSI grabbers often lie about their location and thus force devices to communicate with them.

Additionally, once the connection between the base station and mobile device is established it is the base station which selects the encryption mode to be used in that connection, making it possible for a malicious actor to force a mobile device to communicate in plain-text rendering the communications visible to the man-in-the-middle himself.

The Register:
 

« Oliver Stone’s Snowden Film
Cloud-Based Malware Now Delivers Ransomware »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

XenArmor

XenArmor

XenArmor products include NetCertScanner, an enterprise software to scan & manage expired SSL Certificates on your local network or internet.

AMETIC

AMETIC

AMETIC, is the Association of Electronics, Information and Communications Technologies, Telecommunications and Digital Content Companies in Spain.

Versa Networks

Versa Networks

Versa is a software-defined networking vendor providing an end-to-end solution that both simplifies and secures the WAN/branch office network.

EOL IT Services

EOL IT Services

EOL IT Services is the UK’s most accredited provider of IT Asset Disposal (ITAD), Lifecycle Services and Data Destruction.

BTblock

BTblock

Blockchain and cybersecurity is a vital combination for Enterprise success. BTblock is a Force Multiplier for its clients.

ZecOps

ZecOps

ZecOps is a cybersecurity automation company offering solutions for servers, endpoints, mobile devices, and custom devices.

Ukrainian Academy of Cyber Security (UACS)

Ukrainian Academy of Cyber Security (UACS)

UACS is a professional non-profit public organization established to promote the development of an extensive network and ecosystem of education and training in the field of cyber security.

GovernmentCIO

GovernmentCIO

GovernmentCIO was founded with a single purpose: to transform government IT. We are thought leaders in data analytics, machine learning, cybersecurity and IT transformation.

CommandK

CommandK

CommandK provides companies with infrastructure to protect their sensitive data. Built-in solutions to prevent data-leaks and simplify governance.

Safe Decision

Safe Decision

Safe Decision is an information technology company offering Cyber Security, Network, and Infrastructure Services and Solutions.

Blink Ops

Blink Ops

Blink helps security teams streamline everyday workflows and protect your organization better.

Stratascale

Stratascale

Stratascale is a consultant, systems integrator, and technology advisor with expertise in Automation, Cloud Ascension, Cybersecurity, Data Intelligence, and Digital Experience solutions.

Espria

Espria

Espria is a leading independent managed service provider with expertise in Cloud, IT, Communications and Document Solutions.

Getvisibility

Getvisibility

Getvisibility enables customers to detect, classify and protect sensitive information increasing data security, governance, compliance and lowering the risk of losing valuable data.

UltraViolet Cyber

UltraViolet Cyber

UltraViolet is an industry leading tech-enabled managed security services company.

SSL2BUY

SSL2BUY

SSL2BUY is a leading SSL certificate provider, authorized to sell top CA brands like Comodo, DigiCert, GlobalSign, Thawte, GeoTrust and more.