UK To Examine Phone Surveillance In Prisons

Uploaded on 2016-09-20 in NEWS-Cybersecurity News, GOVERNMENT-National, GOVERNMENT-Law Enforcement, FREE TO VIEW

The secretive use of IMSI grabbers (a telephone eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users) is set to receive oversight from the UK Interception of Communications Commissioner's Office (IOCCO).

IOCCO is awaiting a formal request from the Prime Minister to provide oversight of the use of mobile phone eavesdropping devices in prisons, its head has confirmed to The Register.

Known as “IMSI grabbers” in the UK but more widely as “IMSI catchers”, the eavesdropping devices pretend to be mobile phone masts as part of a man-in-the-middle attack which forces devices to transmit their International Mobile Subscriber Identity number.

The Register reports that IOCCO has been informally asked to examine the use of these devices, but only in prisons. The office is still awaiting a formal request from the Prime Minister, but has been informally notified of the coming task which will form part of its increased examination of the interception of prisoners' communications.

Matthew Rice, an advocacy officer at Privacy International told The Register that IMSI grabbers were a significant privacy concern, describing the devices as “a particularly intrusive 'dragnet' approach to surveillance. If you're in the wrong place at the wrong time, anyone's mobile phone, email and text communications can be intercepted.”

IMSI grabbers, while a communications interception capability, are not currently part of IOCCO's oversight remit. Instead their use falls under the oversight of the considerably less public Office for Surveillance Commissioners (OSC) which scrutinises covert surveillance in the UK with an equal degree of covertness.

While the use of IMSI grabbers has never been avowed by a police force in the UK, an investigation conducted by Privacy International and Vice, broadcast in a documentary titled Phone Hackers: Britain's Secret Surveillance, seemed to reveal their widespread deployment around London.

Earlier this year, requests made under the Freedom of Information Act by Scottish news outlet The Ferret managed to snag the first confirmation on the use of the devices in the UK. It found that the Scottish Prison Service had deployed IMSI grabbers in a £1.2m pilot project to prevent use of mobile phones in prisons, although it was also revealed that this was only partially successful as prisoners “developed innovative countermeasures” to deal with the devices.

“Recent reports of trials of this technology in prisons is particularly alarming,” Rice stated. “For no other reason than because they happen to live near a prison, innocent members of the public could have their phone details logged or even their services blocked. This is unacceptable.”

Rather than the OSC, IOCCO has been tasked with looking into the use of IMSI grabbers in prisons due to the differences between the two oversight bodies' roles. Use of the devices is permitted in prisons, not under Part II of Regulation of Investigatory Powers Act 2000, which covers covert surveillance, but under the Prisons Interference with Wireless Telegraphy Act 2012.

The OSC oversees covert operations conducted under Part II of RIPA and the Police Act 1997, while IOCCO—which, due to a greater commitment to public engagement spearheaded by Joanna Cavan, who is soon to move to GCHQ - has a broader remit to oversee snooping in other areas, even where such oversight is directed by the Prime Minister and not by statute.

Speaking to journalists ahead of the release of IOCCO's annual report for 2015, which revealed that 86.2 per cent of all items of communications information collected by the State last year were related to telephone communications rather than Internet ones, Cavan said that it was “not enough anymore to be tied to the strict Parliamentary timetable, and to have to wait to lay reports in Parliament, so we're very keen going forward to continue to publish as we go along and put as much out there [as we can].”

Before joining IOCCO, Cavan worked as an interception and digital forensics specialist and appeared as an independent expert witness in forensic telecommunications cases, particularly regarding the location analysis of base transceiver stations (mobile phone masts). As she will join GCHQ's tech help desk in the coming weeks, however, she will not form part of IOCCO's oversight team into the use of IMSI grabbers in prisons.

As noted on page four of IOCCO’s annual report for 2015, the office's additional oversight functions in regards to interception under the Prisons Interference with Wireless Telegraphy Act 2012 will only apply to England and Wales, not interception in Scotland. IOCCO has agreed to undertake this additional oversight “subject to receiving a formal direction from the Prime Minister and some additional resources.”

Privacy International was scathing of the existing oversight regime, telling The Register: “The oversight of the deployment of IMSI catchers in prisons is similar to the oversight of the deployment of IMSI catchers by law enforcement and intelligence agencies: Woeful.”

It is as though the bodies charged with oversight (IOCCO and OSC) were happier to leave their oversight in the dark while the use of the technology became an open secret. Steps taken until now have been disappointing to say the least.

As the surveillance powers available for law enforcement are set to expand, the bodies charged with oversight need to seriously consider whether they have the capacity and the expertise to effectively execute that most important responsibility: Building trust with the public.

Although the Global System for Mobile Communications (GSM) standards were developed by the European Telecommunications Standards Institute (ETSI) as a secure means of wireless communication, the specifications require the mobile device to authenticate itself to the network using its IMSI (International Mobile Subscriber Identity) – but do not require the network to authenticate itself back to the mobile device.

This long-known shortcoming in security has proved difficult to defend against those who seek to spoof the network itself. As mobile devices must maximise signal strength by selecting the base transceiver station which is nearest, IMSI grabbers often lie about their location and thus force devices to communicate with them.

Additionally, once the connection between the base station and mobile device is established it is the base station which selects the encryption mode to be used in that connection, making it possible for a malicious actor to force a mobile device to communicate in plain-text rendering the communications visible to the man-in-the-middle himself.

The Register:
 

« Oliver Stone’s Snowden Film
Cloud-Based Malware Now Delivers Ransomware »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Applicure Technologies

Applicure Technologies

Applicure Technologies develops the leading multi-platform web application security software products to protect web sites and web applications from external and internal attacks.

Clearwater Security & Compliance

Clearwater Security & Compliance

Clearwater Compliance specialize in Privacy, Security, Compliance and Risk Management Solutions for Health Care, Law Firms and other businesses.

CyberSmart

CyberSmart

CyberSmart is a platform that allows you to maintain compliance, achieve certification and secure your organisation.

Sentia

Sentia

Sentia is an IT and infrastructure firm, with focus on Outsourcing, IT operation and management, Hosting, Co-location, Network, and IT security.

Computer Forensic Services

Computer Forensic Services

Computer Forensic Services are digital evidence specialists. Practice areas include Information Security, e-Discovery, Law Enforcement Support and Litigation.

Jobsora

Jobsora

Jobsora is an innovative job search platform in the UK and more than 35 other countries around the world. Sectors covered include IT and cybersecurity.

Insight Partners

Insight Partners

Insight Partners is a leading global private equity and venture capital firm investing in growth-stage technology, software and Internet businesses.

Business Hive Vilnius (BHV)

Business Hive Vilnius (BHV)

BHV is one of the oldest startup incubator and technology hubs in the Baltics, primarily focused on hardware, security, blockchain, AI, fintech and enterprise software.

AaDya

AaDya

AaDya provide smart, simple, affordable and effective cybersecurity software solutions for small and medium businesses.

Netpoleon Group

Netpoleon Group

Netpoleon is a leading provider of integrated security, networking solutions and value added services.

Realsec

Realsec

RealSec is an international company and is a developer of encryption and digital signature systems and Blockchain for the Banking and Methods of Payment sectors, Government and Defense and Multisector

Shield Capital

Shield Capital

Shield Capital helps founders build frontier solutions in cybersecurity, artificial intelligence, space & autonomy for commercial and government enterprises.

CyberconIQ

CyberconIQ

CyberconIQ provide an integrated Human Defense Platform that reduces the probability and/or the cost of a cybersecurity breach by measurably improving our clients risk posture and compliance culture.

CyberUp

CyberUp

CyberUp is a nonprofit organization created to strengthen the cybersecurity workforce. We help employers reimagine how they grow and scale their cybersecurity workforce.

NoviFlow

NoviFlow

NoviFlow is a leading provider of terabit networking software solutions for Communication Service Providers (CSPs).

Anjolen

Anjolen

Anjolen provides expertise in cybersecurity, compliance and cyber forensic services.