UK To Examine Phone Surveillance In Prisons

Uploaded on 2016-09-20 in NEWS-Cybersecurity News, GOVERNMENT-National, GOVERNMENT-Law Enforcement, FREE TO VIEW

The secretive use of IMSI grabbers (a telephone eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users) is set to receive oversight from the UK Interception of Communications Commissioner's Office (IOCCO).

IOCCO is awaiting a formal request from the Prime Minister to provide oversight of the use of mobile phone eavesdropping devices in prisons, its head has confirmed to The Register.

Known as “IMSI grabbers” in the UK but more widely as “IMSI catchers”, the eavesdropping devices pretend to be mobile phone masts as part of a man-in-the-middle attack which forces devices to transmit their International Mobile Subscriber Identity number.

The Register reports that IOCCO has been informally asked to examine the use of these devices, but only in prisons. The office is still awaiting a formal request from the Prime Minister, but has been informally notified of the coming task which will form part of its increased examination of the interception of prisoners' communications.

Matthew Rice, an advocacy officer at Privacy International told The Register that IMSI grabbers were a significant privacy concern, describing the devices as “a particularly intrusive 'dragnet' approach to surveillance. If you're in the wrong place at the wrong time, anyone's mobile phone, email and text communications can be intercepted.”

IMSI grabbers, while a communications interception capability, are not currently part of IOCCO's oversight remit. Instead their use falls under the oversight of the considerably less public Office for Surveillance Commissioners (OSC) which scrutinises covert surveillance in the UK with an equal degree of covertness.

While the use of IMSI grabbers has never been avowed by a police force in the UK, an investigation conducted by Privacy International and Vice, broadcast in a documentary titled Phone Hackers: Britain's Secret Surveillance, seemed to reveal their widespread deployment around London.

Earlier this year, requests made under the Freedom of Information Act by Scottish news outlet The Ferret managed to snag the first confirmation on the use of the devices in the UK. It found that the Scottish Prison Service had deployed IMSI grabbers in a £1.2m pilot project to prevent use of mobile phones in prisons, although it was also revealed that this was only partially successful as prisoners “developed innovative countermeasures” to deal with the devices.

“Recent reports of trials of this technology in prisons is particularly alarming,” Rice stated. “For no other reason than because they happen to live near a prison, innocent members of the public could have their phone details logged or even their services blocked. This is unacceptable.”

Rather than the OSC, IOCCO has been tasked with looking into the use of IMSI grabbers in prisons due to the differences between the two oversight bodies' roles. Use of the devices is permitted in prisons, not under Part II of Regulation of Investigatory Powers Act 2000, which covers covert surveillance, but under the Prisons Interference with Wireless Telegraphy Act 2012.

The OSC oversees covert operations conducted under Part II of RIPA and the Police Act 1997, while IOCCO—which, due to a greater commitment to public engagement spearheaded by Joanna Cavan, who is soon to move to GCHQ - has a broader remit to oversee snooping in other areas, even where such oversight is directed by the Prime Minister and not by statute.

Speaking to journalists ahead of the release of IOCCO's annual report for 2015, which revealed that 86.2 per cent of all items of communications information collected by the State last year were related to telephone communications rather than Internet ones, Cavan said that it was “not enough anymore to be tied to the strict Parliamentary timetable, and to have to wait to lay reports in Parliament, so we're very keen going forward to continue to publish as we go along and put as much out there [as we can].”

Before joining IOCCO, Cavan worked as an interception and digital forensics specialist and appeared as an independent expert witness in forensic telecommunications cases, particularly regarding the location analysis of base transceiver stations (mobile phone masts). As she will join GCHQ's tech help desk in the coming weeks, however, she will not form part of IOCCO's oversight team into the use of IMSI grabbers in prisons.

As noted on page four of IOCCO’s annual report for 2015, the office's additional oversight functions in regards to interception under the Prisons Interference with Wireless Telegraphy Act 2012 will only apply to England and Wales, not interception in Scotland. IOCCO has agreed to undertake this additional oversight “subject to receiving a formal direction from the Prime Minister and some additional resources.”

Privacy International was scathing of the existing oversight regime, telling The Register: “The oversight of the deployment of IMSI catchers in prisons is similar to the oversight of the deployment of IMSI catchers by law enforcement and intelligence agencies: Woeful.”

It is as though the bodies charged with oversight (IOCCO and OSC) were happier to leave their oversight in the dark while the use of the technology became an open secret. Steps taken until now have been disappointing to say the least.

As the surveillance powers available for law enforcement are set to expand, the bodies charged with oversight need to seriously consider whether they have the capacity and the expertise to effectively execute that most important responsibility: Building trust with the public.

Although the Global System for Mobile Communications (GSM) standards were developed by the European Telecommunications Standards Institute (ETSI) as a secure means of wireless communication, the specifications require the mobile device to authenticate itself to the network using its IMSI (International Mobile Subscriber Identity) – but do not require the network to authenticate itself back to the mobile device.

This long-known shortcoming in security has proved difficult to defend against those who seek to spoof the network itself. As mobile devices must maximise signal strength by selecting the base transceiver station which is nearest, IMSI grabbers often lie about their location and thus force devices to communicate with them.

Additionally, once the connection between the base station and mobile device is established it is the base station which selects the encryption mode to be used in that connection, making it possible for a malicious actor to force a mobile device to communicate in plain-text rendering the communications visible to the man-in-the-middle himself.

The Register:
 

« Oliver Stone’s Snowden Film
Cloud-Based Malware Now Delivers Ransomware »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Security Magazine

Security Magazine

Security, the business magazine for security executives, focuses on management issues facing top security professionals and effective solutions being employed, both physical and cyber.

CERT.hr

CERT.hr

CERT.hr is the national authority competent for prevention and protection from computer threats to public information systems in the Republic of Croatia.

Openminded (OPMD)

Openminded (OPMD)

Openminded is a French security and network services company.

Advanced Software Products Group (ASPG)

Advanced Software Products Group (ASPG)

ASPG offers a wide range of innovative mainframe software solutions for Data Security, Access Management, System Management and CICS productivity.

Caretower

Caretower

Caretower is one of Europe’s leading value added managed service provider in cyber security.

Datec PNG

Datec PNG

Datec is the the largest end-to-end information and communications technology solutions and services provider in Papua New Guinea.

Charities Security Forum (CSF)

Charities Security Forum (CSF)

The Charities Security Forum is the premier membership group for information security people working for charities and not-for-profits in the UK.

Jobsite

Jobsite

Jobsite is an award winning job board in the UK providing job listings in the key sectors of IT, Engineering and Finance.

CornerStone

CornerStone

CornerStone is an award winning, independent risk, cyber and security consulting firm providing a range of Risk Management, Security Design and Implementation Management Services.

DESCERT

DESCERT

DESCERT offers you an extended IT, cyber security, risk advisory & compliance audit team which provides strategic guidance, engineering and audit services.

OneCollab

OneCollab

OneCollab, your unwavering ally in the dynamic landscape of IT services and cybersecurity.

NoviFlow

NoviFlow

NoviFlow is a leading provider of terabit networking software solutions for Communication Service Providers (CSPs).

CyberSalus

CyberSalus

CyberSalus is a pioneering cyber tech services company dedicated to protecting the digital integrity of healthcare organizations.

Vorlon

Vorlon

Vorlon's agentless patent-pending solution facilitates risk profiling of apps, and provides AI-driven behavioral analytics with response recommendations.

TeamT5

TeamT5

TeamT5 Inc. is a leading cybersecurity company dedicated to cyber threat research and solutions.

NetSentries Technologies

NetSentries Technologies

NetSentries provide smart cybersecurity solutions and services to protect Governments, Enterprise and Individuals from threats through a comprehensive range of protocols, products and services.