UK To Examine Phone Surveillance In Prisons

Uploaded on 2016-09-20 in NEWS-Cybersecurity News, GOVERNMENT-National, GOVERNMENT-Law Enforcement, FREE TO VIEW

The secretive use of IMSI grabbers (a telephone eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users) is set to receive oversight from the UK Interception of Communications Commissioner's Office (IOCCO).

IOCCO is awaiting a formal request from the Prime Minister to provide oversight of the use of mobile phone eavesdropping devices in prisons, its head has confirmed to The Register.

Known as “IMSI grabbers” in the UK but more widely as “IMSI catchers”, the eavesdropping devices pretend to be mobile phone masts as part of a man-in-the-middle attack which forces devices to transmit their International Mobile Subscriber Identity number.

The Register reports that IOCCO has been informally asked to examine the use of these devices, but only in prisons. The office is still awaiting a formal request from the Prime Minister, but has been informally notified of the coming task which will form part of its increased examination of the interception of prisoners' communications.

Matthew Rice, an advocacy officer at Privacy International told The Register that IMSI grabbers were a significant privacy concern, describing the devices as “a particularly intrusive 'dragnet' approach to surveillance. If you're in the wrong place at the wrong time, anyone's mobile phone, email and text communications can be intercepted.”

IMSI grabbers, while a communications interception capability, are not currently part of IOCCO's oversight remit. Instead their use falls under the oversight of the considerably less public Office for Surveillance Commissioners (OSC) which scrutinises covert surveillance in the UK with an equal degree of covertness.

While the use of IMSI grabbers has never been avowed by a police force in the UK, an investigation conducted by Privacy International and Vice, broadcast in a documentary titled Phone Hackers: Britain's Secret Surveillance, seemed to reveal their widespread deployment around London.

Earlier this year, requests made under the Freedom of Information Act by Scottish news outlet The Ferret managed to snag the first confirmation on the use of the devices in the UK. It found that the Scottish Prison Service had deployed IMSI grabbers in a £1.2m pilot project to prevent use of mobile phones in prisons, although it was also revealed that this was only partially successful as prisoners “developed innovative countermeasures” to deal with the devices.

“Recent reports of trials of this technology in prisons is particularly alarming,” Rice stated. “For no other reason than because they happen to live near a prison, innocent members of the public could have their phone details logged or even their services blocked. This is unacceptable.”

Rather than the OSC, IOCCO has been tasked with looking into the use of IMSI grabbers in prisons due to the differences between the two oversight bodies' roles. Use of the devices is permitted in prisons, not under Part II of Regulation of Investigatory Powers Act 2000, which covers covert surveillance, but under the Prisons Interference with Wireless Telegraphy Act 2012.

The OSC oversees covert operations conducted under Part II of RIPA and the Police Act 1997, while IOCCO—which, due to a greater commitment to public engagement spearheaded by Joanna Cavan, who is soon to move to GCHQ - has a broader remit to oversee snooping in other areas, even where such oversight is directed by the Prime Minister and not by statute.

Speaking to journalists ahead of the release of IOCCO's annual report for 2015, which revealed that 86.2 per cent of all items of communications information collected by the State last year were related to telephone communications rather than Internet ones, Cavan said that it was “not enough anymore to be tied to the strict Parliamentary timetable, and to have to wait to lay reports in Parliament, so we're very keen going forward to continue to publish as we go along and put as much out there [as we can].”

Before joining IOCCO, Cavan worked as an interception and digital forensics specialist and appeared as an independent expert witness in forensic telecommunications cases, particularly regarding the location analysis of base transceiver stations (mobile phone masts). As she will join GCHQ's tech help desk in the coming weeks, however, she will not form part of IOCCO's oversight team into the use of IMSI grabbers in prisons.

As noted on page four of IOCCO’s annual report for 2015, the office's additional oversight functions in regards to interception under the Prisons Interference with Wireless Telegraphy Act 2012 will only apply to England and Wales, not interception in Scotland. IOCCO has agreed to undertake this additional oversight “subject to receiving a formal direction from the Prime Minister and some additional resources.”

Privacy International was scathing of the existing oversight regime, telling The Register: “The oversight of the deployment of IMSI catchers in prisons is similar to the oversight of the deployment of IMSI catchers by law enforcement and intelligence agencies: Woeful.”

It is as though the bodies charged with oversight (IOCCO and OSC) were happier to leave their oversight in the dark while the use of the technology became an open secret. Steps taken until now have been disappointing to say the least.

As the surveillance powers available for law enforcement are set to expand, the bodies charged with oversight need to seriously consider whether they have the capacity and the expertise to effectively execute that most important responsibility: Building trust with the public.

Although the Global System for Mobile Communications (GSM) standards were developed by the European Telecommunications Standards Institute (ETSI) as a secure means of wireless communication, the specifications require the mobile device to authenticate itself to the network using its IMSI (International Mobile Subscriber Identity) – but do not require the network to authenticate itself back to the mobile device.

This long-known shortcoming in security has proved difficult to defend against those who seek to spoof the network itself. As mobile devices must maximise signal strength by selecting the base transceiver station which is nearest, IMSI grabbers often lie about their location and thus force devices to communicate with them.

Additionally, once the connection between the base station and mobile device is established it is the base station which selects the encryption mode to be used in that connection, making it possible for a malicious actor to force a mobile device to communicate in plain-text rendering the communications visible to the man-in-the-middle himself.

The Register:
 

« Oliver Stone’s Snowden Film
Cloud-Based Malware Now Delivers Ransomware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Wooxo

Wooxo

Wooxo provides business security and continuity solutions to protect business data for organisation of all sizes.

World Wide Technology (WWT)

World Wide Technology (WWT)

WWT is a technology solution provider in the areas of big data, collaboration, computing and cloud, mobility, networking, security and storage.

Truepic

Truepic

Truepic provides technologies that prevent fraud, identity theft, misinformation, and disinformation caused by generative, manipulated, or deepfake digital content.

Information & eGovernment Authority (iGA) - Bahrain

Information & eGovernment Authority (iGA) - Bahrain

The Information & eGovernment Authority facilitates many services catering to different parts of the community within the IT sector in Bahrain including information security.

Advisera 27001Academy

Advisera 27001Academy

Advisera is a market leader in providing documentation and online support for the implementation of business standards including ISO 27001, ISO 22301 and EU GDPR.

Veritas Technologies

Veritas Technologies

Veritas provide industry-leading solutions that cover all platforms with backup and recovery, business continuity, software-defined storage and information governance.

Industrial Internet Consortium (IIC)

Industrial Internet Consortium (IIC)

The Industrial Internet Consortium is the world's leading organization transforming business and society by accelerating the Industrial Internet of Things (IIoT).

Risk Based Security (RBS)

Risk Based Security (RBS)

Risk Based Security provide the most comprehensive and timely vulnerability intelligence, breach data and risk ratings.

Lewis Brisbois

Lewis Brisbois

Lewis Brisbois offers legal practice in more than 40 specialties, and a multitude of sub-specialties including Data Privacy & Cybersecurity.

Boeing

Boeing

Boeing is the world's largest aerospace company and leading manufacturer of commercial jetliners, defense, space and security systems.

BreachQuest

BreachQuest

BreachQuest brings together cybersecurity experts with decades of experience identifying security flaws, penetrating networks, and responding to incidents.

Strata Identity

Strata Identity

Strata is pioneering identity orchestration to unify on-premises and cloud-based authentication and access systems for consistent identity management in multi-cloud environments.

Infiot

Infiot

Infiot is a pioneer in enabling secure, reliable access with zero trust security, network optimization, edge-intelligence and AI driven operations for all remote users, devices, sites and cloud.

MicroAge

MicroAge

Powered by five decades of experience, lasting partnerships, client relationships, and the values that guide us daily, MicroAge is here to help you secure, accelerate, and transform your business.

Cyber-Security Council Germany

Cyber-Security Council Germany

The German Cyber Security Council's objective is to consult businesses, government agencies and political decision-makers and to support them against cybercrime.

Socura

Socura

Socura helps make the digital world a safer place; changing the way organisations think about cyber security through a dynamic, innovative, and human approach.