The Prisons and Courts Bill, introduced to Parliament last week, will force UK mobile networks to deploy fake mobile phone masts around the outside of prisons to snoop on mobile phone users.
Provisions in the new bill will allow the Justice Secretary to order networks to deploy so-called “IMSI catchers” to prevent, detect or investigate the use of mobile phones in prisons.
Currently, fake base stations can only be deployed under the legal provisions in the Prisons (Interference with Wireless Telegraphy) Act 2012, which restrict their deployment to within prison walls – and further, only allow prison governors to deploy them.
The new proposals therefore expand the ability of the state to spy on innocent citizens by further co-opting mobile phone companies’ technical abilities.
The Register asked Ofcom, the designated regulator of these things, for comment. It referred us to information about the test deployment of an IMSI catcher at HMP Shotts, Scotland, in 2014. There the device was deployed to detect illegal use of mobile phones by prisoners illicitly communicating with the outside world. Although the IMSI catcher itself was legal, the Scottish Prison Service was very reluctant to talk about its use.
The Interception of Communications Commissioner’s Office (IOCCO) told The Register last year that it was waiting for a request from the Prime Minister to step in and regulate the use of IMSI catchers instead of Ofcom; this has not happened. Instead, IOCCO is effectively being wound up, with some of its functions due to be transferred to a combined Investigatory Powers Commission.
In effect, use of IMSI catchers is unregulated, albeit legal for the state and bodies authorised by the state under the Data Retention and Investigatory Powers Act 2014. It remains illegal for ordinary citizens to use them.
British police forces already own and operate IMSI catchers, though they refuse to talk about them for fear of a public backlash and the inevitable clipping of their wings. Despite this, The Register has previously reported on the purchases of such devices under the accounting euphemism “CCDC”, which stands for “covert communications data capture”.
Back in 2011 one-time Reg correspondent Bill Ray explained how IMSI catchers work:
2G networks only authenticate in one direction – the SIM proves its identity to the network – so creating a fake base station is relatively easy. The GSM standard also allows the base station to ask for an unencrypted connection, essential in countries where strong encryption isn't allowed, so a man-in-the-middle attack is very feasible. Handsets are supposed to provide an on-screen notification when encryption has been disabled, but conformance to that detail is very rare indeed.
But that's to listen in to calls. Tracking people is a good deal easier. Phones broadcast an identifying number (the TIMSI) which can't immediately be linked to an individual but can be used to track movements in an entirely passive way. The lack of identity actually makes the process (legally) easier, as under the current legislation (in 2011) the privacy implications disappear when there's no identity. Private companies such as Path Intelligence do exactly the same thing for shopping malls and suchlike, tracking footfall without knowing (or caring) whose feet are falling.
The police, however, are slightly different in that they can go back to the network operator later and link the TIMSI to a real IMSI. That will generally link to a physical person, who might then have to explain what his/her phone was doing at the time in question.
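The one-directional authentication described in the quoted explanation can be modelled in a few lines. This is an added example, not code from the article or from Bill Ray's piece: HMAC-SHA256 stands in for the operator's algorithms, the key is constructed, and the "mutual" variant is a simplified model of a network proving knowledge of the subscriber key before the handset proceeds.

```python
import hashlib
import hmac
import os

# Constructed 128-bit subscriber key (Ki); shared only by the SIM and the home network.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

def prf(key: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    """HMAC-SHA256 truncated to n bytes; an assumed stand-in for the operator algorithms."""
    return hmac.new(key, label + rand, hashlib.sha256).digest()[:n]

def network_challenge(ki):
    """Build (RAND, network proof). ki=None models a base station that lacks Ki."""
    rand = os.urandom(16)
    key = ki if ki is not None else os.urandom(16)  # without Ki it can only guess
    return rand, prf(key, b"net", rand, 8)

class Sim:
    def __init__(self, ki: bytes):
        self.ki = ki

    def respond_one_way(self, rand: bytes) -> bytes:
        # 2G-style: answer any challenge with SRES; nothing identifies the sender.
        return prf(self.ki, b"sres", rand, 4)

    def respond_mutual(self, rand: bytes, proof: bytes):
        # Mutual: check that the network also knows Ki before answering.
        if not hmac.compare_digest(prf(self.ki, b"net", rand, 8), proof):
            return None  # handset rejects the base station
        return prf(self.ki, b"sres", rand, 4)

def network_accepts_sim(ki: bytes, rand: bytes, sres: bytes) -> bool:
    """The direction 2G does check: the network verifies the SIM's response."""
    return hmac.compare_digest(prf(ki, b"sres", rand, 4), sres)

def handset_attaches(sim: Sim, network_ki, mutual: bool) -> bool:
    """True if the handset proceeds after the challenge from this base station."""
    rand, proof = network_challenge(network_ki)
    resp = sim.respond_mutual(rand, proof) if mutual else sim.respond_one_way(rand)
    return resp is not None

if __name__ == "__main__":
    sim = Sim(KI)
    for label, ki in (("genuine network", KI), ("station without Ki", None)):
        print(label, "| one-way:", handset_attaches(sim, ki, False),
              "| mutual:", handset_attaches(sim, ki, True))
```

In the one-way mode the handset proceeds regardless of who issued the challenge; only the mutual mode gives it grounds to refuse a base station that does not hold Ki.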
The Metropolitan Police in particular has been operating IMSI catchers, along with a covert air wing run through a front company registered to an anonymous mailbox in South London, since at least 2011. The Met’s surveillance aircraft, a twin-engined Cessna Caravan F406 with the registration G-BVJT, is a familiar sight to Londoners. It is thought the aircraft's surveillance fit includes IMSI catchers and live mobile phone tracking and eavesdropping capability. ®