Court papers indicate text messages from HMRC's 60886 number could snoop on Brit taxpayers' locations
Bitter contract dispute revealed HLR lookup capability baked into agreement
Exclusive Britain's tax collection agency asked a contractor to use the SS7 mobile phone signalling protocol that would make available location data of alleged tax defaulters, a High Court lawsuit has revealed.
Her Majesty's Revenue and Customs had the potential to use SS7 to silently request that tax debtors' mobile phones give up location data over the past six years, according to papers filed in an obscure court case about a contract dispute.
SMS provider MMGRP Ltd, operators of HMRC's former 60886 text messaging service, filed a suit against the tax agency after losing the contract to send text messages on its behalf. Court documents obtained by The Register show that the secret surveillance capability was baked into otherwise mundane bulk SMS sending carried out by MMGRP Ltd.
The tax collection agency, which has the power to retrospectively change laws, had been using SMS reminder messages as an enforcement tool.
We asked HMRC for comment, posing a series of questions including how long had it used HLR look-up techniques against taxpayers; did HMRC obtain necessary warrants to carry out HLR lookups and, if so, under what legislation and from which courts; how many times it had used this technique; under what circumstances it was deployed; and is the capability present in a contract with its new supplier.
In response, the Brit tax collection agency admitted to using home location register (HLR) checks, although it maintained: "HLR checks were used solely to check if a customer's phone number was still active before sending a SMS message."
What the papers say
The since-settled lawsuit over an alleged breach of public procurement laws was filed by the company which operated HMRC's former 60886 SMS sender number and brought the HMRC surveillance powers to light.
MMGRP sued the HMRC last summer alleging breach of public contract regulations after the tax authority awarded a multi-million pound deal to one of MMGRP's rivals in March.
Particulars of claim filed in the High Court in July last year by the SMS provider said:
As part of the Existing Services, the Claimant also provides home location register ("HLR") services (the "HLR Services"). These allow for the screening of bad or dead numbers (i.e. ones which are incorrect or no longer used) and thus their exclusion from any transmissions.
The document also said the agency had asked for the capability of doing more than merely verifying that tax demands sent by text had been delivered, quoting the contract between the pair as requiring, under "Existing Services":
Location and service provider information associated with the recipient. This could be as little as the network provider of recipient (which would save us a stage in our investigative processes thanks to numbers being ported between networks). It could go as far as the location details of the recipient handset when the SMS delivery route is queried via the C7 or SS7 signalling protocol. The provision of SMS services will not be over the PSN.
In its defence document filed a month later, on 19 August last year, HMRC's legal team admitted that part of MMGRP's case, meaning they did not contest its truth.
The Reg wonders why HMRC did not dispute this in the legal papers, and why the capability was baked into the contract if the tax collector was not going to use it.
Describing the contract outlined in the lawsuit as "slightly odd", Professor Alan Woodward, the University of Surrey-based compsci expert, told The Register: "I can see how this might be required if HMRC must later prove that a letter was received and read in a specific jurisdiction. Someone they are taking to court might claim they never received it or that it had no effect where they were when they were served with some form of formal notice."
He added: "As with other powers, provided there is suitable legislation, oversight and transparency then it may have a place in chasing some of the tax evaders."
GSM security expert Tobias Engel told The Register this location-finding service looked like a natural bolt-on to the SMS systems MMGRP was providing to HMRC, characterising it as a fairly routine service feature.
- You might want to consider the cost of not upgrading legacy tech, UK's Department for Work and Pensions told
- HMRC tool for measuring IR35 status is so great, employers are ditching it in their droves
- UK taxman breathes life into old relationship as Capgemini handed £51m deal extension
- Hauliers report problems with post-Brexit customs system but HMRC insists it is 'online and working as planned'
"A few years back this was still very easy," said Engel, "since getting SMS routing information (the infamous so-called 'HLR lookup') already revealed a coarse location of the phone, and that same routing information could then be used to query the network for a more precise location."
How does it work?
Signalling System Number 7 (SS7) is the signalling protocol used by mobile phone networks to route Short Messaging Service (SMS) messages.
Using SS7 to detect where messages were received is relatively simple. In essence SS7 tells mobile networks where to send messages based on which mast a particular phone number was last connected to. A register of those connections is kept and can be queried.
Thus the technique is called Home Location Register (HLR) lookup. Commands exist for querying a network's HLR for a particular Mobile Station Integrated Services Digital Network number (MSISDN, or "phone number" to you and I). If you know the location of a mast where that MSISDN was last connected, you've got a radius of where the phone could be located. Cross-referencing that radius with multiple masts helps triangulate a specific phone, and thus its user.
This is the data used by police forces and others to locate criminals by tracking their mobile phones.
Bitter contract dispute
MMGRP's lawsuit came about after HMRC had repeatedly extended the contract following its original expiry date of July 2020.
HMRC leaned heavily on the SMS provider for those short-duration extensions, raising the spectre of "reputational damage to HMRC, to outer [sic] Government Departments who utilise the service and ultimately to [MMG] as a provider" if the company didn't agree.
For its part, MMGRP admitted that director Daniel Layton, "in the heat of the moment" threatened to shut off HMRC's SMS services altogether when the tax authority told him it was awarding the contract to another company instead of renewing at the end of its existing term in early 2021.
"Mr Layton rapidly withdrew that threat," the company's particulars of claim added.
Ultimately the service was awarded to rival business IMImobile after lots of short-term extensions with MMGRP.
MMRGP owns the old HMRC 60886 SMS shortcode, which is why taxpayers are no longer advised to look out for messages from that number.
The court case has since been settled. HMRC does not say on its website that it makes use of HLR technology to identify taxpayers' locations - but does list a range of ways in which it might try to contact them. ®