Evidence for Investigatory Powers Review
Via email to: email@example.com
This Review must be given access to all of the Regulation of Investigatory Powers Commissioners' Annual Reports, including their Confidential Annexes, if it is to have any public credibility.
GCHQ Tempora - mass surveillance tapping of undersea fibre optic communications cables
- "full take" 3 days
- MetaData / Communications Data 30 days
Mobile Phones have become SmartPhones i.e. also powerful hand held computers connected to the internet and other non-telephony related radio networks like WiFi, BlueTooth, NFC and (listen only) GPS. They can also include physical sensors such as accelerometers and fingerprint readers, which may generate personal data.
You may have read the Spy Blog post with this title.
In the stupid, rush to pass the Data Retention and Investigatory Powers Act, without proper scrutiny, the Home Office and Parliament appear to have legally crippled the Retention of Mobile Phone Location Data, by only including the Start Cell ID and not any Intermediate or End Cell IDs in in the "strict" Schedule of Relevant Communications:
Mobile Phone Call Detail Records / Charging Detail Records both the Cell ID at the Start of a communication and the Cell ID at the End of the mobile phone communication.
Some systems actually record the Start
and End Cell IDs of both the Recipient of a voice call or SMS text
message and that of the Sender if they are also using a mobile phone.
We think therefore, that these new Regulations make it illegal for Mobile Phone Network Operators to hand over the "Cell ID at the End of a communication", or any of the potentially dozens of Intermediate Cell ID locations which a mobile phone on the move is likely to generate between the Start and the End of the communication.
If Spy Blog worked for the Police or the Intelligence Agencies, we would be furious with the Home Office for such legislative bungling, which actually reduces the useful Communications Location data from Mobile Phones, which they have access to at present.
It is also unclear if this error applies to not only 12 month old Retained Communications Data (which the Home Office have never been able to cite a single criminal case where this led to the investigative breakthrough in identifying the criminals c.f. the previous Spy Blog article) but to any demand for Communications Location Data. even narrowly targeted, very recent or real time Location Data demands.
Perhaps the Home Office sophists will try to claim that this is all still somehow covered by the broader 2009 Regulations definitions, but these are repealed by the 2014 Regulations and the new more restricted Schedule in the Provisional Regulations (if passed) must be what "Parliament intended".
N.B. If these "fake mobile phone base stations" are used for "man-in-the-middle" interception attacks, they can and do interfere not just with telephony Voice calls, but also with Data e.g.
· SMS text messages
· Internet IP connectivity which is possible even with "old" tech GSM phones and is certainly so with 3G or 4G SmartPhones or data dongles
i.e. their "legal" use falls foul of the amendments brought in to the Computer Misuse Act 1990 by the Serious Crime Act 2006 which criminalise Denial of Service attacks, even "reckless" ones
Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
3A.Making, supplying or obtaining articles for use in offence under section 1 or 3
These devices also seem to be radio devices operating without a licence on heavily regulated parts of the radio spectrum reserved for the Mobile Phone Network monopolies i.e. their use is an offence under the Wireless Telegraphy Act 2006
The Metropolitan Police have so far refused FOIA requests on the topic of IMSI catchers using the "Neither Confirm Nor Deny" trick
The refusal by the Police to answer any questions about IMSI catchers gives rise to the suspicion that they are being operated illegally, without a proper Licence in contravention of the
Wireless Telegraphy Act 2006
Incredibly the Interception of Communications Commissioner's office claims that IMSI catchers (which can only work by actively intercepting the communications between a Mobile Phone network Base Station and a mobile phone handset) is somehow the responsibility of the
Office of the Chief Surveillance Commissioner
c.f. the twitter thread:
The use and authorisation of such powerful interception and denial of service technologies, which are not operated by the Communications Service Providers but by the Police and others themselves directly, needs to be brought within a revised RIPA.
In the very few, narrowly defined circumstances where these IMSI Catchers need to be used operationally (e.g. in a real time, tactical hunt for suspected Mobile Phone activated explosive devices), then a revised RIPA needs to amend the Computer Misuse Act and the Wireless Telegraphy Act accordingly and there needs to be:
1. Proper, proportionate authorisation, for the Police, intelligence agencies and the UK Military
2. A ban on Foreign (allied) Military or (friendly ?) Intelligence Agency or Police IMSI catcher snooping in the UK unless under the control and responsibility of named UK officials.
3. A Statutory Code of Practice
4. Auditing of every use of IMSI Catchers by a RIPA Commissioner, ideally before they are used, but with the provision for immediate notification after their emergency tactical deployment and use.
5. Reporting on any collateral damage effects e.g. disruption of 999 Emergency Service telephony or the Mobile Phone Internet service of people not being specifically targeted
6. Financial compensation for such disruption
N.B. flying IMSI Catchers in aircraft or drones in secret, like the Metropolitan Police Service appear to do, is not proportionate, even for terrorism investigations.
The SS7 worldwide telecommunications standards allow mobile phone locations to be tracked in secret, from anywhere in the world, with a little cooperation from telecommunications companies.
There are also commercial companies which offer this service.
The RIPA Interception of Communications Commissioners' public Reports do not mention this at all, so the public and Parliament do not know to what extent the Police and Intelligence Agencies and other Public Bodies try to get around or evade the supposed Single Point of Contact (SPoC) system and automated gateways for handling official requests for Communications Data.
The Police in Germany and the Netherlands use the technique of sending "silent SMS pings" to locate target mobile phones, hundreds of thousands of times a year.
It is inconceivable that the UK Police and Intelligence agencies do not do the same.
This is not the same as the RIPA Communications Data record requests for Retained Call Detail Records which are partially audited by the Interception of Communications Commissioner.
The public must assume that this practice is used to evade and circumvent the very narrow RIPA audit criteria used by the Interception of Communications Commissioner, who has never reported on these practices in public.
Technology has moved on since 2000 and there are now millions of Global Positioning Satellite devices in the hands of ordinary consumers, be they dedicated GPS devices for hikers or sportsmen, or in car navigation systems or are built in to various models of SmartPhone etc.
There does not seem to be any laws or regulations which cover the use or abuse of GPS devices or data.
Vehicle attached GPS bugs are used by the Police and by Private Investigators and by jealous ex-spouses, stalkers and other criminals to track their targets or victims.
There is no clarity from the Chief Surveillance Commissioners' public Annual Reports as to how often such devices are used, or if their use is audited at all.
There are no criminal penalties for the abuse of GPS tracking data, which there should be.
SmartPhone Apps can make use of the Accelerometers built in to many models of handset , used primarily to flip the display between portrait and landscape, depending how you orientate the phone.
However they are also used by the health conscious in the form of running or cycling Apps often linked to online maps and to GPS.
The potential for intrusion and tracking of innocent people is illustrated by the aggregated data from one of these Apps which was published in the aftermath of the recent earthquake near San Francisco, which showed thousands of subscribers being woken up early in the morning.
The Police or other investigators must not be allowed to exploit such data without a framework of regulation, which RIPA currently does not provide.
· WiFi MAC addresses tracking
· WiFi Access Point automatic connection attempts
· BlueTooth MAC address tracking
· NFC tracking
· IMSI tracking via Software Defined Radios
These radio based technologies are built in to many models of SmartPhone and they can all be time, date, location tracked and mapped.
e.g. The City of London had to ban the enterprising scheme by Renew London which tracked and mapped (without their explicit prior permission) the MAC addresses and movements of SmartPhone users passing by 200 or so WiFi enabled rubbish / recycling bins
The tracking of SmartPhone handsets using these technologies should not be a "legal grey area", it should be clearly defined by an amended RIPA
Fingerprints are used on some models of Mobile Phones and Laptop Computers as an extra locking mechanism.
Where such biometrics are used they may sometimes be checked against a central data base via data communications protocols. e.g. the Police's own Project Lantern roadside fingerprint scanners
RIPA & DRIPA must be amended to make it very clear that access to any non-telephonic Communications built in to SmartPhone hardware or downloadable software Apps, should not be treated as Communications Data but as Intercept.
Google Glass demonstrates the power of internet connected wearable computers with built in camera , microphone and other sensor technology.
The public rightly objects to the sneaky use of such Body Worn Video for personal privacy and for commercial copyright reasons.
The technology also has the potential for Facial Recognition and Automatic Number Plate Recognition, but RIPA is incapable of dealing with such multi-use technology , especially if the systems are pointed at crowds of people
- is a Direct or Intrusive Surveillance authorisation needed ?
The RIPA Surveillance Commissioners themselves have raised, in more than one Annual Report, the question of whether Directed Surveillance authorisations are required for CCTV traffic cameras and those fitted with Automatic Number Plate Recognition software
RIPA needs to be amended to provide clarity, backed up by legal penalties for misuse, which the powerless (non-RIPA) Surveillance Camera Commissioner does not provide.
Mobile Phone Location Data is immensely privacy intrusive, it is exactly the technology used by the Home Office in electronic tagging of offenders on bail etc.
Some Public Bodies such as Fire and Rescue Services should be allowed to have instant, real time access to Mobile Phone Location Data to locate genuine 999 emergency callers and to try to filter out or alert themselves to fake 999 calls. Fire engine crews all too often come under physical attack, either from bored "ASBOids" or by criminals especially during riots.
However Fire & Rescue Services should not be allowed to have access to the back history of locations which can be revealed by Mobile Phone Location Data, as used by electronic tags etc.
RIPA is currently all or nothing in this regard: either a Public Body has full access to every kind of Communications Data, including Location Data and Friendship Trees or it is restricted to just Subscriber Details or to no access at all.
Communications Data is at least as intrusive / useful as Intercept and sometimes even more so, especially against real criminal or terrorist or spy targets who use pre-arranged verbal codes or rare foreign dialects.
The 2 years in prison criminal penalty for illegal Intercept should also apply to abuse of Communications Data. There must be no automatic exemption from this for Police or Intelligence Agency or Military or other Central or Local Government or other Public Body officials.
The Interception of Communications Commissioner spends considerable time and resources inspecting various Prisons, and so he should.
However there is no statutory basis whatsoever for him to do so under RIPA or DRIPA, it is just mission creep which started when Gordon Brown was Prime Minister.
IoCC inspections of Prisons and Detention Centres should also, by law, report on the numbers of illegal Mobile Phones seized in each Prison and on and on the effectiveness of any visitor and staff body scanners and on any phone jamming systems installed. They should also report on any collateral damage to the surrounding areas, especially regarding emergency 999 calls, which such jamming or shielding may cause.
It is no wonder that there is little or no public confidence in the transparency of the secretive RIPA Commissioners i.e.
Intelligence Services Commissioner
Interception of Communications Commissioner
Chief Surveillance Commissioner
when they are exempt from the Freedom of Information Act, in spite of meeting not just one, but both of the Conditions for listing in Schedule 1 of the FOIA.
There are massive exemptions under FOIA which would allow them to protect any sources and methods which need to remain confidential, but there are plenty of non-sensitive FOIA requests about e.g. their own budget and staff resources etc. and number of complaints dealt with etc. which the public should be allowed to request under FOIA.
The Freedom of Information Act should also apply to the secretive Investigatory Powers Tribunal
Other Government Departments have continued to use or abuse their own Statutory Powers when conducting Investigations.
The most notorious example is the Department for Work and Pensions, which uses the
Social Security Fraud Act 2001 (passed after RIPA)
to gather Communications Data, mostly Subscriber Details, without going through the Single Point of Contact (SpoC) system set up for the Police and other consumers of Communications Data.
They seem to do this out of sheer bureaucratic empire building and to avoid having to pay the small handling fee which the CSPs charge.
It is vital that DWP and others are forced to use RIPA and the hopefully new, better Regulation and Audit scheme which your Review will precipitate.
Amended RIPA should forbid DWP from using the Social Security Fraud Act 2001 and force it to use RIPA instead, as they refuse to do this voluntarily.
Before they were abolished, the Financial Services Authority head was supposed to be "consulted" if a lowly Police Constable threatened the "economic wellbeing of the United Kingdom" (i.e. a threat to National Security) by disproportionately issuing a RIPA section 49 Notice for the secret cryptographic key(s) of say an Internet Bank 's secure web server.
These have thousands or millions of customers whose details would be affected, leading to loss of business confidence, a possible run on the bank and perhaps large scale financial fraud.
This cannot be proportionate, even for a potential mass murder plot terrorism investigation.
The current replacement Financial Regulators, the Financial Conduct Authority and the Prudential Regulation Authority should be formally given a role and a veto in such RIPA Part III section 49 Notices aimed at regulated financial institutions.
Astonishingly, the RIPA Commissioners' Reports, where they do deal with
RIPA Part III Investigation of electronic data protected by encryption etc.
never seem to be able to compile up to date figures for the (rare) use of this power, there is always some delay or the Prosecution or the Court system does not pass on the details in time etc.
This is not the way to instil public trust in the RIPA system.
All the RIPA Commissioners should publish running totals monthly of their statistics, on their public websites, which they can then revise if necessary, just like the Financial Regulators do.
Your Review should take expert evidence about the RIPA section 49 secrecy powers and the section 54 Tipping Off offences
and the implications of the extension of territoriality brought in by the rushed "emergency" DRIPA legislation, which do not seem to me to be limited to just RIPA Part 1, but also apply to RIPA Part III Encryption keys.
Foreign companies, especially those in the USA , may operate a Warrant Canary
RIPA / DRIPA needs to provide legal clarity as to the legality of this in the UK or else we will suffer economic damage.