UK Home Office spy powers unit pretended it was a private citizen in Ofcom consultation
Civil servants belatedly nixed PDF metadata
Exclusive: The UK Home Office's Investigatory Powers Unit (HOIPU) anonymously responded to an Ofcom consultation urging the regulator to maintain a "security"-related ban on GSM devices that help people get cheap calls abroad.
The HOIPU sent its anonymous response, written as if it came from a private citizen and not a government department, to the telecoms regulator's recent review of Commercial Multi-User Gateways (COMUGs).
"I thought it would be helpful to set out a couple of practical examples in which the use of COMUGs or GSM gateways could endanger the safety of life," wrote the author of the HOIPU's response.
A newer version of the HOIPU response, re-uploaded to Ofcom's website, has since been stripped of almost all metadata – but enough remains to identify the HOIPU as the creator. Its author appears to be a Matthew Dine.
The Home Office has admitted the anonymous response came from its Investigatory Powers Unit and suggested that its anonymity was a mere admin error. It had not answered El Reg's questions about why the HOIPU pretended to be an anonymous private citizen by the time of publication.
[Image: PDF metadata from the Home Office Investigatory Powers Unit’s original submission (left) and the metadata from the latest version (right). Note the "creation date" timestamp on both.]
In the response (PDF), Dine wrote: "When a call is routed through a COMUG or a GSM Gateway, the originating caller's telephone number and location are not forwarded by the GSM gateway and, instead, are replaced by the number and location of the SIM card in the GSM gateway through which the call is routed. This means that the use of a COMUG or GSM gateway would make it almost impossible for the communications data of a call and caller to be ascertained."
Dine also repeated the usual arguments in favour of using call metadata in criminal investigations, all but saying "think of the children". He concluded, without providing any technical evidence, that COMUGs could not be operated in a way "which would allow law enforcement and public authorities to continue to use the information" – thus calling for the ban to stay in force.
What are COMUGs, or GSM gateways?
COMUGs are banks of mobile phone SIM cards that forward calls made to them. Users ring the gateway via a published phone number and then dial the number they actually want to call – usually an overseas one – in order to save money by not dialling direct.
Multi-user gateways were banned in the early 2000s by Ofcom, with the support of irate mobile operators, on the grounds they were a threat to national security because the caller's identity was not forwarded through the gateway. The legal method of banning them was to require them to be licensed and then not issue any licences. Ofcom was consulting on whether to exempt COMUGs from the licensing requirement.
Last year Ofcom legalised the use of commercial single-user gateways (COSUGs), which work on the same principle but only have one corporate customer.
Mobile operators at home and abroad see COMUGs as devices operated by unscrupulous scammers determined to diddle them out of revenue, as this 2011 Reg story explains. At the time of the ban mobile operators said that COMUGs hog available channels on nearby base stations and block out genuine consumers. ®
The Home Office responds
Below is the Home Office's statement to The Register:
The claim in this article that the Home Office ‘pretended’ it was a private citizen in the Ofcom consultation response is entirely inaccurate.
The Home Office formally responded to Ofcom’s consultation on GSM gateways, given the significant risks the use of this technology could pose. As soon as the error that caused the Home Office’s response to be anonymised was pointed out, the Home Office immediately contacted Ofcom to ask them to make clear that this response had come from the Home Office.
It is entirely appropriate that the Government should point out to the regulator the dangers of this technology and at no point did the Home Office seek to hide the fact that it was responding to this consultation.
The Home Office also insisted, via multiple phone calls over the past week, that we remove Matthew Dine's name on the grounds that he is "too junior to be named."