New prison law will let UK mobile networks deploy IMSI catchers

Walked past a jail? Expect to become a crime suspect

By Gareth Corfield


The Prisons and Courts Bill, introduced to Parliament last week, will force UK mobile networks to deploy fake mobile phone masts around the outside of prisons to snoop on mobile phone users.

Provisions in the new bill will allow the Justice Secretary to order networks to deploy so-called “IMSI catchers” to prevent, detect or investigate the use of mobile phones in prisons.

Currently fake base stations can only be deployed under the legal provisions in the Prisons (Interference with Wireless Telegraphy) Act 2012, which restrict their deployment to within prison walls – and further, only allows prison governors to deploy them.

The new proposals therefore expand the ability of the state to spy on innocent citizens by further co-opting mobile phone companies’ technical abilities.

Clause 21 of the new bill, along with its schedule 4, will amend the P(IWT) Act to allow the Justice Secretary to authorise “interference with wireless telegraphy”.

The Register asked Ofcom, the designated regulator of these things, for comment. It referred us to information about the test deployment of an IMSI catcher at HMP Shotts, Scotland, in 2014. There the device was deployed to detect illegal use of mobile phones by prisoners illicitly communicating with the outside world. Although the IMSI catcher itself was legal, the Scottish Prison Service was very reluctant to talk about its use.

The Interception of Communications Commissioner’s Office (IOCCO) told The Register last year that it was waiting for a request from the Prime Minister to step in and regulate the use of IMSI catchers instead of Ofcom, this has not happened. Instead IOCCO is effectively being wound up, with some of its functions due to be transferred to a combined Investigatory Powers Commission.

In effect, use of IMSI catchers is effectively unregulated, albeit legal for the state and bodies authorised by the state under the Data Retention and Investigatory Powers Act 2014. It remains illegal for ordinary citizens to use them.

British police forces already own and operate IMSI catchers, though they refuse to talk about them for fear of a public backlash and the inevitable clipping of their wings. Despite this, The Register has previously reported on the purchases of such devices under the accounting euphemism “CCDC”, which stands for “covert communications data capture”.

Back in 2011 one-time Reg correspondent Bill Ray explained how IMSI catchers work:

2G networks only authenticate in one direction – the SIM proves its identity to the network – so creating a fake base station is relatively easy. The GSM standard also allows the base station to ask for an unencrypted connection, essential in countries where strong encryption isn't allowed, so a man-in-the-middle attack is very feasible. Handsets are supposed to provide an on-screen notification when encryption has been disabled, but conformance to that detail is very rare indeed.

But that's to listen in to calls. Tracking people is a good deal easier. Phones broadcast an identifying number (the TIMSI) which can't immediately be linked to an individual but can be used to track movements in an entirely passive way. The lack of identity actually makes the process (legally) easier, as under the current legislation (in 2011) the privacy implications disappear when there's no identity. Private companies such as Path Intelligence do exactly the same thing for shopping malls and suchlike, tracking footfall without knowing (or caring) whose feet are falling.

The police, however, are slightly different in that they can go back to the network operator later and link the TIMSI to a real IMSI. That will generally link to a physical person, who might then have to explain what his/her phone was doing at the time in question.

The Metropolitan Police in particular has been operating IMSI catchers, along with a covert air wing run through a front company registered to an anonymous mailbox in South London, since at least 2011. The Met’s surveillance aircraft, a twin-engined Cessna Caravan F406 with the registration G-BVJT, is a familiar sight to Londoners. It is thought the aircraft's surveillance fit includes IMSI catchers and live mobile phone tracking and eavesdropping capability. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

After all that! Ofcom proposes BT as only broadband universal services provider for whole of UK (except Hull)

Just 8 telcos applied, most didn't meet critera

Ofcom asks networks, ISPs: Hey, wouldn't it be nice if you let customers know the best deal once their contract's up?

You know, they've paid for the phone a few times over now...

Vodafone sues Ofcom to reclaim 'overpaid' mobe spectrum fees

EE set it up, now Voda's shooting for goal

Openreach v Ofcom dark fibre legal bill bounced back to Competition Appeal Tribunal

Court of Appeal rules it's wrong to assume regulator should pony up for cases it loses

UK comms watchdog Ofcom pokes probe into Vodafone and EE over network coverage numbers

One may have said too much, one may have said too little

Ofcom: More spectrum for all the good boys and girls. Except you, EE. You've had your fill

UK mobile networks had better open their wallets

Defence of the Dark Fibre Arts: Ofcom delays plans to force BT to open its network

None of the ISPs wanted the 'remedy'

Ofcom gives six operators green light to bid for spectrum

Includes Hull-based Connexin and US subsidiary Airspan

Making calls? Ha, not what most peeps use phone for – Ofcom

Scrolling Twitter more important than phoning home or anywhere else

Ofcom to probe Three and Vodafone over network throttling

Telcos may have breached EU net neutrality rules