€5,000 to compromise Ireland's mobile phone infrastructure

The 'GSOC saga' began a number of weeks ago with the revelation that the oversight body of the Irish police force, the Garda Siochana Ombudsman Commission (GSOC), may have been the target of sophisticated electronic surveillance. A security company, Verrimus, found that there was evidence that an IMSI Catcher device may have been deployed in the vicinity of GSOC's offices which could have intercepted all mobile phone communications of its officers and anyone visiting the offices. Following the appointment of a retired judge to inquire into this matter, the Minister responsible for the Irish police force and its oversight body, Alan Shatter, appeared before a parliamentary committee on 19 February 2014 to answer questions about the issue.

Unfortunately, rather than clarifying what is known to have occurred at the GSOC building, the Minister generated more uncertainty and also raised a number of further problems. During his evidence to the committee, the Minister made some stark admissions regarding the integrity and security of the Irish mobile phone infrastructure.

Not only available to government

The first of Minister Shatter's revelations was that under Irish law, IMSI Catchers may be lawfully available to anyone who wishes to procure one:

"There was a reference quite clearly in the security firm’s report to a device that allegedly is said only governments can acquire. You might recall Simon O’Brien he said something to the committee which was similar to what was said to me which ... he wasn’t convinced in fact that this was kit governments could only acquire, it might be kit that in law governments can only acquire, by the way I am not sure that’s necessarily right either, or that he didn’t accept [that] as a serious statement from his own security firm which is why I didn’t particularly highlight it." [emphasis added]

It is a remarkable admission that there is uncertainty around the legal regime in place for one of the most invasive mass surveillance devices available at the moment. One would have to ask what restrictions, if any, are in place in Ireland, given that the Irish Minister for Justice does not know whether a technology that can track up to 1,500 mobile phone users per minute in at least a 1Km radius can be acquired under Irish law by any individual or company.

€5,000 to compromise Ireland's mobile phone infrastructure

The second revelation was that the Minister was now aware of how cheaply someone could compromise the Irish mobile phone system with such a device:

"The equipment that security firm said can’t be acquired other than by governments is identifiable on the web for acquisition, costs about €5000 to acquire it … I am advised that the security firm Rits who looked at this have advised that it isn’t correct to say that this technology that can only be acquired by governments." [emphasis added]

The ramifications for mobile phone privacy in Ireland of the Minister's statement are quite serious. If what the Minister says is indeed true, then any business with €5,000 to spend can put any of their competitors within at least a 1Km range under surveillance. It also has serious ramifications for the secure administration of State agencies using mobile phones. As pointed out during the questioning of the Minister, these devices are designed to operate stealthily so the victims are not aware of the surveillance and it is difficult to detect.

Admission of open access

The final statement by the Minister sums up the current situation in Ireland at the moment in respect of Irelands mobile phone infrastructure:

"We all have these modern gizmos and the reality is they are extraordinarily vulnerable to any individual who may want to access be it what you're saying on the telephone or if you are using email or text on the phone." [emphasis added]

In light of these admissions by a government minister, and particularly the Minister of Justice, the Irish public needs to know what the Irish government is doing to protect individuals, businesses and State agencies in Ireland from being placed under surveillance.

Clarification

In order to seek clarification on this matter, Privacy International has written to the Ireland's Minister responsible for communications, Pat Rabbitte, seeking answers to the following questions:

• Are you aware that IMSI Catcher (aka IMSI Grabber/Stingray) technology exists?
• Are you aware that these devices can be used to intercept the mobile voice, text and data communications of an individual or business?
• Are you aware that these devices can be used to track people over a large geographic area via their mobile phones?

Privacy International also included the following questions in relation to Minister Alan Shatters evidence to the Parliamentary committee on 19 February 2014:

• Are you aware that IMSI Catcher devices may be purchased on line, and if so when did you become so aware?
• Do you agree with the Minister of Justice that it is unclear whether IMSI Catcher technology may only be purchased by Governments?
• What statute(s) lays out the precise regime that exists under Irish law in respect of the deployment and operation of an IMSI Catcher?
• Do you agree with the Minister of Justice's statement that Ireland’s mobile phone infrastructure is “vulnerable to any individual who may want to access, be it what your saying on the telephone or if you are using email or text on the phone”?

We also asked:

• In order to prevent Ireland's entire mobile phone infrastructure from being abused by a malicious party, are you developing guidance for State bodies, businesses, solicitors, doctors, and Irish citizens to prevent them from falling victim to an IMSI Catcher?
• Furthermore, what regulatory actions are you capable of taking to ensure Irish Mobile Phone operators and mobile phone manufacturers and other related companies deliver secure mobile communications for everyone in Ireland?

We will update the blog when and if we receive a reply from the Minister for Communications.