The London Police Need to Reveal if They're Secretly Monitoring Phones

This article originally appeared on VICE UK.

Walk around London today and there's every chance your text messages, phone calls, and location data will be swept up without you even realizing. After years of reports that fake phone masts are secretly being used by UK law enforcement to snoop on civilians, a Sky News investigation has produced hard evidence showing that the mass spying devices are nestled in and around the capital.

However, while it's clear that they're there, nobody has yet taken responsibility for them. When the Met Police were asked to confirm or deny their involvement, a spokesman told Sky News, "The only people who benefit are the other side, and I see no reason in giving away that sort of thing." When contacted for this piece, a spokesman gave me a standard "neither deny nor confirm" answer.

One of the many problems with this (basic transparency and accountability being two of the other big ones) is that if it is the police behind the technology, colloquially known as "Stingrays," until they come clean the public are going to have a hard time telling what sort of protections are in place to ensure their communications aren't being collected—or, if they already are, exactly when, how, and why this is happening.

The phone in your pocket is constantly sending out signals in an attempt to figure out where the closest mobile phone masts are, providing you with the best reception for your calls. This applies to non-smartphones, too—the kind that don't allow you to access Facebook, but won't smash if you drop them down a well.

But Stingrays, the sneaky fuckers they are, pretend to be legitimate phone towers, and your naive mobile phone—unable to tell the difference—willingly connects. Whoever is in control of the fake tower—be it a sophisticated cyber-criminal or a law enforcement agency—is now able to read messages or listen in on calls, depending on the particular model of the Stingray.

Originally, the devices were designed to only capture the unique SIM card number in the phone, called an International Mobile Subscriber Identity (IMSI). This is where the proper term for Stingrays—"IMSI catchers"—comes from. Conveniently, anyone can buy the briefcase-sized spy-kit online for just over a grand.

Rough range of Met Police's IMSI catcher if deployed near Parliament. 10km2. Indiscriminately suck up calls and texts — Joseph Cox (@josephfcox)October 25, 2014

Thing is, these devices aren't exactly precise. Instead of targeting an individual phone, they broadcast their signal across a huge area, some up to nearly four square miles, potentially sweeping up the communications of thousands of people, many of whom presumably haven't committed any crime, nor activity that warrants mass surveillance.

Sky News used a custom phone made by German security company GSMK Cryptophone to track symptoms of IMSI catchers as their journalist, Tom Cheshire, walked through the city. Lo and behold, there were plenty of red flags, but Cheshire didn't say how many Stingrays he possibly detected, nor where they were located.

READ ON MOTHERBOARD: Surveillance AI Is Learning To Interpret Human Behavior

The Guardian revealed that the Metropolitan Police had bought an IMSI catcher back in 2009 under the codename "Listed X," although the police force refused to admit this. Last year, I filed a Freedom of Information request asking for more details, and was met with a flat "neither confirm nor deny" response on whether the devices are held or used. More recently, the Times confirmed that the Met does use the devices, citing anonymous sources, and that the law used to cover their use was designed to regulate small-scale surveillance bugs, and dates back to 1997: hardly appropriate for something that can simultaneously monitor thousands.

This approach of refusing to answer questions about technology that directly affects anyone walking around central London with a mobile phone sits in stark contrast to the debate currently going on in the United States.

Over there, the FBI and local enforcement have also been using IMSI catchers for years. The feds were so concerned that the methods would become public that they attempted to have any mention of the gear removed from court documents, and have taken the position that warrants aren't even necessary when whacking an IMSI catcher in a public space. Worryingly, one county sheriff even used the tech over 300 times without a warrant.

As troublesome as all that is, at least there's a debate. Documents about Stringrays are released. Internal police emails on the subject get out. Journalists and civil liberties activists are able to have some sort of dialogue with law enforcement agencies about whether the way Stingrays are used is fair, proportionate or legal. Perhaps with that, progress will be made to ensure that the privacy of citizens is protected when one of these devices is used.

This is not the case in the UK. The police remain tight-lipped and refuse to engage at all. For that reason, we are left largely in the dark: in what situations are Stingrays used? Have they been deployed only to combat terrorism, or to track drug dealers? How is the data of innocents destroyed or protected? Without answers to these questions, we have no way of knowing whether the tech is being applied responsibly.

If they really are behind them, it's time for the police to own up to using Stingrays. We know they own them, and serious criminals are likely already aware of this, too. The only people losing out are the public, who have no idea what the hell is going on with their private data and communications.

Follow Joseph on Twitter.