5 years in prison for selling or using a WiFi enabled Voice over IP mobile phone ?
The "why is he still in a job" Home Office Minister Tony McNulty has put his fist to Statutory Instrument 2007 No. 858(C. 35) The Violent Crime Reduction Act 2006 (Commencement No. 2) Order 2007
Amongst other things, this commences i.e. brings into force, on 6th April 2007, the Violent Crime Reduction Act 2006 Section 62
62 Offering or agreeing to re-programme a mobile telephone In section 1(1) of the Mobile Telephones (Re-programming) Act 2002 (c. 31) (offence of re-programming mobile telephone etc.), omit "or" at the end of paragraph (a) and after paragraph (b) insert- "(c) he offers or agrees to change, or interfere with the operation of, a unique device identifier, or(d) he offers or agrees to arrange for another person to change, or interfere with the operation of, a unique device identifier."
This further broadens the scope of one of the most badly written bits of New Labour legislation dealing with technology and crime, which criminalises the new sector of WiFi enabled mobile phones, with a penalty of up to 5 years in prison.
Like most of New Labour's "must be seen to be doing something" legislation, it has not actually done anything about the social problem it was meant to fix- see our previous blog article "Stolen mobile phone blocking hype - this was all allegedly in place back in 2002"
Firstly there is the evil criminalisation of the mere possession of "dual use" equipment i.e. a computer, a serial cable or infrared IRDA or BlueTooth connection (e.g. a second mobile phone or a Personal Digital Assistant handheld device) and some software which could be used to re-programme a mobile telephone.
Then, there is the deliberate use of the the over broad and vague "unique device identifier".
Even when this wretched legislation was just a Bill, we pointed out that if they really meant the International Mobile Electronic Identity (IMEI) then they should have said so specifically.
The specious argument put forward in the Explanatory Notes to the Bill was that somehow the technology might change and that this wording would obviate the need for further legislation in the future. This is, of course, rubbish, since world wide international telecommunications standards are not agreed without plenty of warning, whilst portmanteau criminal legislation oozes out of the Home Office every year.
A short section in one of these annual Bills, (i.e. exactly what was done with the Violent Crime Reduction Act 2006) or even a Schedule of "Unique Identifiers" covered by the legislation, amendable by Statutory Instrument, is the proper way to cope with fast moving technology.
(2) A unique device identifier is an electronic equipment identifier which is unique to a mobile wireless communications device.
We would like to see someone dare to attempt to argue that the term "unique device identifier" does not also include the IP Address of the mobile device.
We also think that "unique device identifier" must also apply to any cryptographic keys used to secure any WAP or WTLS or SSL or TLS etc. encrypted sessions via such mobile telephones.
Even in 2002 there were already plenty of data enabled mobile phones, using WAP Wireless Access protocol, or providing other Internet data connections and services, alll through the IP Address allocated to the mobile phone.
Now in 2007 we see the likes of British Telecom promoting their BT Fusion service, which uses commercial, business and private home based WiFi / ADSL routers to allow Voice over IP mobile phone calls.
BT Fusion currently offers handsets such as the Samsung P200, Nokia 6136 and the Motorola A910. We cannot see , in any of the Terms and Conditions, any mention of the Mobile Telephones (Re-programming) Act 2002, especially Section 1 (3)
(3) But a person does not commit an offence under this section if- (a) he is the manufacturer of the device, or (b) he does the act mentioned in subsection (1) with the written consent of the manufacturer of the device.
Note how there is no mention whatsoever of any permission to be sought from or granted by any Mobile Phone Network Operators, e.g. Vodafone, Orange, T-Mobile, Three, etc.
Therefore, unless you have "the written consent of the manufacturer of the device." e.g. Motorola. Nokia, Samsung etc. specifically allowing you to change your IP Address e.g. as usually happens automatically through Dynamic Host Configuration Protocol (DHCP) with a WiFi ADSL router, then you will have committed a criminal offence, punishable by up to 5 years in prison.
(4) A person guilty of an offence under this section is liable- (a) on summary conviction, to imprisonment for a term not exceeding 6 months or to a fine not exceeding the statutory maximum or to both, or(b) on conviction on indictment, to imprisonment for a term not exceeding 5 years or to a fine or to both.
Why did the 2002 Act place this permission to re-programme solely in the hands of foreign mobile phone handset manufacturers, rather than the heavily regulated United Kingdom based Mobile Phone Network Operators ?
Neither Mobile Network Operators nor Mobile Phone Handset Manufacturers should have any say whatsoever over the re-programming of "unique device identifiers" like cryptographic keys used to secure "m-commerce" financial transactions or Virtual Private Network sessions or webmail logins etc. over the mobile telephone devices.
The new amendments brought in by the Violent Crime Reduction Act Section 62 and Statutory Instrument 898, mean that this also applies to the commercial operators of any WiFi hotspots (like BT Openzone, enabled coffee shops, cafés, airports, railway stations etc), or to Corporate or Domestic customers of say BT Fusion or other such WiFi and / or VoIP mobile telephony services, including Skype which is available via, say the Three 3GPP network.
Comments
I'm hoping I didn't miss the crucial bit, but doesn't all this mean that even if you *own* the device, you will be locked up for taking a hammer to it? This would impede the operation of the identifier, and is almost certainly outside the manufacturer's guidelines for normal usage.
It seems to me that we will be entirely dependent on how 'written consent' is interpreted. How explicit does it need to be? Would a manufacturer's description of functionality e.g. dhcp, crypto, certs etc qualify as implicit consent? Relying on how a law *may* be interpreted is clearly a Bad Thing...
Posted by: DW | March 22, 2007 12:39 PM
An IP Address may well not be a "unique device identifier" as it is usually assigned dynamically upon connection to a network. But what would surely qualify is the MAC Address of the device's network adapter, or equivalent.
Posted by: nedski | March 22, 2007 1:18 PM
@ nedski - so could a web browser session cookie or other GUID
Even a private address e.g. 192.168.0.* or 10.*.*.* is a "uinique device identifier" within the context of a particular WiFi ADSL internet router, or the "closed garden" WAP or Email gateway of a Mobile Phone Network.
Posted by: wtwu | March 22, 2007 3:04 PM
It also seems unclear to what kind of device this Act applies.
The title of section 1 mentions "Re-programming mobile telephone etc."
and the closest to a defintion is "(2) A unique device identifier is an electronic equipment identifier which is unique to a mobile wireless communications device."
How should this be interpreted? Does that apply to laptops with Wifi? DECT phones? CB radios? ...
Now, if you look at it from the (narrow) point of view of criminalising changing the IMEI, the changes do make sense and probably necessary.
As the original act came into force in 2002, do you know if there have been trials that may have clarified some of the possible (mis)interpretations?
br -d
Posted by: David Mery | March 23, 2007 2:26 AM
For some interesting comments from a legal point of view see the Home Office Circular 11 of 2007 section of http://www.crimeline.info/issue215.htm
br -d
Posted by: David Mery | April 29, 2007 6:16 PM
@ David - the whole idea behind this Mobile Telephones (Re-programming) Act 2002 was to reduce street robberies / muggings, which it failed to do in the first year that it was in force, and which it has still failed to do.
See The Independent:
There are no adverts or signs advertising mobile phone re-programming services at any of even the dodgiest looking second mobile phone shops etc. so one has to question the likely effectiveness of the new amendments.
This Act does nothing to stop the large number of petty insurance frauds where people who essentially want a free upgrade of their phone to the the latest model claim that they have lost it in a street robbery, which is how it gets recorded in the statistics.
Posted by: wtwu | April 29, 2007 8:39 PM