back to article Court papers indicate text messages from HMRC's 60886 number could snoop on Brit taxpayers' locations

Britain's tax collection agency asked a contractor to use the SS7 mobile phone signalling protocol that would make available location data of alleged tax defaulters, a High Court lawsuit has revealed. Her Majesty's Revenue and Customs had the potential to use SS7 to silently request that tax debtors' mobile phones give up …

  1. Doctor Syntax Silver badge

    Be careful firing someone who knows where the bodies are buried. (Also explains why Cummings didn't get fired when his Barnard Castle excursion came to light.)

    1. TRT Silver badge
  2. b0llchit Silver badge
    Flame

    The inevitables: death and taxes. Death does not provide adequate cover for taxes. And now we know you are kept on a short leash for the taxes too.

    Makes me wonder,... when will it become illegal not to own or carry a mobile phone?

    1. Pascal Monett Silver badge
      Windows

      That's actually a good question.

      Especially since one can argue that a desktop PC, laptop or tablet can have much the same functionality, but without the convenience of being frisked in the street.

      Oh man am I gonna be a pain in the Surveillance State' ass when I'm retired.

      1. Down not across

        Oh man am I gonna be a pain in the Surveillance State' ass when I'm retired.

        You're gonna go all Brill (Edward Lyle)? :-)

    2. Chris G

      Most government departments, banks and insurance companies already assume that everyone is connected so a legal requirement may not be that far off.

      Less contentious than chipping the population although suspect there may be some who have considered it.

      1. Andy The Hat Silver badge

        I believe you are behind the times as most people have happily accepted the Covid vaccine which contains a chip readable by satellites and aliens. I know this is true because Margret, expert in global pandemics and Hair and Beauty Therapist on Facebook, said so.

        1. Anonymous Coward
          Anonymous Coward

          I thought they were chips to enable 5G! Have I been lied to?

          1. phuzz Silver badge
            Trollface

            You'll need to get your booster dose for the antennas to grow to full lenght, otherwise you'll only get signal in urban areas.

            1. b0llchit Silver badge
              Big Brother

              Do not forget the once or twice yearly update shot to adjust the frequency range(s).

              1. ShadowSystems

                You don't need a covid shot...

                Pop a Viagra and you may develop a "tower mast antenna extension" that allows a much broader activity. ;-D

                1. b0llchit Silver badge

                  Re: You don't need a covid shot...

                  The thrust may cause Doppler shift in the signal. However, wiggling the tower mast antenna extension will be a fine modulated signal with significant educational content until it explodes.

            2. Anonymous Coward
              Anonymous Coward

              I have some sad news for you. The laboratory that was studying the potential for the Cordyceps fungi to infect mammals as well as invertebrates has reported a slight mishap, and several batches of the vaccine inadvertently was contaminated with Cordyceps teletubbi spores instead of the expected self assembly 5G chips. You will not notice the effects yourself, but observant persons in your family may detect some minor signs.

              Studies indicate that there will be no need to have a extra 5G booster for the affected persons, which is a small benefit in this unfortunate mix-up.

            3. Anonymous Coward
              Joke

              > You'll need to get your booster dose for the antennas to grow to full lenght, otherwise you'll only get signal in urban areas.

              Anyone can get signal in urban areas, what about signal in the nether regions?

        2. khjohansen
          Coat

          The "Bill Gates" vaccine

          - sure makes it a breeze to log on my Win11 laptop ;)

        3. hayzoos

          OK, Now the worldwide chip shortage makes sense. And here I thought it had something to do with factories shutting down.

      2. Valeyard

        my company set up 2FA for all our logins that used your mobile number. I have a friend who has no mobile phone, it was an interesting conundrum they hadn't thought of

        1. Woodnag

          I expect that there was a hidden option to select a landline, and get a VM instead of a text

          1. parlei Bronze badge

            The code was to be send by registered mail, but due to cost savings a postcard was used instead?

        2. phuzz Silver badge

          My dad had to fill out a passenger form recently, to fly back from Norway.

          Being my dad, he didn't bother reading the instructions, so when it asked him for a contact number, he put in his home landline number, which of course meant he couldn't receive the confirmation SMS.

          This got worse, because there was no way to change the phone number, and he couldn't create a new registration using the same email address.

          I got him to use my email address and forwarded it to my mum so they could get it done, but maybe I should have just have left him stuck in Norway ;)

          (Mind you, perhaps the page should have checked that the phone number started 07, and rejected or queried the number otherwise)

          1. ChrisC Silver badge

            SMS-based verification can be a problem even when you *are* using a mobile number... A few years ago when I was still working on cellular modem-based products, we used to have a pile of PAYG SIMs from various UK providers for testing how our stuff worked on different networks. One provider then decided, without warning, that their PAYG topup process would send a verification SMS to the SIM being topped-up, which you'd then have to read and enter the code into the topup page to complete the transaction...

            All well and good when the SIM is being used in a normal mobile phone with even rudimentary SMS capabilities.

            Not quite so good when it's in a device tucked away in part of a lab test setup which you'd need to switch off in order to extract the SIM, temporarily stick it in an old Nokia you've had to dig out of your box of crap at home (because the cellular modems are all using mini-SIMs and none of the work mobiles will take anything larger than a micro-SIM...) in order to get the code and confirm the topup went through OK, then put back into the test setup and get it running again.

            Even less good when it's in a device you've had installed on a remote test location without any issues for the past few months, which you'll now have to go visit just to swap out the SIM for one provided by one of the networks that still allows topups to be made without the need to verify anything...

          2. Doctor Syntax Silver badge

            "Mind you, perhaps the page should have checked that the phone number started 07, and rejected or queried the number otherwise"

            They're not alone.

            Exhibit 1. Local restaurant has (maybe had, for reasons which will become clear, I have no way of finding out) booking software which confirms the booking by text to the phone number. Some children at BT have decided that obviously landlines shouldn't be left out form the SMS fun and implemented S/W to accept an SMS, ring the landline and read out out This is a text message from $GabbledNumber $GabbledMessage

            The one thing that stuck from that was "thank you for signing up to our service". It's a scam, right? After finally sorting out what it was all about - nothing more than a booking confirmation - words were said which left the distinct impression that I hadn't signed up for anything and that if they thought I had I'd better be unsigned because SMS spam is even worse when it's read out as gabble. Given that they thought this was customer service I haven't booked there since, not even by mobile.

            Exhibit 2. You don't need a computer to make dumb assumptions. Our landline number is on a poster advertising SWMBO's patchwork class. The poster is in the hall where the class is held. Anyone standing there reading it should be well aware that it's a local number. So the phone rang with a text message from $GabbledNumber wanting to know if the caller should bring anything to the class. No chance of ringing back as the only contact was $Gabbled Number which has already receded into the irretrievable past. Whoever rung didn't turn up, presumably thinking that she'd been rudely ignored.

            If the children at BT who'd come up with this scheme had properly tested it, including sending SMS messages to test subjects who weren't expecting the call, they might have correctly decided that it wasn't fit for purpose and should be abandoned. If they had gone ahead they should at least have supplied the originating number as CLI for the call so the recipient would have a chance of calling back to ask what the gabble was about.

            1. ThatOne Silver badge
              Devil

              > that it wasn't fit for purpose

              Come on, since when this is a reason not to release something, if it has a slight chance of nevertheless earning you a couple bucks?...

              "Customer satisfaction" is an old quaint notion which has long gone the way of the Dodo, nowadays the name of the game is "shareholder satisfaction".

            2. adam 40 Silver badge

              Computer rude speak

              The BT SMS to a landline is great fun, especially at dinner parties.

              You text you host's landline and a few minutes later it rings, and reads out the solicitous message. It's even better on speaker!

        3. ricardian

          I do have a mobile phone but I can only get a signal if I stand at the bottom of the garden or over on the far side of the road. I moved from Santander to TSB because Santander insisted that I had to receive my OTP via mobile phone whereas TSB (and Paypal) are quite happy to use my landline phone.

      3. Jake Maverick

        you not heard of 'two step verification'.....?

    3. MickMackMoik

      Why would they make it illegal for citizens _not_ to do something like carry a tracking device or an ID card, when they can instead force regulated entities to make your life difficult if you don't do it?

      That way 'all this new-fangled tech' gets the blame, instead of explicit state regulations which people might hold the state accountable for.

      For example, PSD5 will make it impossible to use a card online without having your tracking device with you (and of course if you make a card payment in person, then they know your location because you're y'know - in person).

    4. my farts clear the room
      Big Brother

      Any anonymising forwarder services out there?

      What happens if the end user is connected via WiFi calling? - Three / O2 etc offer SMS and calls in and out bound over WiFi ......

      Is anyone virtualising mobiles into a voip / wifi concentrator that receives SMS/calls and routes them down tunnels to the remote handsets?

      Would all the crims be visible because their SS7 locations were a mast outside an industrial unit and a terraced house in Moss Side?

      Asking for a friend .....

      1. ThatOne Silver badge

        Re: Any anonymising forwarder services out there?

        > What happens if the end user is connected via WiFi calling?

        Actually even more precise location, since they know exactly where the WiFi endpoint you're connected to is, and WiFi has limited range.

        No matter if it's a commercial hotspot or some private WiFi, Google (and Apple) knows precisely where it is on the map, and will gladly tell anybody who asks nicely.

  3. Gordon 10
    Mushroom

    WTAF

    The operation of the service as described seems like a breach of GDPR to me.

    At no time has my network provider sought my consent to provide my location to various unsavoury third parties. (The rozzers/emergency services are fine imo)

    Telco Commentards - just how widely accessible/queryable is the SS7 protocol?

    Feels like a class action is in the offing.

    1. Natalie Gritpants Jr

      Re: WTAF

      Do you remember all those things you clicked OK on when you got your shiny new phone? It was probably in there.

      1. Gordon 10

        Re: WTAF

        "Do you remember all those things you clicked OK on when you got your shiny new phone? It was probably in there."

        Ultra dense unreadable T&C's - Meet GDPR's informed consent rule. TL:DR if its not obvious - its not informed consent.

    2. Down not across

      Re: WTAF

      Telco Commentards - just how widely accessible/queryable is the SS7 protocol?

      Kinda depends. The non-associated (not in voice-band) signaling used for SMS and HLR for example does require access to a Telco network. GIven fair few, some high profile, SS7 hacks in in last 10 years or so things have improved somewhat and its not quite as bad as it used to be. Still, all it takes is one telco to have a weak point.

    3. elsergiovolador Silver badge

      Re: WTAF

      You can report that and let us know how that goes.

      hint (likely answer from regulator): if you are not happy, you can change your network provider

    4. katrinab Silver badge
      Alert

      Re: WTAF

      Law enforcement is an exemption from the GDPR though.

      1. phuzz Silver badge
        Stop

        Re: WTAF

        I'm not sure why you got those downvotes, you're entirely correct. From the ICO:

        The UK GDPR does not prevent you sharing personal data with law enforcement authorities (known under data protection law as “competent authorities”) who are discharging their statutory law enforcement functions. The UK GDPR and the DPA 2018 allow for this type of data sharing where it is necessary and proportionate.

        Of course, we might think that HMRC having the ability to get location data from people's phones is not necessary or proportionate, but as the law stands, they are on the list of "Competent authorities" [sic] (see line 21).

        1. david 12 Silver badge

          Re: WTAF

          I've asked, and so far no one seems to know, in what way is this different from the USA? Why does GDPR prevent you from exporting data to the USA, where the government may demand access, but allow you to keep data in Germany, where the government may demand access?

          1. Claverhouse Silver badge

            Re: WTAF

            Because American administrations may have 'sharing' arrangements with American corporations ?

            And because what happens outside America is none of America's business.

            .

            .

            This applies to other huge governments who assume universal imperium as well. America is no worse than China.

          2. Gordon 10

            Re: WTAF

            @David12.

            It's complicated, and mostly one of outlook. The EU believes fundamentally in data privacy for individuals - the US doesn't. At the practical individual level you are right - there's probably not a lot to choose between them. Both the US and EU governments have stepped over the mark - but arguably its habitual in the US compared to EU.

            Its different in terms of magnitude and the differing treatment of EU citizens. EU governments - more precisely their security arms - are more constrained in what they do whereas the NSA/DoJ have a history of bulk hoovering and mass interception (and getting caught). There have been multiple instances of US Govt overreach that got the EU riled up. The Microsoft email case for example. US border cell phone seizures. Their habit of gaining secret access to data centres using FISA laws also doesn't endear them to the EU. Basically if you are an EU citizen in the US you have much less data rights than a US citizen and that pisses the EU off.

            Lastly the thing you have to realise is the Spirit of GDPR is really cool and hard to disagree with, however compliance to every last inch of a bunch of legal rules written by lawyers with only a faint grasp of technology is virtually impossible even before you get to cross border data exchanges.

            Which is why nearly everyone sensible takes a risk based approach, but on the one end you get Facebook and AdTech firms actively abusing it, others keeping their heads low (Telco's & SMS triangulation), and people like Max Schrems - whom I admire but is a bit of a fundamentalist on privacy - who will use any tiny clause of GDPR to go after Facebook and anyone else he fancies.

            HTH

          3. Ken G Silver badge

            Re: WTAF

            Foreign vs European

        2. spireite Silver badge

          Re: WTAF

          Ah, but HMRC doesn't fall under the classification. Experience on a yearly basis proves that HMRC are anything but a 'competent authority'.

      2. Slx

        Re: WTAF

        GDPR outside the EU (and even the EEA), under a Tory Government, with probably the most right wing Hom Sec in recent history …

        I’m sure that will be watertight and enforced against state agencies.

        Maybe someone should take a complain to the ECJ… oh wait lol

  4. TeeCee Gold badge
    Facepalm

    Funny...

    ...how most seem to think that people should be made to pay their taxes..... until HMRC actually does something about collecting them from those actively trying to avoid paying.

    1. Lon24

      Re: Funny...

      Yes, the delight of knowing which extradition treaty to bang the villain to rights had me agreeing.

      Till I thought about other government departments using the same idea to locate folks who have very good reason to not want to be located whilst they exercise the civil rights (or what's left of them). Like No.10 checking up some of Boris's own MPs who might be a little too near Melton Mowbray at this time.

    2. SundogUK Silver badge

      Re: Funny...

      Not me. All taxation is theft!

      1. Anonymous Coward
        Anonymous Coward

        Re: Funny...

        Presumably you've never (for example) used the NHS, and have paid them back any costs you incurred when you were born?

        Or are you just fine in reaping the benefits of taxation whilst not wanting to contribute?

      2. W.S.Gosset
        Happy

        Re: Funny...

        Reminds me of that old joke:

        Q: Why did Karl Marx never drink Twinings?

        A: Because proper tea is theft.

  5. Anonymous Coward
    Anonymous Coward

    Alternate headline

    Cattle offended by farmers use of electronic tracking devices.

    Bonus:

    Want to see who's tracking device was at the scene of a crime in the last 6 years, no problem.

    "mobile phones give up location data over the past six years,"

  6. Anonymous Coward
    Anonymous Coward

    "The Reg wonders why HMRC did not dispute this in the legal papers"

    Do you... do you really...

  7. elsergiovolador Silver badge

    Low hanging fruit

    It's always about chasing a commoner hiding a few grand (in the tax man eyes) from the greedy tax man paws.

    They can't afford legal defense, so often they just pay up, cry and forget.

    Meanwhile when real tax evaders come in, they get red carpet treatment.

    1. Andy The Hat Silver badge

      Re: Low hanging fruit

      Bet they didn't ring the CFO of Amazon UK's mobile phone and request location data ... :-)

      1. TheMeerkat

        Re: Low hanging fruit

        They probably did. For the taxes on his salary after he filled his self-assessment form.

        Why would you think otherwise?

    2. Aitor 1

      Re: Low hanging fruit

      It is more of shaking people for their valuables. Rich people tend to use expensive lawyers and accountants, so there are both more likely to file taxes correctly and be able to defend themselves. Plus they might be politically connected, so breaking the law to go after them might be risky.

      This is why when enforcement increases it is the middle class who suffers the inspections, the malpractices, etc, rich enough to collect, poor enough not to be able to defend themselves.

    3. Anonymous Coward
      Anonymous Coward

      Re: Low hanging fruit

      I'm not going to pretend that tax collection is ever going to be well loved but it's that inequity that really rankles with people.

      With a tax agency that's generally a bit crap and ineffective the missed revenues are nothing personal. A tax agency that pulls out all the stops to squeeze particular people looks selective and, historically, that's revolution fodder if it goes on long enough

  8. quadibloc2

    The Real Issue

    It's one thing if the police can locate people through data that is used internally by the telephone system.

    It's quite another thing, though if anyone - not just HM Revenue, but any private business - that uses a service, instead of a cell phone, to send text messages to people can request that their locations be given to it. The telephone service providers may have that information internally, as a result of how cellular phone calls are routed, but they should not be releasing it to anyone except the police.

    Actually, location info should, of course, be provided in one other case in addition to use in assisting police investigations. It should be provided when emergency calls are made for police, fire, or ambulance services, such as when calling 911 in North America, or, I believe, 999 in the UK.

    1. nobody who matters

      Re: The Real Issue

      In the UK at least, where location data is available it is normally provided to the emergency call centre for 999 or 112 calls (112 being the Europe-wide emergency number, which also applies in the UK).

  9. RogerT

    That's it.

    Tomorrow I'm ringing up HMSO to tell them I'm getting rid of my mobile. It's no use telling their call handler the real reason as they wont believe me.

  10. Anonymous Coward
    Anonymous Coward

    If only you knew

    Location? One of many things, like how many financial accounts you have, account numbers, balances...

  11. Anonymous Coward
    Anonymous Coward

    The irony… HMRC using a company owned in a tax haven

    MMGRP Limited, parent company in Gibraltar and sole director in Jersey.

    1. Anonymous Coward
      Anonymous Coward

      Re: The irony… HMRC using a company owned in a tax haven

      The freehold of HMRC buildings was sold to Bermuda-based Mapley STEPS as part of a 20-year PFI deal back in 2001, so the taxman has been paying rent to a tax-dodger... sorry, 'tax-payer in Bermuda'

      Hmm... wonder who owns the property now? Private Eye need to be told!

      1. Dave 15

        Re: The irony… HMRC using a company owned in a tax haven

        Yup, no wonder the government are screwing us all with yet another tax rise, they call it national insurance but it goes from my pay packet so it is income tax...

        I dont think the government needs all these tax types and tax agents, a single flat tax is all we need, and a single flat benefit to stop people starving to death (though to be honest given inflation in prices and deflation in the wages of 99.99% I am pretty sure we are going to see that soon)

    2. Citizen of Nowhere

      Re: The irony… HMRC using a company owned in a tax haven

      It would be ironic if they hadn't ;-)

      "HMRC pays rent on its 600 regional offices from a company called Mapeley Steps Limited, which is registered in the tax haven Bermuda, as the result of a private finance initiative (PFI)."

      April 2016

      https://www.indy100.com/news/hmrc-actually-rents-offices-from-a-company-registered-in-a-tax-haven-7294711

      "HM Revenue and Customs has struck a deal to relocate tax officials into a new office complex in Newcastle owned by major Conservative party donors through an offshore company based in a tax haven..."

      November 2021

      https://www.theguardian.com/politics/2021/nov/25/hmrc-to-relocate-to-newcastle-office-owned-by-tory-donors-via-tax-haven

  12. Anonymous Coward
    Anonymous Coward

    Location will NOT be available to HMRC via SMS

    Mobile operators implemented ‘home network routing’ for SMS many years ago, resulting in only the network operator name, or the fact the number is no longer in use being learnt via SMS sending. This is aligned with what the HMRC discloses.

    Even before they implemented home network routing, due to networks implementing ‘MSC in Pool’, you could only determine which country they were located in, and certainly not down to cell Id level.

    The ‘other’ HLR queries related to the SS7 scandal were not SMS related and were blocked by mobile operators in response.

    1. adam 40 Silver badge

      Re: Location will NOT be available to HMRC via SMS

      You can't "triangulate" either.

      A UE will be registered to one basestation at a time. (Ignoring 3G soft handover but that is getting turned off soon anyway).

  13. Colin Miller

    Delivery receipt?

    A mobile phone user can already turn on delivery receipts for all SMSs they send; when the SMS is delivered to the recipient's phone a SMS is sent back to the sender's phone. AFAIK the recipient can't prevent this.

    Likewise for MMSs you can request both delivery and read receipts, although the recipient can block sending both of the receipts.

    Is there any reason why HMRC didn't use this, instead of SS7?

  14. stungebag

    This is how SMS works

    Most bulk SMS senders wouldn't use SS#7 as that's the internal phone network protocol suite (or was, last time I looked some years ago). But this company did. That suggests that either they're being treated as a telco by their peers, or perhaps they aren't doing anything, a real telephone company is doing the work for them.

    In the GSM network any call or text causes a location lookup from the HLR. This is perfectly normal and not in any way sinister.

    How else can the call/text be routed to wherever the phone happens to be today?

    1. Teal Bee

      Re: This is how SMS works

      >How else can the call/text be routed to wherever the phone happens to be today?

      The same way a Skype message gets delivered to the same phone without revealing anything about its location, not even the country.

  15. Anonymous Coward
    Anonymous Coward

    In paranoia

    I wonder if that is why some suppliers' online forms mandate a phone number ostensibly to possibly send an SMS - and refuse any that are not mobiles.

  16. Anonymous Coward
    Anonymous Coward

    MMGRP director Daniel Layton better fit a revolving door

    He's going to spend the rest of his life in the company of Auditors

  17. Dave 15

    Big Brother is watching you

    As long as you are poor enough not to have fancy accountants and lawyers HMRC wants to know exactly where you are so they can come round and ream you.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like