The latest revelations from the Snowden leak show that Dutch technology supplier Gemalto, one of the largest sim card manufacturers in the world, has been hacked by operatives of both the American National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ). This means that both these agencies could have carried out surveillance on billions of mobile phone users around the world.
A sim card is a microchip that allows your mobile phone to connect safely and securely to the mobile network run by your service provider – everyone has one in their mobile telephone. It logs the user into the network, allowing them to make and receive calls and write and send text messages securely by encrypting all of the data that passes to the network via a mobile mast, which connects the data with its intended recipient. The files leaked by Edward Snowden show that in 2010 the NSA and GCHQ worked together to form the Mobile Handset Exploitation Team (MHET), a surveillance unit dedicated to targeting mobile telephones around the world. MHET hacked into the sim cards made by Gemalto by acquiring their encryption keys: the secret key held on each card, which is able to decrypt the data sent by the mobile phone. In order to use these keys for surveillance purposes, an aerial would need to be placed near the user to intercept the data, which could then be deciphered and read.
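The reason a stolen card key matters is the key hierarchy described above: the card and the network derive the key that protects each call from one long-term secret on the card plus a challenge sent in the clear, so anyone holding that secret and listening near a mast can rederive the same key. The following is an added illustration, not code from the article or from Gemalto; it uses HMAC-SHA256 as a simplified stand-in for the real SIM algorithms, a toy keystream cipher in place of the real air-interface cipher, and a constructed `TOY_KI` value. It also shows why a separately keyed end-to-end layer (the secure apps mentioned later in the article) is unaffected.

```python
import hmac
import hashlib
import os

# Constructed value: a toy per-card long-term secret, standing in for the
# key burned into a sim card at manufacture (the kind of key the article
# says was acquired). Not a real key.
TOY_KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_session_key(ki: bytes, rand: bytes) -> bytes:
    """Both the card and the network turn the long-term key plus a fresh
    challenge RAND into a per-call session key. HMAC-SHA256 is a stand-in
    for the real SIM key-derivation step, assumed for illustration."""
    return hmac.new(ki, b"session" + rand, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-derived keystream.
    Illustrates 'encrypted under the session key' only; not the real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def over_the_air_exchange(ki: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Network issues a cleartext challenge; handset encrypts under the
    derived session key. Both values are observable by anyone near the mast."""
    rand = os.urandom(16)
    session_key = derive_session_key(ki, rand)
    return rand, keystream_xor(session_key, message)


def passive_observer_decrypt(observed_rand: bytes, observed_ct: bytes, known_ki: bytes) -> bytes:
    """What a party holding a card's long-term key can do with passively
    captured traffic: rederive the session key and strip the encryption."""
    return keystream_xor(derive_session_key(known_ki, observed_rand), observed_ct)


def demo(message: bytes = b"constructed sample call data") -> dict:
    """Returns which parties can read the plaintext in this model."""
    rand, ct = over_the_air_exchange(TOY_KI, message)
    with_real_ki = passive_observer_decrypt(rand, ct, TOY_KI)
    with_wrong_ki = passive_observer_decrypt(rand, ct, os.urandom(16))

    # End-to-end layer: a key the two endpoints agree between themselves,
    # never derived from the card key, so stripping the network layer
    # only exposes the inner ciphertext.
    app_key = os.urandom(32)
    inner = keystream_xor(app_key, message)
    rand2, outer = over_the_air_exchange(TOY_KI, inner)
    stripped = passive_observer_decrypt(rand2, outer, TOY_KI)

    return {
        "ki_holder_reads_plain_call": with_real_ki == message,
        "wrong_key_reads_plain_call": with_wrong_ki == message,
        "ki_holder_reads_e2e_message": stripped == message,
        "ki_holder_sees_only_inner_ciphertext": stripped == inner,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The model makes the article's point concrete: nothing the phone or network does per call helps once the card key is known, because every session key is a deterministic function of that key and a value sent in the clear, which is why replacing the cards is the only network-level remedy and why app-layer encryption with its own keys survives.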
Gemalto manufacture around 2 billion sim cards each year for over 450 mobile telephone networks in 85 different countries around the world. Early indications show that mobile phone users in the United Kingdom on Vodafone, EE, O2 or Three could have been affected, as Gemalto is the primary supplier of sim cards for these networks. In the USA, Gemalto supplies sim cards to AT&T, Sprint, T-Mobile and Verizon. However, as most other mobile networks have used Gemalto sim cards at some point in their history, experts are suggesting that almost anyone with a sim card in their phone could potentially be affected by these revelations.
At this moment in time the Government and legal agencies are not quite sure where this hack sits within the law. However, what is certain is that listening in to private conversations violates data protection laws in most countries, including the United Kingdom. Some legal experts are predicting that, in order to obtain the encryption keys, the NSA and GCHQ may have also violated Dutch law relating to business data protection. The use of the encryption keys in countries other than the UK and the USA could also breach security laws, for example if a key was used to hack the phone of a Spanish citizen without informing the Spanish security agencies before doing so.
Gemalto and the mobile phone networks that they provide with sim cards are currently investigating the hack, and trying to determine if its effects can be halted. Surveillance and hacking experts, however, have suggested that aside from replacing all of the affected sim cards, there is little that can be done to prevent these agencies from potentially listening in to phone calls, or monitoring text messages. Users of specialist secure mobile telephones, like the encrypted Blackphone made by Silent Circle, or encrypted messaging applications like Chatsecure, won't be affected by the hack.
In the United Kingdom, however, the Regulation of Investigatory Powers Act (RIPA) (2000) already allows law enforcement agencies like the police or the National Crime Agency to access the same level of data. Mobile phone networks and service providers are also required by law to allow live surveillance of specific users in cases of emergency, such as an abduction, or where phone records could aid a criminal investigation.