Some important news was announced at Mobile World Congress yesterday, but it will not receive much publicity because the detail is too complicated to interest the public and the proposed change will not boost revenues, although it addresses a problem that can have fatal consequences. It seems counterintuitive that the failings of a comms provider on the far side of the planet can help murderers locate their target, but that appears to have been the case in the 2022 assassination of Mexican journalist Fredid Román Román (pictured). Investigative journalists Crofton Black and Omer Benjakob set the scene for an exposé published by Haaretz last year.
A day before he was shot dead getting into his car outside his home in Chilpancingo, the capital of the southern Mexican state of Guerrero, journalist Fredid Román Román’s phone number was silently pinged in what confidential data seen by Lighthouse Reports, Haaretz and partners seems to suggest was an attempt to geolocate the reporter using a loophole in the mobile phone system.
I hope that most readers of Commsrisk already know about the harm that can be caused when bad actors exploit vulnerabilities inherent to global title, the addresses used when routing signals for SS7 networks. Scammers and spammers who flood networks with dangerous and unwanted SMS messages often evade detection by hiding behind somebody else’s global title. That is the side of global title abuse that affects very many people. Other forms of abuse are more particular, but with potentially devastating consequences. The telecoms industry has successfully implemented the means to allow mobile phones to connect to networks worldwide, but this puts individuals at risk when a bad actor uses this global infrastructure to locate and spy upon a phone user.
Several concerned parties have shown leadership by writing an industry code of conduct on the leasing of global titles. Criminals and spies want to hide in the shadows, and leasing global title gives them access to SS7 whilst allowing them to obscure their true identities by hiding behind the comms provider who owns the global title. Some comms providers are too easily tempted by the additional revenues generated by renting out global title to others, and do not make enough effort to verify who they are dealing with, or to monitor how the global title is being used in practice. The code of conduct, published by the GSMA, would tackle those issues if adopted widely.
That, as usual, is where the most challenging work begins. It is difficult to write and publish an industry code of conduct, although it is only a series of words. Getting a lot of businesses to respect the code of conduct is much harder, especially in the beginning. That is why it is a significant development that Deutsche Telekom announced they will comply with the code at Mobile World Congress yesterday. Per their slide pack, which was shared with Commsrisk in advance, Deutsche Telekom is the first operator to endorse the new code. Johannes Opitz, Vice President of Commercial Roaming and International Mobile Wholesale at Deutsche Telekom, joined Stephen Ornadel, the editor of the code, in outlining a five-point industry plan for tackling the abuse of global title leasing.
- Eliminate excuses and ignorance through education
- Set reasonable standards of behaviour through a CoC
- Flush out bad behaviour whilst protecting helpful solutions
- Drive up standards by enabling operators to publicly declare support and compliance
- Link standard roaming agreements to the CoC
Deutsche Telekom has gone first by declaring their support. Perhaps that was inevitable, given the apparent importance that Germans attach to privacy compared to some other nationalities. But this problem cannot be solved by a single telco working in isolation. Success will be determined by how many voluntarily follow, and how soon they choose to follow. Associations like the GSMA are willing to bring people together to draft codes of conduct, but they will not take any steps to enforce them until majority support is clearly established. To do otherwise would put the GSMA’s own revenues at risk, with nothing gained because bad actors will continue to misbehave as they did before. The onus must be on other big telcos to loudly and prominently commit to obeying the global title leasing code.
There have recently been quite a few big telcos claiming they fully support international collaboration against scams. This is one opportunity to distinguish between those who really mean it and those who are just mouthing platitudes about consumer protection when put under pressure. And whilst scam reduction is an important reason to tighten controls around global title, we should be equally mindful of the tragic implications when the intelligence-gathering capabilities of comms networks are commandeered by spies and thugs who intend to hurt somebody. Please encourage the adoption of this code, and let us all keep a watchful eye on those telcos that promise to obey it, and those which choose to ignore it.
The GSMA Global Title Leasing Code of Conduct is freely available from here.
