Many object to machines being allowed to scan the content of private messages, and I can understand why. Once a machine has the access needed to read and identify one kind of content in electronic communications, such as pornography or evidence of a crime, then it becomes easy to change the settings so it can block or report upon other kinds of content. Some people will be concerned about the potential abuse of this power. Nevertheless, there is an emerging trend among European countries willing to amend privacy laws to permit the automated scanning of SMS messages so telcos can identify content associated with consumer scams, such as the URL of a phishing website or a sequence of words that is designed to deceive.
We can examine the trend by looking at developments in Belgium, Poland, Ireland and Spain.
Belgium
A good example of the changes being considered can already be found in Belgium’s Loi relative aux communications électroniques (Electronic Communications Act). This law prohibits the reading of messages communicated electronically by anyone except the intended recipient, and prohibits the identification or storage of data about the people communicating, unless a specific exemption applies. The list of exemptions is given in Article 125 of the act, and this was modified through the addition of a new clause 7. The clause 7 exemption means Belgian telcos are empowered to block a scam message based on its contents. They are also allowed to replace a dangerous URL in the SMS with a warning or with a link to another webpage that presents a warning. Here is clause 7 in the original French, with my translation below.
7° lorsque les actes sont accomplis par les opérateurs dans le but exclusif de combattre la fraude commise au moyen de messages utilisant des numéros de téléphone, comme des messages SMS ou MMS, et aux conditions suivantes:
a) les actes restent limités à l’examen mécanique des messages afin d’établir la fraude; l’intervention humaine est autorisée exclusivement pour vérifier le bon fonctionnement des algorithmes informatiques;
b) les opérateurs sont transparents vis-à-vis des utilisateurs finaux, afin qu’il soit clair pour eux que les messages sont susceptibles d’être examinés mécaniquement dans le cadre de la lutte contre la fraude;
c) les données concernées ne peuvent être traitées que par des personnes chargées par l’opérateur de lutter contre la fraude;
d) le traitement des données concernées est limité aux actes et à la durée nécessaires pour lutter contre la fraude ou jusqu’à la fin de la période durant laquelle une action en justice est possible.
7° when the acts are carried out by operators with the exclusive aim of combating fraud committed by means of messages using telephone numbers, such as SMS or MMS messages, and under the following conditions:
a) the acts remain limited to the mechanical examination of messages in order to establish fraud; human intervention is authorized exclusively to verify the correct functioning of computer algorithms;
b) operators are transparent to end users, so that it is clear to them that messages are likely to be mechanically examined in the fight against fraud;
c) the data concerned may only be processed by persons instructed by the operator to combat fraud;
d) the processing of the data concerned is limited to the acts and duration necessary to combat fraud or until the end of the period during which legal action is possible.
Poland
In September 2023, Poland passed a new law dealing with a variety of methods used by fraudsters, including the generation of artificial traffic, CLI spoofing and smishing. The legislation, which is entitled Ustawa o zwalczaniu nadużyć w komunikacji elektronicznej (Combating Abuse in Electronic Communication Act), provides telcos with two reasons to block smishing messages according to its content.
- Telcos must block any SMS message where the content matches a pattern associated with smishing per CSIRT NASK, the Computer Security Incident Response Team of Poland’s National Research Institute. They must also cease blocking of any messages when CSIRT NASK says the pattern of content is not consistent with smishing.
- Telcos may block other SMS messages if indicated by another automated mechanism for identifying smishing.
Article 26 of the new law explicitly states that telcos may process the content of SMS messages in order to satisfy their anti-smishing obligations. It also states, in the original Polish with my translation beneath:
1. Przedsiębiorcy telekomunikacyjni mogą przetwarzać i wzajemnie udostępniać informacje, w tym informacje objęte tajemnicą telekomunikacyjną, z wyłączeniem komunikatu, w celu identyfikacji, zapobiegania i zwalczania nadużyć w komunikacji elektronicznej.
2. Przedsiębiorcy telekomunikacyjni mogą przetwarzać i wzajemnie udostępniać komunikat w celu identyfikacji, zapobiegania i zwalczania smishingu oraz wiadomości multimedialnych (MMS), o których mowa w art. 9 ust. 2.
1. Telecommunications undertakings may process and share information, including information covered by telecommunications secrecy, with the exception of messages, in order to identify, prevent and combat abuses in electronic communications.
2. Telecommunications undertakings may process and share messages in order to identify, prevent and combat smishing and multimedia messages (MMS) referred to in Art. 9 section 2.
Poland’s government has given telcos a general right to share information, other than messages, to tackle the abuse of comms networks. However, they also gave telcos a specific right to share messages when the goal is to block smishing messages, as described in Article 9 of the law.
Ireland
In June 2023, the Irish communications regulator, ComReg, issued a comprehensive series of proposals for how to tackle telephony and messaging-based scams. They recommended the implementation of both a SenderID registry and automated scanning of SMS messages, even though the latter requires a change to law.
ComReg was explicit about the desire to scan the content of SMS messages.
…the SMS Scam Filter would be able to address scam SMS in real time through the use of advanced real time data analytics using Machine Learning and Artificial Intelligent techniques to detect and act upon unusual patterns of content or hyperlinks in SMS messages.
The regulator was equally explicit about wanting to reverse the current prohibition on scanning the content of messages. Their consultation looked at how the law might be changed to accommodate their goals, beginning with the observation that implementing scanning of SMS messages…
…introduces potential legal issues on the protections of end user rights in relation to interception and data protection as provided in the ePrivacy directive and the GDPR. It is ComReg’s understanding that a change to current legislation to allow for such scanning is necessary. ComReg has been in constructive and detailed meetings with the Department of the Environment, Climate and Communications in relation to these issues and the matter is currently under consideration.
Nevertheless, ComReg’s impact assessment continued on the assumption that some legal accommodation would be made to permit the scanning of SMS content, or that consumers would be given the option to forego their privacy rights by choosing to have their messages scanned.
To the extent that such legislation is not forthcoming, ComReg notes that other alternatives might be available for assessment at that time, including the implementation of the SMS Scam Filter on an ‘Opt-in’ basis.
…However, the form and manner of any forthcoming legislation may provide for “Opt-Out” or other related measures which could potentially reduce the numbers of consumers benefiting from the protection provided by the SMS Scam Filter.
Regardless of its exact form and manner, such legislation would likely enable the SMS Scam Filter to be significantly more effective at reducing scams compared to Option 1 [implementing a SenderID registry without any message scanning]… Even, if legislation is not forthcoming, a SMS Scam Filter could be introduced as an “Opt-in” process, although such an approach would likely be sub-optimal, it may still represent an improvement on the current situation.
Perhaps the strongest sign that change will occur in Ireland, despite the legal hurdles, is that ComReg included the SMS scam filter in the infographic they created for the press to summarize their overall anti-scam plan.
Spain
The news from Spain represents the most recent indication of a trend forming across Europe. Last week the Spanish government launched a consultation on how to tackle scam calls and messages with a document that asked for feedback on an unusually large number of potential controls whilst being extremely short on detail. So it was notable that more of the consultation document was devoted to the scanning of SMS messages than any of the other controls discussed. The analysis surrounding automated scanning of SMS content occupied almost a third of the entire consultation document. This was partly because it quoted at length from the same Belgian and Polish laws mentioned above.
The natural inference is that the Spanish government expects automated scanning would be an effective way of tackling smishing messages and has researched its potential more than most of the other controls mentioned in this consultation. However, they must be conscious that the method cannot be adopted with making a change to national law which is right at the limits of what can be considered consistent with the European Union’s privacy directives. Per the consultation, with my translation beneath, SMS content scanning would…
…plantean ciertas dudas sobre su posible impacto y afectación de derechos fundamentales de los ciudadanos.
…raise certain doubts about the possible impact and consequences for fundamental rights of citizens.
We often see that a domino principle applies when national authorities consider changes to the methods used to tackle the abuse of communications networks. The first country to try a new approach also takes the most risk. If several countries have already enjoyed success with a particular technique then the risk is far less. The dominos do not always topple in the best direction; selfish countries will encourage others to copy flawed methods in order to disguise failure. But generally it makes sense for governments and regulators to replicate controls that have reportedly succeeded elsewhere. Spain’s interest in the Belgian and Polish adoption of SMS content scanning reveals a belief that the same method would also yield benefits in Spain, but also highlights the locus of risk. Any concerns about technical feasibility are minor compared to the legal and political risks associated with scanning the content of SMS messages.
The public may fear that the goal of consumer protection will be treated as the thin end of a wedge that is used to progressively undermine the right to privacy. Even if the public is generally supportive of European governments changing their laws to allow SMS scanning there remains the possibility of a successful legal challenge if an amendment to national law conflicts with European Union directives or the European Convention on Human Rights. That is why Spain and other countries will look closely at the experience of Belgium and Poland before deciding whether they will also have machines that scan SMS messages for fraudulent content.



