Critique of GSM Data Protection Directive R(95)4

29 December 2009. GSM A5 Files Published on Cryptome
1 November 1998
Source: Christian Masson
[To: Christian Masson]

Thanks for your information. It's very interesting. What do you think 
about our recommendation R(95)4, that has become a Directive of the EC?

Spyros Tsovilis
Section protection des données/Data Protection Section
Direction des Affaires Juridiques/Legal Affairs Directorate
Conseil de l'Europe/Council of Europe

http://www.coe.fr/dataprotection



[To: Spyros Tsovilis
From: Christian Masson
Date: Fri, 23 Oct 1998 02:32:29 PDT]

REF.: RECOMMANDATION (95)4
http://www.coe.fr/dataprotection


Sir Spyros,

Thanks for yr interest,

2.
All the time violated. E.g. France telecom got one authorization
and placed it in an access node (trunk in central, B-ISDN line
in central, main server TCP/IP in France Telecom,...) and so taps 
simultaneously 10,000 lines. (Source: CNIL, Mr. Drouard.)

2.2
Impossible and never applied.
Slot time GSM test is indirect tapping. Idem for gonio,
real time tapping. Anonymity in telecom system is impossible.
E.g. Swiss Natel Easy (anonymous GSM), except the first time,
leads sooner or later to the automatic tapping system: 
Cd-Cg P, CLIP, Forcer Identication, internal billing system,
PLU/back-up, words/voice recognition system, public phones automatic 
tapping system (airport, center of great town,...).

2.2
A wish, never applied.
(Strasbourg 81, STE, no 108, art. 8 CEDH,...) is impossible to be 
applied. There are actually too many automatic tapping system:
word(s) recognition, CLIP calling identification line system,
Called-calling Parties (Cd-Cg P), billing systems, trap, others
automatic identification system, public phones tapping,...

7.2
All billing information is kept 6 months-10 years. 
No effective control on back-ups (and back-ups of back-ups).

7.4
A wish. Actually EDVT electronic directory in public phones are tapped
by Swisscom. It's the same with others public electronic directory 
(Minitel, France Telecom telematic web directory,...) 

7.10
7.11
For me, commercial profile is public life.

7.16
7.17
Impossible, if customer can cancel (e.g. *31 or ask for operator)
the identication of their number; police, urgence, telecom... 
have all time the number: FORCER IDENTIFICATION SYSTEM, NORA,...  

7.19
Called-Calling Parties, CLIP,...: filters are impossible.
The last step (judge,...): yes  

7.20
In France and Belgium, each crypto system must be (quickly) breakable.
In others countries, crypto's freely available but also must be (slowly) 
breakable, http://www.crypto.ch. The length of crypto key means nothing 
(under 2100 bits). The illusion of protection helps generate profitable
interceptions.

7.21
Wrong and impossible.
Each GSM generates a cell trace. Each back-up & PLU is actually
freely accessiblefree for each GSM operator. CNIL suggests a European 
harmonization for it. For each GSM call, the originating cell is 
recording with a back-up and followed by cell/PLU trace/GSM in stand-by)
all the time and for each GSM. It's a real and massive problem.

  Phil Karn [Qualcomm Scientist/Cryptographer]: 
  "Cellular registration is one of the most problematical privacy 
  issues in modern telecommunications." 

In conclusion, this recommendation is contradicted by Enfopol 
(illegal but effective) ETSI tracing equipment recommendations
and the actual practice of interception.

A recommendation is not a law. Without technical control, it's a joke.

Pls, do not hesite to contact for any remarks,

Regards,


Christian Masson