Radio nerd who sipped NHS pager messages then streamed them via webcam may have committed a crime



Our old friend the Investigatory Powers Act says so


A radio electronics geek has been caught eavesdropping on NHS medics’ pager messages, translating the signals into text while broadcasting them on the internet via a publicly available webcam stream – possibly committing a crime in the process.

Security researcher Daley Borda said he found the video stream by chance. The webcam was pointed at a computer monitor displaying decoded pager messages containing “details of calls” made by NHS and ambulance service dispatchers to on-call medics.

“You can see details of calls coming in — their name, address, and injury,” Borda told TechCrunch on Wednesday.

The radio eavesdropper had set up what’s believed to be a software-defined radio rig to receive and display the unnamed NHS trust’s pager messages, exploiting the fact that the antiquated technology behind the UK’s remaining pager deployments sends messages without any encryption at all.

We’re told the nerd’s ISP had alerted him to his unsecured internet-facing webcam, accessible via a public IP address, which he then shut down.

A pint of IPA

Regardless of whether he’s broadcasting it online or not, what the radio snooper was doing is illegal. Airband scanners are not in themselves illegal, and listening to published frequencies (like Radio 4 or Classic FM, or other light entertainment stations) is perfectly legal. Using tech to turn machine-readable messages into human-readable messages is a grey area depending on who you’re listening to. It is, however, a criminal offence under both the Wireless Telegraphy Act 2006 and the Snoopers’ Charter (aka the Investigatory Powers Act 2016, or IPA) to eavesdrop on messages that are not intended either for the public or for you personally.

Tech lawyer Neil Brown of decoded.legal told The Register: “It seems unlikely that the person who did this has the right to control the operation or use of the system, or had the consent of the person who had that right, so the defence under section 3(2) [of the IPA] would not apply.”

As for intercepting messages, Brown told us the criminal offence “includes ‘monitoring transmissions made by wireless telegraphy to or from apparatus that is part of the system’ while the communication is being transmitted, to make the content of the communication available to someone who is neither sender nor recipient”, summarising by saying: “From the screenshots in the TC article, it looks like content is being made available to anyone viewing the webcam stream.”


Just to reassure those unfortunate members of society who do not listen to Classic FM or Radio 4, Brown added: “Accidentally stumbling across the frequency on which the BBC is broadcasting The Zoe Ball Breakfast Show is not a criminal offence, even if, as a listener, you feel like you are being punished for something.”

Ofcom, despite gentle prodding, refused to comment, saying only that nobody had complained about this particular act when The Register rang up to ask. Despite its curious silence, the spectrum regulator admits on its website that it is responsible for this area of law and policy and even states that “using radio equipment to listen in is an offence, regardless of whether the information is passed on.”

The Radio Society of Great Britain, which represents amateur radio hobbyists, did not respond to a request for comment. The society encourages all its members to abide by the International Amateur Radio Union’s ethics and operating procedure document. Among many other things, that states: “In most countries the authorities do not care in detail how hams behave on their [radio] bands, providing that they operate according to the rules laid down by the authorities.” ®
