Telcos claim innocence in Ukraine’s threatening text messages

On Tuesday, a new law went into effect imposing harsh penalties for “extremist activity” and limiting the rights of Ukrainians to protest. That same evening, those in the vicinity of the ongoing clashes between police and protestors received a text message reading, “Dear subscriber, you are registered as a participant in a mass disturbance.”

The text message is the latest in a series of actions that protesters say are intended to intimidate opposition to the sitting government. Over the past three days hundreds have been hurt in demonstrations as violence between protesters and authorities has escalated.

While governments have used real-time telco data to covertly track down activists in the past, this recent incident in Ukraine was perhaps the first time we’ve seen location tracking combined with overt, digital threats to protesters exercising their rights to free assembly and expression. Whoever sent these messages violated the recipients’ rights, and if a telco was involved, they must take immediate steps to help redress these violations.

Telcos facilitate intimidation?

Ukraine has three main cell phone services providers: Kyivstar, the largest, is a brand of Amsterdam-based Vimpelcom (Norway’s Telenor owns nearly 43% of Kyivstar’s parent company Vimpelcom). Second in market share is MTS-Ukraine, a fully-owned subsidiary of Russia’s Mobile TeleSystems, and the third is life:), a brand of the Ukrainian company Astelit.

Kyivstar has denied that it shared location or subscriber data with the Ukrainian government, attributing the text messages to a “pirate” cellular transmission. The two other major carriers have similarly denied any involvement with the messages.

It’s probable that Ukranian security forces have the technological capability to track mobile phones in real time based on their location, as well as send the messages in question. The Wikileaks Spy Files report that Altron, a Ukrainian company, advertises a device that is capable of deploying a secret local mobile network that can covertly identify phones in a given area and send them text messages. Altron lists the Ukrainian Ministry of Defense, Ministry of Internal Affairs, Security Service of Ukraine, as well as many local telcos among their clients.

Speaking to Mashable, security expert Ashkan Soltani supported the idea that a similar device — an “IMSI catcher” — may have been used to capture Ukrainian users’ International Mobile Subscriber Identity (IMSI) to send them intimidating text messages. Every mobile phone’s SIM card has a unique IMSI, which is regularly recorded by the network as part of normal network operating practices. However, the IMSI can also identify and track users, as Ukraine is one of many countries that requires users to register and provide personal information, like their home address, when they purchase a SIM.

Steps toward remedy

With questions still open about exactly who was responsible for the messages, it;s time for the Ukrainian telcos to clear the air. They must fully investigate their network logs and other relevant data in order to shed light on any role they may have played, even inadvertently, in sending the text messages designed to intimidate protesters.

If it turns out that the telcos’ services were involved, the telcos must provide the people who received the messages with ‘effective access to remedies.’ This means that the company should notify users that the company is aware of and investigating the incident; make a public explanation of any investigation’s findings; and conduct an internal review of relevant policies and network vulnerabilities to ensure this doesn’t happen again. Access describes these and other remedies at length in our report, Forgotten Pillar: The Telco Remedy Plan, a key document on the implementation of the Third Pillar of the U.N. Guiding Principles on Business and Human Rights in the telecoms sector.

We believe that telcos must integrate respect for human rights into their operations. Therefore, we call on Ukrainian operators to uphold domestic law as well as international human rights standards — particularly during this period of unrest. If Ukrainian authorities request telcos to provide location data or other subscriber information, telcos must insist that proper legal procedures are followed, and take the necessary steps to uphold international human rights norms as detailed in the Telco Action Plan. Any government request that may restrict the privacy, access to information, or free expression and assembly rights of users should be strictly reviewed to ensure it adheres to international human rights law and norms.

Abuses of user rights aren’t always as obvious as this one, with a mass text message directly threatening protesters’ privacy, free expression, and assembly rights. That’s why it’s crucial that telcos in the Ukraine and elsewhere take care to address this blatant violation, in order to demonstrate zero tolerance from telcos around the world going forward.