Minister Blümel's Ominous De-Anonymization Software

    18. April 2019, 16:55

    The Austrian government wants to use a service called Mobile Connect to eliminate anonymity on the internet. But the way the software works not only conflicts with the draft law – it could also violate the Austrian Telecommunications Act.

    You can read the German version here: Minister Blümels ominöse Software zur De-Anonymisierung

    If the Austrian federal government has its way, the planned end of internet anonymity will likely entail the use of a service that several of the country's mobile communications providers, including A1, T-Mobile and "3", intend to launch next year. Called Mobile Connect, the service is aimed at making authentication possible -- and not just in online forums. Reporting by STANDARD, however, has uncovered legal barriers that could stand in the way.

    On April 10, the government presented plans for a new law that would require internet forum participants to provide their real identities. Forum operators would then be required to pass that data on to the authorities if an investigation were to take place -- or even to private individuals in cases of civil suits filed in instances of insult or defamation.

    Practically, users would have to provide their name and address to the operators of platforms where they post, and operators of those platforms would be required to ensure that the data provided is valid. According to the draft law, it would be left up to the providers to determine how that verification process works. Media Minister Gernot Blümel of the conservative Austrian People's Party (ÖVP) explained in an interview with public television station ORF that there are "technical possibilities where software can run on the backend that can immediately identify: Does the registered mobile phone number match the name and address or not?"

    Mobile Connect in Development

    Blümel declined to provide more precise details, but information obtained by STANDARD indicates he may well have been referring to software that was central to considerations made during the drafting of the law. The service is called Mobile Connect and, according to a source familiar with the matter, it is slated to launch next year, possibly in September. The draft law requiring forum participants to reveal their true identity is set to go into effect in autumn 2020.

    Austrian broadcasting authority RTR has convened a working group with mobile operators and providers reviewing possibilities for implementing the service, as the agency confirmed when contacted by STANDARD. "The background behind the initiative is a request from A1 to discuss the roll-out of Mobile Connect with interested parties in a workshop," the agency added. RTR wants to ensure through the measure that A1's competitors also participate in Mobile Connect.

    The service, created by GSMA, an association representing the interests of mobile operators worldwide, allows users to use their mobile phone for authentication as an alternative to a normal log-in. Users provide their mobile phone number and then receive a link via text message. The respective network provider and the platform operator then receive confirmation that the user is actually the person in question. Taken together with a normal log-in, this enables two-factor authentication, since those accounts can only be verified once both steps have been taken.

    A Registration Obligation Without an Address

    The authors of the draft law, called "Diligence and Responsibility on the Web," believe the service could play a key role given that SIM cards have been subject to mandatory registration since the beginning of the year in Austria. Those using prepaid SIM cards are required to clearly identify themselves with a photo ID before they can begin using them.

    Hints that draft law authors were focused on Mobile Connect are also provided by earlier drafts of the legislation, which contain several precise specifications that correspond to the service's parameters. In one instance, for example, there was a mention of the kind of identification number issued by the service. Though the current draft leaves the choice up to providers, the annotation that goes along with the draft law refers to confirmation by mobile phone number and two-factor authentication. In addition, a "cooperation with the operator of the telephone service" is proposed "if necessary."

    Implementation of the proposal could, however, prove problematic given that the SIM card registration requirement stipulates that a legal ID must be provided, but that only includes a person's first and last name, their participant number and their academic title -- and not the user's address.

    A Violation of the Telecommunications Act?

    The law would also require platform operators to maintain a user database including personal information about users due to the obligation that they pass information to authorities in the case of an investigation. In order to confirm the validity of the data, it would have to be compared with the data held by mobile operators. That, though, could violate Austria's Telecommunications Act (TKG), according to an analysis performed by the law firm Windhager.

    The TKG stipulates that master data -- such as name, address and date of birth -- may only be used for specific purposes, such as billing. The annotation of the draft law explicitly states that the TKG does not permit the disclosure of data to private individuals and that the draft would not change that. That, too, seems to indicate that Mobile Connect had been part of initial plans.

    Other methods that could potentially be used include requiring users to provide operators with their legal ID as well as a copy of their address registration with the local authorities (in Austria, all residents are required to register their home address with the authorities). However, it remains to be seen how implementation will work. What happens, for example, in instances of frequent address changes? The draft does not, for example, specify how frequently operators have to check the validity of the data in their possession.

    Thomas Lohninger of the civil rights group Epicenter Works in Vienna criticized the draft law in remarks made to STANDARD. "It is remarkable how little thought has gone into this," he said. He also warned that large discussion forums might have to be shut down because adherence to the law would be too expensive for them to implement. (Muzayen Al-Youssef, 18.4.2019)

    • Blümel wants to decrease anonymity on the Web – an upcoming software by the telecoms industry is viewed as the ideal tool to ensure that.
      foto: apa/helmut fohringer
