It was a bad joke, if a long-running one. As the mobile phone boom took off in the early 1990s thousands of Irish people bought analogue mobiles and used them with the same assumption of confidentiality as they used the fixed-line telephone.
In fact, their conversations on these old 088-prefix phones were being broadcast in plain speech like a sort of two-way radio station. Anyone with a couple of hundred pounds to spend on a scanner could listen in. Often the listeners could not believe their ears as they heard loving endearments, business deals and family rows on the air.
Another risk was that analogue phones also broadcast their identification numbers in over the air. Criminals could (and did) easily capture those identifiers and build them into "clone" handsets. Calls made on those handsets were billed back to the legitimate phone owner.
The only saving grace for callers was that casual eavesdroppers could not reliably pick up the same phone again and again. The scanning receivers would hop across the range of frequencies used by phones, and could not pick out one phone deliberately. This gave a measure of security through obscurity, but that was about all the security on offer.
ALL of this changed with the arrival of digital mobile phones with 087 and 086 prefixes. The GSM (groupe speciale mobile) standard of the new phones was an international one, so an Irish GSM phone could be used in other European countries and as far afield as Hong Kong and Australia. Better still, the standard had been developed with security in mind and users were assured that their calls were safe from interception and that their phones could not be cloned.
These assurances seemed rock solid until the past month.
First, two RTE reporters who had uncovered wrongdoing at National Irish Bank were alleged to have been put under surveillance. Their mobile phones were reported to have behaved strangely, with dropped calls and unusual interference on the line. Anonymous private detectives were quoted as saying that equipment costing about £40,000 could be used to emulate the base station through which a mobile phone places calls, overriding the encryption which normally protects GSM calls by scrambling the contents.
Garda contacts are said to have advised the RTE reporters to switch from ordinary GSM phones to the "Christmas present" variety - phones sold off the shelf with prepaid call credits - so that billing records could not be used to find out who the reporters had been calling.
Second, US researchers announced that they had cracked the encryption used to protect the identity of a GSM mobile phone - opening up the sort of cloning nightmare that had plagued analogue phones. The researchers at the Smartcard Developers Association (SDA) and the University of California were scathing about what they had found.
"As shown so many times in the past, a design process conducted in secret and without public review will invariably lead to an insecure system," SDA director Marc Briceno said on the SDA Website. He was repeating a frequent statement by encryption experts: an encryption system can only be trusted as strong if its methodology is published for all interested parties to test it.
The SDA statement also says it found evidence that the security of GSM phones against eavesdropping had been deliberately weakened. It said the A5 cipher had a key size of 64 bits, but that the last ten bits had been set to zero, reducing the key size to 54 bits and making the cipher much less secure. "The only party who has an interest in weakening privacy is a national surveillance agency," said Briceno.
The third worry about GSM security dates back further. Since a mobile phone is effectively a small radio station, its signal makes its user's location trackable. Not many people were concerned when the fugitive US hacker Kevin Mitnick was arrested thousands of miles from home after police homed in on his mobile phone signal. But early this year it emerged that authorities in Switzerland had been using this principle not to catch criminals but to keep tabs on all their citizens. The locations of all mobile phones were being logged by the network. A regime similar to the electronic tagging of criminals was being applied to everyone who owned a mobile phone.
Ireland's two mobile network operators say they have full confidence in the security of GSM calls. Esat Digifone's technical director, Paul Craig, said it was not company policy to discuss its specific network security, but he said there was "no real evidence that the GSM SIMs are anything but secure". He discounted reports of expensive equipment being available to eavesdrop on conversations. "We use this sort of equipment for our own operational work and I can assure you we know the technical limitations of what's out there."
Staff at Eircell were more willing to discuss the technical issues. In response to emailed questions, Olivia Dobbs said all Eircell mobile calls were encrypted with full 64-bit keys, except for calls to emergency services where the phone did not contain a SIM card. Using a false base station was "theoretically possible" but this had never been demonstrated to any of the 260plus GSM operators worldwide and would be "very difficult" because the on-air identity of a mobile phone is changed from call to call.
She doubted the accuracy of the US reports that a SIM's identity had been cracked. "Even if true, this does not represent a significant breach of security for GSM" since it had been done only with physical possession of the SIM card. "Eircell considers all customer records as highly confidential," she said. Access to billing records within the company is on a need-to-know basis and staff sign confidentiality agreements. The company could provide unitemised bills and would work to try and help customers who needed even more privacy.
Some information on phone location is gathered by the network as part of the billing process, which records in which network cell a call was made. This data was protected by telecommunications legislation which required legal steps to be taken before it could be released.
Finally, Eircell emphasised that customers should set a personal password on their Playback voice-mailbox as soon as they got their phones. "We are completely confident about the integrity of security of GSM."
Across the Atlantic in New York CCS International, which operates the Counter Spy Shops in London, New York and other cities, disagrees. Not only does it sell equipment for this purpose to authorities such as police forces, it offers seminars on the subject. One staff member said "yes absolutely" when asked if GSM calls could be intercepted. The equipment cost about $100,000, (£71,000) had been used successfully and in some cases worked by emulating a base station and instructing a GSM handset to drop A5 encryption.
These points are far more than academic ones for electronic civil-rights activists or criminals who (naturally) want to escape the consequences of their actions to worry about. The questions of security and confidentiality are relevant to business people whose success may depend on easy and confidential contact with those they deal with. They are relevant for journalists who rely on contacts to want to provide information but cannot risk their livelihoods to do so. They are relevant too for doctors and lawyers who want to provide an efficient service while on the move but have a duty of confidentiality to their clients. Outside of any professional need for confidentiality, everyone should be able to expect that they can use a modern phone without having their conversations overheard, the numbers they call disclosed, or their movements tracked.
Ironically, the collateral threats to privacy - having the destination of calls recorded, or being physically tracked - are directly related to the intelligence built into the GSM network. The network has become smarter to serve us better, but part of the price we pay is to add to the wealth of information generated about us over which we have no control.
In many ways the issues which have now been raised over GSM security (against eavesdropping and theft), and privacy (against call logging and movement logging) are a parable of our times. Consumers are being asked to put their faith in an international standard which had not been tested by anyone except its designers, since the security provisions are kept secret. Even if the security systems work and protect conversations, the information gathered in using the service can infringe privacy and could be used by government agencies to spy on all of us in order to spy on some of us.
Today the issue is mobile phones. Tomorrow it will likely be medical records, financial records, tax affairs, census data, results of public examinations. As more and more of the details of our lives are recorded electronically we will be asked to put increasing faith in electronic systems to protect the information and in the people who operate those systems.
Encryption, privacy and data security are becoming as important to modern citizenship as the constitution, the legislature and the courts.