The UK government plans to introduce new legislation to ban SIM farms, which it views as a widely abused means for carrying out cyber fraud.

Upon introduction of the criminal offense, violating it will incur a penalty of an unlimited fine, the government said.

SIM farms are defined as devices that can hold four or more SIM cards while having the ability to make phone calls and send texts. They are often associated with groups that send spam texts and other types of bulk messages to scam people.

The devices offer organizations a cheaper way to send bulk SMS messages than normal application-to-person (A2P) messaging services, which are used by businesses to send SMS messages to customers, all with little to no identity verification process. 

"The new offense will mean criminals are no longer able to obtain SIM farms and similar technologies to commit fraud," said security minister Tom Tugendhat. "This will give police additional tools to disrupt the vile criminals that target the UK public."

The promise of a SIM farm ban came in the government's Fraud Strategy, published in May, as did a review into mass text aggregators and the introduction of new powers to take down fraudulent websites, among others, all by the end of the current parliament (January 2025).

While the anti-fraud, anti-scam angle was front-loaded in this week's announcement, there exist other reasons why the government would want to put an end to SIM farms. 

As noted in the government's original consultation proposal, due to the way in which SIM farms are constructed, they can make the jobs of law enforcement trying to intercept and decode communications data more difficult.

SIM farms, constructed with devices such as SIM boxes that hold multiple SIMs per box, essentially scramble the data being sent to and from the user - like a VPN for mobile comms. 

They were especially popular in the 1990s and 2000s when mobile call rates were much higher, offering cheaper calls than direct services, leading network operators to call for their ban.

Those calls were eventually met and SIM farms, or commercial multi-user gateways (COMUGs) as they were known back then, were indeed banned by Ofcom in the 2000s.

The technology has irked the Home Office for years. When Ofcom overturned its ban on SIM farms in July 2017, it promptly ordered the communications regulator to reinstate it just two months later, citing national security concerns.

The order issued by then-security minister Ben Wallace would ultimately be ruled by the UK Court of Appeal as the government acting ultra vires (legalese for acting beyond its legal powers) and invalid.

The Supreme Court then got involved [PDF] earlier this year, overruling the Court of Appeal and allowing the government to reintroduce the ban, hence the announcement this week.

How the consultation helped shape the new ban

One of the main issues quickly highlighted by responses was the government's definition of what a SIM farm was. Importantly, the government didn't originally account for legitimate SIM farm uses, which in some cases are used by emergency services to enable critical communications or send emergency alerts to the public.

Other legitimate uses include Public Electronic Communications Networks (PECNs), which are used to assess and maintain network security and resilience, and transport operators offering public Wi-Fi on trains, buses, and other modes of transport by switching between carriers that offer the best service in a given location.

Broadcasters are also known to use multi-SIM devices in specific areas of program making, but these devices aren't capable of making calls or sending text messages so don't really apply here anyway.

"Our primary objective is to stop criminals accessing SIM farms - it is not our intention to disrupt legitimate business or hinder technological development in the UK," the government said in its response here. "For that reason, we will ensure that the definition of SIM farms takes into account the concerns raised.

"In particular, our definition will capture devices that contain or incorporate five or more physical SIM cards for the purpose of making calls and/or sending SMS texts. However, we will exempt any data-only devices that are not capable of making calls or sending texts. We will ensure that a ban includes a defense for legitimate uses that will mean that legitimate businesses possessing or supplying SIM farms are not adversely affected, such as the broadcast and transport industries. It will also not apply to the Crown."

Some suggested that a ban on physical SIM farms would lead operators to establish eSIM farms instead, though the government felt there was insufficient evidence to include a provision for eSIM farms in the proposed ban. Plus, there was broad support for adding powers in the legislation for the Secretary of State to add further items to the list of banned technologies, which if passed could allow other hardware to be sanctioned even if it isn't covered in the original draft.

The vast majority of respondents to the consultation disagreed with every aspect of the government's plans to ban the manufacture, import, sale, hire, possession, and/or use of SIM farms. Alternative suggestions included a licensing program for legitimate use cases, and greater responsibility placed on network operators to scan for fraudulent activity, blocking messages or alerting users when it's detected.

"Our view is that a criminal offense would be more proportionate in line with the criminal nature of the activity that SIM farms can facilitate, and that licensing would actually be more burdensome for businesses than an exemption for legitimate uses," the government said in response.

It went on to acknowledge a ban "may not be fully effective in preventing criminals from accessing and deploying SIM farms," but would give law enforcement extra powers to detect and disrupt their use. Police would also benefit from "further investigatory opportunities" that could lead to crackdowns on other crimes enabled by SIM farms, like fraud and money laundering, it added. ®

https://www.theregister.com//2023/11/29/uk_sim_farm_ban/