On June 15, 2022, Poland announced a bill aimed at combating abuse in electronic communications. The bill responds to the growing number of abuse cases involving identity theft, CLI spoofing and smishing that Poland has faced, particularly in 2021.
As the bill reads, once the new law is enacted, telecommunications companies will be required to take “proportionate technical and organizational measures” aimed at preventing and combating abuse in electronic communications.
The prohibited abuses in electronic communications will cover in particular:
1) initiating the sending or receipt of electronic messages or voice calls in a telecommunications network, using telecommunications devices or software, where the purpose is not to use a telecommunications service but to have the traffic registered at the interconnection point of telecommunications networks or in billing systems (“artificial traffic”);
2) sending short text messages (SMS) in which the sender impersonates another entity in order to persuade the recipient to take a specific action, in particular to disclose personal data, unknowingly dispose of property, visit a website, call a contact number or install software (“smishing”);
3) unauthorised use, by a user making a voice call, of address information (calling line identification) indicating a person or organisational unit other than that user, in order to impersonate another entity and persuade the recipient of the call to take a specific action, in particular to disclose personal data, unknowingly dispose of assets or install software (“CLI spoofing”).
Based on SMS messages forwarded by recipients, the Computer Security Incident Response Team “NASK” (CSIRT NASK) monitors the occurrence of smishing and, on that basis, creates a comprehensive pattern of the smishing message. CSIRT NASK provides information on the occurrence of smishing, via an ICT system, to the Commander-in-Chief of the Police, the President of the Office of Electronic Communications (UKE) and telecommunications companies, together with a model message and a model of its characteristics. On receipt of this information, a telecommunications company is required to:
1) immediately block SMS messages whose content matches the message pattern disclosed by CSIRT NASK, using an ICT system that allows automatic identification of such messages;
2) stop blocking such messages if it receives information that the content matching the message pattern is not smishing, or that further blocking of SMS messages containing such content is unnecessary.
In order to prevent and combat CLI spoofing, the bill requires the telecommunications company to block the voice call or to hide the calling number identification from the end user. UKE (the Polish telecommunications regulator) will maintain a list of telephone numbers used only for receiving voice calls and publish it in the Public Information Bulletin on its website. Because the numbers on this list never originate calls, any call that presents one of them as its calling number can be treated as spoofed and blocked or anonymised by the operator. Entities in the public finance sector, as well as banks, will be permitted to submit the telephone numbers used in their operations to UKE for inclusion on the list. Importantly, at the request of a telecommunications company, UKE will list only numbers used by that company for customer service or hotlines.
An email service provider that (i) serves at least 500,000 users, (ii) serves a public entity, or (iii) supports at least 500,000 active email accounts is required to use SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance). From a business perspective, it may be critical for some providers that public entities will be required to use only email protected by these mechanisms.
Non-compliance with the above obligations will also carry significant financial penalties.