On 15 June 2022 Poland published a draft law aimed at preventing abuses in electronic communication. The draft law that is now subject to public consultations is response to a growing practical problem of abuse cases with use of so-called CLI spoofing and "smishing" that Poland faced in particular in 2021.
According to the draft law, the telecommunications undertakings will be required to take "proportionate technical and organizational measures" in order to prevent and combat abuses in electronic communication. The draft law does not provide in greater detail what measures shall be used.
The list of abuses in electronic communication that are prohibited is open and will cover in particular:
1) initiating the sending or receiving of electronic messages or voice calls in a telecommunications network with the use of telecommunications devices or software, the purpose of which is not to use a telecommunications service, but to register them at the connection point of telecommunications networks or through billing systems ("artificial traffic");
2) sending short text messages (SMS), in which the sender impersonates another person in order to persuade the recipient of that message to take a specific action, in particular the disclose personal data, unknowingly dispose property, redirect to a website, request telephone contact or software installation ("smishing");
3) unauthorized use by the user calling the voice call with the address information indicating a person or organizational unit other than that user, used to impersonate another entity in order to persuade the recipient of this call to take a specific action, in particular the transfer of personal data, unknowingly disposing of property or installation software ("CLI spoofing").
On the basis of short text messages (SMS) received from recipients, CSIRT NASK monitors the occurrence of smishing and based on that monitoring, creates an exhaustive smishing messages pattern. CSIRT NASK provides information on the occurrence of smishing, via the ICT system, to the Police Commander in Chief, the President of the Office of Electronic Communications and to telecommunications undertakings, along with a message template with the features pattern. Under the draft, the telecommunications undertaking, upon receipt of the above information will be obliged to:
1) immediate blocking of short text messages (SMS) containing the content reflected in the message template as disclosed by CSIRT NASK, with the use of an ICT system that allows automatic identification of short text messages (SMS);
2) to stop blocking short text messages (SMS) in the event of obtaining information that the content reflected in the message pattern is not smishing or it is pointless to further block short text messages (SMS) containing such contents.
In order to prevent and combat "CLI spoofing", the telecommunications undertaking shall block the voice connection or hide the calling number identification from the end user. The UKE (Polish telecommunications regulator, Urzad Komunikacji Elektroincznej) will hold a list of telephone numbers used only for answering voice calls, and makes it available in the Public Information Bulletin on its website. In order to include a number on the above list entities from the public finance sector, as well as banks, will be authorized to notify the UKE about the telephone numbers used in its operations. What is important, the telecommunications regulator, at the request of a telecommunications undertaking, shall make an entry in the above list only for numbers used by the telecommunications undertaking for the purpose of customer service office or as a hotline.
What is also interesting and may be important for some e.g. hosting services providers, provider of email services for (i) at least 500 000 users or (ii) for a public entity, or 3) supporting at least 500,000 active e-mail accounts, is required to use the SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication Reporting and Conformance) and DKIM (DomainKeys Identified Mail) mechanisms. From a business perspective it may be crucial for some providers that the public entities will be obliged to use only electronic mail that is protected by the mechanisms described above.
The above changes will also trigger significant financial sanctions in case of non-compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
