Revealed: How HMRC has been quietly building surveillance capabilities

Is HMRC using IMSI-catchers to monitor mobile phones?

HMRC quietly acquired “data collection” equipment for surveillance, from controversial IMSI-catcher manufacturer Cellxion, as far back as 2021.

IMSI-catchers are invasive mobile surveillance tools that simulate phone towers. Devices in the area unwittingly connect to the IMSI-catchers, whereby unique information – such as a device’s international mobile subscriber identifier (IMSI) number – is logged, alongside precise geographical locations at the time of interception. Phone call and text message metadata can also be exposed, with some equipment capable of intercepting the content itself.

The contract with Cellxion began in 2021 with the procurement of a “surveillance system” worth £330,460. This was required to “upgrade” its “existing capabilities”, indicating that HMRC might have had similar equipment in the past.

Cellxion provides “cellular intelligence gathering and geolocation tools”, with past clients including the Metropolitan Police and Avon and Somerset Police. The company is well-known for its IMSI-catchers, which it has exported worldwide.

Ordinarily, public authorities publish detailed payment records relating to public procurement. However, HMRC did not disclose any payments relating to Cellxion until June 2025 – more than four years after it signed the contract – when it paid £102,000 to the company for software licences.

According to the contract, the equipment was installed in vehicles by Sonic Communications, another spytech company that specialises in technical surveillance. This is a common practice for the installation of IMSI-catchers, although they can also be carried in backpacks or mounted in a fixed location.

Using IMSI-catchers would allow the agency to conduct covert surveillance of tax fraud targets and criminal suspects, mapping their locations and building social network maps of people they come into contact with. The most obvious target for this is serious organised crime groups.

A leaked marketing brochure from 2017 highlighted the capabilities of Cellxion’s IMSI-catchers, including geolocation, voice call and SMS interception, alongside acquisition of up to 1,500 devices per minute. In recent years, it has also developed capabilities for 4G and 5G, according to its listing at the Home Office’s Security & Policing 2025 expo.

Freedom of information disclosures to Computer Weekly indicated that HMRC would “neither confirm nor deny” if it had procured IMSI-catchers from Cellxion, nor would it reveal information on data protection assessments.

The authority also added that information relating to the commercial relationship between HMRC and Cellxion cannot be disclosed as it would prejudice the prevention and detection of crime.

“Such information would be a valuable asset to those seeking to attack the tax system, allowing them to amend their activities in order to avoid detection,” the tax authority said.

What legal framework do IMSI-catchers operate under?

These same exemptions were upheld in Privacy International’s tribunal challenges against the various police forces that refused to confirm or deny the use of IMSI-catchers on the general public.

The digital rights group wrote to the investigatory powers commissioner, Brian Leveson, to clarify the legal frameworks under which IMSI-catchers can be used by law enforcement. The commissioner’s position was that a law enforcement agency would require a “targeted equipment interference warrant issued under Part 5” of the Investigatory Powers Act.

This is consistent with a section of the Cellxion contract, which laid out the requirement for HMRC to “upgrade their existing capability on the targeted equipment interference”, that this technology operates under the same legal framework as an IMSI-catcher.

Peter Sommer, a digital evidence expert witness, told Computer Weekly that he believes the technology is indeed an IMSI-catcher.

“Given how long IMSI-catchers have been around, it would be truly surprising if investigatory bodies like HMRC were not using them,” he said. “The most sophisticated models can not only spot cellphone activity, but can backtrack to their precise location, something that regular cell site analysis equipment cannot do.”

Sommer added that most warrants for targeted equipment interference are approved for intelligence gathering as opposed to direct evidence in court.

HMRC is one of the few law enforcement agencies that can conduct communications interception, alongside the police and intelligence services.

This capability has helped the tax authority fill “key gaps” in domestic communication data and content interception that MI5, MI6 and GCHQ are unlikely to cover, according to files leaked by Edward Snowden in 2013.

One document concluded that HMRC was “developing requirements” for “domestically focused collection” where the strategic solutions – referring to mass interception conducted by the intelligence community – are inadequate.

US and Germany more open about IMSI-catchers

Considering HMRC’s wider role within the intelligence gathering apparatus, it is likely that its surveillance equipment could be used to gather intelligence for law enforcement and spies.

Ilia Siatitsa, programme director and senior legal adviser at Privacy International, spoke about similar patterns in how the police and HMRC have refused to answer questions about IMSI-catchers.

“It’s the same company [the police used], and the ICO [Information Commissioner’s Office] decision mentions the same legal framework. There’s also the same practice of refusing to confirm or deny. It’s disappointing; other governments have, which is strange to me why the UK won’t.”

Those other governments include the US and Germany, with the latter even revealing how often they were used without any risk to law enforcement’s ability to function.

“It’s a question of transparency and rule of law; we can’t understand if we don’t know. The fact of not knowing also has an immense psychological impact on people, who will change their behaviour. It’s a chilling effect on the freedom of assembly, so not knowing is a major gap in the rule of law and oversight,” Siatitsa said.

She continued that the relevant warrants can also be used for interference of equipment in a broad geographic area: “We consider the thematic warrants to be bulk surveillance.”

These warrants, also referred to as subject-matter warrants, cover the interference of equipment belonging to a particular person, group of people, organisation, or in a particular location. This is one of the main concerns with the use of IMSI-catchers, which can target all individuals in an area rather than just the target. Without knowing the specifics of the warrants granted, it’s not known if innocent people could be caught up in the surveillance.

In response to questions about its use of targeted equipment interference, HMRC said: “It would be wrong to claim that our work to tackle tax fraud and evasion is invasive surveillance on ordinary taxpayers. Our powers are subject to the many safeguards referred to [see full HMRC response below] and are necessary to tackle criminality that would otherwise deprive the public of money needed to fund public services.”

Identifying the scale and specificity of HMRC’s targeted equipment interference warrants, even outside of the use of the Cellxion technology, is near impossible due to tightly imposed restrictions on transparency.

HMRC has activated the Investigatory Powers Act 2016 (IPA) more than 20,000 times since 2020, according to figures disclosed to Computer Weekly through the Freedom of Information Act. The IPA regulates the use of intrusive surveillance, such as communications interception.

HMRC would not, however, reveal how often it used targeted equipment interference as this would “indicate a departmental investigative strategy”.

While the Investigatory Powers Bill was being drafted in Parliament in 2016, Simon York, director of HMRC’s Fraud Investigation Service, told the joint committee: “Almost 100% of our [communication data] requests were in relation to preventing and detecting crime … This can be in relation to anything from smuggling to tax fraud to trying to criminally exploit HMRC’s repayment system.”

Richard Berry, the National Police Chiefs’ Council’s lead for communications data, also gave testimony about the uses of mobile phone cell site analysis: “It is commonplace now to produce … an analytical chart on the sequence of events showing communications and where people work geolocated by their phones, and to supplement that with other forms of evidence.”

Unlike cell site analysis, which triangulates general location based on connections to cellphone masts, IMSI-catchers provide precise geographic locations as intelligence for investigations, rather than evidence cited in court.

Most criminal defence lawyers, many of whom will be privileged to deeper insight into the evidence used in court, won’t have knowingly dealt with targeted interference data from IMSI-catchers, according to Siobhain Egan, a solicitor and director at Lewis Nedas.

“That material would be protected by public interest immunity. There isn’t a judge in the country that would refuse it,” Egan said.

HMRC’s arsenal of spy gadgets

HMRC recently said that investment in “counter-criminal technology and intelligence management” has strengthened its capabilities. While it’s not clear which specific technologies the tax authority was referring to, Computer Weekly has found that it has increasingly invested in mobile phone surveillance tools.

Since 2021, HMRC has paid almost £1m to Cellebrite, an Israeli firm whose products allow users – mostly law enforcement agencies – to harvest data from mobile devices. It was controversially used by the Police Service of Northern Ireland to break into a journalist’s phone, which would have held confidential information identifying sources.

Despite payment details published by HMRC itself, it would neither confirm nor deny if it holds any contracts or commercial relationships with Cellebrite.

HMRC has also spent £550,000 on Sonic Communications – the same contractor that installed the Cellxion equipment into HMRC vehicles – to provide camera and radio spy gear.

The tax agency’s recent initiatives have further aligned it with broader law enforcement agencies. It has trained with the City of London Police and the Ministry of Defence in recent years. It was also reported that HMRC recently doubled its physical surveillance workforce, expanding from 171 staff trained in covert surveillance to 337 by 2025, indicating a shift towards more aggressive investigations to catch people who claim to have lower incomes than they have reported.

Among the tax agency’s arsenal of investigative tools is HMRC Connect, a data intelligence platform in part developed by BAE Systems. It uses a range of data sources – bank records, income tax reports, credit agencies, social media scraping, among others – to detect fraudulent and criminal activity, which helped recover £4.6bn in unpaid taxes in the financial year 2024-25.

Waqar Shah, head of tax disputes and partner at law firm Kingsley Napsley, said: “For years, HMRC has been gathering information on everything from social media to reality TV (infamously, My big fat Gypsy wedding) to identify people who haven’t declared much income, despite spending thousands, if not more, on lavish lifestyles.”

Footage from reality show My big fat Gypsy wedding has been used by HMRC investigators to uncover under-reported income in the past. The agency was also recently found to be using AI to monitor social media for the same purposes – data that is also likely to be organised by HMRC Connect.

This principle of mass scouring might also shed light on how HMRC could use IMSI-catchers to monitor attendance at work, visits to luxury hotels and undeclared properties, or meetings at corporate offices. Intelligence gained from this could be used to infer that an individual is not declaring income they should be.

While Computer Weekly can’t confirm if surveillance data collected by targeted equipment interference technology is used by HMRC Connect, it is plausible, considering what we know about the system.

Data Protection Impact Assessments (DPIAs) disclosed by HMRC on freedom of information website WhatDoTheyKnow indicate that the software “holds personal data from any HMRC system”, which would presumably cover systems that store data collected by IMSI-catchers.

Computer Weekly has also learned that the system processes data from 100 million subjects, including people and businesses, alongside “intelligence data” and “known associates” related to crime information.

HMRC also told Computer Weekly that while the Connect system “does not request or use any special category personal data as part of its risking, case production or data analysis capabilities … it may be possible to infer certain special category information, such as sexual orientation or religious belief” from other data inputted into the system, for which it provided the example of spouse names.

An HMRC press officer said: “Connect does not use any analytical techniques to infer any protected characteristics; it is only used to link together data sets. We have used Connect since 2010, and it has helped make us a world leader in using data and insight to collect tax that’s gone unpaid. To be clear, it isn’t an AI tool.”

HMRC did not confirm or deny whether data collected by Cellxion or Cellebrite’s technology is used in Connect.