International Telecommunication Union

Technical Aspects of Lawful Interception www.itu.int/itu-t/techwatch ITU-T Technology Watch Report #6 May 2008

Printed in Switzerland Telecommunication Standardization Policy Division Geneva, 2008 ITU Telecommunication Standardization Sector International Telecommunication Union


In this report, Lawful Interception (LI) describes the lawfully authorized interception and monitoring of telecommunications pursuant to an order of a government body, to obtain the forensics necessary for pursuing wrongdoers. LI has existed from the times of short-range telegraphy to today’s world-spanning Next-Generation Networks (NGNs). The report studies the technical concepts underlying LI, and describes existing standardization done in this field.


ITU-T Technology Watch Reports are intended to provide an up-to-date assessment of promising new technologies in a language that is accessible to non-specialists, with a view to:
• Identifying candidate technologies for standardization work within ITU.
• Assessing their implications for ITU Membership, especially developing countries.

Other reports in the series include:
#1 Intelligent Transport System and CALM
#2 Telepresence: High-Performance Video-Conferencing
#3 ICTs and Climate Change
#4 Ubiquitous Sensor Networks
#5 Remote Collaboration Tools
#6 Technical Aspects of Lawful Interception
#7 NGNs and Energy Efficiency

Acknowledgements

This report was prepared by Martin Adolph ([email protected]) with Dr Tim Kelly. It has benefited from contributions and comments from Anthony M. Rutkowski. The opinions expressed in this report are those of the authors and do not necessarily reflect the views of the International Telecommunication Union or its membership. This report, along with other Technology Watch Reports, can be found at www.itu.int/ITU-T/techwatch. Please send your comments to [email protected] or join the Technology Watch Correspondence Group, which provides a platform to share views, ideas and requirements on new/emerging technologies and to comment on the Reports. The Technology Watch function is managed by the ITU-T Standardization Policy Division.

© ITU 2008

All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.


1 Interception (circa. 1844)

The establishment of the International Telecommunication Union (ITU) on 17 May 1865 (originally named International Telegraph Union [1]) was closely linked with the invention of the telegraph. Already, some 20 years earlier, Samuel Morse had sent the first public message over a 61 km telegraph line between Washington and Baltimore, and through that simple act, he ushered in the telecommunication age.

Since those early days of electronic communications [2], communicating parties have come to expect that their messages one to another will remain private. Indeed, ITU treaties provide the basic legal text, incorporated into the national legislation of many countries, that establishes the principle of secrecy of telecommunications. But the ITU basic texts also provide the legal basis for lawful interception forensics in order to apply national laws and international conventions. [3] It is the technical implementation of those two opposing requirements – secrecy and forensics – that is the topic of this report (See Box 1).

Box 1: Lawful Interception and Wiretapping in different eras of telecommunication

Telegraph era
Telecommunication technologies were first created around 1840, and one of the earliest instances of telegraphic interception reportedly occurred in 1867, when a Wall Street stockbroker collaborated with Western Union telegraph operators to intercept telegraph dispatches sent to Eastern newspapers by their correspondents in the West. The intercepted messages were then replaced by counterfeit ones which reported bankruptcies and other financial disasters supposedly befalling companies whose stock was traded on the New York Stock Exchange. When the share prices were driven down, the wiretappers then purchased their victims’ stock. [4]

Telephone era
Magazine ad (1962) for easy telephone with Tel-O Record. [5]

Digital network era
During the 1990s, law enforcement struggled with the large-scale conversion of telecommunications to digital formats and equipment, including internet platforms. This resulted in significant new legislation, standards cooperation and products in nearly every country and region to provide the forensic capabilities that previously existed.

Adapted from various sources.


In this report, Lawful Interception (LI) describes the lawfully authorized interception and monitoring of telecommunications pursuant to an order of a government body, to obtain the forensics necessary for pursuing wrongdoers. It is a need that has existed from the times of short-range telegraphy to today’s world-spanning Next-Generation Networks (NGNs).

LI and the question how to deal with this topic have recently been discussed in different ITU-T Study Groups. This report, the sixth in a series of ITU-T Technology Watch briefing papers, will focus on the technical concepts underlying LI, and describes existing standardization done in this field.

2 When is interception lawful?

For interception to be lawful, it must be conducted in accordance with national law, following due process after receiving proper authorization from competent authorities. Typically, a national Law Enforcement Agency (LEA) issues an order for LI to a specific network operator, access provider, or network service provider, which is obliged by law to deliver the requested information to a Law Enforcement Monitoring Facility (LEMF: See Figure 1).

Figure 1: Organizational flow chart for Lawful Interception

[Figure 1, diagram not reproduced. Labels: the Law Enforcement Agency (LEA) sends an LI Order to the Network Operator (NWO), Access Provider (AP) or Service Provider (SvP), which sends the Requested Information to the Law Enforcement Monitoring Facility (LEMF).]

Source: Adapted from ETSI TS 101 331, Definition of interception. See www.pda..org/pda.

In order to prevent investigations being compromised, national law usually requires that LI systems hide the interception data or content from operators and providers concerned. Whilst the detailed requirements for LI differ from one jurisdiction to another, the general requirements are similar: The LI system must provide transparent interception of specified traffic only, and the intercept subject must not be aware of the interception. Additionally, the service provided to other uninvolved users must not be affected during interception. The term subject, as used here, can refer to one person, a group of persons, or equipment acting on behalf of persons, whose telecommunications are to be intercepted. Lawful interception also implies that the subject benefits from domestic legal protection. However, protections are complicated by cross-border interception.

Decades ago, LI was typically performed by applying a physical ‘tap’ on the targeted telephone line, usually by accessing digital switches of service providers. As the infrastructure converted to new digital network and services formats, LI standards and systems were adapted to keep pace with the new deployments. In bringing about this transition, the principal concern of operators was the question of “who pays?” Different nations have chosen means appropriate to their environment.


3 Common architecture

LI may target two types of data: the actual contents of communications (CC) which may include voice, video or text message contents, and Intercept Related Information (IRI, Call Data (CD) in the ). IRI consists of information about the targeted communication itself: signalling information, source and destination (telephone numbers, IP or MAC addresses, etc), frequency, duration, time and date of communications. On mobile networks, it may also be possible to trace the geographical origin of the call. [6] Network operators have always been collecting some IRI for billing and network management purposes and so it is relatively easy for law enforcement agencies to gain access to this information, under subpoena.

The act of LI – independent of the type of communication to be intercepted – may logically be thought of as a process with three distinct steps:
1. Capture – CC and IRI related to the subject are extracted from the network.
2. Filtering – information related to the subject that falls within the topic of the inquiry is separated from accidentally gathered information, and formatted to a pre-defined delivery format.
3. Delivery – requested information is delivered to the LEMF.

Capture and filtering may be facilitated by the use of the latest speech technologies: Speaker identification, along with language and gender recognition, combined with real-time keyword-spotting, can be performed by specialized servers devoted to collecting, analyzing and recording millions of incoming calls as soon as they are intercepted. This can free operators to carry out more specialized tasks requiring a higher level of identification and analysis.

However, enabling secure private communications for its customers still remains the primary purpose of service providers. To prevent this service being adversely affected by LI, the network architecture requires that there be distinct separation between the Public Telecom Network (PTN) and the Law Enforcement Network, with standardized interfaces that manage the hand-over of data between both networks. Three functions are responsible for the work within the PTN:
• The Administration Function (ADMF) receives interception orders from the LEA and hands them over to
• Internal Intercept Functions (IIF), which are located tactically within network nodes and generate the two desired types of information, CC and IRI.
• Mediation Functions (MF) take charge of delineation between the two networks. They implement Internal Network Interfaces (INI), which may be proprietary, to communicate within the PTN, and standardized interfaces, to deliver requested information to one or more LEMFs.

Figure 2 provides a more comprehensible overview of networks, functions, and interfaces within a generalised LI architecture.

For calls made over IP networks rather than the PSTN, things look slightly different [7]: Each call consists of one or more call-signalling streams that control the call, and one or more call-media streams which carry the call’s audio, video, or other content, along with information concerning how that data is flowing across the network. Together, these streams make up a so-called “session”. As individual packets of data within a session might take different paths through the network, they may become hard to relate with each other. In Voice over Internet Protocol (VoIP) networks, a device named a Session Border Controller (SBC) plays the role of exerting influence over the data streams that make up one or more sessions.

The word Border in SBC refers to the demarcation line between one part of a network and another, which is a strategic point to deploy Internal Intercept Functions, as both targeted types of data – IRI and the corresponding CC – pass through it.

This architecture is equally applicable to other IP-based services, where the IRI contains parameters associated with the type of traffic from a given application to be intercepted. In the case of e-mail, IRI conforms to the header information of an e-mail message. The header usually contains the source and destination e-mail addresses and information about the time the e-mail was sent.
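The e-mail case described above, as an added example that is not code from the report or from any ETSI specification: it runs the filtering and delivery steps over captured messages, discarding traffic that does not involve an address named in the order and splitting the rest into header-derived IRI (for HI2) and content (for HI3). The function names `split_email` and `mediate`, the record layout and the `correlation` field are assumptions of this sketch, and the messages are constructed samples.

```python
import hashlib
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample traffic for illustration (not real messages).
CAPTURED = [
    "From: Alice <alice@example.org>\n"
    "To: bob@example.net, Carol <carol@example.com>\n"
    "Date: Mon, 05 May 2008 10:15:00 +0200\n"
    "Subject: lunch\n\n"
    "Noon at the usual place?\n",
    "From: dave@example.com\n"
    "To: erin@example.net\n"
    "Date: Mon, 05 May 2008 10:16:30 +0200\n"
    "Subject: report\n\n"
    "Draft attached.\n",
]


def split_email(raw):
    """Split one message into (IRI, CC): header facts vs. message content."""
    msg = message_from_string(raw)
    source = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
    dest_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    destination = [addr.lower() for _, addr in getaddresses(dest_headers)]
    iri = {
        "source": source,
        "destination": destination,
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
    }
    return iri, msg.get_payload()


def mediate(captured, targets):
    """Filtering and delivery: return (hi2_records, hi3_records).

    Only messages with a party listed in the order are delivered;
    everything else is dropped without being stored ("specified traffic only").
    """
    targets = {t.lower() for t in targets}
    hi2, hi3 = [], []
    for raw in captured:
        iri, cc = split_email(raw)
        parties = set(iri["source"]) | set(iri["destination"])
        if not parties & targets:
            continue  # not covered by the order
        # Hypothetical correlation id so the LEMF can pair IRI with its CC.
        corr = hashlib.sha256(raw.encode()).hexdigest()[:16]
        hi2.append({"correlation": corr, **iri})            # IRI only, no content
        hi3.append({"correlation": corr, "content": cc})    # content only
    return hi2, hi3


if __name__ == "__main__":
    iri_out, cc_out = mediate(CAPTURED, ["bob@example.net"])
    print("HI2:", iri_out)
    print("HI3:", cc_out)
```

Keeping the IRI and CC records separate mirrors the split between the two hand-over interfaces, and the early `continue` is where the "specified traffic only" requirement is enforced.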

Figure 2: Generalised view of the Lawful Interception architecture

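[Figure 2, diagram not reproduced. Labels: Public Network and LEA Network, joined by the LI Hand-over Interfaces (HI). HI1: Network Operator’s Administration Function (AF). HI2: IRI, from the Internal Intercept Function (IIF) through a Mediation Function (MF). HI3: CC, from the IIF through a Mediation Function (MF). Internal Network Interfaces (INI) connect the functions inside the Public Network.]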

Source: Adapted from ETSI TS ES 201 158.

4 Standardization activities

Service providers and vendors are being asked to meet legal and regulatory requirements for the production of forensics in a variety of countries worldwide. Although requirements may vary from country to country [8], most requirements remain common.

The principal global forums for specifying the requirements as well as specific standards are the European Telecommunication Standards Institute (ETSI) Technical Committee on Lawful Interception (TC LI) and the 3rd Generation Partnership Project (3GPP). New NGN LI standards are being developed through ETSI TISPAN in collaboration with TC LI and 3GPP. Most of the world uses these standards. Notable exceptions include the USA CALEA related standards, and the Russian Federation SORM specifications. In addition, Cable Television Laboratories develops generic standards for cable system use.

Common forensic standards are effectively encouraged by the international Convention on Cybercrime maintained by the Council of Europe which currently has 45 signatories – a number of which are outside Europe. [9] For a majority of the signatories, their legislation requires technologies based on standards developed by TC LI and 3GPP SA WG3.

In RFC 2804, the Internet Engineering Task Force (IETF) feared that, by implementing interception functionality, a system would be less secure and more complex than it could be had this function not been present. It noted that, being more complex, the risk of unintended security flaws in the system would become larger. [10] RFC 3924, which was published subsequently, describes Cisco’s Architecture for Lawful Intercept in IP Networks.

Lawful Interception intersects with technology, network management and operational aspects of all types of telecommunications, and could therefore be an item on the agenda of several Study Groups (SGs), Focus Groups and Global Standards Initiatives (GSI) within ITU-T. However, LI is treated with differing priorities and intensity with some groups deciding that it is out of scope. Some view LI as a national rather than an international matter while others fear that ITU efforts would be duplicative of work elsewhere, notably in ETSI TISPAN.

Box 2: Lawful Interception Standards published by ETSI

The purpose of standardizing lawful interception in ETSI is to facilitate the economic realization of lawful interception that complies with the national and international conventions and legislation. Examples of standards include:
• ES 201 671 Handover Interface for the Lawful Interception of Telecommunications Traffic (revised)
• ES 201 158 Requirements for Network Functions
• TS 102 234 Service-specific details for Internet access services
• TS 102 233 Service-specific details for e-mail services
• TS 102 232 Handover Specification for IP Delivery
• TS 102 815 Service-specific details for Layer 2 Lawful Interception
• TS 101 331 Requirements of Law Enforcement Agencies
• TR 102 053 Notes on ISDN lawful interception functionality
• TR 101 944 Issues on IP Interception
• TR 101 943 Concepts of Interception in a Generic Network Architecture

Source: Adapted from www.portal.etsi.org/li/Summary.asp.

5 Market Watch

For companies providing LI technology and services, the increasing numbers of people worldwide with access to telecommunications, steadily advancing telecommunication technologies, and frequently-amended laws, are both a challenge and a blessing. The customers for LI services include LEAs, national security agencies, or – where a private corporate or government network facility is involved – the party responsible for this network.

The number of interception applications authorised by LEAs continues to increase worldwide (especially in countries that maintain extensive surveillance capabilities). Besides lawful interception systems, other network forensics facilities, such as data retention technologies for the collection and storage of intercept related information of all communications, have to be installed by service providers in a growing number of states worldwide. These network management and forensics solutions are developed and sold by a huge number of suppliers from different countries. Some of them have formed a global industry forum (the Global LI Industry Forum (GLIIF)) to promote worldwide awareness, responsible development and market growth for LI products and services. LI solutions on the market are necessarily compliant with either the ETSI Standards for most countries, plus SORM in Russia and CALEA in the U.S.


6 Conclusion

Information and communication technologies have supported Lawful Interception since the era of Morse’s telegraph. Interception is actively practiced worldwide with an increasing number of applications. Accurate international standards-based network forensics technologies for lawful interception, data retention and network management are needed to meet national requirements.


Glossary of abbreviations and acronyms used in the document

3GPP: 3rd Generation Partnership Project
ADMF: Administration Function
AP: Access Provider
CALEA: Communications Assistance for Law Enforcement Act
CC: Contents of Communications
CD: Call Data
ETSI: European Telecommunications Standards Institute
ICT: Information and Communication Technology
IIF: Internal Intercept Function
INI: Internal Network Interface
IRI: Intercept Related Information
ITU: International Telecommunication Union
ITU-T: ITU Telecommunication standardization sector
LEA: Law Enforcement Agency
LEMF: Law Enforcement Monitoring Facility
LI: Lawful/Legal Intercept/Interception
MAC: Media Access Control
MF: Mediation Functions
NGN: Next-Generation Network
NWO: Network Operator
PSTN: Public Switched Telephone Network
PTN: Public Telecom Network
QoS: Quality of Service
SA: Services & System Aspects
SBC: Session Border Controller
SvP: Service Provider
TC LI: Technical Committee on Lawful Interception
TISPAN: Telecoms & Internet converged Services & Protocols for Advanced Networks
VoIP: Voice over Internet Protocol
WG: Working Group


Notes, sources and further reading

[1] To find out more about ITU’s history, see www.itu.int/net/about/history.aspx.

[2] Of course, interception of messages predates the electronic age. In the Napoleonic wars, interception of semaphore signals was common, while in the Elizabethan era, breaking of secret codes and ciphers played a key role in the events that led to the execution of Mary Queen of Scots (see, for instance, Budiansky, S. (2000) “Battle of Wits”). But the intention here is to focus on lawful interception of telecommunications.

[3] The relevant text is, inter alia, in Article 37 of the ITU Constitution, which states:
a. Member States agree to take all possible measures, compatible with the system of telecommunications used, with a view to ensuring the secrecy of telecommunications.
b. Nevertheless, they reserve the right to communicate such correspondence to the competent authorities in order to ensure the application of their national laws or the execution of international conventions to which they are parties.
In addition to Article 37 of ITU’s Constitution, as cited above, Article 41 grants priority treatment to government telecommunications.

[4] See Peter N. Grabosky and Russell G. Smith, “Crime in the Digital Age: Controlling Telecommunications and Cyberspace Illegalities,” 1998; www.books.google.com/books?id=7_z4Ihh49wAC&hl=en.

[5] See www.spybusters.com/History_1962_Wiretap_ad.html.

[6] See Newport Networks, “Lawful Interception Overview,” 2006; www.newport-networks.com/whitepapers/lawful-intercept1.html.

[7] See A. Rojas, P. Branch, “Lawful Interception based on Sniffers in Next Generation Networks,” Australian Telecommunications Networks & Applications Conference 2004, Sydney, Australia, December 8-10, 2004; www.caia.swin.edu.au/pubs/ATNAC04/rojas-branch-2-ATNAC2004.pdf.

[8] See SS8 Networks, “The Ready Guide to Intercept Legislation 2;” www.ss8.com/ready-guide.php.

[9] See Council of Europe, ETS No. 185, Convention on Cybercrime. Title 5 – Real-time collection of computer data. Articles 20 and 21. www.conventions.coe.int/Treaty/EN/Treaties/Html/185.htm. The Convention has been signed by 45 Member States and non-Member States, see www.conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=1&DF=9/2/2006&CL=ENG.

[10] See Susan Landau, “Security, Wiretapping, and the Internet,” IEEE Security and Privacy, vol. 3, no. 6, pp. 26-33, Nov/Dec, 2005. Also see Vassilis Prevelakis and Diomidis Spinellis, “The Athens Affair,” IEEE Spectrum, July, 2007; www.spectrum.ieee.org/print/5280.
