ETSIETSI && LawfulLawful InterceptionInterception ofof IPIP TrafficTraffic

ƒJaya Baloo RIPE 48

ƒMay 3 Amsterdam, The Netherlands ContentsContents

ƒ Introduction to Lawful Interception

ƒ Interception of Internet services

ƒ Origins in The European Community

ƒ The European Interception Legislation in Brief

ƒ ETSI Standards – 101 232, 101 233, 101 234

ƒ Interception Suppliers & Discussion of Techniques

ƒ Future Developments & Issues IntroductionIntroduction toto LawfulLawful InterceptionInterception

ƒ ETSI definition of (lawful) interception:

ƒ interception: action (based on the law), performed by an network operator/access provider/service provider (NWO/AP/SvP), of making available certain information and providing that information to a law enforcement monitoring facility. Law LI Enforcement Network Operator, order Agency (LEA) Access Provider or Law Deliver requested Service Provider Enforcement information Monitoring Facility LILI’’ss RaisonRaison DD’’etreetre

ƒƒ WhyWhy intercept?intercept? ƒƒ TerrorismTerrorism ƒƒ PedophiliaPedophilia ringsrings ƒƒ CyberCyber stalkingstalking ƒƒ DataData thefttheft ––IndustrialIndustrial espionageespionage ƒƒ DrugDrug dealersdealers onon thethe internetinternet ƒƒ WhyWhy not?not? ƒƒ PrivacyPrivacy ƒƒ SecuritySecurity LegalLegal IssuesIssues inin LILI

ƒ Judge: "Am I not to hear the truth?" Objecting Counsel: "No, Your Lordship is to hear the evidence."

ƒ Some characteristics of evidence- relevance to LI ƒ Admissible – can evidence be considered in court– *differs per country ƒ Authentic – explicitly link data to individuals ƒ Accurate – reliability of surveillance process over content of intercept ƒ Complete – tells a “complete” story of a particular circumstance ƒ Convincing to juries – probative value, and subjective practical test of presentation AdmissibilityAdmissibility ofof SurveillanceSurveillance EvidenceEvidence

ƒ Virtual Locus Delecti ƒ Hard to actually find criminals in delicto flagrante

ƒ How to handle expert evidence? Juries are not composed of network specialists. Legal not scientific decision making.

ƒ Case for treating Intercepted evidence as secondary and not primary evidence ƒ Primary – is the best possible evidence – e.g. in the case of a document – its original. ƒ Secondary – is clearly not the primary source – e.g. in the case of a document – a copy. InterceptionInterception ofof InternetInternet servicesservices InterceptionInterception ofof InternetInternet servicesservices WhatWhat areare defineddefined asas InternetInternet services?services? ƒ accessaccess toto thethe InternetInternet ƒ thethe servicesservices thatthat gogo overover thethe Internet,Internet, suchsuch as:as: ƒƒ surfingsurfing thethe WorldWorld WideWide WebWeb (e.g.(e.g. html),html), ƒƒ ee--mail,mail, ƒƒ chatchat andand icqicq,, ƒƒ VoIPVoIP,, FoIPFoIP ƒƒ ftp,ftp, ƒƒ telnettelnet WhatWhat aboutabout encryptedencrypted traffic?traffic?

ƒ Secure e-mail (e.g. PGP, S/MIME) ƒ Secure surfing with HTTPS (e.g. SSL, TLS) ƒ VPNs (e.g. IPSec) ƒ Encrypted IP Telephony (e.g. pgp -phone and Nautilus) ƒ etc. ƒ If applied by NWO/AP/SvP then ƒ encryption should be stripped before sending to LEMF or ƒ key(s) should be made available to LEA else ƒ a challenge for the LEA LogicalLogical OverviewOverview TechnicalTechnical ChallengesChallenges

ƒ Req.Req. ––MaintainMaintain TransparencyTransparency && StandardStandard ofof CommunicationCommunication ƒ IdentifyIdentify TargetTarget -- MonitoringMonitoring RadiusRadius –– missesmisses disconnectdisconnect ƒ CaptureCapture InterceptIntercept informationinformation –– EffectiveEffective FilteringFiltering SwitchSwitch ƒ PacketPacket ReassemblyReassembly ƒ SoftwareSoftware complexitycomplexity increasesincreases bugginessbugginess ƒ PeeringPeering withwith LEMFLEMF –– monitoringmonitoring multiplemultiple XDSLXDSL cctsccts.. OriginsOrigins inin TheThe EuropeanEuropean CommunityCommunity WhatWhat isis LILI basedbased onon inin thethe EU?EU?

ƒƒ LegalLegal BasisBasis ƒ EUEU directivedirective ƒ ConventionConvention onon CybercrimeCybercrime –– CouncilCouncil ofof EuropeEurope-- ƒ Article 20- Real time collection of traffic data ƒ Article 21- Interception of content data ƒ NationalNational lawslaws && regulationsregulations ƒƒ TechnicallyTechnically ƒ NotNot CarnivoreCarnivore ƒ NotNot CaleaCalea ƒƒ Standards,Standards, BestBest PracticesPractices basedbased approachapproach ƒ IETFIETF’’ss standpointstandpoint (RFC(RFC 28042804 IETFIETF PolicyPolicy onon WiretappingWiretapping )) TheThe EuropeanEuropean InterceptionInterception LegislationLegislation inin BriefBrief SolutionSolution RequirementsRequirements EuropeanEuropean InterceptionInterception LegislationLegislation

ƒƒ FranceFrance ƒƒ CommissionCommission NationaleNationale dede ContrContrôôlele desdes InterceptionsInterceptions dede SSéécuritcuritéé ---- LaLa loiloi 9191--636636 ƒƒ LoiLoi sursur lala SecuriteSecurite QuotidienneQuotidienne –– NovemberNovember 20012001 ƒƒ GermanyGermany ƒƒ GG--1010 –– 20012001-- ””GesetzGesetz zurzur BeschrBeschräänkungnkung desdes BriefBrief--,, PostPost-- undund FernmeldegeheimnissesFernmeldegeheimnisses”” ƒƒ TheThe CounterCounter terrorismterrorism ActAct –– JanuaryJanuary 20022002 UKUK InterceptionInterception LegislationLegislation

ƒ UK

ƒ Regulation of Investigatory Powers Act 2000

ƒ Anti-terrorism, Crime and Security Act 2001

ƒ “The tragic events in the United States on 11 September 2001 underline the importance of the Service’s work on national security and, in particular, counter-terrorism. Those terrible events significantly raised the stakes in what was a prime area of the Service’s work. It is of the utmost importance that our Security Service is able to maintain its capability against this very real threat, both in terms of staff and in terms of other resources. Part of that falls to legislation and since this website was last updated we have seen the advent of the Regulation of Investigatory Powers Act 2000, Terrorism Act 2000 and the Anti- Terrorism Crime and Security Act 2001. Taken together these Acts provide the Security Service, amongst others, with preventative and investigative capabilities, relevant to the technology of today and matched to the threat from those who would seek to harm or undermine our society. “ – The UK Home Secretary’s Foreword on MI5 TheThe CaseCase inin HollandHolland

ƒ At the forefront of LI : both legally & technically

ƒ The Dutch Telecommunications Act 1998– Operator Responsibilities ƒ The Dutch Code of Criminal Proceedings – Initiation and handling of interception request ƒ The Special Investigation Powers Act -streamlines criminal investigation methods ƒ WETVOORSTEL 20859 – backdoor decree to start fishing expeditions for NAW info – Provider to supply info not normally available

TIIT STANDARD – predecessor to current ETSI standards

ƒ LIO – National Interception Office – in operation since end of 2002 EuropeanEuropean TelecommunicationsTelecommunications StandardsStandards InstituteInstitute ETSIETSI TRTR 101101 944944

ƒ Responsibility- Lawful Interception requirements must be addressed separately to Access Provider and Service Provider. ƒ 5 layer model - Network Level & Service Level division ƒ Implementation Architecture –

ƒ Telephone cct. (PSTN/ISDN)

ƒ Digital Subscriber Line (xDSL)

ƒ Local Area Network (LAN) ƒ Permanent IP Address ƒ Security Aspects ƒ HI3 Delivery TheThe ETSIETSI modelmodel

NOW / AP / SvP‘s domain domainLEA

NWO/AP/SvP’s administration function HI1 intercept related information (IRI) Network IRI mediation Internal function Functions content of HI2 communication (CC)

IIF CC mediation function HI3

INI LEMF LI handover interface HI HI1: administrative information IIF: internal interception function HI2: intercept related information INI: internal network interface HI3: content of communication SampleSample ArchitectureArchitecture forfor HI2HI2 andand HI3HI3

S1

T2 T1 (LEA1) interception S2 S1 gathering & interception transport HI2 & HI3 T1 T2 (LEA2) S1 interception S3 T1 management box Mediation Function Internet Law Enforcement Monitoring Facility (LEMF)

ISP

Law LI LI Warrant Enforcement order Admin Desk HI1 Agency (LEA) ETSIETSI 101101 232232 –– IPIP DeliveryDelivery

ƒƒ Specifies:Specifies: modularmodular approachapproach usedused forfor specifyingspecifying IPIP basedbased handoverhandover interfacesinterfaces header(s)header(s) toto bebe addedadded toto IRIIRI && CCCC sentsent overover HI2HI2 && HI3HI3 (R4 LIID) (R5 & R7 Communication Identifier) (R37 & R38 Timestamp) (R15 & R19 Sequence Number) (R10 Direction) (R9 Payload Type) (R8 Interception Type) protocolsprotocols forfor thethe transfertransfer ofof IRIIRI && CCCC protocolprotocol profilesprofiles forfor thethe handoverhandover interfaceinterface ETSIETSI –– 101101 232232 –– ProtocolProtocol StackStack

ƒ

LAYER NAME OSI Layer Clause Responsibilities Handover 6 & 7 6.2 Create & maintain one or more delivery functions. Error Reporting. Aggregate PDUs; Associate header info; Create padding PDUs; Assign PDUs to delivery functions

Session 5 6.3 Create & maintain a single transport connection and monitor its status. Run keepalive mech.; Encode/ decode PDU elements; integrity mech, Buffer data

Transport 4 6.4 Create & maintain a network cct. Network 3 6.5 Network Protocol ETSIETSI 101101 233233 –– EMAILEMAIL

ƒƒ ““StageStage 11””descriptiondescription ofof interceptioninterception info.info. inin processprocess ofof sendingsending && receivingreceiving emailemail ƒƒ ““StageStage 22”” descriptiondescription ofof whenwhen IRIIRI && CCCC shallshall bebe sentsent andand whatwhat infoinfo itit shallshall containcontain ƒƒ EmailEmail SendSend EventEvent ƒƒ EmailEmail RecieveRecieve EventEvent ƒƒ EmailEmail downloaddownload eventevent –– distinctiondistinction –– clientclient

ƒƒ ContentContent interceptintercept oror completecomplete sessionsession ƒƒ WebmailWebmail ETSIETSI 101101 234234-- InternetInternet AccessAccess ServicesServices ƒƒ ““StageStage 11”” descriptiondescription ofof thethe interceptioninterception informationinformation inin relationrelation toto thethe processprocess ofof bindingbinding aa ““targettarget identityidentity”” toto anan IPIP addressaddress whenwhen providingproviding IASIAS ƒƒ ““StageStage 22”” descriptiondescription ofof whenwhen IRIIRI && CCCC shallshall bebe sentsent andand whatwhat info.info. itit shallshall containcontain

LILI RequirementsRequirements --administrativeadministrative asas wellwell asas capturingcapturing ofof traffictraffic PreventingPreventing overover andand underunder collectioncollection ofof interceptintercept datadata ReferenceReference TopologiesTopologies && ScenariosScenarios FurtherFurther RadiusRadius && DHCPDHCP IPIP IRIIRI interceptsintercepts && TCP,UDPTCP,UDP IRIIRI interceptsintercepts ETSIETSI 101101 234234-- InternetInternet AccessAccess ServicesServices contd.contd. 22 ƒƒ TargetTarget IdentityIdentity-- UsernameUsername oror NetworkNetwork AccessAccess IdentifierIdentifier IPIP addressaddress (Ipv4(Ipv4 oror Ipv6)Ipv6) EthernetEthernet addressaddress DialDial--inin NumberNumber callingcalling lineline identityidentity CableCable ModemModem IdentifierIdentifier OtherOther uniqueunique identifieridentifier agreedagreed beteweenbeteween APAP && LEALEA ResultResult ofof interceptioninterception-- providedprovided whenwhen AttemptAttempt toto accessaccess thethe accessaccess networknetwork WhenWhen accessaccess toto accessaccess networknetwork permittedpermitted /not/not OnOn changechange ofof status/status/ locationlocation ETSIETSI 101101 234234-- InternetInternet AccessAccess ServicesServices contd.contd. 33 ƒƒ IRIIRI containscontains-- IdentitiesIdentities usedused byby oror associatedassociated withwith thethe targettarget identityidentity (( dialdial inin callingcalling lineline numbernumber andand calledcalled lineline number,number, accessaccess serverserver identity,identity, ethernetethernet addresses,addresses, accessaccess devicedevice identifieridentifier DetailsDetails ofof servicesservices usedused andand theirtheir associatedassociated parametersparameters Info.Info. relatingrelating toto statusstatus TimestampsTimestamps CCCC shallshall bebe providedprovided forfor everyevery IPIP datagramdatagram that:that: HasHas thethe target'starget's IPIP addressaddress asas thethe IPIP sourcesource addressaddress HasHas thethe target'starget's IPIP addressaddress asas thethe IPIP destinationdestination addressaddress CCCC shallshall ccontainontain aa streamstream ofof octetsoctets forfor eeveryvery InterceptionInterception SuppliersSuppliers && DiscussionDiscussion ofof TechniquesTechniques LILI ImplementationsImplementations

ƒ Verint formerly known as Comverse Infosys ƒ ADC formerly known as SS8 ƒ Accuris ƒ Pine ƒ Nice ƒ Aqsacom ƒ Digivox

ƒ Telco/ ISP hardware vendors

ƒ Siemens

ƒ Alcatel

ƒ Cisco

ƒ Nortel ImplementationImplementation techniquestechniques

ƒƒ ActiveActive-- directdirect locallocal interceptioninterception –– i.e.i.e. Bcc:Bcc: ƒƒ SemiSemi--ActiveActive-- interactioninteraction withwith RadiusRadius toto capturecapture andand filterfilter traffictraffic perper IPIP addressaddress ƒƒ PassivePassive-- nono interactioninteraction withwith ISPISP requiredrequired onlyonly interceptioninterception pointpoint forfor LEALEA devicedevice ƒƒ MostMost ofof thethe followingfollowing areare activeactive oror aa combinationcombination ofof activeactive andand semisemi--activeactive implementationsimplementations VerintVerint == ComverseComverse -- InfosysInfosys

ƒƒ BasedBased inin IsraelIsrael –– ReRe :: PhrackPhrack 5858--1313 ƒƒ UsedUsed byby DutchDutch LEMFLEMF ƒƒ UsedUsed extensivelyextensively internationallyinternationally –– supportssupports CALEACALEA && ETSIETSI ƒƒ UseUse ofof TopTop LayerLayer switchswitch ƒƒ ResponseResponse NICENICE

ƒƒ UsedUsed inin BEBE asas t1t1 ƒƒ ProprietaryProprietary –– implementedimplemented forfor ETSIETSI ƒƒ Feat.,Feat., topictopic extraction,extraction, KeywordKeyword Spotting,Spotting, RemoteRemote SendSend ofof CCCC ƒƒ AutoAuto Lang.Lang. detectiondetection andand translationtranslation ƒƒ RunsRuns onon WindowsWindows NTNT &2000&2000 SvrSvr.. ƒƒ StandStand alonealone internet/internet/ telephonytelephony solutionsolution ADCADC == SS8SS8

ƒƒ UseUse ofof proprietaryproprietary hardwarehardware ƒƒ UsedUsed forfor largelarge bandwidthbandwidth cctsccts.. ƒƒ KnownKnown toto bebe usedused inin SatelliteSatellite TrafficTraffic centerscenters ƒƒ SupportsSupports CALEACALEA –– ETSIETSI ƒƒ UseUse ofof TopTop LayerLayer switchswitch AccurisAccuris

ƒƒ Max.Max. ofof 5050 concurrentconcurrent tapstaps ƒƒ SolutionSolution notnot dependantdependant onon switchswitch typetype ƒƒ CanCan useuse singlesingle s2s2 asas concentratorconcentrator ƒƒ OfferOffer GigabitGigabit SolutionSolution –– butbut dependsdepends onon selectedselected switchswitch capabilitycapability andand integrationintegration withwith filterfilter settingsetting ƒƒ SupportsSupports CaleaCalea && ETSIETSI ItIt’’ss allall aboutabout thethe M$M$neyney

ƒ Solutions can cost anywhere from 100,000 Euro to 700,000 Euro for the ISP ƒ UK Govt. expected to spend 46 billion over the next 5 years- subsequently reduced to 27 billion ƒ Division of costs

ƒ Cap Ex = ISP

ƒ Op Ex = Govt. ƒ Penalties for non-compliance

ƒ Fines – up to 250,000 euros

ƒ Civil Charges

ƒ House Arrest of CEO of ISP ƒ Cooperation between ISPs to choose single LI tool ConclusionsConclusions forfor LawLaw EnforcementEnforcement

ƒ ““IfIf youyou’’rere goinggoing toto dodo itit …… dodo itit rightright”” ƒ Disclosure of tools and methods ƒ Adherence to warrant submission requirements ƒ Completeness of logs and supporting info. ƒ Proof of non- contamination of target data ƒ Maintaining relationship with the private sector ƒ LawLaw EnforcementEnforcement personnelpersonnel ƒ Training ƒ Defining role of police investigators ƒ Defining role of civilian technicians ƒ Handling Multi – Focal investigations FutureFuture DevelopmentsDevelopments && IssuesIssues

ƒ EUEU ExpansionExpansion –– EuropolEuropol stipulationsstipulations ƒ DataData RetentionRetention DecisionsDecisions ƒ ENFOPOLENFOPOL organizationorganization ƒ BorderlessBorderless LILI ƒ ISPISP RolRolee ƒ EUEU widewide agreementsagreements onon InterceptIntercept InitiationInitiation ƒ QuantumQuantum CryptographyCryptography ƒ WLANWLAN challengeschallenges ƒ TheThe FutureFuture ofof PrivacyPrivacy LegislationLegislation ?? WebWeb SitesSites

ƒ www.www.opentapopentap.org.org ƒ http://www.http://www.quintessenzquintessenz.at/.at/cgicgi-- bin/index?bin/index?funktionfunktion==doqumentsdoquments ƒ www.www.phrackphrack.com.com ƒ www.www.cryptomecryptome.org.org ƒ www.www.statewatchstatewatch.org.org ƒ www.privacy.orgwww.privacy.org ƒ www.www.iwariwar.org..org.ukuk ƒ www.www.cipherwarcipherwar.com.com ƒ www.cyberwww.cyber--rights.org/interceptionrights.org/interception Q&AQ&A // DiscussionDiscussion

ƒƒ DoesDoes LILI deliverdeliver addedadded valuevalue toto LawLaw EnforcementEnforcement’’ss abilityability toto protectprotect thethe public?public? ƒƒ WhatWhat aboutabout openopen sourcesource InterceptionInterception tools?tools? ƒƒ WillWill therethere bebe aa returnreturn ofof thethe ClipperClipper Chip?Chip? ƒƒ ShouldShould therethere bebe mandatedmandated KeyKey EscrowEscrow ofof ISPISP’’ss encryptionencryption keys?keys? ƒƒ WhatWhat typestypes ofof oversightoversight needneed toto bebe builtbuilt intointo thethe systemsystem toto preventprevent abuse?abuse? ThankThank You.You.

JayaJaya BalooBaloo jayajaya@@baloosbaloos.org.org +31+31--66--5156910751569107