ETSI & Lawful Interception of IP Traffic
Jaya Baloo RIPE 48
May 3 Amsterdam, The Netherlands

Contents
Introduction to Lawful Interception
Interception of Internet services
Origins in The European Community
The European Interception Legislation in Brief
ETSI Standards – 101 232, 101 233, 101 234
Interception Suppliers & Discussion of Techniques
Future Developments & Issues

Introduction to Lawful Interception
ETSI definition of (lawful) interception:
interception: action (based on the law), performed by an network operator/access provider/service provider (NWO/AP/SvP), of making available certain information and providing that information to a law enforcement monitoring facility.

[Diagram: Law Enforcement Agency (LEA) -> LI order -> Network Operator, Access Provider or Service Provider -> deliver requested information -> Law Enforcement Monitoring Facility]

LI's Raison D'etre
Why intercept?
- Terrorism
- Pedophilia rings
- Cyber stalking
- Data theft – Industrial espionage
- Drug dealers on the internet
Why not?
- Privacy
- Security

Legal Issues in LI
Judge: "Am I not to hear the truth?" Objecting Counsel: "No, Your Lordship is to hear the evidence."
Some characteristics of evidence - relevance to LI
- Admissible – can evidence be considered in court – *differs per country
- Authentic – explicitly link data to individuals
- Accurate – reliability of surveillance process over content of intercept
- Complete – tells a “complete” story of a particular circumstance
- Convincing to juries – probative value, and subjective practical test of presentation

Admissibility of Surveillance Evidence
Virtual Locus Delicti
- Hard to actually find criminals in delicto flagrante
How to handle expert evidence?
- Juries are not composed of network specialists.
- Legal not scientific decision making.
Case for treating intercepted evidence as secondary and not primary evidence
- Primary – is the best possible evidence – e.g. in the case of a document – its original.
- Secondary – is clearly not the primary source – e.g. in the case of a document – a copy.

Interception of Internet services
What are defined as Internet services?
- access to the Internet
- the services that go over the Internet, such as:
  - surfing the World Wide Web (e.g. html)
  - e-mail
  - chat and icq
  - VoIP, FoIP
  - ftp, telnet

What about encrypted traffic?
- Secure e-mail (e.g. PGP, S/MIME)
- Secure surfing with HTTPS (e.g. SSL, TLS)
- VPNs (e.g. IPSec)
- Encrypted IP Telephony (e.g. pgp-phone and Nautilus)
- etc.
If applied by NWO/AP/SvP then
- encryption should be stripped before sending to LEMF, or
- key(s) should be made available to LEA
else
- a challenge for the LEA

Logical Overview

Technical Challenges
- Req. – Maintain Transparency & Standard of Communication
- Identify Target - Monitoring Radius – misses disconnect
- Capture Intercept information – Effective Filtering Switch
- Packet Reassembly
- Software complexity increases bugginess
- Peering with LEMF – monitoring multiple XDSL ccts.

Origins in The European Community

What is LI based on in the EU?
Legal Basis
- EU directive
- Convention on Cybercrime – Council of Europe
  - Article 20 - Real time collection of traffic data
  - Article 21 - Interception of content data
- National laws & regulations
Technically
- Not Carnivore
- Not Calea
- Standards, Best Practices based approach
- IETF's standpoint (RFC 2804 IETF Policy on Wiretapping)

The European Interception Legislation in Brief

Solution Requirements

European Interception Legislation
France
- Commission Nationale de Contrôle des Interceptions de Sécurité -- La loi 91-636
- Loi sur la Securite Quotidienne – November 2001
Germany
- G-10 – 2001 - "Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses"
- The Counter terrorism Act – January 2002

UK Interception Legislation
UK
Regulation of Investigatory Powers Act 2000
Anti-terrorism, Crime and Security Act 2001
“The tragic events in the United States on 11 September 2001 underline the importance of the Service’s work on national security and, in particular, counter-terrorism. Those terrible events significantly raised the stakes in what was a prime area of the Service’s work. It is of the utmost importance that our Security Service is able to maintain its capability against this very real threat, both in terms of staff and in terms of other resources. Part of that falls to legislation and since this website was last updated we have seen the advent of the Regulation of Investigatory Powers Act 2000, Terrorism Act 2000 and the Anti-Terrorism Crime and Security Act 2001. Taken together these Acts provide the Security Service, amongst others, with preventative and investigative capabilities, relevant to the technology of today and matched to the threat from those who would seek to harm or undermine our society.” – The UK Home Secretary’s Foreword on MI5

The Case in Holland
At the forefront of LI : both legally & technically
- The Dutch Telecommunications Act 1998 – Operator Responsibilities
- The Dutch Code of Criminal Proceedings – Initiation and handling of interception request
- The Special Investigation Powers Act - streamlines criminal investigation methods
- WETVOORSTEL 20859 – backdoor decree to start fishing expeditions for NAW info – Provider to supply info not normally available
TIIT STANDARD – predecessor to current ETSI standards
LIO – National Interception Office – in operation since end of 2002

European Telecommunications Standards Institute

ETSI TR 101 944
- Responsibility - Lawful Interception requirements must be addressed separately to Access Provider and Service Provider.
- 5 layer model - Network Level & Service Level division
- Implementation Architecture –
  - Telephone cct. (PSTN/ISDN)
  - Digital Subscriber Line (xDSL)
  - Local Area Network (LAN)
  - Permanent IP Address
- Security Aspects
- HI3 Delivery

The ETSI model
[Diagram labels: NWO/AP/SvP's domain; LEA domain; NWO/AP/SvP's administration function; Network Internal Functions; IIF; INI; IRI mediation function; CC mediation function; intercept related information (IRI); content of communication (CC); LI handover interface HI with HI1, HI2, HI3; LEMF]

Legend:
- HI1: administrative information
- HI2: intercept related information
- HI3: content of communication
- IIF: internal interception function
- INI: internal network interface

Sample Architecture for HI2 and HI3

[Diagram labels: ISP; S1 interception (several); S2 gathering & transport; S3 management box; Mediation Function; HI2 & HI3; Internet; Law Enforcement Monitoring Facility (LEMF) with T1, T2 (LEA1), T2 (LEA2); Law Enforcement Agency (LEA); LI order; LI Warrant Admin Desk; HI1]

ETSI 101 232 – IP Delivery
Specifies:
- modular approach used for specifying IP based handover interfaces
- header(s) to be added to IRI & CC sent over HI2 & HI3
  - (R4 LIID)
  - (R5 & R7 Communication Identifier)
  - (R37 & R38 Timestamp)
  - (R15 & R19 Sequence Number)
  - (R10 Direction)
  - (R9 Payload Type)
  - (R8 Interception Type)
- protocols for the transfer of IRI & CC
- protocol profiles for the handover interface

ETSI – 101 232 – Protocol Stack

Layer name | OSI layer | Clause | Responsibilities
Handover   | 6 & 7     | 6.2    | Create & maintain one or more delivery functions. Error reporting. Aggregate PDUs; associate header info; create padding PDUs; assign PDUs to delivery functions
Session    | 5         | 6.3    | Create & maintain a single transport connection and monitor its status. Run keepalive mech.; encode/decode PDU elements; integrity mech.; buffer data
Transport  | 4         | 6.4    | Create & maintain a network cct.
Network    | 3         | 6.5    | Network Protocol

ETSI 101 233 – EMAIL
- “Stage 1” description of interception info. in process of sending & receiving email
- “Stage 2” description of when IRI & CC shall be sent and what info it shall contain
- Email Send Event
- Email Receive Event
- Email download event – distinction – client
- Content intercept or complete session
- Webmail

ETSI 101 234 - Internet Access Services
- “Stage 1” description of the interception information in relation to the process of binding a “target identity” to an IP address when providing IAS
- “Stage 2” description of when IRI & CC shall be sent and what info. it shall contain
- LI Requirements - administrative as well as capturing of traffic
- Preventing over and under collection of intercept data
- Reference Topologies & Scenarios
- Further: Radius & DHCP, IP IRI intercepts & TCP, UDP IRI intercepts

ETSI 101 234 - Internet Access Services contd. 2
Target Identity -
- Username or Network Access Identifier
- IP address (IPv4 or IPv6)
- Ethernet address
- Dial-in Number calling line identity
- Cable Modem Identifier
- Other unique identifier agreed between AP & LEA
Result of interception - provided when
- Attempt to access the access network
- When access to access network permitted / not
- On change of status / location

ETSI 101 234 - Internet Access Services contd. 3
IRI contains -
- Identities used by or associated with the target identity (dial in calling line number and called line number, access server identity, ethernet addresses, access device identifier)
- Details of services used and their associated parameters
- Info. relating to status
- Timestamps
CC shall be provided for every IP datagram that:
- Has the target's IP address as the IP source address
- Has the target's IP address as the IP destination address
CC shall contain a stream of octets for every

Interception Suppliers & Discussion of Techniques

LI Implementations
- Verint formerly known as Comverse Infosys
- ADC formerly known as SS8
- Accuris
- Pine
- Nice
- Aqsacom
- Digivox
Telco/ISP hardware vendors
- Siemens
- Alcatel
- Cisco
- Nortel

Implementation techniques
- Active - direct local interception – i.e. Bcc:
- Semi-Active - interaction with Radius to capture and filter traffic per IP address
- Passive - no interaction with ISP required, only interception point for LEA device
- Most of the following are active or a combination of active and semi-active implementations

Verint = Comverse - Infosys
- Based in Israel – Re: Phrack 58-13
- Used by Dutch LEMF
- Used extensively internationally – supports CALEA & ETSI
- Use of Top Layer switch
- Response

NICE
- Used in BE as t1
- Proprietary – implemented for ETSI
- Feat., topic extraction, Keyword Spotting, Remote Send of CC
- Auto Lang. detection and translation
- Runs on Windows NT & 2000 Svr.
- Stand alone internet/telephony solution

ADC = SS8
- Use of proprietary hardware
- Used for large bandwidth ccts.
- Known to be used in Satellite Traffic centers
- Supports CALEA – ETSI
- Use of Top Layer switch

Accuris
- Max. of 50 concurrent taps
- Solution not dependant on switch type
- Can use single s2 as concentrator
- Offer Gigabit Solution – but depends on selected switch capability and integration with filter setting
- Supports Calea & ETSI

It's all about the M$ney
- Solutions can cost anywhere from 100,000 Euro to 700,000 Euro for the ISP
- UK Govt. expected to spend 46 billion over the next 5 years - subsequently reduced to 27 billion
- Division of costs
  - Cap Ex = ISP
  - Op Ex = Govt.
- Penalties for non-compliance
  - Fines – up to 250,000 euros
  - Civil Charges
  - House Arrest of CEO of ISP
- Cooperation between ISPs to choose single LI tool

Conclusions for Law Enforcement
“If you're going to do it … do it right”
- Disclosure of tools and methods
- Adherence to warrant submission requirements
- Completeness of logs and supporting info.
- Proof of non-contamination of target data
- Maintaining relationship with the private sector

Law Enforcement personnel
- Training
- Defining role of police investigators
- Defining role of civilian technicians
- Handling Multi-Focal investigations

Future Developments & Issues
- EU Expansion – Europol stipulations
- Data Retention Decisions
- ENFOPOL organization
- Borderless LI
- ISP Role
- EU wide agreements on Intercept Initiation
- Quantum Cryptography
- WLAN challenges
- The Future of Privacy Legislation?

Web Sites
- www.opentap.org
- http://www.quintessenz.at/cgi-bin/index?funktion=doquments
- www.phrack.com
- www.cryptome.org
- www.statewatch.org
- www.privacy.org
- www.iwar.org.uk
- www.cipherwar.com
- www.cyber-rights.org/interception

Q&A / Discussion
- Does LI deliver added value to Law Enforcement's ability to protect the public?
- What about open source Interception tools?
- Will there be a return of the Clipper Chip?
- Should there be mandated Key Escrow of ISP's encryption keys?
- What types of oversight need to be built into the system to prevent abuse?

Thank You.
Jaya Baloo
jaya@baloos.org
+31-6-51569107
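
Added example, not part of the original slides: the ETSI 101 234 slides bind a target identity to an IP address and require CC for every datagram with the target's address as source or destination, while the Technical Challenges slide notes that Radius monitoring misses disconnects. The Python below shows how a missed accounting Stop leads to over-collection once the address is reassigned, and how closing the binding on the next Start for that address keeps the intercept within scope. The accounting feed, datagrams and function names are constructed for illustration.

```python
from ipaddress import ip_address

# Constructed RADIUS accounting feed: (time, event, username, framed IP).
# alice's Stop for her first session never arrives ("misses disconnect").
ACCOUNTING = [
    (100, "Start", "alice", "192.0.2.10"),
    (200, "Start", "bob",   "192.0.2.10"),   # address re-used by another user
    (300, "Start", "alice", "192.0.2.77"),
    (400, "Stop",  "alice", "192.0.2.77"),
]
# Constructed datagrams: (time, source, destination).
DATAGRAMS = [
    (150, "192.0.2.10", "198.51.100.5"),   # alice, first session
    (250, "198.51.100.5", "192.0.2.10"),   # bob now holds the address
    (350, "203.0.113.9", "192.0.2.77"),    # alice, second session
    (450, "192.0.2.77", "203.0.113.9"),    # after alice's Stop
]

def target_windows(accounting, target):
    """Return [(ip, start, end)] intervals during which `target` held an address."""
    holder = {}    # ip -> (username, start time) of the current binding
    windows = []
    for t, event, user, ip in sorted(accounting):
        ip = ip_address(ip)
        prev = holder.get(ip)
        # The holder's own Stop, or any new Start on an address still marked
        # as held, ends the previous binding (covers the missed-Stop case).
        if prev and (event == "Start" or prev[0] == user):
            if prev[0] == target:
                windows.append((ip, prev[1], t))
            del holder[ip]
        if event == "Start":
            holder[ip] = (user, t)
    # Bindings still open at the end of the feed remain open-ended.
    windows += [(ip, s, float("inf")) for ip, (u, s) in holder.items() if u == target]
    return windows

def select_cc(datagrams, windows):
    """Keep datagrams whose source or destination was the target's address at that time."""
    def bound(addr, t):
        return any(ip == ip_address(addr) and s <= t < e for ip, s, e in windows)
    return [d for d in datagrams if bound(d[1], d[0]) or bound(d[2], d[0])]
```

A filter keyed only on the set of addresses alice ever held would have delivered all four datagrams, including bob's traffic at time 250.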