Professional Documents
Culture Documents
Technical Aspects
of Lawful Interception
www.itu.int/itu-t/techwatch I T U - T T e c h n o l o g y W a t c h R e p o r t # 6
May 2008
Technical Aspects
of Lawful Interception
ITU-T Technology Watch Report 6
May 2008
Acknowledgements
This report was prepared by Martin Adolph (tsbtechwatch@itu.int) with Dr Tim Kelly. It has
benefited from contributions and comments from Anthony M. Rutkowski.
The opinions expressed in this report are those of the authors and do not necessarily reflect
the views of the International Telecommunication Union or its membership.
This report, along with other Technology Watch Reports can be found at
www.itu.int/ITU-T/techwatch.
Please send your comments to tsbtechwatch@itu.int or join the Technology Watch
Correspondence Group, which provides a platform to share views, ideas and requirements
on new/emerging technologies and to comment on the Reports.
The Technology Watch function is managed by the ITU-T Standardization Policy Division.
© ITU 2008
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without
the prior written permission of ITU.
ITU-T Technology Watch Reports
Telephone era
Magazine ad (1962) for easy telephone
surveillance with Tel-O Record.5
In this report, Lawful Interception (LI) LI and the question how to deal with this
describes the lawfully authorized topic have recently been discussed in
interception and monitoring of telecommu- different ITU-T Study Groups. This report,
nications pursuant to an order of a the sixth in a series of ITU-T Technology
government body, to obtain the forensics Watch briefing papers, will focus on the
necessary for pursuing wrongdoers. It is a technical concepts underlying LI, and
need that has existed from the times of describes existing standardization done in
short-range telegraphy to today’s world- this field.
spanning Next-Generation Networks
(NGNs).
Law
LI Enforcement
Order Agency
(LEA)
Network Operator (NWO),
Access Provider (AP),
Law
Service Provider (SvP)
Enforcement
Requested
Monitoring Facility
Information
(LEMF)
3 Common architecture
LI may target two types of data: the actual Network, with standardized interfaces that
contents of communications (CC) which manage the hand-over of data between
may include voice, video or text message both networks. Three functions are
contents, and Intercept Related Information responsible for the work within the PTN:
(IRI, Call Data (CD) in the United States). • The Administration Function (ADMF)
IRI consists of information about the receives interception orders from the
targeted communication itself: signalling LEA and hands them over to
information, source and destination • Internal Intercept Functions (IIF), which
(telephone numbers, IP or MAC addresses, are located tactically within network
etc), frequency, duration, time and date of nodes and generate the two desired
communications. On mobile networks, it types of information, CC and IRI.
may also be possible to trace the
• Meditation Functions (MF) take charge
geographical origin of the call. 6 Network
of delineation between the two
operators have always been collecting some
networks. They implement Internal
IRI for billing and network management
Network Interfaces (INI), which may be
purposes and so it is relatively easy for law
proprietary, to communicate within the
enforcement agencies to gain access to this
PTN, and standardized interfaces, to
information, under subpoena.
deliver requested information to one or
The act of LI – independent of the type of more LEMFs.
communication to be intercepted – may
Figure 2 provides a more comprehensible
logically be thought of as a process with
overview of networks, functions, and
three distinct steps:
interfaces within a generalised LI
1. Capture – CC and IRI related to the
architecture.
subject are extracted from the network.
2. Filtering – information related to the For calls made over IP networks rather than
subject that falls within the topic of the the PSTN, things look slightly different 7 :
inquiry is separated from accidentally Each call consists of one or more call-
gathered information, and formatted to signalling streams that control the call, and
a pre-defined delivery format one or more call-media streams which carry
3. Delivery – requested information is the call’s audio, video, or other content,
delivered to the LEMF along with information concerning how that
data is flowing across the network.
Capture and filtering may be facilitated by
Together, these streams make up a so
the use of the latest speech technologies:
called “session”. As individual packets of
Speaker identification, along with language
data within a session might take different
and gender recognition, combined with
paths through the network, they may
real-time keyword-spotting, can be
become hard to relate with each other. In
performed by specialized servers devoted
Voice over Internet Protocol (VoIP)
to collecting, analyzing and recording
networks, a device named a Session Border
millions of incoming calls as soon as they
Controller (SBC) plays the role of exerting
are intercepted. This can free operators to
influence over the data streams that make
carry out more specialized tasks requiring a
up one or more sessions.
higher level of identification and analysis.
The word Border in SBC refers to the
However, enabling secure private
demarcation line between one part of a
communications for its customers still
network and another, which is a strategic
remains the primary purpose of service
point to deploy Internal Intercept Functions,
providers. To prevent this service being
as both targeted types of data – IRI and
adversely affected by LI, the network
the corresponding CC – pass through it.
architecture requires that there be distinct
This architecture is equally applicable to
separation between the Public Telecom
other IP-based services, where the IRI
Network (PTN) and the Law Enforcement
contains parameters associated with the
LI Hand-over
Interfaces (HI)
Network Operator’s
HI1
Administration Function
(AF)
Internal
Intercept Function (IIF) IRI
Meditation Function HI2
IRI (MF)
CC
CC
Meditation Function HI3
(MF)
Internal Network
Interfaces (INI)
4 Standardization activities
Service providers and vendors are being addition, Cable Television Laboratories
asked to meet legal and regulatory develops generic standards of cable system
requirements for the production of forensics use.
in a variety of countries worldwide.
Common forensic standards are effectively
Although requirements may vary from
encouraged by the international Convention
country to country 8 , most requirements
on Cybercrime maintained by the Council of
remain common.
Europe which currently has 45 signatories –
The principal global forums for specifying a number of which are outside Europe.9 For
the requirements as well as specific a majority of the signatories, their
standards are the European legislation requires technologies based on
Telecommunication Standards Institute standards developed by TC LI and 3GPP SA
(ETSI) Technical Committee on Lawful WG3.
Interception (TC LI) and the 3rd Generation
In RFC 2804, the Internet Engineering Task
Partnership Project (3GPP). New NGN LI
Force (IETF) feared that, by implementing
standards are being developed through
interception functionality, a system would
ETSI TISPAN in collaboration with TC LI and
be less secure and more complex than it
3GPP. Most of the world uses these
could be had this function not been present.
standards. Notable exceptions include the
It noted that, being more complex, the risk
USA CALEA related standards, and the
of unintended security flaws in the system
Russian Federation SORM specifications. In
5 Market Watch
For companies providing LI technology and retention technologies for the collection and
services, the increasing numbers of people storage of intercept related information of
worldwide with access to telecommu- all communications, have to be installed by
nications, steadily advancing telecommu- service providers in a growing number of
nication technologies, and frequently- states worldwide. These network
amended laws, are both a challenge and a management and forensics solutions are
blessing. The customers for LI services developed and sold by a huge number of
include LEAs, national security agencies, or suppliers from different countries. Some of
- where a private corporate or government them have formed a global industry forum
network facility is involved – the party (the Global LI Industry Forum (GLIIF)) to
responsible for this network. promote worldwide awareness, responsible
development and market growth for LI
The number of interception applications
products and services. LI solutions on the
authorised by LEAs continues to increase
market are necessarily compliant with
worldwide (especially in countries that
either the ETSI Standards for most
maintain extensive surveillance capabilities).
countries, plus SORM in Russia and CALEA
Besides lawful interception systems, other
in the U.S.
network forensics facilities, such as data
6 Conclusion
Information and communication applications. Accurate international
technologies have supported Lawful standards-based network forensics
Interception since the era of Morse’s technologies for lawful interception, data
telegraph. Interception is actively practiced retention and network management are
worldwide with an increasing number of needed to meet national requirements.
1
To find out more about ITU’s history, see www.itu.int/net/about/history.aspx.
2
Of course, interception of messages predates the electronic age. In the Napoleonic wars, interception of
semaphore signals was common, while in the Elizabethan era, breaking of secret codes and ciphers played a key
role in the events that led to the execution of Mary Queen of Scots (see, for instance, Budiansky, S. (2000) “Battle
of Wits”). But the intention here is to focus on lawful interception of telecommunications.
3
The relevant text is, inter alia, in Article 37 of the ITU Constitution, which states:
a. Member States agree to take all possible measures, compatible with the system of telecommunications used,
with a view to ensuring the secrecy of telecommunications.
b. Nevertheless, they reserve the right to communicate such correspondence to the competent authorities in
order to ensure the application of their national laws or the execution of international conventions to which
they are parties.
In addition to Article 37 of ITU’s Constitution, as cited above, Article 41 grants priority treatment to government
telecommunications.
4
See Peter N. Grabosky and Russell G. Smith, “Crime in the Digital Age: Controlling Telecommunications and
Cyberspace Illegalities,” 1998; www.books.google.com/books?id=7_z4Ihh49wAC&hl=en.
5
See www.spybusters.com/History_1962_Wiretap_ad.html.
6
See Newport Networks, “Lawful Interception Overview,” 2006; www.newport-networks.com/whitepapers/lawful-
intercept1.html.
7
See A. Rojas, P. Branch, “Lawful Interception based on Sniffers in Next Generation Networks,” Australian
Telecommunications Networks & Applications Conference 2004, Sydney, Australia, December 8-10, 2004;
www.caia.swin.edu.au/pubs/ATNAC04/rojas-branch-2-ATNAC2004.pdf.
8
See SS8 Networks, “The Ready Guide to Intercept Legislation 2;” www.ss8.com/ready-guide.php.
9
See Council of Europe, ETS No. 185, Convention on Cybercrime. Title 5 – Real-time collection of computer data.
Articles 20 and 21. www.conventions.coe.int/Treaty/EN/Treaties/Html/185.htm. The Convention has been signed
by 45 Member States and non-Member States, see
www.conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=1&DF=9/2/2006&CL=ENG.
10
See Susan Landau, "Security, Wiretapping, and the Internet," IEEE Security and Privacy, vol. 3, no. 6, pp.
26-33, Nov/Dec, 2005. Also see Vassilis Prevelakis and Diomidis Spinellis, “The Athens Affair,” IEEE Spectrum,
July, 2007; www.spectrum.ieee.org/print/5280.
Technical Aspects
of Lawful Interception
www.itu.int/itu-t/techwatch I T U - T T e c h n o l o g y W a t c h R e p o r t # 6
May 2008