Legal and Technical Standards for Lawful Intercepts
Special Topic of Telecommunication Network
Chapter 3: Legal and Technical Standards for Lawful Intercepts
Aris Cahyadi Risdianto 23210016

Introduction

The basic functions of lawful intercepts (LIs): accessing data, processing data, converting data into information, delivering information to handover interfaces (HIs) with law enforcement agencies (LEAs), and securing all communications.

Lawful intercepts (LIs) differ across geographical areas:
● Responsibilities of service providers and LEAs
● Technical and legal prerequisites are very different in different contexts
● The legal basis for LIs is a very different issue

Principal Groups of LI Issues

Three principal groups of issues to be addressed:
1) Legal background of surveillance
2) Duties of telecommunications service providers (TSPs) (along with access providers, network operators, licensed operators, communications service providers, electronic communications service providers, and telecommunications carriers)
3) Controls and sanctions for noncompliance

Powerful LI standards:
● North American (J-STD-025) standards
● European (ETSI) standards

Legal Background of Surveillance

Basics of Intercept Laws
US: FCC established CALEA
France: French law forms the basis for intercept regulations
UK: The Regulation of Investigatory Powers Act (RIPA)
Japan:
● No laws or acts focusing on LIs
● Law: "no censorship shall be maintained, or secrecy of any means of communications be violated"

Legal Guidelines
US: OCCSSA (wiretap), ECPA (microwave, fax, cordless, etc.), CALEA (conference call, call waiting, etc.), U.S. Patriot Act (wiretaps, pen register, etc.)
France: criminal codes: Loi n° 91-636 du 10 juillet 1991, Décret n° 93-119 du 28 janvier 1993
UK: RIPA chapter 1 (IOCA), chapter 2
Japan: Telecommunication is private, no surveillance activity. Related law: CCP, for telecommunications in crime investigation

Legal Background of Surveillance

Services Subject to Surveillance
US:
● Oral surveillance: person-to-person communications
● Wire surveillance: electronic human voice communications, including mobile and satellite communication
● Electronic surveillance: includes all other electronic communications except financial transactions
France: All telecommunications services are subject to surveillance
UK: Person-based rather than based on an address or telephone number
Japan: Voice telephony, facsimile, and e-mail

Objectives of Surveillance
US: Does not permit general surveillance of communications
France: During a trial, both prosecutors and defense can review the intercepted information
UK: Surveillance results can be used in trials
Japan: To fight serious and organized crime (Yakuza mafia and the Aum sect)

Duties of TSPs and Operators

Cooperation with LEA
US:
● Isolating the content of the targeted communication
● Identifying the origin and destination of the targeted communication
● Providing the intercepted communication and CII to the LEA over lines or facilities leased by the LEA
● Carrying out intercepts without the target becoming aware
France:
● High-ranking LEA officials can assign interception tasks to any employee of France Telecom or another operator
● In cases of strategic surveillance, the prime minister issues a request
UK:
● RIPA applies to all TSPs, offering guidelines for data retention
● Periodic meetings between government and TSPs to discuss the intelligence needs of LEAs
● TSPs may seek advice from the Technical Advisory Board (TAB) for assistance with complicated technical requests
Japan:
● All TSPs must comply with LI legislation and guidelines
● The primary prerequisite is that warrants be issued by prosecutors or high-ranking police officers

Duties of TSPs and Operators

Technical Requirements
US: Summarized in the J-STD-025-A standard
France:
● State-of-the-art intercept technology is to be used to intercept communication data and content
● All data is collected by the Groupe Interministeriel de Controle (GIC), which in turn relays data to LEAs
UK:
● Surveillance includes all communication; intercepted data is provided in real time to the interface with the LEA
● Data transfer supports simultaneous content and intercept condition
● The HI must support an international standard (e.g., ETSI)
● Data should be filtered; only relevant data is forwarded
● Encrypted data should be decrypted
● TSPs support surveillance for 0.1 percent of subscribers
● TSPs use reliable intercept and surveillance equipment
Japan:
● The LEA can provision devices for LI on a case-by-case basis
● E-mail communication is supervised via a temporary mailbox, which is installed and supervised by the LEA
● The National Police Agency approached NTT DoCoMo to develop and install LI surveillance, but it can't be forced

Duties of TSPs and Operators

Organizational Requirements
US:
● TSPs assign LI tasks to experienced experts
● TSPs must specify rules and processes in writing
● TSPs must log their LI actions
● Protocols and surveillance logs must be signed by an expert
● Protocols and logs must be saved for a reasonable duration
● TSPs are expected to document and maintain material
France:
● Personnel with high security clearance conduct surveillance
● Continuity in terms of human resources
● Logs and protocols must be maintained
● All privacy rules must be followed
UK:
● All equipment delivered in one working day
● Surveillance equipment must be accessible for audit
● Surveillance requirements met without notification
● Surveillance must have minimal performance impact
Japan:
● Physical presence of experts on behalf of the TSP for the duration of surveillance
● LEAs, including the National Police Agency and the Public Prosecutors Office, conduct workshops with TSPs on the topic area of LI

Duties of TSPs and Operators

Exception
US: Under CALEA, no exception for TSPs, but one may apply in individual cases
France:
● No exception for TSPs
● Doctors, lawyers, and pastors are protected
UK:
● Exception for TSPs under 100,000 subscribers, and serving a closed community (bank, insurance, financial community, etc.)
● Special approval for journalists, doctors, lawyers, and pastors
Japan:
● If surveillance technology and human resources are expensive
● New HW and SW are required
● Company is too small

Compliance Control
US: No regulation to enforce; TSP self-certification procedure
France: No specific technical or organizational procedures
UK: Government may provide handbook guidelines on technical and organizational matters, but has not yet done so
Japan: Only existing networks are used for LI; special procedures are not required

Control and Sanctions

Controlling Entities
US:
● Based on the Omnibus Crime Control Act, the Administrative Office of the U.S. Courts is expected to prepare an annual report for Congress, outlining surveillance statistics
France:
● The National Committee for Lawful Intercepts (CNCIS) handles LI data initiated by the government
● CNCIS members: president, senate, and national assembly
UK:
● Interception of Communications Commissioner (ICC): an independent individual who reports to the PM, who decides on publication of the report
● Investigatory Powers Tribunal (IPT): an independent court responsible for adjudicating complaints regarding LIs
● Secret services surveillance is regulated by the Institution of Surveillance Commissioner (ISC)
Japan:
● Surveillance activities are controlled by the physical presence of a TSP expert and executed by an LEA member
● Data not related to crime must be deleted

Control and Sanctions

Reporting Duties
US:
● Each judge must report each warrant for surveillance to the Administrative Office of the U.S. Courts
● Prosecutors report directly to the administrative office in regard to all requested warrants
France:
● LEA members must log all activities
● Warrants are maintained locally
● National statistics are not maintained
UK:
● Involved parties are required to follow guidelines from the ICC and provide the necessary data for annual reports
Japan:
● Members of LEAs must log all surveillance actions

Control and Sanctions

Sanctions for Non-compliance
US:
● If TSPs can't provide information or technical assistance to complete an interception, they face criminal or civil liability or a good-faith reliance defense; the sanctions are enforced on the basis of the Communications Act of 1934
France:
● No formal procedures for sanctions
● CNCIS has issued criticism of surveillance decisions, and of violations such as illegal wiretaps and other actions
UK:
● Intentional noncompliance is rare, but sanctions are severe
● To date, no implementation of sanctions has been reported
Japan:
● Sanctions in terms of abuse of surveillance and surveillance instruments
● No known sanctions against TSPs who are unable or choose not to cooperate with LEAs

CALEA Reference Model

CALEA Interfaces
1. Surveillance administration system (SAS): performs provisioning and receives alarms to CALEA interfaces
2. Call data channel (CDC): network connection reporting from the switch to the LEA
3. Call content channel (CCC): network connection delivering call content from the switch to the LEA

CALEA Principal Functions
1) Access functions (AFs) (include network elements such as MSC, HLR, etc.), which provide access to and replication of intercepted traffic
2) Delivery function (DF) (includes target and warrant information, interfaces, intercepted traffic) to the CF
3) Collection function (CF): collects and records lawfully authorized intercepted communications and CII for LEAs

ETSI Reference Model

ETSI Principal Interfaces
1) HI1: Interface for Administration Information. Transports administrative information from or to the LEA and NWO/AP/SvP.
2) HI2: Interface for IRI. Transmits information or data associated with the telecommunications services of the target identity apparent to the network.
3) HI3: Interface for CC. Transports the CC of the intercepted telecommunications service to the LEMF.

Conclusions

ETSI Principal Interfaces
1) HI1: Interface for Administration Information. Transports administrative information from or to the LEA and NWO/AP/SvP.
2) HI2: Interface for IRI. Transmits information or data associated with the telecommunications services of the target identity apparent to the network.
3) HI3: Interface for CC. Transports the CC of the intercepted telecommunications service to the LEMF.