Lawful interception (LI) is an essential tool for law enforcement to investigate crime and terrorism. It’s the only legally grounded process by which a network provider or telecom service gives law enforcement agencies access to organizations or individual subscriber communications. Service providers have the obligation to grant governments access to important information when that information is requested. However, at the same time, they have a responsibility towards their customers and their business privacy. There is a very fine line between them which should be treated with care. In this presentation, we discuss the legal framework around lawful interception and how hosting providers intercept emails. For more information, you can also check out our dedicated blog post: https://www.axigen.com/articles/lawful-interception-for-service-providers_111.html

1. EMAIL INTERCEPTION
FOR THE GOOD GUYS
Why and How Would My Hosting Service Intercept Emails?
How Do the Rules Apply in Real Life?

2. BOGDAN MOLDOVAN
CEO
Head of Sales and Professional Services
Phone: +40-21-303-2080
Mobile: +40 722 402 868
Skype: bogdan_m
Email: bogdan.moldovan@axigen.com

3. Integrated all-in-one
email, calendaring &
collaboration, masterfully
built on unique mail
server technologies, for
increased speed &
security.
• Developed by Axigen Messaging, EU-
based vendor in the messaging industry
• Designed to meet the email hosting
needs of Service Providers of all sizes
• Axigen’s mission is to enable CSPs to
deliver a premium, all-in-one
communication and collaboration
service, with an awesome experience for
their end customers.

4. You’ll most likely find
the content relevant if
you’re wearing one of
these hats
• Product Manager for the Email Hosting
Service
• Compliance Officers
• Technical Architects of Email Hosting
Services
• Technical Level - Intermediate to
advanced
• Curious about legal provisions regarding
lawful interception in the EU and
Romania

5. What this presentation
covers
• Intro to the Legal Framework, legal
provisions
• We’ll focus on the EU and deep dive into
some examples of the Romanian (our HQ)
Legislation
• We’ll also touch (a few notes) on the statutory
provisions in the US (although we did not
investigate American case-law)
• A selection of technical strategies and
tactics that apply to email legal
interception

6. What you’ll NOT
find here
• Legal hold
• Workplace surveillance

7. DID YOU SEE WHAT HAPPENED RECENTLY?

8. EU RELEVANT LEGAL FRAMEWORK
Different Location, Different Lawful Interception Regulations
Your company will have to comply with local and national laws. It’s mandatory to seek
legal advice for what is relevant in your national law, and we recommend doing so as early
as possible during the setup procedures.
When you talk to a legal representation in your local country, you must brief them about
your current logging procedures; what you currently log and why, what you do with it,
and who has access to that so they can tell you from the purpose of lawful intercept what
you should do moving forward.
This is done on a case-by-case basis, only under legal advice. It helps to be prepared. You
will usually have a specific amount of time (depending on the country) to comply and
respond, so it will be challenging to comply if you aren’t prepared.

9. • European Convention on Human Rights
• Budapest Convention on Cybercrime
• Case-law of the European Court of Justice
(mainly judgements in cases Digital Ireland,
Tele2 Sverige and La Quadrature du Net) and of
the European Court of Human Rights
EU RELEVANT LEGAL FRAMEWORK
• Directive 2002/58/EC concerning the
processing of personal data and the
protection of privacy in the electronic
communications sector
• Principle of communications’ confidentiality –
article 5
• Exception – article 15(1)
• Charter of Fundamental Rights of the EU

10. • CJEU declared the Directive 2006/24/EC invalid,
considering that the EU legislature exceeded the
limits of the proportionality principle:
EU law does not currently provide for
an obligation to retain data.
• However, Member States remain able to
introduce exceptions to the main obligation of
ensuring confidentiality of electronic
communications
EU LEGISLATION – DIRECTIVE 2006/24/EC
• Article 5 of Directive 2006/24/EC provided for
the retention of data necessary to:
• trace and identify the source of a communication;
• identify the destination of a communication;
• identify the date, time and duration of a
communication;
• identify the type of communication;
• identify users’ communication equipment;
• identify the location of mobile communication
equipment.
• Article 5 paragraph 2 of Directive 2006/24/EC:
No data revealing the content of the
communication may be retained
pursuant to this Directive
“

11. EU: EXCEPTIONS TO THE MAIN OBLIGATION OF
ENSURING CONFIDENTIALITY OF ELECTRONIC
COMMUNICATIONS
The exact conditions under which data
must be retained and disclosed to
authorities are governed by national laws.
• A national measure that derogates from
the confidentiality of communications and
related traffic data principle must be
strictly proportionate to the intended
purpose; such measure must comply to
several rules.

12. SHORT U.S. NOTES
The Fourth Amendment,
governing the right to privacy
Electronic Communications Privacy
Act (“ECPA”), enacted by the
Congress in 1986
Stored Communication Act.
Title II of the ECPA
Case-law on these matters

13. CASE STUDY: ROMANIA
GEO 111/2011, Decision 987/2012 and
Decision 987/2012
• Mostly aimed to assist the Romanian Informational
Service
Criminal Procedure Code
• In the Romanian law, service providers are
obliged under the Criminal Procedure Code to
cooperate with authorities and respond to
their requests regarding data.
• The cooperation can take the following forms:
• Interception of any type of distance communication
(Art. 138-146 of the Criminal Procedure Code);
• Preservation of computer data (Art. 154 of the
Criminal Procedure Code).
Law 506/2004
• Covers the processing of personal data and the
protection of private life in the area of electronic
communications
• The approval of the court has the role of censoring
potential violation of private life and the provider
can not censor or limit the request.

14. CASE STUDY: ROMANIA
Things to ask yourself.
• What is the obligation to keep historical
records of content (e.g. actual email and
attachments)?
• Can I (as an operator) be required by local
authorities to provide communication
content (e.g. actual email and attachments)?
• How can I (as email hosting operator)
validate that the request is valid?
• Who are the email addresses that our
suspect (suspect@domain.com) has
communicated with in the past 30 - 60
days?
• What are the emails currently in his
mailbox?
• We need to monitor all future email
communication and intercept also content
of emails?
• For how long does an operator need to
keep historical records of metadata (who
sent an email to whom on which date)?

15. SOME TECH STUFF… FINALLY…
Core Basic Concepts
• Email Communication & Mailbox Access Logs
• Accessing the email content (Subject and Body)
Several aspects behind all these
questions that span:
• product capabilities,
• internal processes,
• various other integration points with other
systems (Monitoring and Alarming, Logging
and Reporting, Backup and Restore, etc).
# Logs, Logs, Logs

16. Email Communication
SOME TECH STUFF… FINALLY…
• Querying these logs should be subject to access
control lists and should be audited
• Example of such a log line (anonymized with
***):
• Is is best practice to aggregate all the logs
from all the nodes in your email hosting
platform into a separate platform
• A syslog server
• An Axigen log gathering server
• An ElasticSearch / Kibana server
• A Graylog server (see more here)
• Any other log centralization solution
• That platform should implement the retention
policies in sync with regulatory requirements
2021-04-08 14:20:08 +0300 08 mailPROCESSING:001141BE:
New mail <1617880807728676528@fe1.axigen.lan>
received from fe1.axigen.lan (192.168.1.226) with
envelope from <r***n@axigen.com>, authenticated as
<r***n@axigen.com>, recipients=8 (a***u@axigen.com,
i***s@axigen.com, v***n@axigen.com, f***a@axigen.com,
b***m@axigen.com, t***k@axigen.com, c***e@axigen.com,
r***n@axigen.com), size=7236, enqueued with id 2215C4
(orgid=2A2B93)

17. Mailbox Access logs
SOME TECH STUFF… FINALLY…
• Example of such a log line:
• On all Axigen Systems logs, there is a special
log file, called security.txt, which is also
captured and sent to the OBF Platform.
• This log file captures the logins via various
client access protocols (Mailbox REST API,
WebMail, IMAP, SMTP, etc.), remote IP
address, and corresponding statuses
(successful or unsuccessful).
2021-04-08 12:24:53 +0300 02 mail
SECURITY:WEBMAIL;000235BD;192.168.1.226;37885;OP_OK;a
xigen.test99@axigen.com;Android-
Mail/2021.03.07.364486182.Release;Authentication
successful;

18. Accessing the Email Content (Subject, Body, Attachments)
SOME TECH STUFF… FINALLY…
• All of these cases require various configurations
that can be made on the existing product and
existing integrations.
• For a more detailed discussion, you can refer
to How to Implement Email Archiving with
Axigen and our dedicated Lawful Interception
for Service Providers article.
• Now, from a product standpoint, the email
content of an email can be accessed:
• by the user himself
• by any other user which is granted access on the
original user’s mailbox (e.g. Sharing)
• by creating a copy of the message and storing it
in an separate mailbox along with the original
mailbox
• by redirecting a copy of inbound and/or
outbound messages of a certain user to an
external mailbox (can be an email address from
the legal authorities)
• by accessing a past backup and extracting the
NOT TO BE ALLOWED UNDER NORMAL CIRCUMSTANCES.
MUST BE GATED BY PROCESSES AND ACCESS RESTRICTIONS.

19. Our email server:

20. Thank you for reading!
Follow us on Facebook, Twitter, or LinkedIn