World Class Standards

Lawful interception and Retained Data
Presentation for the Osservatorio Sicurezza ANFOV

Author: Dionisio Zumerle
Technical Officer - ETSI
dionisio.zumerle@etsi.org
ETSI 2007. All rights reserved
Osservatorio Sicurezza ANFOV - Milan, 14 November 2007

Why Lawful Interception implementation in EU


17th January 1995: EU Council of Ministers adopted resolution COM 96/C329/01 on Lawful Interception

The providers of public telecommunications networks and services are legally required to make available to the authorities the information necessary to enable them to investigate telecommunications


What is Lawful interception?


A legally sanctioned official access to private communications
telephone calls
e-mail messages

A security process: a communication service provider collects and provides law enforcement with intercepted communications of private individuals or organizations


Scenario and actors


[Figure: scenario and actors. Labels: target, Correspondent, Interception interface, Handover interface, Monitor, Regulators, Providers, Interception Vendors, Mediation Vendors, Collection Vendors]


Why standardisation of LI?


Easier to define own LI mechanism
Guidance is given for network architecture
No need to define/invent complete own LI system

Less expensive LI products


Manufacturers need to develop one basic product
National options are additional

Intercepted result meets the international requirements set by Law Enforcement Agencies
Worldwide input


Lawful Interception TC in ETSI


ETSI/Technical Committee Security (TC SEC)
Working Group Lawful Interception (SEC-WGLI) (1997)

ETSI/Technical Committee Lawful Interception (TC LI)


Established as stand-alone TC in Oct 2002

Meetings
Three plenary meetings a year (65-75 participants)
Rapporteur meetings on specific technical issues
(4 Rapp meetings per year average, 15-25 participants)


What does ETSI TC LI do?


[Figure labels: Cost, Political, Interception, Business, Retrieval, Handover, Analysis, Legal, process, Relations, Storage]


Participation in ETSI TC LI
Law Enforcement Agencies / Governments organisations
NL, UK, DE, AS, S, GR, ES, FR, RU, FIN, IT, NO, CY, HU
USA, CA, AU, KR

Operators
KPN (NL), DT (DE), BT (UK), TeliaSonera (S), Inmarsat, Telenor (NO),
UPC, Telecom Italia, Telstra (AU), T-Mobile (DE), Vodafone (DE)

Manufacturers (switch)
Nokia Siemens Networks, Ericsson, Cisco,
Alcatel Lucent, Nortel, Marconi, Motorola

Manufacturers (mediation / LEA equipment)


Pine Digital Security, Aqsacom, ETI, VeriSign, Siemens, GTEN,
Utimaco Safeware, Verint, Detica, NICE Systems, Thales, AREA,
ATIS Systems, SS8, Spectronic, Group 2000, ZTE
Manufacturers may be active in all areas


LI Handover Interface
Handover Interface for Lawful Interception (TS 101 671)
Generic flow of information and procedures and information elements
Applicable to any future telecommunication network or service
Circuit switched and packet data
Covered technologies:

PSTN/ISDN
GSM
UMTS (CS)
GPRS
TETRA
wireline NGN (including PES)
wireline IMS PSTN simulation



The ETSI LI Model


Types of Lawful Intercepted data


Content of Communication (CC)
Information exchanged between two or more users of a
telecommunications service

Intercept Related Information (IRI)


Collection of information or data associated with telecommunication
services involving the target identity:
communication associated information or data
(including unsuccessful communication attempts)
service associated information or data
(e.g. service profile management by subscriber)
location information


Handover Interface ports (TS 101 671)


HI1: for administrative information
Request for lawful interception:
target identity, LIID, start/duration, IRI or IRI+CC,
IRI delivery address, CC delivery address, ...
Management information

HI2: for delivery of Intercept Related Information


All data related to establish the telecommunication service and to
control its progress
Correlation information

HI3: for delivery of Content of Communication


Transparent en-clair copy of the communication
Correlation information


Parameters in IRI records (TS 101 671)


LI related identities
LIID, target, network operator, network element, call ID, ...

Timestamp
Intercepted call direction (to / from target)
Intercepted call state (in progress, connected)
Address: Calling party / Called party / Forwarded-to-party / ...
E164, TEL URI, IMSI, IMEI, MSISDN, SIP URI,

Ringing tone duration / conversation duration


Type of intercept:
PSTN, ISDN, GSM (CS), TETRA, GPRS (PD), UMTS (CS)

Supplementary service information


Location information
National parameters
IRI record type (Begin, Continue, End, Report)
...


Handover of LI via IP Networks


TS 102 232-1: Delivery of IP based interception

Handover aspects (based on TS 101 671) for IP-based platforms


Header added to IRI and CC sent over the HI2 and HI3 interfaces
Protocols for transfer of IRI and CC across HO interfaces
Other parts define the service-specific IRI data formats
Generic header information to be added to HI2 and HI3 traffic

LIID
Communication Identifier
Sequence number
Timestamp
Payload direction
IRI record type (Begin, Continue, End, Report)
...
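
A receiving-side consistency check over the generic header fields listed above, as an added example that is not part of the presentation or of any ETSI specification. Records are modelled as plain dicts rather than the encoding the specifications define; the field names, the sample values, and the rules that sequence numbers start at 0 and rise by 1 per (LIID, communication identifier) and that records run Begin, Continue, End with Report standing alone are assumptions of this example.

```python
from collections import defaultdict

# Assumed for this example (field names and rules are not from the slides):
# Begin opens a communication, Continue extends it, End closes it.
NEXT_STATE = {
    (None, "Begin"): "open",
    ("open", "Continue"): "open",
    ("open", "End"): "closed",
}

def check_hi2_stream(records):
    """Return (index, problem) findings for a list of HI2 header dicts."""
    findings = []
    expected_seq = defaultdict(int)   # (liid, cid) -> next sequence number
    state = {}                        # (liid, cid) -> "open" / "closed"
    last_ts = {}                      # (liid, cid) -> latest timestamp seen
    for i, rec in enumerate(records):
        key = (rec["liid"], rec["cid"])
        seq = rec["seq"]
        if seq < expected_seq[key]:
            findings.append((i, "duplicate or replayed sequence number"))
        elif seq > expected_seq[key]:
            findings.append((i, f"gap: missing {expected_seq[key]}..{seq - 1}"))
        expected_seq[key] = max(expected_seq[key], seq + 1)
        if key in last_ts and rec["ts"] < last_ts[key]:
            findings.append((i, "timestamp earlier than previous record"))
        last_ts[key] = max(last_ts.get(key, rec["ts"]), rec["ts"])
        rtype = rec["type"]
        if rtype == "Report":
            continue                  # Report does not change the state
        new_state = NEXT_STATE.get((state.get(key), rtype))
        if new_state is None:
            findings.append((i, f"{rtype} not valid in state {state.get(key)}"))
        else:
            state[key] = new_state
    for key, st in state.items():
        if st == "open":              # delivery ended without an End record
            findings.append((None, f"{key[0]}/{key[1]} has no End record"))
    return findings

# Constructed sample records; the LIID value is a placeholder.
SAMPLE = [
    {"liid": "LIID-EXAMPLE-1", "cid": 1, "seq": 0, "ts": 100, "type": "Begin"},
    {"liid": "LIID-EXAMPLE-1", "cid": 1, "seq": 1, "ts": 101, "type": "Continue"},
    {"liid": "LIID-EXAMPLE-1", "cid": 1, "seq": 2, "ts": 130, "type": "End"},
    {"liid": "LIID-EXAMPLE-1", "cid": 2, "seq": 0, "ts": 200, "type": "Begin"},
    {"liid": "LIID-EXAMPLE-1", "cid": 2, "seq": 2, "ts": 205, "type": "Continue"},
]
```

Calling `check_hi2_stream(SAMPLE)` reports the lost record in the second communication and the fact that it was never closed, while the first communication passes cleanly.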


IP Service-Specific Details (SSD)


TS 102 232-2: SSD details for E-Mail Services
Description for handover of E-mail messages (POP3, IMAP4)

TS 102 232-3: SSD for Internet Access Services


Description for handover of Internet Access Information and TCP/IP
information (DHCP, RADIUS)

TS 102 232-4: SSD for Layer 2 Services


Description for LI functionality of Layer 2 access

TS 102 232-5: SSD for IP Multimedia Services


Based on SIP and RTP, and services described by ITU-T H.323, H.248

TS 102 232-6: SSD for PSTN/ISDN Services


TS 102 232-7: SSD for Mobile Packet Services (drafting stage)

TS 102 232 IP HO Family

[Figure: the TS 102 232 family drawn as a layered stack.
Application: SSD for E-mail Services (part 02), SSD for Internet Services (part 03), SSD for Layer-2 Services (part 04), SSD for IP multimedia Services (part 05), SSD for PSTN/ISDN Services (part 06), SSD for Mobile Services (part 07)
Layer labels: Presentation, Session, Transport, Network and below
Block labels: Generic Headers, Handover manager, Delivery session, Transport layer, Network layer, Delivery network (TS 102 232-1)]

Reference model for LI in IP networks (TR 102 528)

[Figure: reference model (ETSI TR 102 528).
CSP Domain: LI Administration Function (AF), Intercept Related Information Internal Interception Function (IRI-IIF), Content of Communication Trigger Function (CCTF), Content of Communication Internal Interception Function (CC-IIF), Lawful Interception Mediation Function (MF)
Internal interfaces: INI1a, INI1b, INI1c, INI2, INI3, CCTI, CCCI
Handover interface (HI): HI1, HI2 (IRI), HI3 (CC)
LEA Domain: Authorisation authority / Law Enforcement Agency, Law Enforcement Agency]

LI scenario on a VoIP MM platform (TR 102 528)


Basic IP Multimedia message exchange


Entities: Target End Point, CCIF, IRIIF, Remote End Point, LIAF, LIMF, LEA LEMF (TR 102 528)

HI1 court order (1)
INI1a LI_Activation_Req (2)
Invite (3)
INI2 Begin (4)
HI2 Begin (5)
INI1b LI_Activation_Req (6)
INI2 Begin_Ack (7)
180 Ringing (8)
INI2 Continue (9)
HI2 Continue (10)
200 OK (11)
INI2 Continue (12)
HI2 Continue (13)
ACK (14)
INI2 Continue (15)
HI2 Continue (16)
RTP (17)
INI3 RTP (18)
HI3 RTP (19)


General on security of LI
Protection of Target information
Protection of Rooms, Systems, Connections, Signalling

Local staff
Only authorised personnel have knowledge that interception has been activated on a target

Target
Target should not be able to detect that interception is taking place

Other parties
Other parties of any telecommunications service should not be able,
by any means, to detect that any interception facility has been
(de)activated or that interception is taking place

DTR/LI-00044
Security framework in Lawful Interception and Retained Data environment


LI specifications in 3GPP and TISPAN


TS 133 106 (3GPP TS 33.106)
Lawful interception requirements
provides basic interception requirements
partly based on ETSI TS 101 331

TS 133 107 (3GPP TS 33.107)


Lawful interception architecture and functions
TS 133 108 (3GPP TS 33.108)
Handover interface for Lawful Interception
TS 187 005
NGN Lawful Interception; Lawful Interception functional entities,
information flow and reference points


Retained Data in EU
15th of March 2006: the European Parliament and the Council of the European Union adopted Directive 2006/24/EC on Data Retention

Data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks need to be retained


Relation of RD to LI
Retention of Data is similar to LI
Process of providing information on private communications
Legally sanctioned
Concerns stored traffic, rather than traffic in transit (LI)

In ETSI, the stakeholders are the same

Regulators
LI equipment vendors
Telecom equipment vendors
Communication Service Providers

Similar technology and protocols


Similar EU Regulatory framework


Applicability of the Directive


The content of the communication (CC) is not part of the directive, only signaling (IRI)

Storage of all types of communication:

Wireline
Wireless
Internet services
Successful AND unsuccessful communication attempts

Provided data must identify:

source of a communication
destination of a communication
date, time and duration of a communication
the type of communication
users' communication equipment
location of mobile communication equipment


Retained Data Handover Interface


[Figure: the Communication Service Provider and the Requesting Authority / Law Enforcement Agency, connected by Handover Interface HI-A (administrative) and Handover Interface HI-B (transmission RD material)]


Retained Data Handover Protocol


Successful delivery, between CSP and LEA:

REQUEST: Request for Retained Data (HI-A)
REQ(ACK): Acknowledge request (HI-A)
Results of RD request (HI-B)
RESPONSE: confirm results have been sent (HI-A)
RES(ACK): Acknowledge Res message (HI-A)


Modular approach

Framework standard
Message sets for request and delivery
Secure and reliable transport

Annex: PSTN
Annex: GSM
Annex: Internet access services
Annex: Multimedia services


Current RD work/study items in TC LI


ETSI TS 102 656 (to be published)
Requirements of LEAs for handling Retained Data
guidance and requirements for the delivery and associated issues of retained data of telecommunications and subscribers
set of requirements relating to handover interfaces for retained data
requirements to support the implementation of Directive 2006/24/EC

ETSI TS 105 601 (to be published)
Handover interface for the request and delivery of retained data
handover requirements and handover specification for the data that is identified in EU Directive 2006/24/EC on retained data
considers both the requesting of retained data and the delivery of the results
defines an electronic interface


More information

http://portal.etsi.org/li
http://www.etsi.org/WebSite/Technologies/LawfulInterception.aspx
