Supporting lawful data intercept requests is becoming increasingly important for service providers. At the same time, it’s also become a new challenge for enterprises. The world’s nations are writing laws legally mandating access to communications, and expanding access to all types of user information including voice, video, data, and even location information. It doesn’t stop there: the requirements and legal application of laws vary by country, and even by state.
This whitepaper from Ixia provides a basic overview of lawful data intercept, as well as some recommendations for best practices to help you meet basic compliance for several of the mandated lawful intercept scenarios.
Regardless of the communication format or provider, most lawful intercept laws (like CALEA1 in the USA) demand access to the appropriate content and that access must be provided in real-time. According to the Administrative Office of the United States Courts, which writes an annual wiretap report,2 there were 2,732 intercept applications submitted by the US federal government or state governments during 2011. In 2012, there were 3,395 intercept orders. Figure 1 shows a summary of CALEA requests for the last three years. The average access warrant in 2012 lasted 39 days, but seems to be growing in 2013.
Short Overview of Lawful Intercept
So, what is lawful intercept? As stated previously, it is the requirement to support a government agency in the collection of communication set-up information and communication content. Most, but not all, countries around the globe have some set of laws authorizing the interception of communications for legal purposes. Some countries (like China) are quite transparent about this interception, while others are not.
We won’t review all of the country requirements for lawful intercept, but let’s look at a few. CALEA (Communications Assistance for Law Enforcement Act) is the most predominant law in the United States of America. It was enacted in 1994, and complete compliance mandated by 2007, to help clarify what the requirements are for telecommunication
service providers in the area of lawful intercept. It wasn’t the first law though. Congress had already passed the Omnibus Crime Control and Safe Streets Act in 1968 to legalize electronic surveillance. Congress followed up in 1970 and then in 1986 with the Electronic Communications Privacy Act, to further strengthen the 1968 law by clarifying that the law extended to telecommunications providers and also went beyond voice communication to include electronic mail, data transmissions, faxes, and pagers.
In 1994, the CALEA law clarified what and how service providers needed to deliver lawful intercept information to US law enforcement agencies. This law was needed to ensure that law enforcement could actually get useful information within a useful timeframe to investigate criminal actions. After the initial law was passed, the Department of Justice
and Federal Communications Commission further clarified the law to include packet-based communications and mandated that CALEA must be supported by all service providers. There were also six other areas clarified to be included as part of the law:
• Content of subject-initiated conference calls
• Party hold, join, drop messages
• Access to subject-initiated dialing and signaling
• In-band and out-of-band signaling (notification message)
• Timing to associate call data to content
• Dialed digit extraction (post-cut-through dialed digits)
Common Implementation for Lawful Intercept Monitoring
Now that we’ve explained what lawful interception is and why it has to be supported, this section contains an overview of how to implement it. Organizations must comply with the legal intercept laws or be held accountable. When faced with a lawful intercept order, an entity (whether it is a service provider, ISP, government agency, or private enterprise) has one of four options:
1. Do not comply. In the case of CALEA, this will typically result in fines of up to $10,000 per day and possible arrest of anyone within the organization failing to implement the court order. Laws in other countries are similar.
2. Install the technology. Integrate the technology required for lawful intercept and perform the actions authorized by the court order
3. Obtain third party services. Hire a trusted 3rd party (that is legally authorized) to perform the activities requested under the court order
4. Close down the entity. Law enforcement officials will still demand access to equipment and records acquired up to the point of closure, and possible criminal actions can be sought against the managerial leadership of the entity closing down, depending upon their relationship to the suspect identified in the court order.
Best Practice Recommendations for Monitoring and Lawful Intercept
Ixia has gathered extensive knowledge over several years on how to properly filter packet data for private enterprise, service providers, and government agencies. Based upon this knowledge base, we offer the following recommendations in regards to lawful intercept:
• Use taps, not SPANs, as the information collection point
• Install proper filtering to capture the necessary content quickly and easily
• Address your equipment security concerns upfront
• Make sure you protect the captured evidence
While both SPANs and taps can be used to provide lawful intercept information to a monitoring switch, taps are the superior equipment to use. SPANs, by their nature, can limit the information that is passed on to the monitoring switch. Taps are completely passive and do not limit or consolidate any of the information. Everything is forwarded downstream.
Using a network monitoring switch will make complying with legal intercept laws a lot easier. One benefit is that intercept requests can be made without change board approvals to interconnect monitoring tools and connection setups for the lawful intercept. When a request is made the IT department can quickly provision circuits and routes without any executive approvals, and without any impacts to the production network.
Security is a major concern. As mentioned earlier with the SPAN device discussion, network security must be addressed for all components in your network that are used for lawful intercept. Any access device can be called into question in civil and criminal cases over security and access concerns
As mentioned previously, the chain of evidence must be preserved. This is typically mandated by government laws on legal intercept. It does no good for the law enforcement agency to receive incriminating information on suspects when that data will be challenged and dismissed in court proceedings.
There are some basic things that the IT department can do to protect the evidence:
• Provide only the evidence specifically requested in the warrant – an approach of providing everything possible is a poor approach that could actually “contaminate” good data
• Separate the data for each warrant – if more than one warrant is received at a time, correlate the specific content for each warrant rather than combining multiple streams of information and intermingling the content of different wiretaps
• Show other access, hyperlinks or redirections used by a suspect separately to the LEA
• Collect tracking and location information separately. Depending on the prevailing law, separate warrants may be required for the different sets of information.
• Prevent the loss of the lawful intercept data within your network
• Periodically validate your collection and delivery processes to ensure that they are correct, particularly your routing and storage paths
• Maintain intercept log books to keep up with any activities associated with the wiretaps – this includes logs of who has access to any and all parts of the access technology, written and saved logs of setups and procedures used, and details about all the warrants or routine monitoring.
Lawful intercept applicability and responsibilities are expanding far into the data world. All service providers are directly affected by international laws governing this area. Private businesses can be affected as well – many have already found that they too can be issued warrants for monitoring. To protect your interests, there are several best practices that
you can employ to make compliance with these laws less stressful for your organization:
• Deploying Ixia taps and network monitoring switches for selected visualization are
an efficient and easy way to help you support those lawful intercept requests – not to mention your own analysis, monitoring, compliance and auditing demands.
• A monitoring (filtering) switch gives you the capability to divert relevant information to the right monitoring tool at the right time for the correct purpose. The Ixia Anue Net Tool Optimizer (NTO) product is quick and efficient for all entities (traditional telephony service provider, Internet service provider, government agency or enterprise) to deploy to meet your filtering obligations.
• A filtering switch also provides traffic aggregation, load balancing and header
stripping to further make your life easier when complying to a lawful intercept request
• A security-related Best Practice recommendation is to periodically validate your network security, especially as it applies to lawful intercepts. This assessment includes hacker accessibility (through SNMP, FTP, etc.) and the use of role-based permissions.
• A final best practice is to ensure that your lawful intercept policies and procedures address protecting the chain of evidence. IT needs policies, practices and procedures for lawful intercept as well as for their everyday monitoring, auditing, security compliance and scans, analysis, server access studies, etc., plus a list of who has access to what and how.
Contributed by Ixia