Lawful interception (LI) is obtaining telecoms network data pursuant to lawful authority for the purpose of analysis or evidence. Such data generally can consist of signalling or network management information or sometimes the content of the communications.
There are many bases for this activity that include infrastructure protection and cybersecurity. In general, the operator of public network infrastructure can undertake LI activities for those purposes. Operators of private network infrastructures have the right to maintain LI capabilities within their own networks unless otherwise prohibited.
Another basis for LI is the interception of telecoms by law enforcement agencies (LEAs), regulatory or administrative agencies, and intelligence services, in accordance with local law. Under some legal systems, implementations may require receiving proper authorization from competent authorities (e.g. see the UK Government's Regulation of Investigatory Powers Act (RIPA)). This legislation covers warrant-based Lawful Intercept of both (i) call, session and message data records (Data Retention) and (ii) content.
The UK Communication Service Providers (CSPs) were not historically compelled by law to retain data. CSPs would keep billing records of all phone calls for their own business reasons. The UK Security and Intelligence Agencies (SIAs) and other authorised bodies would access this retained data within the confines of the RIPA framework. This method of intelligence gathering is used primarily by the security services to build a picture of target networks and to rule out innocent parties.
Today communication methods are complex, a number of different access methods exist to reach the internet and once accessed the ubiquitous IP/TCP transport makes the use of many different services possible.
The majority of CSPs routinely bill based on data usage but have no visibility of the communication sessions being carried on top of that data meaning that for many communication sessions useful records are not generated.
The terrorist attacks of 9/11 and 7/7 prompted legislation in the US and Europe to force the CSPs to retain Communications Data (CD) for up to 12 months. It is important to note the differentiation between CD and Communications Content (CC). CD is metadata about the communication, such as the parties involved and the time and date of the communication, but does not include any of the actual communication itself (e.g. text, web pages, voice etc.). CC, however, is the actual intercepted communication content, and its interception can only be initiated with a warrant from the Home Office for a targeted individual.
The EU Data Retention Directive 2006 initiated the UK Data Retention Directive 2009 (the US law is called the Anti-terrorism, Crime and Security Act 2001 (ATCSA)). The EU Data Retention Directive has since been declared invalid by the European Court of Human Rights as contravening an individual's right to privacy. However, the UK Government continues to enforce the UK Data Retention Directive, believing it is critical to national security and crime prevention.
Despite the 2009 directive, UK Government and CSPs concede that there is a capability gap in the current data retention systems. The UK Government is seeking to introduce more powers under what's referred to as the “Draft Communications Bill”. The Draft Communications Bill focuses on addressing this capability gap in three areas:
1. The Attribution of IP address to an individual.
2. Identifying the internet services or websites being accessed (social media).
3. Data from overseas CSPs.
The details and acceptability of this bill are still being discussed.
Prior art solutions monitor interfaces on the internet side of the network. A problem arises with this technique because of Network Address Translation (NAT): for mobile operators in particular, there is not a one-to-one correspondence between the subscribers (any of whom could be using the web at any one time) and the number of IPv4 addresses available to the operator. This means that it is often not possible to uniquely identify the user of a web session, rendering the collected information useless.
The IP protocol is a ‘network’ level protocol and is absolutely fundamental to how the internet works. It uses a source and destination IP address to route traffic from one node to another across a network of interconnected routers i.e. “the internet”. The IP protocol is used to route all traffic across the internet. Today the IPv4 version of the protocol is used for 95% of all traffic. Although a newer version of the IP protocol is available (IPv6) with far more unique addresses, its uptake requires a very costly update of network infrastructure for anyone wishing to use it, and hence has not been widely adopted.
IPv4 addresses were originally a reliable indication of end point identity, meaning that typically only one piece of terminating equipment would be using a unique IP address at any one time, and that IP address would only be changed infrequently.
However, more recently, with only 4.2 billion IPv4 addresses available for all IP communications globally, the pool of free addresses is beginning to run out. Many CSPs have already exhausted their quota of IPv4 addresses. As a result of IPv4 address exhaustion CSPs and others who allocate IP addresses are implementing methods of sharing addresses between multiple nodes.
Methods of optimising IPv4 address usage such as dynamic IP address allocation and Network Address Translation (NAT) extend the use of IPv4 addresses, but break the one-to-one static allocation of a unique address to an individual. This high volume, highly optimised and rapidly churning NAT within the carrier network is termed Carrier Grade NAT (CGNAT) and is now used in almost all mobile networks and increasingly in fixed line broadband networks. This causes a serious problem for any authorised organisation, as any retained CD observed on the internet side is neither readily nor reliably attributable to a single identity.
An additional problem is that the high data speeds in the network make real-time manipulation of data highly challenging. Comparative technology generally relies on software based solutions in which higher speeds are attained simply by increasing the power and number of processing units. Such solutions are unsatisfactory owing to cost, difficulty in designing the architecture and difficulty in scaling the architecture to higher throughput or to other types of traffic. Such systems struggle to cope with the very high throughput demanded in modern applications, which is only expected to increase in the future. Such systems typically have to be finely tuned to the application, causing delays and overheads in product development.
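As an added illustration that is not part of the original text, the following Python models the attribution problem described above: a hypothetical carrier-side CGNAT binding log with constructed sample records, and a lookup showing that an internet-side record consisting only of public IP and timestamp matches several subscribers, whereas the translated source port together with a precise timestamp is needed to narrow it to one. The record field names, subscriber labels and addresses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class NatBinding:
    """One carrier-side CGNAT translation record (hypothetical field set)."""
    subscriber: str     # internal subscriber identity (placeholder label)
    private_ip: str     # address on the carrier's private side of the NAT
    public_ip: str      # shared public IPv4 address seen on the internet
    public_port: int    # translated source port seen on the internet
    start: str          # binding created (ISO 8601)
    end: str            # binding released (ISO 8601)


# Constructed sample CGNAT log: three subscribers share one public address,
# and port 40001 is reused by sub-C once sub-A's binding has expired.
BINDINGS = [
    NatBinding("sub-A", "10.0.0.11", "203.0.113.5", 40001, "2024-01-01T10:00:00", "2024-01-01T10:05:00"),
    NatBinding("sub-B", "10.0.0.22", "203.0.113.5", 40002, "2024-01-01T10:01:00", "2024-01-01T10:06:00"),
    NatBinding("sub-C", "10.0.0.33", "203.0.113.5", 40001, "2024-01-01T10:06:00", "2024-01-01T10:09:00"),
]


def candidates(public_ip: str, seen_at: str, public_port: Optional[int] = None) -> list:
    """Subscribers whose binding matches an internet-side observation.

    The observation is what a probe on the internet side of the NAT retains:
    a public IP and a timestamp, optionally the translated source port.
    Returns the sorted matching subscriber labels; more than one entry means
    the retained record cannot be attributed to a single identity.
    """
    t = datetime.fromisoformat(seen_at)
    matches = {
        b.subscriber for b in BINDINGS
        if b.public_ip == public_ip
        and datetime.fromisoformat(b.start) <= t < datetime.fromisoformat(b.end)
        and (public_port is None or b.public_port == public_port)
    }
    return sorted(matches)


if __name__ == "__main__":
    # IP + time only: ambiguous between sub-A and sub-B.
    print(candidates("203.0.113.5", "2024-01-01T10:02:00"))
    # Adding the translated port pins the record to one subscriber.
    print(candidates("203.0.113.5", "2024-01-01T10:02:00", 40001))
    # Same IP and port a few minutes later is a different subscriber (port reuse).
    print(candidates("203.0.113.5", "2024-01-01T10:07:00", 40001))
```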
What is needed is a network probe that addresses some or all of these problems.