In most countries communication or service providers are obliged by law to enable interception of the customers' communication for law enforcement agencies like secret services, criminal investigation departments, as well as national and international crime fighting and crime prevention organizations. Telecommunication service providers have thus to provide telecommunication and IT infrastructures in order to enable law enforcement agencies to intercept voice and data traffic. Basically the following main principles have to be assured:                1. The interception must be invisible and unrecognizable for the person whose communication is intercepted.        2. The interception must be invisible and unrecognizable for the service provider's staff.        3. Only the communication of legally determined suspect persons is allowed to be intercepted.        
Whereas traditional voice communication is based on circuit switched network technologies and interception is fairly easy to achieve at the access point, IP data traffic based on packet switched technologies uncovers several obstacles with regard to the above mentioned principles. A commonly used approach for intercepting data traffic is to log all IP datagrams of several user sessions at specific interception points, doing a filter analysis afterwards in order to regenerate the complete user session. Mainly three reasons are showing the inefficiency of this practice: huge amounts of data needs to be stored, managed and analyzed. Furthermore logging of the data traffic not necessarily captures all communication data, since packet switched networks could use unpredictable routes and nodes. The interception is not real time and legal issues may be affected, since more user data is stored than needed.
Therefore interception is done in telephony networks both public switched telephony networks and public land mobile networks within the interconnecting switches. The switches are interlinked to mediation devices that are connected with law enforcement agencies. The switch uses the telephone number (ISDN/MSISDN) as interception criteria. The incoming or outgoing call for a certain telephone number is intercepted at the switch. The switch is duplicating the communication content. In addition to the transmission between caller and callee the data is transferred to the law enforcement agency via the mediation device.
In TCP/IP based networks the interception is very similar to the telephony networks. The switch is linked with the mediation device that is connected to the law enforcement agencies. Instead of a telephony number either the source address field of an IP address, the destination address field of an IP address or both are used as the interception criteria. A common practice is to capture all connection data (but not necessarily the whole content) from or towards a given IP address. There are several types of information sources from which the communications data records could be extracted for example from IP router log files, from HTTP server log files, from network protocol analyzers or from dynamic traffic filtering.
IP based interception uses a defined IP address to intercept the communication from or towards a specific IP address. However if the user has no well known/fixed IP address such as a dynamically assigned IP address provided by a third party for example an internet access provider, interception based on the IP address is insufficient. The application session established by the user to be intercepted with such IP addresses would not be captured. IP based interception could record all communication for a specific application or the whole infrastructure. However, the amount of data that would be recorded is enormous for high volume applications/websites. The management and handling of these data require massive effort and resources, for example in the form of an enormous amount of data storage devices. Since all application sessions would be intercepted in this case, privacy issues do exist and legal aspects do apply. To get the content of the applications sessions of interest out of the recorded data, filtering has to be performed. Since this involves a huge amount of data the filtering is time and resource consuming.
Furthermore, the data recorded by IP address interception can be encrypted using transport layer security protocol (TLS) or secure socket layer (SSL). The analysis of standard applications and infrastructure logs such as HTTP web server logs or application logs does not contain the whole content of the communication. To get the whole application session content the applications need to be modified to implement the required logging.
Therefore, there is a need for an improved method and data processing system for intercepting data traffic.