Virtually every state now has a legal framework to mandate communications service providers (CSPs) to provide a lawful interception (LI) capability. These systems are used by law enforcement or national security agencies to investigate and, where applicable, prosecute criminal acts that involve the use of a telecoms service.
However, there is little standardisation internationally in the implementation of these requirements. This can pose problems for CSPs – but should also be seen as an opportunity. CSPs can actually influence the LI compliance process to reduce costs, and minimise the impact of such technology on their networks.
Lawful interception: a crucial responsibility and a non-recoverable cost
For most CSPs, lawful interception is recognised as a crucial responsibility to support national security. However, from a corporate perspective, it is seen as a non-recoverable cost caused by legal compliance. In most instances, CSPs will endeavour to meet the national specification or requirement for the lowest possible cost. This can sometimes be in stark contrast to the needs of the law enforcement organisations that ultimately process this information. CSPs should take the opportunity to work with the enforcers.
LI is mainly composed of call data records (CDRs) – essentially metadata regarding the telecoms service transaction that occurred, which may need to be supplemented with communications content (CC).1 CC now predominantly comes in the form of either voice or IP session content, and increasingly the two services converge in the form of voice-over-IP (VoIP) services.
Increasingly, CSPs are looking to roll out new services in the shortest possible time, often with LI requirements imposed as a pre-condition of licence applications. Given these circumstances, many CSPs are struggling to understand the nature of the technical requirements – which are often drafted for legacy technologies – and how these should be applied to the roll-out of new services, such as high-bandwidth IP services.
CSPs have an opportunity to influence the standardisation process
The International Chamber of Commerce (ICC) published an international assessment of LI requirements, concluding that LI obligations should be determined between governments and individual service providers, based on transparent, standardised and modular guidelines.2 While the recommendations of the report highlighted the need to develop more-rigid standards, it is crucial that these standards can be effectively applied to new technologies and, furthermore, can be adapted to deal with regional legislative differences.
As a result, CSPs are increasingly being asked to respond to loosely defined compliance criteria for new technologies while regulations are being developed. This means CSPs actually have the chance to influence the technology requirements and, moreover, the standardisation process itself.
This could result in reduced capital and (if applicable) operational costs to the CSPs, and also allow them to optimise the service or infrastructure architecture. This would minimise the negative impacts of implementing LI technology, and could provide higher functionality for the law enforcement agency.
Analysys Mason has worked on a variety of projects to help service providers, regulators and national security organisations to plan for and implement a range of LI, intelligence and location-based platforms. For more information, please contact David Cohen at firstname.lastname@example.org, or read more about our information security expertise.
1 Live CDRs are also referred to as intercept-related information (IRI), which is used to correlate service metadata with the relevant communication content (for example, voice or data session content).
2 ICC June 2010 Document 373-492.