If you’re a fan of the cinema, you’d know that just about every Hollywood spy movie involves some level of sensationalised, lawful interception (although for entertainment’s sake, the ‘lawful’ part is regularly dubious on the big screen).
But what exactly is lawful interception (LI)? Who is subject to lawful interception? Can government agencies intercept whatever they want? Did Lavabit shut down due to lawful interception? And does my company need to do anything?
Let’s walk through it together…
What Exactly is Lawful Interception?
A lawful interception, in layman terms, is basically a wiretap.
Lawful interception technologies let governments selectively gather communications from specific users. They’re technologies that are put in place by telecommunications companies (including email, phone and wireless providers).
These systems let government agencies (usually with warrants) intercept communications between certain users. Lawful interception gateways allow them to capture communications without mass surveillance techniques that gather huge amounts of information.
In some jurisdictions, agencies can intercept communications without alerting telecoms providers. In others, they need to let the telecom or service provider know that they’re collecting data.
Laws for this type of interception differ around the world. Most of the world subscribes to specific standards for lawful interception defined by ETSI (European Telecommunications Standards Institute). So, in many countries, telecoms providers are required to provide these types of capabilities.
Cisco, Siemens and Utimaco are examples of companies that provide lawful interception tech to service providers to meet these requirements.
Who is Subject to Lawful Interception Regulations?
In general, both voice and data providers need to cooperate with government requests for lawful interception. That includes landline phone service providers, cell and mobile data providers, as well as internet service providers.
Though the extent to which different types of service providers may differ between countries, it’s safe to assume that law enforcement agencies in just about any country have the ability to intercept communications when they have a warrant to do so. Although just like in the movies… not all lawful interception requests come with warrants.
“Carriers and service providers, including Internet service providers, have legislative obligations under Part 14 of the Telecommunications Act 1997 to provide assistance to law enforcement and national security agencies. Amongst other things, carriers and service providers are required to assist such agencies to carry out their duties, maintain lawful interception obligations, and try to ensure that telecommunications facilities and networks are not used in the commission of offences. For those carriage service providers that offer prepaid mobile services, there are additional obligations relating to the identity verification.”
“In general terms, unless exempted, all carriers and carriage service providers (including Internet service providers) must provide facilities which enable them to execute a warrant for interception and to provide special assistance to law enforcement and national security agencies. All carriers and certain nominated carriage service providers are also required to submit an annual Interception Capability Plan outlining the carrier’s or carriage service provider’s policies in relation to interception and their strategies for complying with their obligations to the Communications Access Co-ordinator (the CAC). The CAC is an officer of the Attorney-General’s Department, as outlined in section 6R of the TIA Act. The CAC acts on behalf of all the national security and enforcement agencies Attorney-General’s Department.” Source
In the United States…
“three Federal statutes authorise lawful interception. The 1968 Omnibus Crime Control and Safe Streets Act, Title III pertains mainly to lawful interception criminal investigations. The second law, the 1978 Foreign Intelligence Surveillance Act, or FISA, as amended by the Patriot Act, governs wiretapping for intelligence purposes where the subject of the investigation must be a foreign (non-US) national or a person working as an agent on behalf of a foreign country. The Administrator of the U.S. Courts annual reports indicate that the federal cases are related to illegal drug distribution, with cell phones as the dominant form of intercepted communication.” Source
“Interception mandates in Europe are generally more rigorous than those of the US; for example, both voice and ISP public network operators in the Netherlands have been required to support interception capabilities for years. In addition, publicly available statistics indicate that the number of interceptions in Europe exceed by many hundreds of times those undertaken in the U.S.” Source
Can Government Agents Intercept Whatever They Want?
The exact answer to this question depends on where you live. Different jurisdictions have different rules. Wikipedia is a great resource for checking lawful interception laws in different areas of the world.
Generally speaking, lawful interception should not have any widespread impact on most telecom companies or their consumers. Law enforcement agents need a very good reason to request lawful interception of communications and they’ll usually need to have their request approved by a court. (Some people have doubts as to whether the courts in question are critical of these requests and/or if the courts can be bought. But that is a whole other discussion for a whole other day.)
To get detailed information on what can be intercepted, by whom, and what they’re required to show, you’d be wise to do some research on your own local jurisdiction.
What Kind of Information is Lawfully Intercepted?
Most of the time, lawful interception technology is employed in criminal investigations. Wiretapping and the interception of emails are typically used in investigating white-collar crime, drug trafficking and other forms of crime in which communication leaves a trail.
But there are examples of all sorts of arrests being made with lawfully intercepted evidence. Conspiracy to commit murder, weapons possession, drug manufacturing and child pornography arrests have all been supported with evidence gathered from lawful interception.
Intelligence agencies also use these techniques in cases where foreign agents are concerned and in investigations of potential terrorist activity.
Did Lavabit Shut Down Due to Lawful Interception?
Lavabit, an open source webmail provider, is an (unusual) example of when lawful interception gets complicated.
Lavabit gained notoriety when the U.S. government tried to spy on the emails of Edward Snowden. Lavabit’s encryption of customer emails meant that the federal government couldn’t intercept Snowden’s emails even if they wanted to. So, rather than turn over its Secure Sockets Layer (SSL) private keys, Lavabit suspended its service in August 2013.
The company started operating again in January 2017, using the new Dark Internet Mail Environment (DIME), which is an end-to-end email encryption platform designed to be more surveillance-resistant. Source
Does My Company Need to Do Anything?
If you are a provider of a telecommunications, mobile or internet service, you are probably already very familiar with your company’s responsibilities and legal obligations.
If not, you might want to go chat with your legal and infrastructure teams before you are at the receiving end of a lawful interception request, because telcos must have the capability to provide access to customer communications, if needed. (The type of access depends on the type of provider you are.)
Importantly, if you are a telco or ISP that provides an email service for your customers, you especially might want to check if your email platform is LI-compliant. If it’s not, we invite you to take a look at our LI-compliant atmail cloud. Letting us manage your hosted email platform then becomes one less responsibility that your in-house technical team needs to worry about.
As a whole, the onus is on law enforcement agencies to do the right thing. Their actions are (ideally) held accountable by stringent legislation – and that includes getting warrants before they try to intercept communications.
As a telecommunications company or internet service provider, you should already have the policies and infrastructure in place for lawful interception. If you don’t think you do, perhaps everything is in order but has just not been communicated with you? Double-check.
As a consumer of telco or ISP services, you probably don’t need to take any action at all. Lawful interception capabilities are pre-built into the systems that need them, so if you’re working with reputable companies, you should be able to trust that all of your communications infrastructure is compliant.
For more information about lawful interception and how it might affect you, please visit the relevant authority sites in your specific location.
New to atmail?
With 20 years of global, white label, email expertise serving telecommunications and hosting providers across every continent, you can trust us to keep your email platform secure, reliable, private and LI-compliant. We offer user-friendly, white labelled, cloud hosted email with 99.99% uptime and your choice of US or (GDPR compliant) EU data centres. If you want to stay in-house, we offer on-premises webmail and/or mail server options. We power 170 million mailboxes worldwide and our customer satisfaction rating is 99%.
So, if you’re looking for a trusted email services provider to manage your customer email for you, so that your technical team can hand over email management and get back to core business, we can help.
Written by Dann Albright, with contributions from Nathan Salt and Andrea Martins