Global Safeguards: Lawful interception standards across various countries
Telecom services have enriched lives, helped raise the standard of living and extended their reach to remote rural areas. However, as telecommunication services have grown, so has the need to prevent breaches of network security. Criminal activity and misuse of telecom services are on the rise. In this respect, lawful interception has emerged as an important means of ensuring national security, investigating criminal activities and combating terrorism.
Lawful interception is essentially legal sanction for access to private communication including telephone calls and emails. It is a security process in which a network operator or service provider gives law enforcement officials access to the communication of private individuals or organisations. Countries around the world have drafted and enacted laws for interception procedures and technology specifications.
The principal global treaty-based legal instrument relating to lawful interception is the Convention on Cybercrime (Budapest, November 23, 2001). The secretariat for the convention is the Council of Europe. However, the treaty itself has signatories worldwide and has global scope.
Besides this, individual countries have different legal requirements relating to lawful interception. The Global Lawful Interception Industry Forum lists many of these, as does the Council of Europe secretariat. For example, in the UK, the law is known as the Regulation of Investigatory Powers Act (RIPA); in the US, there is a series of federal and state criminal laws; and in the Commonwealth of Independent States countries, it is known as the System for Operative Investigative Activities.
To ensure systematic procedures for carrying out interception while also lowering the costs of interception solutions, industry groups and government agencies worldwide have attempted to standardise the technical processes behind lawful interception. One organisation that has played a key role in setting lawful interception standards in Europe is the European Telecommunications Standards Institute (ETSI), and its norms are followed worldwide.
The ETSI architecture attempts to define a systematic and extensible means by which network operators and law enforcement agents can interact, especially as networks grow in sophistication and scope of services. This architecture applies not only to traditional wireline and wireless voice calls but also to IP-based services such as voice over IP, email and instant messaging. The architecture is now applied worldwide (in some cases with slight variations in terminology), for instance, in the US in the context of conformance with the Communications Assistance for Law Enforcement Act (CALEA).
USA
The US’s interception standards that help network operators and service providers conform to CALEA are mainly those specified by the Federal Communications Commission (which has both plenary powers and the authority to review), and the Alliance for Telecommunications Industry Solutions.
In the US, interception of communication is illegal unless authorised by stringent rules, which have been designed to allow the investigation of crime and protect privacy. There are two basic pieces of federal legislation – the Electronic Communications Privacy Act (ECPA), which concerns criminal investigations, and the Foreign Intelligence Surveillance Act (FISA), which concerns intelligence and counter-intelligence operations.
Wiretap laws and procedures used by state courts and law enforcement agencies to implement those laws are subject to two important constraints – the Fourth Amendment to the United States Constitution, as incorporated in and made applicable to the states by the Fourteenth Amendment; and the restrictions of the ECPA.
These restrictions are imposed to ensure that law enforcement officers, in their attempts to gather evidence of crimes through communication systems, comply with decrees that protect individual privacy. Where interceptions are made by law enforcement agencies, the ECPA specifies the authorisation levels of officials who may apply for an order; the crimes or categories of crimes in connection with which an order may be sought; and the probable cause showing that lawful interception is mandatory.
Violations of these stringent procedures may result in civil liability actions against law enforcement officials. Under the ECPA, the interception of oral or wire communication has to be authorised by the highest judicial officers such as the attorney general, deputy attorney general, associate attorney general, and any assistant attorney general. For accountability purposes, the ECPA also requires state and federal courts that issue interception orders to make detailed reports concerning those orders to the Administrative Office of the United States Courts.
Europe
In the European Union (EU), the European Council Resolution of January 17, 1995 on the lawful interception of telecommunications mandated measures similar to CALEA on a pan-European basis. Although some EU member countries reluctantly accepted this resolution out of privacy concerns (which are more pronounced in Europe than the US), there appears to be general agreement with the resolution now. Interestingly, interception mandates in Europe are generally more rigorous than those of the US. For instance, both voice and internet service providers in the Netherlands have been required to support interception capabilities for years. In addition, statistics indicate that interceptions in Europe are more numerous than those undertaken in the US.
Europe continues to maintain its global leadership in this sector by adopting the far-reaching Data Retention Directive in 2006. The provisions of the directive are addressed broadly to almost all public electronic communication and require the information and location data for every communication. The information must be stored for a period of at least six months and up to a maximum of two years and made available to law enforcement agencies upon lawful request. The directive has been widely emulated in other countries.
Lawful interception in the UK is primarily governed by the RIPA, 2000, and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations, 2000. RIPA provides for and regulates the use of investigative powers by public authorities. It updates the law on the interception of communications, previously provided by the Interception of Communications Act, 1985 and the Police Act, 1997. It enables state authorities to intercept communications in line with technological changes like the growth of the internet.
Under the RIPA, the police; inland revenue, customs and excise; and the security services may acquire access to communications data via a warrant. This may also be extended to other local authorities by seeking an order from the secretary of state, thus allowing such authorities to lawfully intercept communications data.
To ensure that the authorities enabled to access communications data under the RIPA do not abuse such powers, safeguards have been introduced. These include clearly specifying the persons designated to seek access to communications data, an accreditation scheme for certain individuals with access to communications data, and strict compliance with the RIPA statutory code of practice.
Australia
Interception in Australia, under the amended Telecommunications (Interception and Access) [TIA] Act, is defined as techniques to tap live or real-time communications. Both the TIA Act (in its original and various amended forms) and the Telecommunication Act, 1997 prohibit the interception of communications, other than in the case of specific exceptions.
The TIA Act has two main objectives – to provide users of Australian telecom services with privacy, and to allow for lawful interception under a warrant where certain listed offences are deemed necessary to investigate.
To enforce the seriousness of this legal prohibition, any person who violates the interception provisions of the TIA Act is subject to imprisonment up to two years. Multiple monitoring and review structures have been put in place, intended to ensure that interception activities are conducted appropriately.
At the time of the enactment of the Interception Act in 1979, it was recognised by Parliament that the TIA Act was highly intrusive and that significant safeguards needed to be built into the legislation to protect it from abuse. Accordingly, a number of important safeguards were built into the original legislation and these have been refined by legislative amendments in the intervening years. These safeguards include both internal (warrant procedures) and external (monitoring and reporting) structures.
Other countries
Most countries worldwide maintain lawful interception requirements similar to those in Europe and the US, and have moved to the ETSI standards. The Convention on Cybercrime requires such capabilities for communication in all nations.
While interception capabilities are a must to ensure national security and to curb illegal use of communication services, the use of lawful interception must be handled with caution. While allowing for interception, governments need to be careful as it also gives leeway for invasion of privacy and the safety of individuals. Also, some level of encryption is mandatory for services like mobile banking and payments. A high level of encryption is required in financial services using telecom or for highly confidential data, and interception to a complete extent may lead to security issues for individuals.