The 6th International Conference on Telecommunication Systems, Services, and Applications 2011

Lawful Interception Data Retention Regulation Recommendation
Recommendations for countries that do not have relevant regulations in this field

Sigit Haryadi, Indira Malik
Telecommunication Department, School of Electrical Engineering and Informatics, Institute of Technology Bandung
Jalan Ganesha no. 10, Bandung 40132, INDONESIA
[email protected], [email protected]

Abstract—Since the need for communication data in investigating a crime only emerges after the event has been detected, communication data retention for lawful interception (LI) is in real demand. This paper aims to give recommendations to telecommunication regulatory bodies on drafting communication data retention regulation. It describes points of recommendation to a National Telecommunication Regulatory Body for establishing LI data retention regulation to be carried out by the Communication Service Providers in the country. These recommendations are intended for countries that do not yet have regulations in this field.

Some countries, for example Indonesia, currently have only a Government Regulation on Telecommunication Arrangement that obliges Telecommunication Service Providers to keep their customer usage records, and this applies only to records kept for billing purposes. Such data fall far short of what law enforcement needs in order to investigate crime. In the Internet domain no regulation is provided at all, although the number of Internet users is still growing fast.

This paper proposes that the data retention system must be able to perform an administrative function, a data collection function and a data management function, and that each function should maintain its own log. The administrative log has to keep the warrant information, including the target identity, the start date and the duration of data retention required. In the telecommunication infrastructure the target is an MSISDN, IMEI or IMSI; for communication data carried over IP, the target is an e-mail address, account name or IP address.

The information items to be retained include subscriber data, usage data and traffic data, equipment data, network element data, additional service data and the call content. If storage capacity is not yet fully provided, retention of the data that need the largest storage space, such as video and files, may be given lower priority. The Regulatory Body must determine the data retention format based on the handover interface. To prevent abuse of data, the regulation should include clauses obliging each party to delete data held longer than the retention period. This paper also recommends decentralised storage media, separate from the operational system, with a hot site backup.

Keywords: regulation, data retention, lawful interception

I. INTRODUCTION

One of the oldest and most dangerous corruption crimes is bribery. In many bribery cases the evidence comes from the communication data between the briber and the one who receives the bribe, because almost no documents can be presented as evidence. This makes communication data one of the most valuable sources of information in revealing bribery cases. The same is true in drug and terrorist cases.

The availability of communication data is very important for law enforcement, but unfortunately the need for it only emerges after the crime has taken place. This is why many countries have now established new regulation on Lawful Interception (LI) Data Retention that obliges communication service providers to retain the telecommunication data produced by, or originating from, their systems.

This research aims to provide an academic paper on data retention under Lawful Interception Regulation, covering both the regulatory and the technical part. The objective is to provide guidelines for a National Telecommunication Regulatory Body in implementing Data Retention under LI Regulation. This research describes:
- the parties obliged to retain the data;
- the data items that should be kept for LI purposes;
- the storage capacity requirement in relation to the country's telecommunication volume;
- other considerations regarding the retention and storage system.

This research was conducted by benchmarking similar arrangements in operation in several countries and the available technical guidelines that can be used to implement the regulation, including the advantages and disadvantages of each approach. It also examines which data must be retained to fulfil law enforcement needs. Beyond that, we have to look at existing storage technology, the arrangements needed to implement data retention governance, and their compatibility with the country's environment. This research does not discuss which regulatory form should be used to implement the system. On the technical side, it also does not consider where the point of interception should take place in order to obtain the retained data.

978-1-4577-1442-9/11/$26.00 ©2011 IEEE

II. REGULATIONS AND STANDARDS AVAILABLE

A. LI Regulation Review

In South Africa, Australia, the United States, Israel, Japan and Korea, lawful interception is regulated by a dedicated interception law, whereas in the Netherlands, Germany, Malaysia and New Zealand lawful interception regulation is part of the telecommunications and multimedia law or of the law on handling criminal acts. Since the terrorist attacks in New York, Madrid and London, the European countries have needed to accelerate cooperation in investigations, and the EU enacted Directive 2006/24/EC [1], whose aim was to facilitate European cooperation in criminal investigations. Under the Directive, electronic communications service providers and network service providers are required to keep traffic data related to phone calls and e-mails for a period of six months to two years, depending on the Member State. According to the Directive, the data to be kept are:
a) data necessary to trace and identify the source of a communication;
b) data necessary to identify the destination of a communication;
c) data necessary to identify the date, time and duration of a communication;
d) data necessary to identify the type of communication;
e) data necessary to identify users' communication equipment or what purports to be their equipment; and
f) data necessary to identify the location of mobile communication equipment.
The Directive relates only to data generated or processed as a consequence of a communication or a communication service and does not cover the content of the information communicated. The sources of communication data are fixed network telephony, mobile telephony, Internet access, Internet e-mail and Internet telephony.

In the USA, data retention is carried out by each communication service provider. America does not recognise data retention but data preservation, under which companies can be requested not to remove their communication data for a certain period [2]. Preserved data are used not only by law enforcement but can also be used by cyber security researchers under a number of conditions. Currently ISPs voluntarily store their customers' communication data, such as e-mail data, for a certain time. The ECPA (Electronic Communications Privacy Act) [3] was enacted to enable law enforcement to access the preserved data. In Malaysia, telecommunication data retention for interception is done solely by law enforcement and not by communication service providers; record-keeping or retention rules are determined by law enforcement [4]. ITU-D considers the need to retain data for investigation to be as important as immediate access to the data for handling the crime.

B. Technical Guidelines

The most advanced technical guidelines for LI Data Retention are the collection of ETSI technical specifications and technical reports. ETSI TS 102 656 [5] states that a CSP (Communication Service Provider) shall:
- retain and deliver its telecommunication data subject to its national law;
- provide subscriber data and subscriber-related traffic data that were generated or processed within the retention period within its telecommunications system;
- provide data received from other networks that were generated or processed (originated, terminated or forwarded) within the retention period within its telecommunications system.
The retained data do not include the content of the information communicated. The obligation to retain data may apply only in respect of data from the provider's own services, not those of other network providers.

ETSI TS 102 657 [6] breaks retained data down into the following categories:
- Subscriber data: information relating to a subscription to a particular service;
- Usage data: information relating to usage of a particular service;
- Equipment data: information relating to an end-user device or handset;
- Network element data: information relating to a component in the underlying network infrastructure;
- Additional service usage: information relating to additional services used (e.g. DNS).
This document also gives a reference model for the request and transmission of retained telecommunications data. The term Authorized Organization covers any agency legally authorised to make RDHI (Retention Data Handover Interface) requests; HI-B delivers data from the CSP to the Authorized Organization. As Fig. 1 shows, two functions can be identified within the Authorized Organization block: an Issuing Authority, responsible for initiating new RDHI requests, and a Receiving Authority, which accepts the RDHI responses. In many situations the authority issuing a request will also be the authority receiving the responses; however, the Issuing Authority may indicate a different delivery point for HI-B responses, in which case the issuing authority and the receiving authority are different.

ETSI 102 661 [7] explains that, similarly to the LI case, the Data Retention (DR) systems, the log systems, and the network and IT systems enhanced with DR functionality are the main functional entities. The "Log administration function" aims to provide a central log management and mediation role among the LI/DR nodes, all log nodes and the possible CSP-external authorities.


Fig. 1. Reference model of the data retention system

Fig. 2. Functional architecture for LI operation

From the operational point of view, it is identified with the "Mediation Log Device". The "Log event collection function" aims to collect the log information from all involved nodes; operationally it can function within the "Secure Log Server", within the "Mediation Log Device", or within both. The "Log store management function" aims to provide a central storage management role; operationally it is identified with the main storage part of the "Secure Log Server". This document also lists at least ten threats to be considered:
- Disclosure of information assets (sensitive data)
- Modification of information assets
- Unauthorised access to the LI/DR data
- Unauthorised access to the LI/DR or log infrastructure
- LI/DR infrastructure (or service) abuse
- Illegal use of the retained data
- Repudiation, fake warrant
- Prolonged interception or retention of data
- Recovery of unintended data
- Denial of service

C. Data Retention Without Regulation

To give an idea of how data retention is conducted in a country that has no regulations on data retention, this paper outlines the conditions in Indonesia. Interception in Indonesia is accepted only for serious crimes carrying a sentence of at least five years' imprisonment. Of the nine Indonesian laws that contain interception articles, some state the duration limit of an interception, but all are silent about data retention provisions, both for LI data retention conducted by law enforcement and for data retention by communications service providers. Interceptions currently in operation apply only to telecommunications. If data retention regulation is implemented, then from the infrastructure readiness perspective the parties most ready to implement it are the providers of telecommunications services and the Full Network Service Providers. Indonesian Communication Minister Regulation 11/2006 on Lawful Interception states that the technical configuration and the equipment or interception devices must comply with accepted international standards; the standards used are ETSI (European Telecommunication Standards Institute) and CALEA (Communications Assistance for Law Enforcement Act). Interception is conducted only on the fixed network and mobile phone networks; data interception on the Internet has not been implemented in Indonesia. If data retention for IP interception is to be conducted, then in terms of the current LI data retention infrastructure readiness in Indonesia the most prepared are the retention of telecommunications data and the retention of communications data via IP by the FNSP (Full Network Service Provider). The Drug Act describes a different definition or scope of interception from that stipulated by the Ministry of Communications and Informatics Regulation 11/2006. LI data retention as defined in the Drug Act, except for Internet interception, is not included in the interception considered in this research.

III. IMPLEMENTATION CONSIDERATIONS IN DATA RETENTION REGULATION

A. Constraints in LI Data Retention Regulation Implementation

Article 5 of the European Union Data Retention (DR) Directive states that DR for the Internet applies only to Internet access, Internet e-mail and Internet telephony and excludes all other forms of messaging. Yet there are many forms of messaging, and most communication is now done through messaging systems. Therefore data retention only for Internet e-mail is not enough; data retention should also include data from all other types of messaging.

Spam e-mails are e-mails the receiver does not want, and for law enforcement spam information is equally meaningless, so spam should be excluded from the data to be retained.

In existing IP data transmission there are entities that only pass data through the Internet but provide neither Internet access, nor an e-mail service, nor a VoIP service; these are called 'transit providers'. Since they act only as intermediaries, transit providers should also be excluded from the service providers that must retain their data.

The regulation does not mention the place of storage, so the data can be stored anywhere, possibly in other countries where it is economically cheaper to store data. Data can also be stored by a party other than the service provider itself. If retained data are stored with a third party, the responsibility for securing the data and delivering it to the receiving authority still remains with the telecommunications service provider. In terms of security, there should be a rule stipulating that:
1) data may only be accessed by those authorised by law;
2) data must be destroyed immediately after the retention period ends;
3) technically, service providers must provide a sufficient buffer in case data cannot be sent to the retention system because of broken links;
4) there should be procedures that can be audited to prevent abuse of data.

B. Data Items That Must Be Retained

The items of information that must be retained include at least:
a. Customer data: name, address, place and date of birth;
b. Usage data, including communications traffic data;
c. Equipment data: information relating to the equipment used by the end-user;
d. Network element data: information relating to network infrastructure components;
e. Additional service usage data;
f. Content of communication (call content), including voice, SMS and MMS.

Since data integrity is an important aspect in ensuring that the data can serve as evidence, the use of a special format is necessary to ensure the completeness of the retained data. In addition, using the RDHI (Retention Data Handover Interface) format for all operators also ensures the interoperability of systems in the country; consequently, the national regulatory body should set the data format to be used. Since lawful interception is accepted only for serious crimes, including crimes punishable by death or life imprisonment, the prosecution period under the procedural act expires after eighteen years.
Therefore the maximum time to retain data should not exceed 18 (eighteen) years, since after that the retained data can no longer be used as evidence in a criminal prosecution. Interception is a serious interference with human rights, so telecommunications data obtained through lawful interception should be protected. These data are vulnerable to misuse by irresponsible people and must be kept only for use in law enforcement activities handling serious crimes. There must be mechanisms to ensure that LI retained data held by each law enforcement agency are removed when the case is closed or the verdict has acquired permanent legal force. Considering the sustainability of the system, there are at least four types of external backup arrangement: the cold site, the warm site, the hot site and the reciprocal agreement [8]. In the hot site model the system is expected to run immediately after a major system failure; the site not only keeps the hardware and software but also stores all of the data. In data retention the sustainability of the system is an important issue, but data security is more important because the stored data are confidential. By using the hot site model the CSP can make the backup site the only place where backup data are stored. This ensures that no data are stored on other media and that RD records can be deleted when the retention period has expired.

C. Example of How to Calculate the Volume of Data Retention

Suppose the total GSM mobile phone conversation time for a year is 130.3 billion minutes. The GSM format requires 13.2 kbps, or 792 kb for each minute of sound, so the storage capacity needed for conversation sound is 130.3 × 10^9 × 792 kb/year = 103,118 TB/year. If the sound is stored only for a period of 3 (three) months, the storage requirement is 103,118 × 3/12 = 25,780 TB = 25.8 PB. If the data are stored for 18 years, the storage to be provided is 25.8 × (12/3) × 18 = 1857.6 PB = 1.8576 exabytes. EMC, one of the leading companies in the data storage market, in May 2011 marketed storage media that can store up to 15 PB of data on one file server [9]; this technology is also used by Apple's iTunes to store users' files. At the same time IBM launched a product that can keep 2.8 exabytes (EB) of data in a single tape library [10]. If national telecommunications service providers are required to store the content of communication data, it will take huge storage, but the technology that allows such huge volumes to be stored is already available on the commercial market. Should for certain reasons the storage capacity not yet be available, the data requiring the largest capacity, such as video calls and data files, can be given the lowest priority for retention.

D. Centralized or Decentralized

Retained data storage has two options, centralised or decentralised. Decentralised means keeping the RD at each CSP, not centralised in one place or organisation. Decentralisation makes it more difficult, or requires more effort, for anyone who wants to hack the retained data. Centralisation, on the other hand, means that law enforcement requests are directed to a single point of data retention; providers do not need to know who requested the data, and the overhead costs of data storage may be covered by a cost centre if the retention cost is shared equally by the providers. But since the security of the data is more important than cost considerations, putting RD in centralised storage is not recommended. If decentralised storage is applied, two options remain: separate storage, where data are extracted from the network nodes and transferred to an area dedicated to RD, or integrated storage, where the set of data to be retained is labelled and protected against deletion from the network nodes during the retention period [11].
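The volume calculation of Section III.C, generalised to several data classes and to recommendation 7 (defer the largest classes when capacity is short), as an added Python example that is not part of the paper. It converts the 13.2 kbit/s codec rate to bytes, so its voice figure is one eighth of the paper's, which multiplies the 792 kilobits per minute as kilobytes; the SMS and video volumes in the demo are constructed samples.

```python
"""Added example, not from the paper: storage planning for retained data.
Generalises the calculation of Section III.C to several data classes and
applies recommendation 7 when the available capacity is not yet sufficient.
The traffic figures in the demo are constructed samples."""
from dataclasses import dataclass

TB = 10 ** 12   # decimal units, as in the paper (1 TB = 1000 GB)
PB = 10 ** 15


@dataclass(frozen=True)
class DataClass:
    name: str
    items_per_year: float    # call-minutes, messages or files per year
    bytes_per_item: float    # bytes stored per minute, message or file


def gsm_voice_bytes_per_minute(codec_kbps: float = 13.2) -> float:
    """Full-rate GSM speech at 13.2 kbit/s is 792 kbit per minute, i.e. 99,000
    bytes. (The paper's 103,118 TB/year figure multiplies 792 as kilobytes.)"""
    return codec_kbps * 1000 * 60 / 8


def retained_bytes(dc: DataClass, retention_months: float) -> float:
    """Steady-state storage needed to hold `retention_months` of this class."""
    return dc.items_per_year * dc.bytes_per_item * retention_months / 12


def plan_retention(classes, retention_months, capacity_bytes):
    """Recommendation 7: when capacity is short, retain the smaller classes first
    and defer the ones that need the most space. Returns (retained, deferred)."""
    by_size = sorted(classes, key=lambda dc: retained_bytes(dc, retention_months))
    retained, deferred, used = [], [], 0.0
    for dc in by_size:
        need = retained_bytes(dc, retention_months)
        if used + need <= capacity_bytes:
            retained.append(dc.name)
            used += need
        else:
            deferred.append(dc.name)
    return retained, deferred


if __name__ == "__main__":
    # Constructed yearly volumes for one national GSM network.
    voice = DataClass("voice", 130.3e9, gsm_voice_bytes_per_minute())
    sms = DataClass("sms", 100e9, 200)                # ~140 B text plus headers
    video = DataClass("video", 20e9, 3e6)             # ~400 kbit/s video calls
    for dc in (voice, sms, video):
        print(dc.name, round(retained_bytes(dc, 3) / PB, 2), "PB for 3 months")
    print(plan_retention([voice, sms, video], 3, 5 * PB))
```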


Because of very rapid technological change, operating system updates at communication service providers can occur frequently, as providers need to use the latest technology in order to win the competition. Updates to the system can put the data stored in it at risk, so it is recommended to provide a separate storage area to keep the RD.

IV. CONCLUSIONS AND RECOMMENDATIONS

The key points below are recommended for inclusion in the LI data retention regulation of a country that does not yet have regulations on data retention:
1. National Regulatory Bodies are required to codify regulation for Lawful Interception Data Retention by Communication Service Providers.
2. To standardise the architecture, the data retention system must have at least three functions: an administrative function, a data collection function and a data management function.
3. To ensure system accountability, each of the above functions must have its own logs. The administrative logs must store the warrant information: the identity of the target, and the date and duration of the wiretap.
4. For telecommunications data the target identity is an MSISDN, IMEI or IMSI; for data communication via IP the target identity is an e-mail address, account name or IP address.
5. The items of information that must be retained are:
   a. Customer data: name, address, place and date of birth;
   b. Usage data, including communications traffic data;
   c. Equipment data: information relating to the equipment used by the end-user;
   d. Network element data: information relating to network infrastructure components;
   e. Additional service usage data;
   f. Content of communication (call content) data: voice, SMS, MMS.
6. Regulators should specify the data format (based on the handover interface format) to ensure completeness of data, easy data search and interoperability of systems.
7. Should for certain reasons the storage capacity not yet be available, the data requiring the largest capacity, such as video calls and data files, can be given the lowest priority for retention.
8. Data retention regulation must oblige CSPs to destroy LI retained data immediately after the retention period has ended, both at the telecommunication service providers and at the law enforcement agency.
9. It is recommended to use decentralised storage, which spreads the storage load instead of concentrating it in one place and also reduces cost and risk, while the additional technical complexity remains relatively under control.
10. It is recommended to keep the storage separate from the operational system, to maintain data integrity and prevent disruption when the service provider's operating system is updated.
11. It is recommended to use the hot site backup model, to ensure that data in the backup systems are also deleted when the retention period has ended.

V. REFERENCES

[1] The Council of the European Union. (2006). Directive 2006/24/EC of the European Parliament and of the Council.
[2] Ringland, K. (2009). The European Union's Data Retention Directive and the United States's Data Preservation Laws. Law and Technology Journal, 5(3), Spring 2009.
[3] Burstein, A. J. (2008). Amending the ECPA to enable a culture of cybersecurity research. Harvard Journal of Law and Technology, 22(1).
[4] MACC. (2011, June). Data Retention di SPRM.
[5] ETSI. (2009). Lawful Interception (LI); Retained Data; Requirements of Law Enforcement Agencies for handling Retained Data. Technical Specification, European Telecommunications Standards Institute.
[6] ETSI. (2009). Lawful Interception (LI); Retained data handling; Handover interface for the request and delivery of retained data. Technical Specification, European Telecommunications Standards Institute.
[7] ETSI. (2008). Lawful Interception (LI); Security framework in Lawful Interception and Retained Data environment. European Telecommunications Standards Institute.
[8] Weber, R. (1999). Information Systems Control and Audit (1st ed.). USA: Prentice Hall, Inc.
[9] Hutchinson, L. (2011). Big data meets big storage: an in-depth look at Isilon's scale-out storage.
[10] Harris, C. (2011, May). Information Week: http://www.informationweek.com/news/storage/systems/229403078
[11] ETSI. (2011). Lawful Interception (LI); Retained data handling; System Architecture and Internal Interfaces. European Telecommunications Standards Institute.
