Lawful Interception in the world...
I'm trying to collect some information on Lawful Interception over the world... Does any country in the world require such things?

LOGS (6 months archive required)
- mail header logs (all mails, in, out, relay)
- pop3/imap/webmail access logs (all accounts)
- dhcp/dial/adsl/gprs/whatever accounting logs (all users)

RealTime
- mail interception (IN, OUT, RELAY) for a certain From/To address or a certain IP. The mail has to be encrypted with PGP and sent directly to the Law enforcement as a mail attachment.

Thank you for taking 2 minutes to answer to nanog or privately, this is important.

P.
Pascal Gloor wrote:
> Does any country in the world require such things?
To put a small operational comment here [this is NANOG isn't it?], customers with Slammer worm -really- blow out internal NetFlow between themselves and the nearest filter blocking them. We had a lot of 56k modem customers with Slammer so we hadn't noticed them in terms of any throughput graphs, and their actual traffic gets blocked at various points, but before it does it has a drastic effect on the NetFlow server. So if anyone else is keeping complete NetFlows of every router in your network and wondering why they've grown so much over the past few weeks... find everything to UDP destination 1434 and get someone to contact the customer *sigh*

In Australia you aren't -required- to keep anything, but anything you do happen to have/keep (e.g. proxy logs, NetFlow, mail logs, RADIUS logs, etc.) you are required to hand over on a proper request. And if you do happen to keep reasonable logs and co-operate with authorities where required (very rare that it's actually required), then they're unlikely to do something unkind such as take your ISP's servers as "potential evidence" for six months, which of course they'd be perfectly entitled to do (after months of careful analysis they may find some old logs that have been written over 100 times by carefully removing each magnetic signal to reveal traces of the one before, for example - so it's a justified but far from ideal action).
I've never had an unreasonable or intrusive request from the authorities, even as an example when a suspected murderer who had contacted his alleged victim(s) via the internet had left his email on the server they did not request his email as that was beyond the bounds of what they are comfortable to request (fortunately - because we would have had to consult the lawyers on the legality of releasing actual communications content; the analogy of the envelope and the contents is an often used one, in traditional mail the writing on the envelope is essentially public knowledge but the contents of the envelope are subject to strict privacy laws. NetFlow inspects packet headers - envelope. Proxy logs contain only the size and address of requests - envelope. Similarly mail logs; address, return address, size, etc. - envelope details again. But mailbox contents correspond to envelope contents, so they're a much harder question).

The authorities are usually quite understanding that logs are quite large, and if they have a request they must get it to us quickly to expect a useful response. And the response has been in 100% of cases that we've identified a customer who happens to be a Net Cafe... so they get to go and try their luck on getting a Net Cafe to identify a customer from their proxy logs and customer records (yeah, sure).

Note that caller ID is very special here. Specifically, the caller ID used to connect to an account must NOT be revealed to the account holder (think: account holder checks usage, finds out who did it, and goes over to go kill person responsible for large bill), and must ONLY be revealed to responsible authorities with some very specific paperwork. This is contrary to, for example, Singapore (where our parent company operates), where each customer sees the caller ID details on their online usage summary.

As to extremes of lawful interception - try Singapore and China.
Singapore Govt require the use of a proxy (if the proxies are all down, the internet is down), so I'd assume they also require keeping of the proxy logs. I don't know if it's still the case, but it used to be that Singapore had a "banned list" for the proxies and China took things to a further extreme by having an "ok sites list" rather than a "banned list".

David.
--
David Luyer                                     Phone:   +61 3 9674 7525
Network Development Manager    P A C I F I C    Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4 1111 BYTE
http://www.pacific.net.au/                      NASDAQ:  PCNTF
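
Added example, not part of the original thread: one way to run the "find everything to UDP destination 1434" search from the message above over exported flow records. The CSV layout, the sample records and the `min_distinct_dsts` threshold are assumptions made for illustration; the threshold separates hosts spraying many destinations from a client that only queries one SQL Server on the same port.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (assumed layout, documentation addresses only).
SAMPLE_FLOWS = """\
src,dst,proto,dport,packets,bytes
203.0.113.17,198.51.100.4,17,1434,1,404
203.0.113.17,192.0.2.77,17,1434,1,404
203.0.113.17,198.51.100.200,17,1434,1,404
203.0.113.17,192.0.2.9,17,1434,1,404
203.0.113.17,192.0.2.80,6,80,12,9000
203.0.113.99,192.0.2.10,17,1434,1,60
203.0.113.99,192.0.2.10,17,1434,1,60
203.0.113.50,198.51.100.31,17,1434,1,404
203.0.113.50,198.51.100.32,17,1434,1,404
203.0.113.50,192.0.2.33,17,1434,1,404
truncated,record
"""

UDP = 17       # IP protocol number for UDP
PORT = 1434    # destination port named in the message above


def slammer_suspects(flow_csv, min_distinct_dsts=3):
    """Return (src, flows, distinct_dsts, packets) for each source that sent
    UDP/1434 flows to at least min_distinct_dsts destinations, widest first."""
    per_src = defaultdict(lambda: {"flows": 0, "packets": 0, "dsts": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            proto = int(row["proto"])
            dport = int(row["dport"])
            packets = int(row["packets"])
        except (KeyError, TypeError, ValueError):
            continue  # truncated or malformed record: skip it, keep going
        if proto != UDP or dport != PORT:
            continue
        stats = per_src[row["src"]]
        stats["flows"] += 1
        stats["packets"] += packets
        stats["dsts"].add(row["dst"])
    suspects = [
        (src, s["flows"], len(s["dsts"]), s["packets"])
        for src, s in per_src.items()
        if len(s["dsts"]) >= min_distinct_dsts
    ]
    return sorted(suspects, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for src, flows, dsts, packets in slammer_suspects(SAMPLE_FLOWS):
        print(f"{src}: {flows} flows to {dsts} destinations, {packets} packets")
```
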
> I'm trying to collect some information on Lawful Interception over the world... Does any country in the world require such things?
>
> LOGS (6 months archive required)
> - mail header logs (all mails, in, out, relay)
> - pop3/imap/webmail access logs (all accounts)
> - dhcp/dial/adsl/gprs/whatever accounting logs (all users)
>
> RealTime
> - mail interception (IN, OUT, RELAY) for a certain From/To address or a certain IP. The mail has to be encrypted with PGP and sent directly to the Law enforcement as a mail attachment.
>
> Thank you for taking 2 minutes to answer to nanog or privately, this is important.
There are requirements to be able to do lawful interception, some countries such as Switzerland have defined the mechanism, some countries such as the UK have not yet done this. I think Germany has done this.

Regards,
Neil.
--
Neil J. McRae - Alive and Kicking
neil@DOMINO.ORG
Pascal Gloor wrote:
> I'm trying to collect some information on Lawful Interception over the world... Does any country in the world require such things?
Have a look at Jaya Baloo's talk from Hivercon and 19C3 (Lawful Interception of IP Traffic in the European Context): http://www.hivercon.com/hc02/talk-baloo.htm

Nico.
--
Nicolas FISCHBACH (nico@securite.org) <http://www.securite.org/nico/>
Senior Manager - IP Engineering/Security - COLT Telecom
Securite.Org Team <http://www.securite.org/>
On Tue, 11 Feb 2003, Pascal Gloor wrote:
> I'm trying to collect some information on Lawful Interception over the world... Does any country in the world require such things?
It is always best to consult a lawyer suitably licensed to give legal advice in the jurisdiction of interest.

Lawyers for US ISPs should be aware of the http://www.cybercrime.gov/ web site from the Computer Crime division of the US Department of Justice. It provides a good overview of US Federal law on "computer crime" and suggested investigation techniques. However, they have nothing to do with National Security investigation interceptions.

The American Library Association http://www.ala.org/alaorg/oif/ provides information which is a little easier for non-lawyers to read.

The Electronic Frontier Foundation http://www.eff.org/ has links to numerous groups.
At 13:34 11/02/2003, Pascal Gloor wrote:
> I'm trying to collect some information on Lawful Interception over the world... Does any country in the world require such things?

Pascal,

** I am not a lawyer and my opinions are my own **

There is some major work going on around the world in multiple legal constituencies on this issue.

In Europe there is currently some work underway by ETSI http://www.etsi.org/ to define a common technical infrastructure and standard for lawful interception. The idea is that ISPs then have a common requirement for implementing technical solutions. I believe the numbers are EG 201 781, ES 201 158 and ES 201 671.

The Dutch government has moved ahead of this standard and has implemented TIIT http://www.nlip.nl/nl/nao/aftappen/main/docs.html , which is currently on 0.2.0.

Mostly the standards relate to implementing a technical solution within an ISP to capture packets and pass them to the relevant legal authority.

I hope this helps?

Joe
participants (6)
- David Luyer
- Joe Dauncey
- neil@DOMINO.ORG
- Nicolas FISCHBACH
- Pascal Gloor
- Sean Donelan