The challenges of Internet intercepts and wiretaps
By Kevin Graves, Chief Technology Officer, IP Fabrics
The increased usage of Internet-based communications such as chat, instant messaging, blogs, VoIP services, and the old standby, email, has posed a new challenge for our technical surveillance teams – how to mine this intelligence source.
The biggest challenge facing our technical investigative teams is that many service providers haven’t complied with the FCC’s CALEA (Communications Assistance for Law Enforcement Act) and aren’t able to execute court-ordered intercepts. As a quick refresher, CALEA is the legislation that requires all telecommunications providers (including ISPs and VoIP providers that have their own servers/equipment) to provide lawful interception assistance to law enforcement. Specifically, CALEA requires these service providers to essentially deliver to law enforcement the data/communications specified in pen register/trap and trace and full content (Title III) court orders. In other words, you present them with the valid court order and they are supposed to send you the intercept data – just like the process for tapping a landline or wireless phone.
This non-compliance problem is most evident with IP-based service providers, and more specifically, smaller ISPs and VoIP providers. When this occurs, the LEA is faced with three options: taking action against the service provider to bring it into compliance (usually very time-consuming), simply forgoing the intercept, or providing its own equipment (sometimes called a probe or a tactical intercept system) and executing the intercept itself – often called a tactical intercept.
Ideally, systems used for this type of tactical intercept have several key features:
1. They Need to be Portable and Remotely Accessible: Packaged in a small form-factor such as a rack-mount server or luggable system. The system needs to be easily transported to the service provider facilities and be installed in existing racks, on top of other equipment, or placed on the floor. It should be available with either AC or DC power supplies, and needs to be accessible/managed locally and remotely across a network (e.g., Internet).
2. They Need to be Passive: The probe surveillance interfaces need to be completely passive and not affect the service provider’s network traffic (e.g., don’t add additional latency, don’t degrade signal quality, etc.). Also, they need to be identity-free, so they aren’t visible to other devices on the network.
3. They Need to be Intelligent and Self-Contained: The tactical intercept system needs to incorporate the probe/access point, mediation, and administration functions of the typical intercept system – all in a single system. It needs to be capable of doing intelligent discovery of targets. For example, it needs to be able to discover a target based on a userID, a dynamically assigned IP address, or a phone number. Additionally, it can’t rely on service provider equipment such as routers or session border controllers to perform intercepts.
The VoIP Problem
Figure 1: VoIP call setup is often routed differently than the voice
Without altering the normal network routing (such an alteration is sometimes called ‘forced routing’), the best place to perform the intercept is close to the user, which is normally at the user’s ISP.
To perform these intercepts, LEAs need tactical intercept systems that can be transported to the target’s ISP, and these systems need to be capable of intercepting VoIP calls (see Figure 2).
Figure 2: Tactical Internet Wiretap System
To summarize, Internet-based communication is here today and growing, thus driving the need for Internet intercepts. Barring a change in the FCC’s CALEA enforcement practices, technical investigators will need to be prepared to mobilize and deploy a tactical intercept system (probe) to facilitate these intercepts.