Published on November 11th, 2021 | by Rory Quann
As the volume, variety, and velocity of data potentially available to lawful intelligence grow exponentially, the control mechanisms that govern its interception become more critical. Lawful intercept access and mediation solutions must fit seamlessly into communication service provider (CSP) networks.
Equally important, lawful intercept platforms must provide configurability and controls to accommodate regional variations in delivery standards and regulatory requirements. They must be capable of identifying and accessing targeted information when and where it can be readily intercepted, in a format that is useable by law enforcement agencies. They must also address legal and administrative requirements, such as warrant provisioning and management, to govern surveillance and intercept activities in a way that helps CSPs fulfill their obligations in protecting data privacy.
A Period of Transition in Warrant Management and Data Handling
The significance and gravity of improperly handling lawful intercept data are made clear in the Irish conviction and appeal of Graham Dwyer for the murder of Elaine O’Hara. Dwyer was convicted to life imprisonment in 2015 for the 2013 murder, in part by matching metadata from his phone to that of the victim’s. Dwyer successfully appealed that conviction in 2018 on the grounds that the data had been retained indiscriminately and without sufficient safeguards.
The case has subsequently been escalated through the Irish Supreme Court to the European Court of Justice (ECJ), where it is currently ongoing. As many as 15 other murder conviction appeals in the Republic of Ireland could be impacted by the ECJ’s findings.
The ECJ is also currently hearing arguments on assertions by German internet service provider SpaceNet AG that blanket data retention requirements are in violation of EU privacy laws, including the EU Charter of Fundamental Rights. Both these cases are being watched closely for their significance to all EU member states, as well as acting as an example for potential regulatory shifts globally.
Meanwhile, in South Africa, legal conflicts continue to arise as the result of the 2019 High Court ruling that the country’s Regulation of Interception of Communications Act (RICA) is constitutionally invalid. That ruling was upheld by the Constitutional Court—the highest court in the South African judicial system—in 2021, finding that the law carried insufficient safeguards around lawful intercept authorization and data handling, among other issues. Moreover, Justice Bess Nkabinde, the judge responsible for evaluating and granting lawful intercept warrants, indicates that her office has no way of verifying the truthfulness of those warrant requests.
Another area of legal concern that falls on CSPs relates to the data-privacy implications of the intercepted data they turn over to LEAs. For example, if a CSP were to provide an LEA with communications data beyond what is specified in the associated warrant, that excess data would be unwarranted. That improperly disclosed data could be a GDPR violation or otherwise place legal liability on the CSP.
These ongoing legal developments confirm that the global regulatory environment around the lawful interception of communications is in a period of rapid change. To keep pace, CSPs need rich, granular control over lawful intercept data that enables them to meet warrant-specific requirements in the context of an evolving legal framework. Fine-tuning practices related to warrant management and data privacy is likely to become more important as time goes on, both to satisfy changing regulatory requirements and to avoid the risk of fines or legal liability.
Handling Complex, Shifting Lawful Intelligence Requirements
SS8’s Xcipio access and mediation platform for lawful interception provides flexible, full-featured warrant management. The solution enables processes to be provisioned for securely requesting and handing over intercepted data while helping ensure compliance with regulatory requirements. Developed over the course of more than two decades, Xcipio offers an unmatched depth of configurability in its information controls for data acquisition and handling. Xcipio helps CSPs meet demanding data privacy requirements by enabling them to precisely specify what data is intercepted and passed to LEAs.
To avoid potential legal complications over data exposures in mass collection scenarios, LEA analysts can often benefit from access to anonymized data sets. Xcipio supports such functionality with the ability to hand over data using pseudo-identifiers to obscure the identities of the people involved. For example, a randomized number can replace personally identifiable information such as a device ID or phone number.
Using patterns of information discerned from the anonymized data set, investigators can establish digital trails of breadcrumbs compelling enough to identify subjects of interest for which the LEA can seek a warrant to unmask the identities of the individuals involved. This approach enables investigative latitude while preventing collateral damage to the privacy of innocent bystanders and protecting the CSP from liability.
Xcipio’s scalable and modular architecture helps ensure that CSP environments are future-ready for change. The platform is built to be easily modifiable, to support changing factors such as network traffic volumes, monitoring patterns, and reporting requirements. As the technology landscape shifts, Xcipio easily integrates new network elements, topologies, and protocols, as well as cost-effectively and smoothly interfacing with new external systems.
Xcipio Management System (XMS) provides GUI-based provisioning and management of access and mediation for lawful interception, including warrant management. In addition to the ability to configure and manage court orders and the associated filtering hierarchies, XMS governs user-access controls that help the CSP enforce data access, a critical aspect of regulatory compliance. XMS also provides auditability and reporting around data handling and use.
Xcipio provides CSPs with granular, flexible control over lawful intercept access and mediation, including warrant management and related processes for data handling and privacy. As legal proceedings related to lawful interception unfold globally, these mechanisms help ensure that providers can meet requests from LEAs for the timely handover of data while fully complying with current and future regulatory and technical requirements.
Ensure your organization is both compliant and future-ready by contacting the SS8 team today.
About Rory Quann
Rory Quann is Head of International Sales at SS8 Networks and brings with him over 10 years of experience in the Lawful Interception and Data Analysis industry. He is responsible for the organizations international sales policies, objectives and initiatives in the Middle East, Asia, and Eastern Europe.
Prior to joining SS8 in 2013, Rory worked for BAE System Applied Intelligence where he was focused on large scale Government deployments of Intelligence Solutions. Rory has held multiple positions in the Lawful Intelligence space ranging from Deployment Engineer, System Consultant, and Sales Engineer with focus being on Country-wide Passive deployments. Rory is a Certified Microsoft MCSA Engineer and EMC Certified deployment Engineer.
About SS8 Networks
SS8 provides Lawful Intelligence platforms. They work closely with leading intelligence agencies, communication providers, law enforcement agencies and standards bodies. Xcipio® is already proven to meet the very high demands of 5G and provides the ability to transcode (convert) between lawful intercept handover versions and standard families. Intellego® XT is a monitoring center that includes MetaHub, a best-in-class data analytics tool for intercepted, 3rd party and location data. Both product portfolios are used worldwide for the capture, analysis, and delivery of data for the purposes of criminal investigations.