15 March 1999
Date: Sun, 14 Mar 1999 21:02:02 +0000
To: ukcrypto@maillist.ox.ac.uk
From: Duncan Campbell <duncan@gn.apc.org>
Subject: Some extracts from ENFOPOL 98
ENFOPOL 98 : REQUIREMENTS RELATING TO SERVICE PROVIDERS WITH REGARD TO
CRYPTOGRAPHY
Based on a lawful enquiry and given a target identifier or other information
about the target or encrypted data with related information, law enforcement
agencies require:
¨ full details of the target including service number;
¨ information that will fully identify the cryptographic services used by
the target; and
¨ the technical parameters of the method used to implement the
cryptographic service.
Law enforcement agencies require access to the decrypted message as quickly (in
urgent cases within a few hours or minutes). The law enforcement agencies will
specify how it wishes to achieve this result; either through the provision of
cryptographic key material and all necessary information to decrypt the data or
exceptionally by provision of the data as plaintext. Access to the decrypted
message must be available for those encryption systems that allow for both
national and international operation.
The handover of cryptographic key material should be immediate. The
computational and operational process a law enforcement authority needs to
undertake to decrypt the data, including any reconstruction or rebuilding of
keys, should involve minimal time and resources to ensure an efficient,
economic and timely operation.
The provision of data as plaintext should take place as soon possible; in
urgent cases within a few hours or minutes.
ENFOPOL 98 : REQUIREMENTS RELATING TO CALL AND SUBSCRIBER ASSOCIATED DATA
Law enforcement agencies require a real-time, full-time monitoring capability
for the interception of telecommunications. Call associated data should also
be provided in real-time. If call associated data cannot be made available in
real time, law enforcement agencies require the data to be available as soon as
possible upon call termination
The identifier for an Internet service which is a target service will usually
be the means by which the service is known to the service provider and used to
authenticate (and possibly to bill) a person attempting to use the service
and/or the means by which traffic is directed to the service. Examples of
service identifiers are:
¨ IP address (for services with a fixed IP address)
¨ Account number
¨ Logon id/password
¨ PIN number
¨ E-mail address
Call associated data refers to the signalling information contained within the
IP datagrams and also where appropriate, to the calling line identifier of the
telephone service used by the interception subject to connect to the Internet
provider.
Before implementation of the interception, law enforcement agencies require:
(1) the interception subject's identity, service number or other distinctive
Identifier, (2) Information on the services and features of the
telecommunications system used by the interception subject and delivered by
network operators/service providers, and (3) information on the technical
parameters of the transmission to the law enforcement monitoring facility
Law enforcement agencies require access to information about subscribers to all
telecommunications services including, but not limited to, the following:
circuit switched telephony services,
¨ PSTN,
¨ ISDN;
¨ terrestrial mobile services, e.g. GSM, AMPS, D-AMPS, CDMA, DCS-1800;
¨ satellite-based mobile services, e.g. IRIDIUM, Globalstar, ICO;
¨ Trunked mobile services, e.g. TETRA;
¨ Internet services both dial -in and fixed based;
¨ calling card services both pre-paid and account based;
¨ call-back services;
¨ long distance and international services;
¨ paging services;
¨ data services, e.g. X.25, X.400, ATM, frame relay, and;
¨ voice mail services.
Law enforcement agencies also require the means to access information about
subscribers in other countries in situations where those subscribers may be
operating within the agency's jurisdiction. Examples of these situations
include, but are not limited to the following:
¨ Internationally roaming mobile subscribers;
¨ Subscribers to S-PCS services such as Iridium, and;
¨ Subscribers to international carriers where the subscriber database is
in another country.
Law enforcement agencies require access to information kept by the providers of
telecommunications networks, telecommunications services and Internet services
on the subject's Identity. Examples of this information include, but are not
limited to, the following:
¨ the full name and address of the Interception subject including postal
code;
¨ the full name and address, including postal code, of the party which
pays the bill for the services provided to the interception subject;
¨ sufficient credit card details to identify the account if the
interception subject pays by credit card, and
¨ the directory name and address as shown in the directory.
Law enforcement agencies require access to information kept by the providers of
telecommunications networks, telecommunications services and Internet services
on the interception subject's service number or other distinctive Identifier.
Examples of this information may include, but are not limited to the following:
Types of services and features used by the interception subject;
¨ Wire line directory numbers;
¨ Technical identifiers and codes of the telecommunications equipment
such as the MSISDN, IMSI and IMEI GSM identifiers, which are supplied by
the provider to the interception subject;
¨ The means by which a provider identifies a subscriber of Internet on
cable TV;
¨ User identifier or code given by a caller and used by an Internet
provider to authenticate and bill the user;
¨ Cable or channel identifiers for fixed point services;
¨ IP address for users of fixed Internet services;
¨ Associated directory number on a voice mail service;
¨ E-mail address;
¨ The PIN or code given by the caller and used by the provider to
authenticate and bill a user of calling card services, and;
¨ The means by which an international or long distance service provider
authenticates a caller.
Law enforcement agencies require access to traffic and billing records of an
interception subject.
-----
I will be taking about some this stuff at LSE on Tuesday : (snip from Peter's
posting)
Global information surveillance:
Intelligence and law enforcement
planning and capabilities
Duncan Campbell will report on and discuss
his current work for the European
Parliament on such systems as
Echelon and proposed legislation /
mutual assistance arrangements as
Enfopol and the US Communications
Assistance to Law Enforcement Act.
See http://csrc.lse.ac.uk/Colloquia/colloquia1.htm for further information.
Duncan