2 December 2009. Thanks to A.

The Modern Spook's Data Retention Wish List

Concerning retained traffic, geolocation and financial data in circuit switched wireline and 3G mobile networks as well as the Internet

Part One

Pressured by the British, French and Swedes, and accompanied by the applause of the Bush administration, the European Union decided in 2006 to systematically spy upon EU citizens.

The Data Retention Directive forces telco incumbents, mobile phone companies and TCP/IP providers throughout the Union to retain a certain amount of their customers' traffic and geolocation data for a minimum of six months and up to two years. This is defined on national levels.

I will spare you further political delicacies, let us see how this directive is woven into technical standards and where spooks do what.

The Data Retention Standards

Standardization is done in the European Telecom Standards Institute -- mainly in a Technical Committee -- and in a Working Group. The industrious folks in TC LI "Lawful interception" have been producing "law enforcement agencies requirements" and tons of other technical "deliverables" for the surveillance of all kinds of circuit switched [GSM/UMTS family] networks from 1997.

Now they are standardizing the handover interface, related protocols and database structures for retained traffic, geolocation and other data.

The role of NTAC/GCHQ

The Technical Specification TS 102 657, "Handover interface for the request and delivery of retained data," was published in version 1.3.1 in September. A certain Mark Shepherd was responsible for version 1.1.1, and a Mark Canterbury was in charge of the recent 1.3.1.

Both gentlemen are from NTAC (National Technical Assistance Centre) which is part of the British Government Communications Headquarters (GCHQ), the UK counterpart to the NSA. NTAC is one of the driving forces in both ETSI surveillance groups.

Swelling the options

Back to the standard itself.

Version 1.3.1 has swollen from three dozen to 89 pages, and requirements to add new "optional" data-fields have been pouring in. In B.2.2.4, SubscribedTelephonyServices, twelve new "parameters" have been added, two of them are designated for the PUK codes. PUKs are the two "Personal Unblocking Keys" of your mobile phone that rule the SIM card and the PIN code.

What else do they want?

A "List of all known devices allocated to this user for this subscription" [sic!] which denotes: All Mac and IMEI Addresses of all user equipment known to the provider.

SWIFT payment records

Further? Next Paragraph B.2.2.4.2, BillingDetails, expresses the urgent wish for "a sequence of billing records, one for each payment by the subscriber" in every detail.

The GCHQ wants your bank account number as well as the BIC, IBAN or SEPA codes. So the data retention data sets can be matched easily against SWIFT transaction records.

A note on the publication of this document and the ETSI in general

Disclaimer

Please bear in mind when reading: this weird stuff is produced by only two of a few hundred working groups in ETSI. The overall number of spooks should be less than two dozen and the protagonists of this series are not ETSI staffers but externals.

ETSI even offers this and other specs free of charge (in a very limited number, alas). As the procedure is somewhat cumbersome and there are sensitive people who might be offended by the all-windows database environment for techno-aesthetical reasons we offer this document here as well for peer review.

Type in: "TS 102 657: here:

http://pda.etsi.org/pda/queryform.asp

Or get it from Cryptome:

ETSI TS 102 657 V1.3.1 (2009-09)
Technical Specification
Lawful Interception (LI);
Retained data handling;
Handover interface for the request and
delivery of retained data

http://cryptome.org/ETSI_TS_102_657_V1.3.1_(2009-09).pdf (89pp, 470KB)

***

There is more to come on the role of NTAC/GCHQ - and other spook agencies involved - in the next part of this series.

Please report findings and other expertise or metacritique of the document using this info:

29DD 76FF 67E3 1051 914B 2E66 A3BE 9B4E BCC5 5231

and this link

http://pgp.mit.edu:11371/pks/lookup?search=Harkank&op=index