The harmonisation of international requirements for interception.
The efforts to bring the Internet and encryption under control have, by their very nature, an international character. The Internet is, after all a worldwide communications network, and therefore requires worldwide control. One of the authorities’ first concerns was to ensure that they could intercept all the new communication systems that followed each other in such rapid tempo. The harmonisation of the technology needed for interception and the devising of means to ensure that the telecommunications industry complies with these requirements are chief topics at international meetings on interception.
An informal international group organised around the subject of intercepting information was founded in 1987. This Quantico group, known as ILETS (International Law Enforcement on Telecommunications Seminar), was founded on the initiative of America’s FBI. The National Security Agency (NSA), America’s most secret intelligence service, which specialises in intercepting anything that it’s possible to intercept, plays a guiding role, albeit in the background. The rapid technological developments in the telecommunications sector, the privatisation of this sector and the advent of global communication systems provided the motivation for the United Stated to seek to cooperate with other western powers. The member states of the European Union, the then aspiring EU states Norway, Sweden, Finland and Austria and the Echelon partners Australia, New Zealand and Canada, are regular participants at these meetings. An important purpose of the Quantico meetings is the collective manipulation of the telecommunications industry. Intercepting telephone lines used to be a relatively simple matter. The technology was not very complicated and the telephone companies were in the hands of the government. Since the privatisation of the telecom market, the number of telephone providers has multiplied. Technology has lead to a host of new communication methods and international communication is becoming increasingly common.
The main question plaguing those involved in intercepting communication is, in the midst of the constantly expanding communications jungle of GSM, satellite telephones, e-mail, the Internet and miscellaneous modern gadgetry, how its continued interception can be ensured. The integration of modern encryption techniques in communication methods has given law enforcement yet another headache. The ILETS participants want to be assured that the private telecom providers will cooperate just as constructively as the old state-owned companies. They consider it extremely important that even in the early development phases of new technologies, the possibility to intercept the equipment concerned is taken into consideration.
The Working Group on Police Cooperation, a sub-group of the European Council of Justice and Home Affairs (JHA Council), carries out this work for the European Union. In 1993, it was commissioned to draw up a report on the state of affairs in the modern telecommunications world. The Netherlands’ delegates to this working group are among others the Central Information Service CRI and the National Security Service BVD. “ The initial contacts with various consortia have led to the most diverse reactions, ranging from great willingness to cooperate on the one hand, to an almost total refusal even to discuss the question”, wrote the working group. “It is very urgent for governments and/or legislative institutions to make the new consortia aware of their responsibilities.”
In this particular case, the desired awareness was awakened by threats of financial losses. In January 1995 the JHA council adopted a resolution on “the legal interception of communication”. The resolution summed up the technical demands formulated by America and the European Union to which telecom providers were obliged to comply. The Quantico group’s next step was to ensure that the collectively determined interception norms were applied as comprehensively as possible. The “Memorandum of Understanding on the legal interception of telecommunications” which was signed on 23 November 1995, informed other countries of the Quantico initiative and urged them to adopt these interception norms. The memorandum stated that the possibilities for intercepting telecommunications were becoming increasingly threatened. The writers considered it necessary to introduce “international interception standards” in addition to “norms for the telecommunications industry in carrying out interception orders”.
The international telecommunications industry was approached with a letter addressed to international institutions concerned with the standardisation of telecommunications equipment such as the International Telecommunication Union (ITU) and the European Telecommunications Standards Institute (ETSI). In this letter, the signatory countries declared that they would hold telecommunications providers to previously formulated technical demands. The message was unmistakable; any telecommunications provider wishing to do business in the large industrialised countries must produce equipment that can be tapped according to these standards.
In 1997, the ITU adopted a resolution in which they called for priority to be given to the harmonisation of technical requirements to make interception possible. Within the ETSI, the Technical Committee Security (TC SEC) is responsible for the translation of interception requirements. This working group works on both crypto standards and interception standards for the Lawful Interception Ad Hoc group; what a convenient arrangement!
Ready for interception
The Internet and encryption occupy an increasingly central place at informal international meetings. What applied to the cooperation in listening to ordinary and mobile telephones applies big time to the interception of the Internet; the main question is how to ensure that the Internet is and stays interceptible. The usual tried and trusted methods have been put into practice – lists of demands for the industry and exercising pressure on standardising organs and Internet companies.
In European context, new technical demands to which telecom providers must comply are being worked on. The first new technical requirements were leaked in September 1998. A catalogue summing up these requirements appeared in the document Enfopol 98 which was published in the German Internet magazine Telepolis. Judging from this document, it appears that the European countries are going for the safest option; all forms of communication must be open to interception. Telephone conversations, e-mail, encrypted messages, beepers, redirected calls, faxes, ISDN lines, mobile phones, satellite connections, voice mail, tele-meetings – it must be made possible to intercept them all directly. Connections that are not put through must also be able to be registered. Data traffic has to be redirected to the interception centres in a matter of ‘milliseconds’. If necessary, more services from different countries must also be able to listen in simultaneously.
The Internet in particular is targeted. Passwords, the routes followed through the Internet, e-mail correspondence, downloaded information- the law wants to be privy to it all. The document states that telecom companies which offer encryption as a service to their customers are legally obliged to hand over either the key, or intercepted messages in plain text. “Legally empowered authorities must be able to observe the all telecommunications traffic permanently and in real time”. The ministers of justice are called on to pass the requirements on to the ministers responsible for telecommunications and to collectively ensure that the policy is implemented.
Later versions of the document show that different topics were divided up and discussed at different levels. At the beginning of 2000, it is still unclear exactly where this will lead. It seems that the JHA ministers bit off more than they could chew when they decided to deal with both the Internet and encryption. Charles Elsen, responsible for this policy within the General Secretariat of the European Council, indicated at the end of 1999 that a separate solution for the Internet was necessary. “The Internet has produced a great number of new problems. These problems are not only technical but also concern the content of material available on the Internet. A separate solution must be found for the Internet.”
The technical problems referred to by Elsen were also mentioned by the Internet industry. The wide scale interception of the Internet has produced technical problems that have not all as yet been solved. Additionally, the terminology used in the Enfopol was extremely vague. Many Internet providers think that the wishes of the JHA Council belong to the realms of the impossible. A study by the STOA reveals that the NSA has the means to monitor Internet traffic. “Snooping software” has been installed at Internet interchanges in order to observe e-mail and Internet traffic. Using digital dictionaries and clever search programs, the intercepted messages are then scanned for key words. It is expected that first more meetings between Internet providers and the authorities will take place to discuss both the technical possibilities and the matter of who will pay for the costs incurred. The latter has become something of a sore point in the discussion.
The control that the police and judicial authorities want to exercise over the Internet is also producing political problems. Both privacy groups and the business sector are becoming worried. The requirements formulated at JHA level have generated a great deal of resistance in the business sector, as reliable encryption is an absolute prerequisite for trade via the Internet. In this situation, the economic interests of the business sector and the wishes of the police and law enforcement are diametrically opposed.
The resolution that will eventually be presented to the JHA council for approval will probably have a global character. It has currently been renamed to incorporate a separate “Resolution on the lawful interception of telecommunications in relation to the new technologies”. It states that the requirements formulated in 1995 also apply to new means of communication like satellite communication and the Internet, and that these requirements must be adjusted to accommodate the new developments.
Dividing the original resolution into separate parts is not an unusual practice within the EU. If a subject presents too many problems or is too comprehensive, the political agreements are divided up and the remaining technical problems are dealt with in various working groups. The great advantage of this is that the political permission to start work can be given straight away.
The Internet Engineering Task Force (IETF) is the international standardisation organisation for the Internet. Last year a furious debate broke out amongst the IETF members when the American FBI asked to be allowed to build standard bugging devices into Ipv6, the new worldwide Internet protocol currently being developed by the IETF. “Should the IETF develop new protocols or modify existing protocols to support mechanisms whose primary purpose is to support wire-tapping or other law enforcement activities?” asked the organisation of itself in an appeal to its members to discuss the issue. The civil liberties movement ‘American Civil Liberties Union’ (ACLU) was strongly opposed to the standard inclusion of wire tapping possibilities in the system architecture of the Internet. “What law enforcement is asking you to do is the equivalent of requiring the home building industry to place a ‘secret’ door in all new homes to which only they would have the key”, the society wrote to the IETF.
In November, the majority of the IETF members decided not to go along with the demands made by the FBI. However, a large number of businesses made it clear that they would build interception facilitators into their own hardware and software. For example, Brian Rosen of Force System said, “we’re going to take the protocol that is designed here and we’re going to modify it. I assure you that a very large number of companies will implement the protocol with the tap”.
The FBI warned of the consequences of a negative decision in advance. “The worst case scenario is if the standard doesn’t include provisions to address court authorised electronic surveillance,” said Barry Smith, special agent of the Digital Telephony and Encryption policy unit of the FBI. “Criminals will communicate even more frequently through the use of ISPs” he warned. However, he also pointed out that even if the IETF decision was negative, companies could still design and insert surveillance protocols. “By choosing to turn a blind eye to reality, this standard-setting body will be making a statement, but companies are still going to have to function in the real world and meet their governmental obligations”.
 Mr. J.F.M. Pouw, Towards a European domestic security policy? European cooperation and the autonomy of national security agencies, Clingendael, Den Haag, May 1995; Duncan Campbell, ILETS, die geheime Hand hinter Enfopol 98, Telepolis 29-4-1999
 The BVD also participated in the sub working group Interception of Trevi 2, part of the JHA council’s predecessor, the Trevi Agreement. The head of the BVD was also in the Committee of High Officials, the highest official board in the Trevi group.
 Report from the Presidency to the working group on police cooperation, Enfopol 1, 4118/2/95 Rev2, Limite, Brussels 2-6-95.
 Council resolution on the lawful interception of communications, C 329, 04-11-96; Memorandum of Understanding concerning the lawful interceptions of telecommunications, Enfopol, 112, 10037/95, Limite, Brussels 25-11-95
 Memorandum of Understanding concerning the lawful interception of telecommunications, Enfopol 112, 10037/95, Limite, Brussels 25-11-95
 Draft letter to be sent to the international standardisation bodies concerning the Council Resolution of 17 January 1995 on the lawful interception of communications.
 Resolution 1115, document C97/135-E Restricted, ITU, Geneva 27-6-1997
 Interception of telecommunication; draft council decision in the light of the new technologies. Chairmanship of Working Group on Police Cooperation, 10951/98 Enfopol 98, Limite, Brussels, 3-9-98
 Christine Schulski-Haddouti, “Wir arbeiten seit 1996 daran”, Spiegel on-line 30 September 1999
 Interception capabilities 2000, Science and Technology Options Assessment, Brussels, June 1999
 Interception of telecommunication, draft resolution on new technologies. Chairmanship of the Working Group on Police Cooperation, 6715/99, Enfopol 19 Limite, Brussels 15-3-99
 distributed via q/depesche mailing-list, 13 October 1999
 Barry Steinhardt, associate director American Civil Liberties Union, letter 5 November 1999, published in q/depesche mailing-list, 11 November 1999
 Wired News, 11 November 1999
 Wired News, 13 October 1999