Lawful Interception in the world...

I'm trying to collect some information on Lawful Interception over the
Does any country in the world require such things?

LOGS (6 months archive required)
    - mail header logs (all mails, in, out, relay)
    - pop3/imap/webmail access logs (all accounts)
    - dhcp/dial/adsl/gprs/whatever accounting logs (all users)

    - mail interception (IN,OUT,RELAY) for a certain From/To address or a
certain IP.
    the mail has to be encrypted with PGP and sent directly to the Law
enforcement as a mail attachment.

Thank you for taking 2 minutes to answer on nanog or privately, this is


Pascal Gloor wrote:

Does any country in the world require such things?

To put a small operational comment here [this is NANOG isn't it?],
customers with Slammer worm -really- blow out internal NetFlow between
themselves and the nearest filter blocking them. We had a lot of
56k modem customers with Slammer so we hadn't noticed them in terms
of any throughput graphs, and their actual traffic gets blocked at
various points, but before it does it has a drastic effect on the
NetFlow server. So if anyone else is keeping complete NetFlows of
every router in your network and wondering why they've grown so much
over the past few weeks... find everything to UDP destination 1434
and get someone to contact the customer *sigh*

In Australia you aren't -required- to keep anything, but anything you do
happen to have/keep (eg. proxy logs, NetFlow, mail logs, RADIUS logs, etc)
you are required to hand over on a proper request. And if you do happen
to keep reasonable logs and co-operate with authorities where required
(very rare that it's actually required), then they're unlikely to do
something unkind such as take your ISP's servers as "potential evidence"
for six months, which of course they'd be perfectly entitled to do
(after months of careful analysis they may find some old logs that have
been written over 100 times by carefully removing each magnetic signal
to reveal traces of the one before, for example - so it's a justified
but far from ideal action).

I've never had an unreasonable or intrusive request from the authorities,
even as an example when a suspected murderer who had contacted his
alleged victim(s) via the internet had left his email on the server they
did not request his email as that was beyond the bounds of what they are
comfortable to request (fortunately - because we would have had to consult
the lawyers on the legality of releasing actual communications content;
the analogy of the envelope and the contents is an often used one, in
traditional mail the writing on the envelope is essentially public
knowledge but the contents of the envelope are subject to strict privacy
laws. NetFlow inspects packet headers - envelope. Proxy logs contain
only the size and address of requests - envelope. Similarly mail logs;
address, return address, size, etc - envelope details again. But mailbox
contents correspond to envelope contents, so they're a much harder

The authorities are usually quite understanding that logs are quite
large, and if they have a request they must get it to us quickly to
expect a useful response. And the response has been in 100% of cases
that we've identified a customer who happens to be a Net Cafe... so they
get to go and try their luck on getting a Net Cafe to identify a
customer from their proxy logs and customer records (yeah, sure).

Note that caller ID is very special here. Specifically, the caller ID
used to connect to an account must NOT be revealed to the account holder
(think: account holder checks usage, finds out who did it, and goes
over to go kill person responsible for large bill), and must ONLY be
revealed to responsible authorities with some very specific paperwork.

This is contrary to, for example, Singapore (where our parent company
operates), where each customer sees the caller ID details on their online
usage summary.

As to extremes of lawful interception - try Singapore and China.
Singapore Govt require the use of a proxy (if the proxies are all down,
the internet is down), so I'd assume they also require keeping of
the proxy logs. I don't know if it's still the case, but it used to
be that Singapore had a "banned list" for the proxies and China took
things to a further extreme by having an "ok sites list" rather than
a "banned list".
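The operational aside above (Slammer-infected customers swamping the NetFlow collector, and the advice to search the flow archive for everything going to UDP destination port 1434) can be carried out with a few lines over the flow export. The following is an added example, not code from the NANOG thread or from any particular flow collector: it parses a handful of constructed flow records in a simple assumed text layout (proto, src:port, dst:port, packets, bytes; real exporters such as flow-tools or nfdump differ), keeps only UDP flows to port 1434, and reports sources that hit several distinct destinations on that port, which is what a scanning worm looks like in flow data and what a single legitimate SQL client does not. The threshold of three distinct targets is an assumption chosen for the sample, not a published indicator.

```python
"""Find Slammer-style UDP/1434 scanners in NetFlow-like records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

UDP = 17
SLAMMER_PORT = 1434  # the UDP destination port the post says to search for

# Constructed sample records, not real traffic. Assumed layout (one flow per line):
#   proto src_ip:src_port dst_ip:dst_port packets bytes
# 10.20.30.40 sprays one-packet UDP flows at many hosts on 1434 (worm-like);
# 10.20.30.43 sends a single flow to one host (not enough to flag by itself).
SAMPLE_FLOWS = """\
17 10.20.30.40:1056 192.0.2.1:1434 1 404
17 10.20.30.40:1056 192.0.2.2:1434 1 404
17 10.20.30.40:1056 198.51.100.7:1434 1 404
17 10.20.30.40:1056 203.0.113.9:1434 1 404
6 10.20.30.41:34567 198.51.100.20:80 12 2040
17 10.20.30.42:4321 192.0.2.53:53 1 76
17 10.20.30.43:51000 192.0.2.1:1434 1 404
"""


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    octets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed text layout into Flow records; blank and '#' lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst, pkts, octets = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(int(proto), sip, int(sport), dip, int(dport), int(pkts), int(octets)))
    return flows


def find_slammer_sources(flows: Iterable[Flow], min_targets: int = 3) -> Dict[str, dict]:
    """Return sources that sent UDP to port 1434 at >= min_targets distinct hosts.

    For each flagged source the report carries the distinct-target count, total
    packets and average bytes per packet (a worm sending the same datagram
    everywhere shows a constant packet size), which is what an operator needs
    before contacting the customer.
    """
    targets = defaultdict(set)
    pkts = defaultdict(int)
    octets = defaultdict(int)
    for f in flows:
        if f.proto != UDP or f.dport != SLAMMER_PORT:
            continue  # everything else is irrelevant to this search
        targets[f.src].add(f.dst)
        pkts[f.src] += f.pkts
        octets[f.src] += f.octets

    report: Dict[str, dict] = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            report[src] = {
                "targets": len(dsts),
                "pkts": pkts[src],
                "avg_pkt_bytes": round(octets[src] / pkts[src], 1),
            }
    return report


if __name__ == "__main__":
    for src, info in find_slammer_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {info['targets']} distinct UDP/1434 targets, "
              f"{info['pkts']} pkts, avg {info['avg_pkt_bytes']} B/pkt -> contact customer")
```

Run as-is it prints one line for 10.20.30.40; lower `min_targets` to 1 to list every source that touched UDP/1434 at all, which is closer to the blanket "find everything to UDP destination 1434" the post suggests. In production the parser would be replaced by whatever text or binary export the collector produces, and the per-source aggregation would be run over the whole retention window rather than a single file.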


Pascal Gloor wrote:

I'm trying to collect some information on Lawful Interception over the
Does any country in the world require such things?

Have a look at Jaya Baloo's talk from Hivercon and 19C3
(Lawful Interception of IP Traffic in the European Context):


It is always best to consult a lawyer suitably licensed to give legal
advice in the jurisdiction of interest.

Lawyers for US ISPs should be aware of the web
site from the Computer Crime division of the US Department of Justice.
It provides a good overview of US Federal law on "computer crime" and
suggested investigation techniques. However, they have nothing to do with
National Security investigation interceptions. The American Library
Association provides information which is a
little easier for non-lawyers to read. The Electronic Frontier Foundation has links to numerous groups.


** I am not a lawyer and my opinions are my own **

There is some major work going on around the world in multiple legal constituencies on this issue.

In Europe there is currently some work underway by ETSI to define a common technical infrastructure and standard for lawful interception. The idea is that ISPs then have a common requirement for implementing technical solutions. I believe the numbers are EG 201 781, ES 201 158 and ES 201 671.

The Dutch government has moved ahead of this standard and has implemented TIIT, which is currently on 0.2.0

Mostly the standards relate to implementing a technical solution within an ISP to capture packets and pass them to the relevant legal authority.

I hope this helps?