ETSI standard for lawful interception triggers privacy questions

By EDRi · August 1, 2012


The draft UK Communication Bill raises new privacy concerns after it
has been revealed that the UK has also been driving the development of
a European Telecommunications Standards Institute (ETSI) standard
framework that allows interception of the content of communication as
well. The Bill will allow the government to compel service companies
like Google and Facebook to provide information to the police and
intelligence services, while the framework sets out the technical
standards for this.

The draft Communication Bill is supposed to deal only with traffic data,
according to the Government's position: “The changes we are making only
relate to the who, where and when of communications data. The
interception of the content of any communications is a completely
separate matter and continues to be strictly controlled by the
Regulation of Investigatory Powers Act, requiring a warrant signed by
the secretary of state”, said a Home Office spokesman.

But an April 2012 draft report from ETSI on Lawful Interception (LI)
and Cloud/Virtual Services explains that an electronic communication
provider that offers cloud services must maintain its obligation to
LI. This means that “the cloud service provider must implement a Cloud
Lawful Interception Function (CLIF). This can be by way of Applications
Programming Interface (API) or more likely ensuring presentation of
information in a format recognisable to interception mechanisms.”

The Guardian explains it as being measures to monitor “nomadic access”,
which means surveillance of an individual whether they go online from
their home computer, mobile or an Internet café.

“They are saying this is only about communications data, but in fact it
is not. If you build the infrastructure that ETSI have agreed, it can be
used for interception. The documents show that there is a clear and
continuing intention to use it for interception”, explains Prof. Ross
Anderson, from the University of Cambridge Computer Laboratory.

“We’re seeing moves at an international level to make it easier for the
content of communications to be intercepted. For Home Office officials
behind the communications data bill, spying on who we are emailing or
Skyping is not their final objective. Officials from Britain are working
internationally to force service providers to ensure that their systems
are easy to tap into,” concluded Nick Pickles, from Big Brother Watch.

Security services to get more access to monitor emails and social media
(28.07.2012)
http://www.guardian.co.uk/technology/2012/jul/28/isecurity-services-emails-social-media

Draft ETSI DTR 101 567 V0.0.5 (2012-04) – Lawful Interception (LI);
Cloud/Virtual Services (CLI)
http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_LI/2012_45_Bratislava/SA3LI12_044.doc

EDRi-gram 10.10: Concerns over the proposed Communication Bill in UK (23.05.2012)
https://edri.org/edrigram/number10.10/draft-communications-bill-uk