Updated: March 4, 2022
ISPs and other service providers have a responsibility to governments to grant them access to important information when that information is requested.
They also have a responsibility to customer and business privacy. There is a very fine line between them which should be treated with care.
In this article and video, I’ll talk about what lawful interception means, how and why hosting providers intercept emails, and how the rules apply in our day-to-day lives.
This topic is near and dear to us at Axigen, and it speaks to the core of our business & concern for email security and privacy. That’s why I put together the presentation in the video below, based on many hours of research & several law firms’ legal opinions, and presented it during CloudFest Academy 2021.
Lawful Interception — A Short Overview
Lawful interception (LI) is the legally grounded process by which a network provider or telecom service gives law enforcement agencies access to organizations or individual subscriber communications. It has become an essential tool for law enforcement and intelligence agencies worldwide to investigate crime and terrorism.
Most countries have specific regulations in place to cover interceptions. Additionally, most countries require telecom operators to have Legal Interception Gateways (LIG) and Legal Interception Nodes (LIN), which allow them to intercept phone calls, messages, emails, and some file transfers in real-time across wired, wireless, and mobile networks.
Legal Framework and Provisions — The How and Why
To understand how hosting providers intercept emails, we must first understand why. Publicly available electronic communications services (emails, messages, etc.) on the internet present great possibilities for users. The downside to this is they also present a great risk concerning their privacy and personal data. Hence, legislation aimed at protecting people’s fundamental rights and freedoms and the legitimate interests of legal persons exists.
Below, you’ll find a series of regulations from directives adopted by EU legislative bodies, including provisions from Romania and a bit of information on US provisions.
It’s important to remember that these EU-level directives are mostly regulatory principles and rules. Member states’ laws must abide by these directives but can differ quite a lot from country to country. Therefore, member state laws typically have a much more significant impact on lawful intercept.
Different Location, Different Lawful Interception Regulations
Your company will have to comply with local and national laws. It’s mandatory to seek legal advice for what is relevant in your national law, and we recommend doing so as early as possible during the setup procedures.
When you talk to a legal representation in your local country, you must brief them about your current logging procedures; what you currently log and why, what you do with it, and who has access to that so they can tell you from the purpose of lawful intercept what you should do moving forward.
This is done on a case-by-case basis, only under legal advice. It helps to be prepared. You will usually have a specific amount of time (depending on the country) to comply and respond, so it will be challenging to comply if you aren’t prepared.
~ Member States cannot listen, tap, store, or do any other kind of interception or surveillance of communications and any related data by persons other than the user without the user’s consent, except if legally mandated to do so.
~ Member States can adopt legislative measures to retain data for a limited period (this period depends on the local laws of each respective country) if there are grounds for safeguarding national or public security, defense, and the prevention, investigation, detection, and prosecution of criminal offenses or unauthorized use of the electronic communication system.
Essentially, Member States can introduce exceptions to the main obligation of ensuring personal data confidentiality. However, these exceptions should not become a rule. Therefore, a national measure that affects the confidentiality of private communications and any related traffic data must be strictly proportionate to its intended purpose and must comply with the following rules:
- you must retain data for a limited period
- there must be a justifiable reason to retain data (matter of national security, etc.)
- you cannot provide the general and indiscriminate retention of all data traffic and location data from every subscriber and registered user relating to all electronic communication means (unless a Member State is facing a serious threat to national security)
- the competent national authority requesting access to retained data must be subject to a prior review after submitting a reasoned request from a court or an independent administrative body to be granted access to said data
- hosting providers must have appropriate technical and organizational measures in place to guarantee a high level of protection and security to ensure the full integrity and confidentiality of data
- the national legislation must provision for the data to be retained within the EU and irreversibly destroyed at the end of the data retention period.
The EU law doesn’t currently provide an obligation to retain data. Directive 2006/24/EC was used to regulate data retention at the EU level but has since been declared invalid by the Court of Justice of the European Union (CJEU).
The exact conditions under which data must be retained and disclosed to authorities are governed by national laws. As such, it’s important to consult with local legal representation so you know how to validate the data request and be ready to fulfill it should the request come.
Large service providers can receive upwards of 700 lawful intercept requests every year, with the obligation under some member states’ laws to fully bear the financial responsibilities. So you must be prepared to expedite such requests with great speed.
All of the above provisions apply, including, but not limited to:
~ Service providers must cooperate with authorities and respond to their requests regarding data. Cooperation can take either of the following two forms:
- Interception of any type of distance communication
- Preservation of computer data
Criminal investigation bodies can request cooperation within a period of 48 hours after court approval for a maximum of 30 days. The 30 day period may be prolonged for a maximum period of six months in the same manner. Additionally, authorities can request intercepted data retention for a maximum period of five years.
~ Under Romanian law, interception of electronic communications, a measure that targets future communications and includes content data, must be ordered by a court.
~ Providers in Romania must allow legal entities to intercept data, suffer the costs of the legal intercept, and mention technical issues when the legal intercept happens. They must then take all the necessary technical measures to enable the intercept and have the speed to act before receiving the request.
~ In case of a lawful intercept request, as part of the setup procedures, providers in Romania must consult legal firms to have the system in place to fulfill the “speed to act” provision.
~ Providers receiving a request from criminal investigation bodies have no more than 48 hours to make traffic and location data and any other requested data available. Providers cannot change or limit the request.
The United States has the Communications Assistance for Law Enforcement Act (CALEA) as the most predominant law. Enacted in 1994, with a complete compliance mandate by 2007, it clarifies the lawful intercept requirements for service providers. This act was put in place to ensure law enforcement had useful information within a practical timeframe to investigate criminal actions further.
The complete compliance mandate states that all service providers must support CALEA. So by mid-2007 onward, all ISPs and communications service providers must capture and send all communications and associated information to the Department of Justice when requested. The contents of the communications can involve any of the following components:
- Pen registers
- Trap and trace
- Capturing electronic mail and text
- Capturing images
- Location information
2022 Update – Australia & US Sign Cloud Act
In late December 2021, Australia and the US signed The Cloud Act agreement which essentially facilitates & optimizes information sharing processes between tech giants and law enforcement agencies.
The current agreement falls under the existing Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was signed into US law in March 2018. It enables both parties to send lawful intercept requests to entities within the others’ jurisdiction. The act applies to:
- Email providers
- Telcos & service providers
- Social media platforms
- Cloud storage services
The US attorney general, Merrick Garland, has stated the deal targets serious crime and terrorist networks, while defending privacy and civil liberties. However, questions have been consistently raised both about this deal’s impact on the move towards encryption and the potential of serious privacy abuses.
The US-Australia Cloud Act comes as a natural follow-up to the October 2019 US-UK agreement of the same type which largely had similar provisions for facilitating LI between the two legal entities.
Rules for Accessing Email Content — How the Rules Apply in Real Life
A selection of tactics and email strategies to keep in mind:
Email communication logs show when a user’s email entered their inbox. The most important logs are (probably) the ones for SMTP activity. If you have a large email hosting infrastructure, it’s a best practice to aggregate all the logs from all the nodes in your email hosting platform into a separate platform such as:
- A Syslog server
- An Axigen log gathering server
- An ElasticSearch / Kibana server
- A Graylog server
- Any other log centralization solution (you should be able to have at least one of these options).
Your hosting platform should implement the retention policies (I need or want to keep the logs for 5 years) of all of the logs in sync with regulatory requirements. Another best practice is to ship all of the logs out of the email processing nodes. Minimal logs should also be available to administrators who need access to those nodes to operate the platform or to restart a node if it fails. Continue to offload all of the sizable logs from the processing nodes. Having a centralized logging solution also helps.
Querying these logs should be subject to access control lists and should be audited. It’s important to note that this doesn’t fall under lawful intercept, but it’s a criminal offense to query these logs without a legal basis for it, so it can help you respond to lawful intercept.
Mailbox access logs are when a user logged in using a client access protocol (Mailbox REST API, WebMail, IMAP, SMTP, etc.) so authorities know when the user downloaded the email onto a device. With these types of logs, one can see the remote IP address of the user device and the type of device used.
Accessing the email content (subject, body, attachments) must be gated by processes and access restrictions. It should be noted that anyone other than the user should not be allowed to access the email under normal circumstances. From a product standpoint, in the case that you have a valid lawful intercept request, the email’s content may be accessed by:
- the users themselves
- any other user who has access to the original user’s mailbox (sharing) - but this is ok because the user himself enabled sharing
- creating a copy of the message and storing it in a separate mailbox along with the original mailbox
- redirecting a copy of a certain user’s inbound and/or outbound messages to an external mailbox (can be an email address from the legal authorities)
- accessing a past backup and extracting the required email from there. If you have this capability, you should ensure that you don’t abuse this with the help of processes and access restrictions. Otherwise, you can be held liable for incorrectly attempting to access a user’s privacy. So it needs to be executed according to a lawful intercept.
Beyond this, however, providers have an obligation to keep the data private and access to email gated by many processes and access restrictions. Specifically, when dealing with a lawful intercept request, electronic data providers must make sure only a limited number of people get to see the data before providing it to the authorities. Furthermore, they must ensure the data is never copied and immediately deleted after the lawful intercept.
Checklist of Things to Ask Yourself When Receiving a Legal Intercept Request
A general checklist to always keep handy for legal intercept requests:
- How can I (as an email hosting provider) validate that the request is valid?
- With which email addresses has our suspect (email@example.com) communicated in the past 30 - 60 days?
- What emails are currently in their mailbox?
- Do we need to monitor all future email communications and intercept the content of emails?
- For how long does an operator need to keep historical metadata records (who sent an email to whom on which date)?
- What is the obligation to keep historical records of content (actual email and attachments)?
- Can I (as an operator) be required by local authorities to provide communication content (actual email and attachments)?
Good Solutions Make Lawful Interception Easier
Service providers are directly affected by the lawful interception laws governing their region. Any private business or company can be affected too. However, service providers and companies have options to safeguard information when requests occur.
Network security is a crucial factor when talking about lawful interception, and Axigen offers a highly customizable mail server that guarantees secure reception, transit, and email delivery for extra security.
We help service providers from different countries abide by their respective lawful interception regulations. We also help you meet regulatory compliance requirements of major international standards. Let’s move securely forward, on your terms.