[4338] in cryptography@c2.net mail archive
Some extracts from ENFOPOL 98
daemon@ATHENA.MIT.EDU (Robert Hettinga)
Sun Mar 14 22:50:32 1999
Date: Sun, 14 Mar 1999 18:40:44 -0500
To: cryptography@c2.net, cypherpunks@cyberpass.net
From: Robert Hettinga <rah@shipwright.com>
--- begin forwarded text
Date: Sun, 14 Mar 1999 22:19:39 +0000
To: usual@espace.net
From: Duncan Campbell <duncan@gn.apc.org> (by way of Fearghas McKay
<fm@mids.org>)
Subject: Some extracts from ENFOPOL 98
Reply-To: "Usual People List" <usual@espace.net>
Sender: <usual@espace.net>
List-Subscribe: <mailto:requests@espace.net?subject=subscribe%20usual>
ENFOPOL 98 : REQUIREMENTS RELATING TO SERVICE PROVIDERS WITH REGARD TO
CRYPTOGRAPHY
Based on a lawful enquiry and given a target identifier or other information
about the target or encrypted data with related information, law enforcement
agencies require:
- full details of the target including service number;
- information that will fully identify the cryptographic services used by
  the target; and
- the technical parameters of the method used to implement the
  cryptographic service.
Law enforcement agencies require access to the decrypted message as quickly (in
urgent cases within a few hours or minutes). The law enforcement agencies will
specify how it wishes to achieve this result; either through the provision of
cryptographic key material and all necessary information to decrypt the data or
exceptionally by provision of the data as plaintext. Access to the decrypted
message must be available for those encryption systems that allow for both
national and international operation.
The handover of cryptographic key material should be immediate. The
computational and operational process a law enforcement authority needs to
undertake to decrypt the data, including any reconstruction or rebuilding of
keys, should involve minimal time and resources to ensure an efficient,
economic and timely operation.
The provision of data as plaintext should take place as soon as possible; in
urgent cases within a few hours or minutes.
ENFOPOL 98 : REQUIREMENTS RELATING TO CALL AND SUBSCRIBER ASSOCIATED DATA
Law enforcement agencies require a real-time, full-time monitoring capability
for the interception of telecommunications. Call associated data should also
be provided in real-time. If call associated data cannot be made available in
real time, law enforcement agencies require the data to be available as soon as
possible upon call termination.
The identifier for an Internet service which is a target service will usually
be the means by which the service is known to the service provider and used to
authenticate (and possibly to bill) a person attempting to use the service
and/or the means by which traffic is directed to the service. Examples of
service identifiers are:
- IP address (for services with a fixed IP address)
- Account number
- Logon id/password
- PIN number
- E-mail address
Call associated data refers to the signalling information contained within the
IP datagrams and also where appropriate, to the calling line identifier of the
telephone service used by the interception subject to connect to the Internet
provider.
Before implementation of the interception, law enforcement agencies require:
(1) the interception subject's identity, service number or other distinctive
Identifier, (2) Information on the services and features of the
telecommunications system used by the interception subject and delivered by
network operators/service providers, and (3) information on the technical
parameters of the transmission to the law enforcement monitoring facility.
Law enforcement agencies require access to information about subscribers to all
telecommunications services including, but not limited to, the following:
circuit switched telephony services,
- PSTN,
- ISDN;
- terrestrial mobile services, e.g. GSM, AMPS, D-AMPS, CDMA, DCS-1800;
- satellite-based mobile services, e.g. IRIDIUM, Globalstar, ICO;
- Trunked mobile services, e.g. TETRA;
- Internet services both dial-in and fixed based;
- calling card services both pre-paid and account based;
- call-back services;
- long distance and international services;
- paging services;
- data services, e.g. X.25, X.400, ATM, frame relay, and;
- voice mail services.
Law enforcement agencies also require the means to access information about
subscribers in other countries in situations where those subscribers may be
operating within the agency's jurisdiction. Examples of these situations
include, but are not limited to the following:
- Internationally roaming mobile subscribers;
- Subscribers to S-PCS services such as Iridium, and;
- Subscribers to international carriers where the subscriber database is
  in another country.
Law enforcement agencies require access to information kept by the providers of
telecommunications networks, telecommunications services and Internet services
on the subject's Identity. Examples of this information include, but are not
limited to, the following:
- the full name and address of the Interception subject including postal
  code;
- the full name and address, including postal code, of the party which
  pays the bill for the services provided to the interception subject;
- sufficient credit card details to identify the account if the
  interception subject pays by credit card, and
- the directory name and address as shown in the directory.
Law enforcement agencies require access to information kept by the providers of
telecommunications networks, telecommunications services and Internet services
on the interception subject's service number or other distinctive Identifier.
Examples of this information may include, but are not limited to the following:
Types of services and features used by the interception subject;
- Wire line directory numbers;
- Technical identifiers and codes of the telecommunications equipment such
  as the MSISDN, IMSI and IMEI GSM identifiers, which are supplied by the
  provider to the interception subject;
- The means by which a provider identifies a subscriber of Internet on
  cable TV;
- User identifier or code given by a caller and used by an Internet
  provider to authenticate and bill the user;
- Cable or channel identifiers for fixed point services;
- IP address for users of fixed Internet services;
- Associated directory number on a voice mail service;
- E-mail address;
- The PIN or code given by the caller and used by the provider to
  authenticate and bill a user of calling card services, and;
- The means by which an international or long distance service provider
  authenticates a caller.
Law enforcement agencies require access to traffic and billing records of an
interception subject.
I will be talking about some of this stuff at LSE on Tuesday: (snip from
Peter's posting)
Global information surveillance:
Intelligence and law enforcement
planning and capabilities
Duncan Campbell will report on and discuss
his current work for the European
Parliament on such systems as
Echelon and proposed legislation /
mutual assistance arrangements as
Enfopol and the US Communications
Assistance to Law Enforcement Act.
See http://csrc.lse.ac.uk/Colloquia/colloquia1.htm for further information.
Duncan
--- end forwarded text
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'