|
TECHNICAL SPECIFICATION
LTE;
5G;
Digital cellular telecommunications system (Phase 2+) (GSM);
Universal Mobile Telecommunications System (UMTS);
Lawful Interception requirements
(3GPP TS 33.126 version 15.0.0 Release 15)
---------------------- Page: 1 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 1 ETSI TS 133 126 V15.0.0 (2018-09)
Reference
RTS/TSGS-0333126vf00
Keywords
5G,GSM,LTE,SECURITY,UMTS
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
If you find errors in the present document, please send your comment to one of the following services:
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© ETSI 2018.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M logo is protected for the benefit of its Members.
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI
---------------------- Page: 2 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 2 ETSI TS 133 126 V15.0.0 (2018-09)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP).
The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or
GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables.
The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under
.
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI
---------------------- Page: 3 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 3 ETSI TS 133 126 V15.0.0 (2018-09)
Contents
Intellectual Property Rights . 2
Foreword . 2
Modal verbs terminology . 2
Foreword . 4
Introduction . 4
1 Scope . 5
2 References . 5
3 Definitions and abbreviations . 5
3.1 Definitions . 5
3.2 Abbreviations . 7
4 Jurisdiction specific Lawful Interception requirements . 7
5 General interception lifecycle and model . 8
5.1 Lifecycle . 8
5.2 Model . 8
6 Fundamental Requirements . 9
6.1 Overview . 9
6.2 Identification . 9
6.3 Detect and Capture . 10
6.4 Delivery . 13
6.5 Lawful Compliance . 14
6.6 Security . 14
Annex A (informative): Guidance on regulatory and capability Issues . 16
A.1 Introduction . 16
A.2 Service specific obligations . 16
A.3 Roaming obligations clarification . 16
A.4 Delivery . 16
A.5 Quality . 16
A.6 Security. 16
A.7 Mission Critical . 17
Annex B (informative): Change history . 18
History . 19
ETSI
---------------------- Page: 4 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 4 ETSI TS 133 126 V15.0.0 (2018-09)
Foreword
rd
This Technical Specification (TS) has been produced by the 3 Generation Partnership Project (3GPP).
The contents of the present document are subject to continuing work within the TSG and may change following formal
TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an
identifying change of release date and an increase in version number as follows:
Version x.y.z
where:
x the first digit:
1 presented to TSG for information;
2 presented to TSG for approval;
3 or greater indicates TSG approved document under change control.
y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections,
updates, etc.
z the third digit is incremented when editorial only changes have been incorporated in the document.
Introduction
The present document has been produced by the 3GPP TSG SA to enable standardisation of Lawful Interception (LI) of
telecommunications. The present document provides requirements for Lawful Interception.
Laws of individual nations and regional institutions, and sometimes licensing and operating conditions, define a need to
intercept targeted telecommunications traffic and related information in communication systems. Lawful Interception
applies in accordance with applicable national or regional laws and technical regulations.
ETSI
---------------------- Page: 5 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 5 ETSI TS 133 126 V15.0.0 (2018-09)
1 Scope
The present document specifies Stage 1 Lawful Interception requirements for 3GPP networks and services.
Regional interception requirements can be satisfied by meeting the correct subset of requirements from the present
document. Which CSP services are subject to Lawful Interception is defined by national regulations.
The presence of a requirement in the present document does not in itself imply or mandate that a 3GPP operator has an
obligation to implement any network service capability, which is not otherwise required to meet LI obligation
compliance in relation to specific regulated services, offered by that 3GPP operator. Only those specific requirements
and sub-clauses of the present document which are applicable to specific network and/or service capabilities
implemented in a 3GPP operator's network will be considered in scope for that operator. In all cases, laws and
regulations define which requirements are applicable to 3GPP operators in each country relative to the services offered
by each 3GPP operator.
As such not all requirements in the present document will apply in all national jurisdictions or to all 3GPP operator
deployments (e.g. if an operator does not offer voice services, then voice LI requirement in the present document do not
apply).
The interception system defined in the present document provides LI based on specific target identifiers.
2 References
The following documents contain provisions which, through reference in this text, constitute provisions of the present
document.
- References are either specific (identified by date of publication, edition number, version number, etc.) or
non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including
a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same
Release as the present document.
[1] 3GPP TR 21.905: "Vocabulary for 3GPP Specifications".
[2] ETSI GS NFV-SEC 012: "Network Functions Virtualisation (NFV) Release 3; Security; System
architecture specification for execution of sensitive NFV components".
[3] 3GPP TS 33.127: "Lawful interception architecture and functions".
[4] 3GPP TS 33.128: "Handover interface for Lawful Interception (LI)".
[5] ETSI TS 103 280: "Lawful Interception (LI); Dictionary for common parameters".
[6] ISO/IEC 27000: "Information technology; Security techniques; Information security management
systems - Overview and vocabulary".
[7] ETSI TS 102 165-1: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (CYBER); Methods and protocols; Part 1: Method and proforma for
Threat, Risk, Vulnerability Analysis".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in 3GPP TR 21.905 [1] and the following
apply. A term defined in the present document takes precedence over the definition of the same term, if any, in 3GPP
TR 21.905 [1].
ETSI
---------------------- Page: 6 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 6 ETSI TS 133 126 V15.0.0 (2018-09)
activation/deactivation: The large time scale action (i.e. on the same order as subscription lifetimes, that encompass
multiple sessions, e.g. subscribing to “call hold” service). (See also Invocation)
capture: The action taken by the CSP to separate and copy the communications associated with a target identifier.
Content of Communication (CC): Information exchanged between two or more users of a communications service,
excluding intercept related information. This includes information which may, as part of some communications service,
be stored by one user for subsequent retrieval by another.
context of communication: Information needed to recreate the state known in the CSP's network of the Target
Communication. For example the direction of initiation on communication (to or from), direction of data flow (to or
from), direction association with the identifiers to and from addresses), actions taken by the CSP on behalf of the target
or identity translations.
Communication Service Provider (CSP): The entity that owns or operates the network that provides a service to a
subscriber.
delivery: The action taken by the CSP to perform the necessary correlation and processing of communications
associated with a target, and delivering the result to the LEA.
de-provisioning: The action taken by the CSP, that may be in response to an interception termination request from the
LEA, or automatically once the warrant period has expired, to remove from its network functions the information and
reporting pertaining to the target.
detection: The action taken by the CSP to identify communications associated with a target identifier.
edge interception: Interception performed in less secure locations that could be at customer's premises e.g. H(e)NB,
ProSe relays.
group identifier: A group identity provides a reference to a defined group of one or more users. The use of this group
identity applies to all users in the group.
interception: The actions of Provisioning, Detection, Capture, Delivery, and De-Provisioning.
interception product: The Intercept Related Information (IRI) and/or Content of Communication (CC) generated as a
result of isolating the target's communications for the purpose of delivery to the requesting LEA.
Intercept Related Information (IRI): Information or data associated with communication services involving the target
identity, specifically communication associated information or data (e.g. unsuccessful communication attempts), service
associated information or data, and location information.
invocation: The short, intra-session time scale action (i.e. the activation of the hold feature in the middle of a call
session). (See also Activation).
Lawful Access Location Services (LALS): Action performed by a CSP of obtaining a target's location information by
means of Location Services (LCS), and providing that information to an LEA.
Lawful Interception (LI): Actions taken by the CSP that include: provisioning the target identity in the network to
enable isolation of target communications (separating it from other users' communications), duplicating the
communications for the purpose of sending the copy to the LEA, and handing over the Interception Product to the LEA
that served the CSP with the warrant. An interception is associated with exactly one warrant.
lawful interception identifiers: Target identifying details as defined in ETSI TS 103 280 [5].
LI delivery latency: The time between isolation in the Point of Interception and delivery of the Product of Interception
at the LEA at the agreed point of handover.
location information: Information relating to the geographic/ physical or logical location of a target.
Mediation Function and Delivery Function (MF/DF): Functions that convert the CSP internal formats and protocols
to the agreed formats and protocols for handover from the CSP to the LEA.
party role: The role of a user identifies whether the user was for example the initiating party or the addressed party or
intermediate addressed party in a communication.
production: The actions of Detection, Capture, and Delivery.
ETSI
---------------------- Page: 7 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 7 ETSI TS 133 126 V15.0.0 (2018-09)
provisioning: The action taken by the CSP to insert into its network functions information that identifies the target and
the specific communication services of interest to the LEA, sourced from the LEA provided warrant.
target communication: All communications, communication attempts (successful or not), and network interactions
that originate from, are directed to, are controlled by, or are associated with, the target's identifiers, equipment, facilities
or services, including actions taken by the network on behalf of the target, that are available in the CSP's network.
target identity: A network or service identity that uniquely identifies a target for interception from all other non-targets
within one or more CSP services. One target may have one or several target identities. The target identity can be a long
term subscription based identity, a short term network identity, a public available identity or an internal used (private)
identity.
third party: A resource or entity which is not fully owned and fully controlled by the CSP.
warrant: The formal mechanism to require Lawful Interception from a LEA served to the CSP on a single target
identifier. Depending on jurisdiction also known as: intercept request, intercept order, lawful order, court order, lawful
order or judicial order (in association with supporting legislation).
3.2 Abbreviations
For the purposes of the present document, the abbreviations given in 3GPP TR 21.905 [1] and the following apply. An
abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in
3GPP TR 21.905 [1].
ADMF ADMinistration Function
CAT Customized Alerting Tone
CC Content of Communication
CRS Customized Ringing Signal
CSP Communications Service Provider
DF Delivery Function
gNB 5G NodeB
GUTI Globally Unique Temporary Identifier
HeNB Home eNodeB
H(e)NB HNB and HeNB
HNB Home NodeB
IRI Intercept Related Information
LALS Lawful Access Location Services
LEA Law Enforcement Agency
LEMF Law Enforcement Monitoring Facility
LI Lawful Interception
MCPTT Mission Critical Push to Talk
MF Mediation Function
POI Point Of Intercept
SUCI SUbscription Concealed Identifier
SUPI SUbscription Permanent Identifier
UTC Coordinated Universal Time
4 Jurisdiction specific Lawful Interception requirements
Lawful Interception requirements are subject to jurisdiction specific regulations and should be interpreted accordingly.
Requirements called out in jurisdiction specific Lawful Interception regulatory requirements are supported by the
system defined in the present document.
Lawful Interception requirements often have national requirements specific to local jurisdictions relating to operational
aspects of interception (e.g., interception equipment location and interception scope).
ETSI
---------------------- Page: 8 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 8 ETSI TS 133 126 V15.0.0 (2018-09)
5 General interception lifecycle and model
5.1 Lifecycle
Figure 5.1 depicts the general Lawful Interception lifecycle.
Interception
Target
Communications
Provisioning Detection Capture Delivery De-provisioning
Interception product
Warrant
(from LEA) (to LEA)
Production
Figure 5.1: Generic Lawful Interception lifecycle
The Lawful Interception lifecycle has five main stages. The first and last stages consist of provisioning and de-
provisioning the Lawful Interception system. In the middle three stages (labelled "production" in Figure 5.1) the Lawful
Interception systems detect, capture and deliver Interception Product to the LEA. These three production stages occur
each time a targeted communication is identified, and therefore may happen many times during the lifecycle.
5.2 Model
Figure 5.2 depicts the general interception model. Lawful Interception (LI) is implemented in a 3GPP Communication
Service Provider (CSP) network by the logical elements shown in the figure. Detailed LI architecture and functions are
found in TS 33.127 [3], while delivery details are found in TS 33.128 [4].
The Administration Function (ADMF) provides the CSP's administrative functions for the LI capability, including
provisioning and de-provisioning the Point(s) Of Intercept (POI) and the Mediation and Delivery Function (MF/DF).
A POI detects and captures the target's communications, based on information provided by the ADMF, passing the
Interception Product to the Mediation and Delivery Function.
The MF/DF performs any necessary mediation of the Interception Product before delivering it on to the LEA's Law
Enforcement Monitoring Facility (LEMF).
The LEMF is the logical element in the LEA which receives Interception Product.
ETSI
---------------------- Page: 9 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 9 ETSI TS 133 126 V15.0.0 (2018-09)
3GPP CSP
LEA
warrant
ADMF
intercept management
IRI
mediation
POI
Target
CC
LEMF
& delivery
Figure 5.2: Generic Lawful Interception model
6 Fundamental Requirements
6.1 Overview
In the present document some requirements are cumulative in nature, and rely on implicit compliance with other
requirements.
The network shall be able to provide a Lawful Interception capability which meets the relevant regulatory and
operational obligations. In general, this gives rise to the following high-level summary requirements:
- Target Identification: The CSP shall use the target identity provided in the warrant to provision interception of
the target. The CSP shall ensure that the target identity is converted when necessary, by the network, to
corresponding identities used in the network.
- Detect: The network shall be able to detect all content and metadata (required to produce IRI) associated with
targeted communications as provided in the network, in order for the LEA to fully understand the Context of
Communication.
- Capture: The network shall be able to capture all content and metadata (required to produce IRI) associated with
targeted communications as provided in the network, in order for the LEA to fully understand the Context of
Communication.
- Delivery: The network shall be able to deliver Interception Product in agreed format to the LEA, such that the
LEA can fully understand the Interception Product as provided by the CSP.
- Lawful: The CSP's Lawful Interception capability shall comply with the relevant obligations, restrictions and
reporting regimes in the warrant, including (but not limited to) period, duration, locality, services.
- Security: Lawful Interception by the CSP shall be undetectable by any party not explicitly authorised to have
knowledge of it, and cannot be modified, altered or degraded by such a party.
6.2 Identification
R6.2 - 10 User Identification - The CSP shall maintain an association among subscription identifiers or MEs or
UEs registered on the network, using private or public, long term or short term available identifiers (e.g. SUPI, GUTI,
SUCI, MSISDN, IMEI, SIP-URI, IMSI, TEL-URI), such that LI can be performed at any time the target interacts with,
or acts within, the CSP network, or the CSP network acts on behalf of the user. This requirement shall not be interpreted
to conflict with regulations pertaining to unauthenticated emergency calls.
R6.2 - 20 LI using Group Identities - The CSP shall be able to perform LI based on user group identifiers (e.g.
Closed Subscriber Group (CSG), H(e)NB, ProSe relay, Conference Call).
ETSI
---------------------- Page: 10 ----------------------
3GPP TS 33.126 version 15.0.0 Release 15 10 ETSI TS 133 126 V15.0.0 (2018-09)
R6.2 - 30 Group Communication Identification - The CSP shall be able to perform LI on group communication
using the identity of the group communication instance (e.g. 3 way call, conference call, MCPTT group call).
R6.2 - 40 Target Role in Communication - The CSP shall be able to intercept based on the target identifier,
regardless of the target's role in the communication.
R6.2 - 50 Target Communication Identification - The CSP shall be able to distinguish specific usages of the
network by the target (e.g. access or service) from all other usages in the network, based on the target identifier.
R6.2 - 60 Long Term Identifiers - The CSP shall be able to intercept based on long term identifiers.
R6.2 - 70 Short Term Identifiers - The CSP shall be able to intercept based on valid short-term identifiers.
R6.2 - 80 Private Identifiers - The CSP shall be able to intercept based on private identifiers.
R6.2 - 90 Public Identifiers - The CSP shall be able to intercept based on valid public identifiers.
R6.2 - 100 Short to Long Term Identifier Mapping - The CSP shall be able to translate a valid short-term
identifier to the corresponding long-term identifiers in near real time and provide this information to the LEA.
R6.2 - 110 Long to Short Term Identifier Mapping - When a long-term identifier is provided in the warrant, the
network shall be able to perform interception based on corresponding short-term identifiers.
R6.2 - 120 Non-Local Target Identification - The CSP shall be able to isolate communications passing through its
network based on a visible target identity, when the target identifier is not assigned, or managed, by the CSP.
R6.2 - 130 Target Service Subscription Change - The CSP shall be able to notify the LEA of target's service
subscription changes.
R6.2 - 140 Target Service Metadata Change - The CSP shall be able to notify the LEA of target's service
association change events such as change of identifiers (e.g. association in a group call).
R6.2 - 150 Targeted Group Communication - The CSP shall be able to ensure that any changes in the membership
in a targeted group communication are updated in the short or long term identifiers used to perform interception.
R6.2 - 160 Target Mapping - The CSP shall be able report to the LEA parameters used for interception, including
any subsequent modifications (e.g. target identifier derivation).
R6.2 - 170 Isolation - The CSP shall be able to isolate and intercept Target Communications, as specified in the
warrant.
R6.2 - 180 Completeness - The CSP shall be able to intercept all Target Communications as specified in the
warrant.
rd
R6.2 - 190 CSP managed 3 party functions - To the extent that a CSP manages or controls a Third Party network
function (e.g. relay or forwarding functions), the CSP shall be able to perform LI on the function.
6.3 Detect and Capture
R6.3 - 10 Access Level Interception - The CSP shall be able to perform network access level interception in both
the core and on the edge of the network (e.g. IP-CAN level interception).
R6.3 - 20 Servic
...