What is Lawful Interception?
Lawful Interception (LI) is a tool for police and other Law Enforcement Agencies (LEAs) when investigating serious crimes. Sometimes called ‘wiretapping’, LI is the process where an LEA can require a telecommunications provider to intercept the voice, data and message-based communications of a subscriber and pass them to the LEA.
The word ‘lawful’ is used because the process is based on the law of that jurisdiction. The OpenLI project, working through the University of Waikato, received two grants from ISIF Asia to assist with LI deployment in the Pacific. The first piece of work has been to understand the laws that apply to LI across the region’s economies.
Read more: OpenLI: An open source alternative for meeting lawful Interception Requirements
What lawful interception legislation is there in the Oceania region?
APNIC recognizes 26 economies in the Oceania region. Seven of these are territories with laws derived from other economies. This includes Norfolk Island (Australia), Pitcairn Island (UK), Guam, American Samoa and the Northern Mariana Islands (USA) and the French Southern Territories, Wallis and Futuna Islands (France). In addition, both New Caledonia and French Polynesia have only partial independence from France. France, Britain, Australia and the USA all have well developed legislation and regulation covering LI.
Tokelau and Niue are both very small and we could not find relevant legislation. The legislation of three economies, Tuvalu, the Marshall Islands and the Federated States of Micronesia deals with the establishment of a telecommunications corporation or similar and does not mention interception at all. We have, however, had an expression of interest from the Marshall Islands National Telecommunications Authority that we are following up. The Cook Islands also have no legislation covering LI, however Telecom Cook Islands has suggested that the National ICT Committee might introduce relevant rules. The remaining eleven economies all have some legislation.
Two economies in Oceania have well developed use of LI: Australia and New Zealand.
Australia’s primary LI legislation is the Telecommunication (Interception and Access) Act 1979, which runs to 434 pages and also includes data retention and relationships between agencies domestic and international. This is now an old act in the telecommunications space but it was reviewed in 2015 and has been regularly amended. It requires licensed carriers and nominated carriage service providers to submit an annual plan showing they have the capability to intercept services and deliver intercepted data to a collection point.
New Zealand extended its requirements for LI with the Telecommunications (Interception Capability and Security) Act 2013, which replaced the earlier Telecommunications (Interception Capability) Act 2004, which, in turn, replaced some provisions of the Telecommunications Act 1987. Unlike Australia, it has no stored data provision but it does have a section that deals with network security. The act requires that any network operator with more than 4,000 customers deploy LI capability. The Act allows the minister to regulate the acceptable formats for interception data. In August 2017 a NZ Gazette notice specified the LI standards that are required.
The remaining Pacific Island economies all have provisions for LI in either their Telecommunications Act or cybercrime legislation or in Samoa, the Police Powers Act.
The Solomon Islands only has a clause in the Telecommunications Act 2009, after clauses guaranteeing the privacy of communications, noting that it does not prohibit government authorities from accessing private communications in a lawful manner.
Palau introduced a telecommunications regulatory framework in 2017 that has several pages devoted to interception. It notes that warrants for interception can only be issued for the investigation of crimes punishable by more than two years in prison. It requires that any telecommunications network or service must be capable of interception in response to a warrant. It also defines carefully when interception is and isn’t lawful. The regulator from Palau indicated to us that although they have made progress on most of the framework they have not implemented lawful interception yet.
In Samoa, surveillance warrants and emergency permits are authorized under the Police Powers Act 2007. This sets out the conditions under which a warrant can be issued. It also notes that it is a requirement under the Telecommunications Act 2005 that telecommunications licencees assist the police in executing a warrant or permit. We have been told that Samoa is likely to review and perhaps update its legislation in the near future.
Nauru has two similar clauses in the Cybercrime Act 2015 and Papua New Guinea has two clauses in the Cybercrime Code Act 2016 that are quite similar. These specify that under a warrant the person in control of data or an ISP may be required to record the associated data and/or contents of communication or assist the police to do so. The concept of collecting both the contents of communications and the traffic data (signalling) is clear in LI standards. Both these economies use the same wording of the requirements for collecting traffic data and communications content. Papua New Guinea has a review of legislation underway currently. Several industry people have told us that they expect LI implementation will be required after the outcome of the legislation.
Four Pacific Island economies have recently updated their legislation. Tonga introduced its Computer Crimes Bill in 2019. In 2021, Fiji, Kiribati and Vanuatu passed Cybercrime Acts. These four pieces of legislation are broadly similar regarding LI. They have provisions for warrants for subscriber data, telecommunications data and communications content. In Fiji and Tonga, the legal standard for obtaining a warrant for communications content (for the investigation of serious crimes) is higher than for telecommunications data or subscriber data. All four economies use the term “real-time” regarding the collection of telecommunications data. Fiji and Kiribati allow for real-time collection of content and Tonga allows for “content data in its passage over a communications network”. The acts also allow for ‘requiring data to be preserved’ and specifically cover ‘sharing data with agencies from other jurisdictions’.
The use of the term “real-time” is significant in that generally real-time requirements are met through the use of LI standards such as the European ETSI standards or the US Calea standards. Australia and NZ do not specify real-time in their legislation but NZ specifies ETSI standards with real-time capability in the associated regulations and this is the preferred standard in Australia too.
OpenLI project members attended the PITA 27th AGM & Business Forum Expo 23 in Port Moresby held from 29 May to 1 June 2023 and were able to discuss LI with regulators and telecommunication operators from most Pacific economies. Many people we talked to were aware of the legislation, particularly in economies with recently updated laws. However, it also appears that none of the Pacific Islands have progressed further towards practical implementation of LI systems. LI is primarily a tool for law enforcement and we have not been able to talk to any police forces to know whether they are hoping to use it. We are not aware of any economies, beyond Australia and NZ that have developed regulations covering the implementation of LI.
Conclusions
For the OpenLI project the main conclusions from this stage of our project have been:
- It is premature to consider training for telecommunications staff when it is not clear which, if any, jurisdictions are going to require LI capabilities.
- If OpenLI is to be useful in the Pacific we need to increase our currently limited support of mobile networks.
- It may be useful to produce a tool that allows police forces to experiment with the LEA side of an LI system.
Richard Nelson is a Senior Lecturer in the Computer Science Department at the University of Waikato.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.