Surveillance of 5G: Governments plan to change laws

5G telephony makes communication more secure. Connections, subscriber and device identifiers are partly encrypted, also conventional IMSI catchers become useless. Providers could therefore be forced to install new surveillance technology.

With Multi-Access Edge Computing (MEC), the fifth mobile phone generation (5G) decomposes the transmission of telephone calls into individual stages and and encrypts them. Telecommunications providers no longer process the traffic centrally, but via various network edges. The metadata and content is only decrypted at these decentralized nodes.

That means that with 5G telephony, communication becomes much more secure. This poses a problem for police forces and secret services. The German Federal Ministry of the Interior is therefore announcing an amendment to the Telecommunications Act and the Telecommunications Surveillance Regulation. Companies operating in Germany such as O2, Vodafone and Telekom are to ensure that decoded 5G connections are available for authorities.

International traffic also affected

The servers through which 5G traffic is routed are sometimes located in other countries. The German government is also planning changes to the law in this regard. All companies providing publicly accessible telecommunications services in Germany will then have to cooperate with national law enforcement authorities and secret services. This might force a provider operating in Germany to store decrypted communication data of German connections also in neighbouring countries.

According to the plans, the official request for these 5G data stored abroad would not be made via international legal assistance, but based on German laws. To this end, the German government also intends to adapt the Technical Guideline for the Implementation of Legal Measures for the Monitoring of Telecommunications (TR TKÜV).

„Significantly higher data rate“ at interception interfaces

All telecommunications providers operating in Germany must provide interception interfaces for the police, customs and secret services. In the Internet of Things under 5G, the authorities expect a „considerably higher data rate“ at the data interception interfaces. For this reason, companies are to be forced to install new surveillance technology „if necessary“. This is why the Federal Government is considering corresponding changes to the law.

Finally, the encryption of subscriber and device identifiers (IMSI and IMEI), which has been introduced under 5G, is also causing headaches for the authorities. Conventional IMSI catchers, which can be used to detect or intercept nearby telephones, therefore become unusable. The German Ministry of the Interior therefore speaks of „technical and legal adjustments“ for providers regarding the 5G standard. It would be conceivable that decoded IMSI or IMEI data could in future be requested from the companies by court order. This would also allow cell site analysis under 5G to continue.

New standard in December

The technical standards for the fifth generation of mobile communications are discussed and defined in international organizations. One of them is the European Telecommunications Standards Institute (ETSI), which in turn cooperates with the worldwide 3rd Generation Partnership Project (3GPP). The 3GPP belongs to the International Telecommunication Union (ITU) of the United Nations, with which the specifications determined there are also adopted by its member organizations.

The definition of standards for decrypting, processing and forwarding communication data to authorities takes place in special networks. In ETSI this is the TC LI working group („Technical Committee Lawful Interception“), in 3GPP the SA3 LI working group („Lawful Interception“) is responsible for this. In December of this year, ETSI intends to define a final standard for the monitoring of 5G (Release #16).

According to Alf Zugenmaier, Professor for Mobile Networks and Security at the Munich University of Applied Sciences, this specification has long been fixed and will only be formally adopted. He himself is vice chairman of a 3GPP working group dealing with security and data protection.

ZITiS supports BKA and Verfassungsschutz

Nevertheless, European police forces and intelligence services are urging haste and calling for greater influence in standardisation bodies. The Federal Criminal Police Office (BKA), the domestic secret service and the Federal Network Agency have also been participating in the interception working groups for many years, and at state level the Bavarian Criminal Police Office and the Criminal Police Office of Lower Saxony are active there.

In spring, the EU Counter-Terrorism Coordinator Gilles de Kerchove had suggested that Europol, the EU police agency, should also become a member of the ETSI working group. Most of his demands are mainly based on proposals written by the BKA, the German Ministry of the Interior confirms. Europol had also published a position paper on 5G for law enforcement authorities.

Germany sends digital cavalry

The two documents were discussed at two „expert meetings“ at Europol. The heads and deputy heads of the organisational units of European police forces responsible for telecommunications surveillance were invited.

Presumably to increase the pressure on the standardisation committees, the German Ministry of the Interior subsequently sent another authority to ETSI and 3GPP in the form of the Central Office for Information Technology in the Security Sector (ZITiS). This digital cavalry was created in 2017 to counter the „increasing use of new forms of communication by criminals and the growing number of encryption methods“.

Image: kyle smith on Unsplash