Blog Careers Support +1 408 944 0250

Five Challenges of Gathering Digital Evidence in a 5G World

Five Challenges of Gathering Digital Evidence in a 5G World

It’s an irony of this moment that, even as 5G networks increase the amount of data on public networks by orders of magnitude, the technology itself obscures more and more of it from lawful intelligence operations. Alongside the problem of sheer scale, investigators must contend with pervasive encryption of communications, highly distributed traffic processing at the network edge, and the endless diversity of the internet of things (IoT), to name a few. SS8 is working to develop new technologies and capabilities to overcome key lawful intelligence challenges associated with 5G networks.

Challenge 1: Data Handovers Are Now Too Large for Existing Protocols

Dramatic increases in traffic volumes are a key consideration with 5G networks. Where in the past, data handovers to law enforcement were typically on the order of one gigabit per second (Gbps) or less, the scale is now potentially far greater—as much as 5-10 Gbps—often with strict latency requirements. Interception and handover of high-bandwidth user traffic are complicated by a transmission control protocol (TCP) connection’s theoretical limit of 1.47 Gbps, which shrinks to approximately 1.2 Gbps in practice, even with ideal network conditions.

While user datagram protocol (UDP) offers higher throughput than TCP, its inability to resend dropped packets for assured transmission makes it an ineffective choice, particularly for the handover of real-time communications. SS8 has developed the ability to aggregate multiple TCP connections to overcome this limitation, enabling this technology feature on both the Xcipio mediation platform for communication service providers (CSPs) and the Intellego XT lawful intelligence platform for law enforcement agencies (LEAs). SS8 is also engineering the ability to cache, filter out ancillary content, such as streaming media entertainment from providers like as Hulu or Netflix whilst still providing metadata summary information.

Challenge 2: Home Routing Can Thwart Lawful Interception

A persistent problem for lawful interception across both 4G and 5G involves subscribers that use end devices connected to a home network outside the relevant legal jurisdiction, sometimes to avoid being monitored. In this scenario, a phone purchased in Country A and used in a roaming context within Country B, for example, would have its voice transmissions home routed to the switching infrastructure in Country A. This arrangement bypasses the core network in Country B, evading lawful intercept measures. That situation potentially creates compliance gaps for CSPs as well as intelligence gaps for LEAs.

To help address this challenge, SS8 created passive capabilities that enable interception of 4G roaming traffic, listening on the S8 home routing interface (S8HR). With the advent of the Subscription Concealed Identifier (SUCI) in 5G, subscriber identities are cloaked by encryption, thwarting passive lawful intercept measures. Replacement approaches to lawful interception that target 5G’s N9HR interface are therefore far more complex than predecessors. SS8 is working with standards bodies and the rest of the telecommunications ecosystem to develop measures that will help mitigate these challenges going forward.

Challenge 3: Use of Temporary SUCIs Obscures Subscriber Identities

As alluded to above, 5G user equipment (UE) identities may be obscured from lawful intelligence efforts by means of a hidden mapping between the unique Subscription Permanent Identifier (SUPI) and the temporary, encrypted SUCI. In particular, the tactical practice of geographically locating devices of interest using International Mobile Subscriber Identity (IMSI) catchers depended on the fact that IMSIs were broadcast in the clear. Therefore, that approach is no longer viable in 5G networks. Likewise, single-use temporary IMSIs (TIMSIs)—pseudo-random, periodically replaced numbers generated from IMSIs—can defeat IMSI catchers.

SS8 is actively involved in developing draft standards for caching capabilities that will make the correlations between permanent and temporary subscriber IDs available under lawful request. In addition, 5G Ultra-Reliable Low-Latency Communication (URLLC) will form the basis of location-based lawful intelligence under 5G that is far superior to what was possible with IMSI catchers. The small cells associated with 5G, down to the millimeter wave level, will make it possible to locate UE devices far more accurately than previous granularity that was measured in tens of meters, particularly with regard to the z-axis altitude of the device.

Challenge 4: Ubiquitous Virtualization Creates Novel Threats

The shift in 5G from centralized, hardware-based CSP architectures to distributed, cloud-native ones has dramatically changed the network attack surface. Rather than focusing on individual devices within a set perimeter for attack prevention, detection, and response, security operations must protect software-defined network functions running on widely distributed equipment, including in unsecured locations.

This scenario potentially exposes lawful intercept practices to new attack vectors. In addition, the complexity of 5G network topologies amplifies the risk that small but important factors will be overlooked, from an individual port not being locked down, to improper rights being assigned to an admin function.

Observability across a virtualized network is inherently challenging, which can also make attack detection difficult. Sophisticated attackers such as state actors and criminal enterprises may therefore be able to interfere with lawful intelligence, straining CSP compliance efforts and disrupting LEA investigations. SS8 is currently working with CSPs and enforcement entities to harden lawful intelligence operations and develop industry best practices.

Challenge 5: National Laws Struggle to Keep Up

Especially with regard to the continuing build-out of IoT, 5G is closely associated with machine-to-machine communication, complicating or even severing the one-to-one relationship between devices and human operators. This shift requires refactoring how legal frameworks relate to lawful intercept targets. For example, a lawful request that targets a digital assistant device in a public space would necessarily carry collateral intrusion concerns that could impinge the privacy rights of parties unrelated to the investigation.

The scope of policy needed for lawful interception in a 5G world includes unfamiliar challenges. For example, regulatory bodies must also determine the appropriate lawful intercept requirements for unconventional traffic sources that range from thermostats and appliances to industrial controls and critical infrastructure. SS8 applies more than two decades of lawful intelligence expertise to help global legislators and other regulators navigate the challenges of these transitions, as the evolution of public networks continues to accelerate.

To learn more about the lawful interception technologies SS8 is developing to overcome challenges associated with 5G networks, visit

About David Anstiss

David Anstiss Head Shot

David Anstiss is a Senior Solutions Architect at SS8 Networks. He has been with SS8 since 2015 and has significant experience in critical network architecture technology and advanced data analytics. He is responsible for working with both intelligence agencies and Communication Service Providers (CSPs) around the world and is instrumental in helping them transition to 5G, defining system requirements to meet regulatory compliance. As a member of ETSI, he represents SS8 to ensure the adoption of cloud-native infrastructure is met with industry best practices and to guarantee that compliance of lawful interception is maintained.

About SS8

SS8 provides Lawful Intelligence platforms. They work closely with leading intelligence agencies, communication providers, law enforcement agencies and standards bodies and their technology incorporates the methodologies discussed in this blog. Xcipio® is already proven to meet the very high demands of 5G and provides the ability to transcode (convert) between lawful intercept handover versions and standard families. Intellego® XT natively supports ETSI, 3GPP and CALEA handovers, as well as national variants. Intellego XT’s MetaHub component is a best-in-class data analytics tool. Both product portfolios are used worldwide for the capture, analysis and delivery of data for the purposes of criminal investigations.

Tweet Us @SS8                        Follow Us LinkedIn

SS8 Newsletter



How to Ingest, Filter and Query 5G Volumes

Webinar Presented by Kevin McTiernan

CLICK HERE to watch!