Blog Careers Support +1 408 944 0250

Lawful Interception for IoT at the Network Edge

Digital cell phone towers emitting signals

The increasing popularity of Internet of Things (IoT) applications and smart devices has led to a coexistence between 4G and 5G networks. As a result, mobile network operators (MNOs) have achieved efficiencies and cost savings by consolidating lawful intercept solutions for each. This reality of today’s communication networks is one of many sources of increasing complexity for law enforcement. Along with the massive diversity of devices connecting to the internet, this scope of potential information sources for investigations presents unique challenges for lawful intelligence gathering.

There are consumer, commercial, and industrial usages, among others, for IoT devices, each of which present varied opportunities for useful interception. Even within the consumer sector, IoT applications range from AI assistants and smart-home appliances to safety-critical systems for autonomous driving. To provide fast responsiveness across these usages, MNOs place computer processing capabilities close to the point where the data is generated, at the network edge. This is the basis of multi-access edge computing (MEC), a core enabler for IoT.

In a cloud-enabled network topology, edge network services are dynamically created and eliminated as needed, which complicates interception compared to older, static networks with predictable structures. In addition, data that is created and consumed at the edge is not backhauled to the network core. Therefore, interception of this traffic must be accomplished at the edge, which requires responsiveness to the changing network topology on a minute-to-minute basis. SS8 is advancing lawful intelligence tools and capabilities to adapt to these dynamic architectures and their related challenges.

Interception in Self-Redefining Networks

The services that perform the workloads of 5G networks – —such as the User Plane Function (UPF) and Virtual Radio Access Network (vRAN) – are based on Virtualized Network Functions (VNFs) that duplicate core network elements in the network edge. These virtual functions, which are built to be linked together for more complex functionality, can be instantiated and terminated on demand, at any edge location on the network. SS8 has invested significantly to provide a fully cloud-ready mediation platform based on containerized VNFs (also known as CNFs). This architecture enables the agility to deploy points of interception as needed, with minimal latency.

When a UPF instance is spun up for packet delivery at a network edge location, for example, the SS8 platform spins up a Communication Content Packet Aggregator (CCPAG). That function provides the X3 interface used to transmit the locally intercepted traffic to a centralized mediation entity, or directly to the requesting agency. These dynamic architectures tend to be complex and fast-changing, making software-defined networking, including high-speed discovery and routing-table updates to maintain network performance, instrumental to their functioning.

Information-Centric Networking (ICN) is the ability to automate network discovery and visibility in dynamically defined networks. For example, if a local breakout with the UPF has been established for interception at the edge and a file cache is created there, ICN services can identify that change to the lawful intelligence apparatus, providing an updated understanding of the local network environment. The SS8 platform draws on this network visibility to deploy cloud-native interception instances as needed, across the dynamic edge.

Network slicing, another key technology of 5G networks, is the ability to provide differentiated levels of service within a common network. From the network traffic point of view, slicing is a logical network overlay that allows prioritization of traffic by class of service. This allows critical flows with low-latency and safety requirements, such as emergency calls, to have high priority. These characteristics of network traffic flows are part of the complete picture needed by the mediation platform.

Unifying Interception for 4G and 5G Networks

The transition from 4G to 5G networks tends to be gradual and uneven. On one hand, many carriers are delivering 5G services over their 4G cores. On the other hand, many are deploying 4G services using the same distributed, cloud-native architecture used for 5G. ETSI defines CCPAG as a 5G technology, however, which is a significant limitation in a world where MNO networks consist of various combinations of 4G and 5G technologies, including at the network edge.

SS8 offers our proprietary Xcipio® Content Packet Aggregator (XCPAG) to uniquely extend CCPAG functionality beyond 5G networks to include 4G traffic as well. XCPAG supports interception of both 5G and 4G data while maintaining fidelity with industry standards for CCPAG, allowing it to interoperate with existing CCPAG implementations, across vendors, with a cloud-ready architecture. XCPAG provides the ability to respond to changes in the network topology, including the instantiation of new VNFs, with low latency.

Spikes in network demand, such as major sporting events, may cause many VNFs to be spun up at a specific network edge site. In addition to discovery and co-placement of XCPAG instances where they are needed, the SS8 platform maintains the security functions and certificates to quickly establish and maintain secure connections with each of these on-demand 4G and 5G network elements, allowing first responders to respond efficiently.

As more and more IoT devices connect to 4G and 5G networks, Xcipio’s ability to unify basic lawful intelligence capabilities across network generations is essential for public safety.

About David Anstiss

David Anstiss Blog Head Shot - SS8 Networks

David Anstiss is Director of Solution Engineering at SS8 Networks. He has been with SS8 since 2015 and has significant experience in critical network architecture technology and advanced data analytics. He currently works as part of the Technical CTO Group under the leadership of Dr. Cemal Dikmen and is responsible for leading engagement with both intelligence agencies and Communication Service Providers (CSPs) around the world. He has been instrumental in helping them transition to 5G, defining system requirements to meet regulatory compliance. As a member of ETSI, he represents SS8 to ensure the adoption of cloud-native infrastructure is met with industry best practices and to guarantee that compliance of lawful interception is maintained. Learn more about David here on his LinkedIn profile.

About SS8 Networks

As a leader in Lawful and Location Intelligence, SS8 helps make societies safer. Our commitment is to extract, analyze, and visualize the critical intelligence that gives law enforcement, intelligence agencies, and emergency services the real-time insights that help save lives. Our high performance, flexible, and future-proof solutions also enable mobile network operators to achieve regulatory compliance with minimum disruption, time, and cost. SS8 is trusted by the largest government agencies, communications providers, and systems integrators globally.

Intellego® XT monitoring and data analytics portfolio is optimized for Law Enforcement Agencies to capture, analyze, and visualize complex data sets for real-time investigative intelligence.

LocationWise delivers the highest audited network location accuracy worldwide, providing active and passive location intelligence for emergency services, law enforcement, and mobile network operators.

Xcipio® mediation platform meets the demands of lawful intercept in any network type and provides the ability to transcode (convert) between lawful intercept handover versions and standard families.

To learn more, contact us at

Follow Us LinkedIn       Tweet Us @SS8

SS8 Newsletter



How to Ingest, Filter and Query 5G Volumes

Webinar Presented by Kevin McTiernan

CLICK HERE to watch!