The Lawful Access Regulation
Article 78 of the Telecommunications Law of 2002 stipulates the following:
Licencees’ obligations concerning national security
Every Licensed Operator shall undertake to provide, at its own expense, all technical resources, including Telecommunications Equipment, systems and programs relating to the Telecommunications Network that it is licensed to operate and which allow security organs to have access to the network for fulfilling the requirements of national security […] in accordance with the provisions of the regulations and decisions issued by the Authority [TRA]. 1
In September 2008, Ahmed Aldoseri (Director of Cyber Safety of the Telecommunications Regulation Authority) 2 implied that the practical implementation of Article 78 was under debate, particularly around the question of who should finance monitoring and surveillance components, and if the operators should bear the cost, whether they should have to finance ‘the monitoring centres at each law enforcement agency’ as well. Aldoseri requested examples of ‘lawful intercept’ legislation overseas which could guide the decision-making process in Bahrain. 3
Aldoseri then took the lead on drafting a ‘lawful access’ regulation setting out the duties of licensees with respect to fulfilling Article 78, 4 which was released by the Telecommunications Regulation Authority (TRA) for public consultation in February 2009.
The final version of the Lawful Access Regulation (Resolution No. 8 of 2009) 5 was released by the TRA in November 2009. It came into effect upon its publication in the Official Gazette of Bahrain, without having been subject to the scrutiny of the Bahraini Parliament or having received its assent. 6
The Lawful Access Regulation imposes a condition on every license issued by the TRA that the operator devise and carry out a ‘Lawful Access Implementation Plan’ and bear its entire cost. To comply with the regulation, the ‘Lawful Access solution’ chosen by the licensee must enable it to:
- allow security services access to call content and ‘Access Related Information’ sent via their network
- retain all Access Related Information for one year
- retain all data used to interpret Access Related Information, such as ‘clarifications or mappings of the relationship between authentication username and IP address’
- provide requested Access Related Information to security organisations within a day
- provide the ability to electronically search retained Access Related Information quickly
Access Related Information is defined as all communications data, including messages, sounds, visual images or signals, which pass through a network, excluding Call Content. It includes:
Fixed and mobile voice calls:
- All numbers including local, international or other identifications that could be used for Calling Line Identification, IMEI and IMSI numbers
- Date, start time and end time
- Call parties’ locations at the start and end of the call as an address or longitude and latitude
Data calls such as 3G and GPRS:
- Date and time of call
- Caller IMSI number
- IP or other relevant address
SMS, EMS and MMS:
- Caller and receiver numbers and IMEI numbers
- Date and time of call
- Longitude and latitude of call parties’ location when sending/receiving
E-mail:
- E-mail access data, including authentication username, date and time of login and logout and IP address logged in from.
- Data of the e-mail sent, including authentication username, e-mail addresses used in all the fields (From/To/CC/BCC) and date and time of sending the e-mail.
- Data of the e-mail received, including authentication username, e-mail addresses used in all the fields (From/To/CC) and date and time of receiving the e-mail.
General internet use:
- Authentication username.
- Date and time of login and logout.
- IP address used.
- Proxies record data, including time, date, IP addresses used by all parties, website addresses visited, services used and the type of protocol used.
The Lawful Access Regulation also specifies the ETSI numbers with which ‘Lawful Access solutions’ should comply.
While the Regulation does not mandate the retention of any email or call content (as was reiterated in the TRA’s report on the responses to the consultation document, 7 released in December 2009), it does imply that security organisations must have access to call content. This could possibly be in real time, via the monitoring centres based in-house at security agencies, as mentioned by Aldoseri. 8
A report of the consultation process was released in December 2009. 9 The list of respondents includes surveillance company ETI Connect and ‘several confidential responses’. Major concerns expressed by respondents included the infringement of privacy, constitutional rights and human rights. The TRA rejected these concerns, pointing out the constitutional and regulatory safeguards contained in the Constitution of the Kingdom of Bahrain, the Telecommunications Law, the Criminal Procedures Law, and the Law on Protecting Society from Terrorism.
- 1. http://www.tra.org.bh/en/pdf/TelecommunicationsLaw-secondedition-English.pdf
- 2. http://bh.linkedin.com/in/aldoseri
- 3. http://www.linkedin.com/answers/technology/informationtechnology/telecommunications/TCH_ITS_TCI/326497-10344219
- 4. http://www.bloomberg.com/news/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking.html
- 5. http://www.tra.org.bh/en/pdf/PublishedLawfulAccessRegulation.pdf
- 6. http://www.ju.edu.jo/Resources/EconomicObservatory/Lists/Conferences/Attachments/6/11-Telecommunications%20(interception%20and%20access)%20and%20its%20Regulation%20in%20Arab%20Countries.pdf
- 7. http://www.tra.org.bh/en/pdf/LawfulAccessConsultationReport_en.pdf
- 8. http://www.linkedin.com/answers/technology/informationtechnology/telecommunications/TCH_ITS_TCI/326497-10344219
- 9. http://www.tra.org.bh/en/pdf/LawfulAccessConsultationReport_en.pdf