Description
Lawful Interception (LI) is a comprehensive, standardized architecture and set of interfaces defined by 3GPP that allows Network Operators (NOs) and Internet Service Providers (ISPs) to provide legally authorized interception of telecommunications traffic and associated information to Law Enforcement Agencies (LEAs). It is not a single component but a system involving multiple network functions, interfaces (known as Handover Interfaces - HI), and a strict separation between the network's operational functions and the interception functions. The LI system is designed to be activated only upon presentation of a valid legal warrant and operates covertly, without alerting the target subscriber (the Intercept Subject).
Architecturally, a 3GPP LI system is divided into three main functional groups: the Intercepting Control Element (ICE), the Mediation Function (MF), and the Law Enforcement Monitoring Facility (LEMF). The ICE is embedded within the network nodes that handle the target's communications, such as the MME, SGW, PGW, SMF, UPF in 5G, or MSC, SGSN, GGSN in earlier generations. Its role is to duplicate and divert a copy of the Intercept Related Information (IRI) – which includes call signaling data, location information, and service usage data – and the Content of Communication (CC) – the actual voice, video, or user plane data packets – towards the MF. The MF, often a separate mediation device, normalizes, formats, and delivers this intercepted data to one or more LEMFs via standardized Handover Interfaces (HI1, HI2, HI3). HI1 is for interception order management, HI2 delivers IRI, and HI3 delivers CC.
How it works begins when a LEMA (Law Enforcement Monitoring Agency) sends a lawful authorization (warrant) to the network operator. The operator's administration system configures the relevant ICEs within the network to identify traffic for the specified target (using identifiers like IMSI, MSISDN, or IP address). Once activated, the ICE performs deep packet inspection and signaling monitoring to capture all IRI and CC associated with the target. This data is then sent to the MF, which ensures it is formatted according to standards like ETSI ES 201 671 or 3GPP TS 33.108 and delivered securely to the LEMF. The system is designed for high reliability, security (to prevent unauthorized access), and scalability to handle multiple simultaneous intercepts without impacting the quality of service for other subscribers. Its role is to provide a legally compliant, auditable, and technically robust mechanism for surveillance, which is a mandatory requirement for telecom operators in most jurisdictions.
Purpose & Motivation
Lawful Interception exists to balance two fundamental societal needs: the individual's right to privacy and the state's duty to investigate crime and ensure national security. Before standardization, interception capabilities were vendor-proprietary and often incompatible, making it difficult for law enforcement to work across different network operators and jurisdictions. This lack of standardization could also lead to legal challenges regarding the admissibility of intercepted evidence. 3GPP LI standardization, beginning in earnest from Release 4 onwards, was driven by regulatory requirements from governments worldwide, mandating that public communications networks must have built-in capabilities to support authorized interception.
The primary problems it solves are providing a consistent, reliable, and legally defensible method for intercepting modern digital communications and ensuring that such powerful capabilities are implemented with strong safeguards against abuse. It addresses the technical challenge of intercepting packet-switched data (in addition to circuit-switched voice), which became predominant with GPRS, UMTS, and later technologies. The standardized architecture ensures that interception can be performed regardless of the underlying network technology (2G, 3G, 4G, 5G, IMS) or the vendor equipment used, facilitating interoperability for law enforcement. It also defines strict security requirements for the Handover Interfaces and the mediation function to protect the integrity and confidentiality of both the interception process and the intercepted data.
Historically, its evolution has been closely tied to new network architectures and services. Each new 3GPP system release introduced LI specifications for new network entities and services, such as the IP Multimedia Subsystem (IMS) in Release 5, LTE/EPC in Release 8, and 5G System in Release 15. This continuous evolution ensures that LI capabilities keep pace with technological advancements like VoLTE, network slicing, and edge computing, preventing the existence of 'lawful intercept blind spots' that could be exploited. The framework is essential for network operators to meet their license obligations and avoid penalties, while providing LEAs with the tools needed for effective investigation in the digital age.
Detected Changes Across Releases
from 3GPP Change RequestsSpecific changes extracted from the „Change history“ tables of 3GPP specifications (156 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.
Studied in Rel-4, normative work from Rel-15.
In Release 15, the Lawful Interception function was enhanced to support Voice over New Radio (VoNR) and to address specific procedural gaps for starting interception. Key additions included the ability to trigger interception for a UE with an established PDU session and for a registered UE, with specific Stage 3 text provided for these procedures from the MDF2. The release also introduced and clarified interception capabilities for in-bound roaming scenarios at anchor and branching UPFs, and added support for reporting a SUCI at the start of interception.
- LI Support for VoNR in R15 TS 33.127CR0001
- Missing trigger for the start of interception with established PDU session TS 33.128CR0004
- Missing Stage 3 text - Start of Interception with registered UE from MDF2 TS 33.128CR0006
- Missing stage 3 text - Start of Interception with established PDU session from MDF2 TS 33.128CR0007
- In-bound roaming interception at anchor UPFs TS 33.128CR0010
- Anchor UPF interception clarification TS 33.128CR0014
+ 3 more changes
In Release 16, the Lawful Interception function was enhanced with new capabilities for 5GC and IoT, including the introduction of a CC POI Aggregator for 5GC LI and support for LI in a VPLMN with home-routed roaming. It also expanded virtualization with LI Virtualisation Procedures, added support for manual LI Suspend and Resume, and introduced specific provisions for IoT UE NIDD LI in EPS. Furthermore, the release updated IMS LI options and ported EPC and HSS LI specifications into the TS 33.127 series.
- IoT UE NIDD LI stage 3 (EPS) TS 33.108CR0416
- Artificial Intelligence in network automation: draft rules related to LI in TS 33.126 TS 33.126CR0006
- LI in VPLMN with home routed roaming scenario TS 33.127CR0044
- Porting LI for EPC into TS 33.127 TS 33.127CR0047
- Support of manual LI Suspend and Resume TS 33.127CR0061
- Update to LI at the SMSF TS 33.128CR0139
+ 20 more changes
In Release 17, the Lawful Interception function was extended to cover new services and network functions, including AKMA, NEF services (with NIDD), and SCEF services. The release also introduced detailed procedures for LI state transfers within the SMF and specified new LI interfaces and triggering mechanisms for N9HRLI and S8HR roaming scenarios, such as LI_X1, LI_X2, and LI_X3_LITE. Furthermore, corrections and enhancements were made to the LI architecture for the SGW/PGW (including CUPS) and the UDM.
- IMS: Addressing the interception due to the application of special media TS 33.127CR0119
- LI for NEF Services (NIDD included) TS 33.127CR0127
- LI for SCEF services TS 33.127CR0128
- Correction to LI Architecture for the SGW/PGW TS 33.127CR0132
- CR adding LI for AKMA (stage 2) TS 33.127CR0140
- LI for EPC-5GC Interworking Stage 2 TS 33.127CR0153
+ 56 more changes
In Release 18, the Lawful Interception function was expanded to cover new services and network functions, including the interception of 5G Media Streaming (5GMS) control plane, AF and AS sessions with QoS, and IMS Data Channels. It introduced support for Handover LI procedures, LI for Trace at the AMF, and ProSe LI reporting at the UDM, while also providing enhancements to LI notification messages and corrections to existing specifications.
- Addition of Handover LI Stage 2 TS 33.127CR0167
- LI of 5G Media Streaming (5GMS) (Control plane) TS 33.127CR0186
- HSS-UDM Interworking LI Stage 2 TS 33.127CR0191
- LI for AF Session with QoS (Stage 2) TS 33.127CR0192
- LI for AS Session with QoS (Stage 2) TS 33.127CR0193
- Addition of LI for Trace at the AMF Stage 2 TS 33.127CR0211
+ 22 more changes
In Release 19, the Lawful Interception function was extended to cover several new 5G services and architectures. Key additions include interception capabilities for Non-Terrestrial Networks (NTN), 5G ProSe Direct Communication and Communication via relays, 5G LAN groups, and Mission Critical Services (MCX). Furthermore, new interception points were specified for the Charging Function (CHF) and for parameters related to the IMS HSS and IMS Data Channel enhancements.
- Location Dependent Interception for NTN and MBSR TS 33.126CR0032
- LI for 5G LAN parameter provisioning (VN Group) TS 33.127CR0253
- LI for IMS HSS Stage 2 TS 33.127CR0266
- SMF enhancement for LI for 5G ProSe Communication via 5G ProSe UE-to-Network Relay - Stage 2 TS 33.127CR0272
- LI for 5G ProSe Direct Communication - Stage 2 TS 33.127CR0273
- LI at the CHF TS 33.127CR0279
+ 25 more changes
Explore further
Broader topics and technologies where LI plays a role.
Defining Specifications
3GPP specifications that define or reference LI, with the latest known release. Sourced from the 3GPP document catalog — see methodology.
| Specification | Title | Release |
|---|---|---|
| TR 21.905 vj00 | 3GPP Technical Terms and Definitions | Rel-19 |
| TS 22.495 v1700 | NGN Requirements for IMS Services | Rel-7 |
| TS 22.822 vg00 | Satellite Access in 5G Study | Rel-16 |
| TS 23.889 va00 | Local Call Local Switch Core Network Impact Study | Rel-10 |
| TR 23.919 vj00 | 3GPP Direct Tunnel Deployment Guidelines | Rel-19 |
| TS 25.322 vj00 | RLC Protocol Specification | Rel-19 |
| TS 26.346 vj20 | MBMS User Services Media Codecs & Protocols | Rel-19 |
| TR 26.998 vj00 | 5G AR/MR Glasses Integration Study | Rel-19 |
| TS 31.102 vj40 | USIM Application Specification | Rel-19 |
| TS 31.103 vj00 | ISIM Application Specification | Rel-19 |
| TS 33.106 vj00 | Lawful Interception Requirements (Pre-Rel-15) | Rel-19 |
| TS 33.108 vj00 | LI Handover Interface Specification | Rel-19 |
| TS 33.126 vj30 | Lawful Interception Requirements | Rel-19 |
| TS 33.127 vj50 | Lawful Interception Architecture and Functions | Rel-19 |
| TS 33.128 vj50 | 3GPP TS 33.128: Lawful Interception Protocols | Rel-19 |
| TS 33.501 vk00 | 5G Security Architecture and Procedures | Rel-20 |
| TS 33.831 vc00 | Study on Spoofed Call Detection & Prevention | Rel-12 |
| TR 33.848 vi00 | Technical Report on Virtualisation Security | Rel-18 |
| TS 33.880 vf10 | Security Study for Enhanced Mission Critical Services | Rel-15 |
| TS 36.322 vj00 | E-UTRA Radio Link Control Protocol Specification | Rel-19 |
| TS 38.212 vj10 | NR Multiplexing and Channel Coding | Rel-19 |
| TS 38.214 vj10 | NR Physical Layer Procedures for Data | Rel-19 |
| TR 38.882 vi00 | Technical Report on UE Location Service | Rel-18 |
| TR 38.889 vg00 | NR-based access to unlicensed spectrum study | Rel-16 |