WO2013088118A1 - System and method to provide secure access to sensitive data - Google Patents


Info

Publication number: WO2013088118A1
Application number: PCT/GB2012/052994
Authority: WO (WIPO (PCT))
Prior art keywords: data, search, authority, computer, implemented method
Other languages: French (fr)
Inventors: Philip Charles HANVEY, Niel DUNNAGE
Original Assignee: Olton Limited
Application filed by Olton Limited
Publication of WO2013088118A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/308: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information; retaining data, e.g. retaining successful or unsuccessful communication attempts, internet access, e-mail, internet telephony, intercept related information or call content

Definitions

  • the present invention relates to systems and methods for providing secure access to sensitive data. More particularly, the present invention relates to systems and methods for providing secure access to sensitive data, such as communications data, to an authorized party in a manner that strictly complies with a specific authority granting access to the sensitive data.
  • Examples of some of the most popular instant messaging services include, but are not limited to, Blackberry® Messenger (BBM™), Windows LIVE Messenger (which may be used on Microsoft's Xbox), PlayStation Network Messaging, Yahoo! Messenger, Gmail Messenger and Facebook Chat. Examples of some of the most common social media services include Facebook and Twitter. Due to the prolific use of social media and private messaging as a means for communicating between individuals, law enforcement agencies have a need to access and intercept, for intelligence and investigatory purposes, instant messages and other social media data.
  • RIPA allows for the interception of communications traffic by certain organisations - for example, Security Service, Secret Intelligence Service, the Government Communications
  • an interception warrant which sets out the specific data that may be obtained and the conditions under which it can be obtained.
  • section 8(1) of RIPA states that an interception warrant must name or describe either one person as the interception subject, or a single set of premises where the interception is to take place.
  • Section 8(2) of RIPA further states that an interception warrant must describe the communications which may be intercepted including one or more schedules setting out the addresses, numbers, apparatus or other factors, or combination of factors, that are to be used for identifying the communications that are to be intercepted.
  • An interception warrant can only be issued on one of the following grounds: in the interests of national security; for the purposes of preventing or detecting serious crime; for the purpose of safeguarding the economic well-being of the United Kingdom; or for the purpose, in specified circumstances, of giving effect to the provisions of any international mutual assistance agreement.
  • An interception warrant is usually only valid for three months. A warrant may be renewed during this three month period for a further six months if considered necessary under one of the grounds listed above.
  • the authorized entities or bodies e.g. Security Service, Secret Intelligence Service, GCHQ, police, or Customs
  • the authorized entities or bodies are often unable to obtain the communications data in a manner that does not breach the conditions of the warrant.
  • Because the communications data of interest are typically stored by the providers of such communications services (e.g. Research in Motion (RIM), Microsoft, Yahoo!, Google, and Facebook) and are only forwarded and deleted in accordance with company policy, the authorized entities must rely on the communication service providers supplying them the relevant information.
  • Most service providers are unable or unwilling to provide the level of filtering required to provide only the data specified in the warrant.
  • most service providers are unable to isolate from the complete worldwide dataset individual messages or communications.
  • the authorized entities or bodies are prevented by legislation, such as RIPA, from accepting all of the messages en masse and then performing their own search to identify the messages of interest.
  • a system for securely storing data comprising: a secure data store; a secure data network configured to transmit data; a receiving module configured to receive data over the secure data network from one or more data supplying bodies; a storage module configured to securely store the data on a temporary basis; a search module configured to search the stored data in accordance with terms of an authority to generate a search boundary to produce a set of search results; and a further search data store configured to store the set of search results, wherein the further search data store is configured so the set of search results are only accessible to one or more data accessing bodies authorised by the authority, whereby the system is configured not to permit direct access to the complete set of data stored temporarily in the secure data store.
  • Since the sensitive data is copied, transferred and securely stored at the secure data store without any human intervention, the sensitive data has not been "intercepted".
  • the sensitive data has merely been processed - e.g. routed and stored. Accordingly, the transfer and storage of sensitive data to such a secure data store is unlikely to be in contravention of the appropriate legislation (e.g. RIPA) relating to interception of sensitive communications.
  • the system for securely storing data includes a deletion module configured to automatically delete at least a portion of the data upon expiration of a predefined time period.
  • the system for securely storing data includes a deletion module configured to automatically delete at least a portion of the data when a limit of storage capacity has been reached.
  • data may be stored temporarily in the secure data store for a predefined period of time, whereupon the data is then deleted and purged from the data store.
  • the predefined period may be based on at least one of: the type of data, and an agreement.
  • the data includes one or more portions and the storage module is configured to generate and store an index for each portion of the data.
  • the secure data store includes a data integrity audit module configured to monitor the storage module.
  • the data integrity audit module may monitor all activity of the storage module and automatically generate incorruptible activity logs and history files.
  • the activity logs and history files may be used to ensure that the data stored in the storage module is in the same state as it was when it was received from the one or more bodies - e.g. it has not been manipulated (e.g. that there have been no changes, additions and/or deletions) or structurally changed.
  • the data integrity module is configured to record instances of access to the data.
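The deletion module and the data integrity audit module described in the points above, as an added example that is not code from the patent or from Olton Limited. It shows a temporary store that purges records both when a predefined period expires and when a capacity limit is reached, and an append-only activity log in which each entry commits to the hash of the previous one, so that any later edit to the history is detectable. The 90-day retention period, the three-record capacity and the record layout are assumptions chosen for the example.

```python
"""Temporary secure store with automatic deletion and a tamper-evident activity log.

Added illustration; this is not code from the patent or from Olton Limited.
The 90-day retention period, the capacity limit of three records and the
record layout are assumptions chosen for the example.
"""
from __future__ import annotations

import copy
import hashlib
import json
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ZERO_HASH = "0" * 64  # link value for the first log entry


@dataclass(frozen=True)
class Record:
    record_id: str
    received_at: datetime
    payload: dict  # copy of the message plus its metadata, as supplied


class ActivityLog:
    """Append-only log in which every entry commits to the hash of the one before it.

    Changing or removing an earlier entry breaks the chain at that point, so an
    auditor can detect manipulation of the history without trusting the operator.
    """

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, action: str, record_id: str, when: datetime) -> None:
        prev = self.entries[-1]["hash"] if self.entries else ZERO_HASH
        entry = {"action": action, "record_id": record_id,
                 "when": when.isoformat(), "prev": prev}
        # Canonical JSON so the digest does not depend on key order.
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = ZERO_HASH
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class TemporaryStore:
    """Holds records only until they expire or the capacity limit forces a purge."""

    def __init__(self, retention: timedelta, capacity: int) -> None:
        self.retention = retention
        self.capacity = capacity
        self.records: OrderedDict[str, Record] = OrderedDict()  # insertion order == age order
        self.log = ActivityLog()

    def ingest(self, record: Record) -> None:
        self.records[record.record_id] = record
        self.log.append("store", record.record_id, record.received_at)
        while len(self.records) > self.capacity:      # capacity limit: drop the oldest first
            oldest_id, _ = self.records.popitem(last=False)
            self.log.append("purge_capacity", oldest_id, record.received_at)

    def purge_expired(self, now: datetime) -> list[str]:
        expired = [rid for rid, r in self.records.items()
                   if now - r.received_at >= self.retention]
        for rid in expired:                            # time limit: delete and record it
            del self.records[rid]
            self.log.append("purge_expired", rid, now)
        return expired


def demo() -> dict:
    """Constructed run: four records into a three-record store, then a purge at day 92."""
    t0 = datetime(2012, 12, 3, 9, 0, tzinfo=timezone.utc)
    store = TemporaryStore(retention=timedelta(days=90), capacity=3)
    for i in range(4):
        store.ingest(Record(f"msg-{i}", t0 + timedelta(days=i), {"text": f"constructed message {i}"}))
    after_capacity = list(store.records)
    expired = store.purge_expired(t0 + timedelta(days=92))
    log_ok = store.log.verify()
    tampered = copy.deepcopy(store.log)                # an auditor's view after someone edits history
    tampered.entries[1]["record_id"] = "msg-edited"
    return {"after_capacity": after_capacity, "expired": expired,
            "remaining": list(store.records), "log_entries": len(store.log.entries),
            "log_ok": log_ok, "tamper_detected": not tampered.verify()}
```

The hash chain only makes manipulation detectable; to make the log effectively incorruptible in practice, the head hash has to be periodically written somewhere the store operator cannot alter (an external auditor, a write-once medium), which is the part no in-process code can provide on its own.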
  • the data includes communication data, and preferably includes a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata, and preferably each communication message may be one of a text message, an instant message and a telephone call.
  • the data is received as a stream of data.
  • the system for securely storing data includes a data filter module configured to filter the data prior to being received and stored by the secure data store.
  • the data filter module is configured to organise the data.
  • the secure data network includes a wireless data network, or a wired data network, or a combination of a wired and wireless data network.
  • the storage module includes a database.
  • the system for securely storing data includes a search audit module configured to monitor the search module and produce evidence that any searches performed on the data are in accordance with the authority.
  • the search module is configured using search parameters.
  • the search parameters are constrained by boundaries based on the terms of the authority.
  • the search parameters are constrained with templates.
  • the search boundary is automatically generated.
  • the system for securely storing data includes a search parameter set-up module configured to: receive the terms of the authority granting access to the data; and automatically generate a maximum search boundary for the data based on the received terms.
  • the system for securely storing data includes a user interface module configured to enable the one or more data accessing bodies authorized by the authority to access the set of search results stored in the further search data store.
  • access to the set of results includes the assessment, and/or analysis of the results to enhance the usability of the search results saved in the search data store.
  • access to the set of results includes the tagging, organisation, sorting, and commenting upon the search results to enhance the usability of the search results saved in the search data store.
  • the terms of the authority includes at least one of: identification of a subset of the data accessible under the authority; identification of a time period the authority is valid; and
  • the subset of the data accessible under the authority is identified by at least one of a telephone number, an internet protocol (IP) address, a device identification number, an email address, a username and a personal identification number, or is identified as being associated within a specified location.
  • IP: internet protocol
  • generating the maximum search boundary includes generating at least one search string based on the terms of the authority.
  • the search parameter set-up module is further configured to verify that the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
  • the search module is further configured to repeat the search on the temporarily stored data on a periodic basis to produce subsequent sets of search results.
  • the authority is one of a warrant and an agreement.
  • a computer-implemented system to provide secure access to data stored in a secure data store, the system comprising: a search parameter set-up module configured to: receive terms of an authority granting access to the data; and automatically generate a maximum search boundary for the data based on the received terms; and a search module configured to search the data in accordance with the maximum search boundary to produce a set of search results.
  • This system to provide secure access to data stored in a secure data store ensures that access granted to sensitive data under a specific authority is provided only in accordance with the specific authority.
  • the system is designed to ensure that the data accessing body authorized under the authority can only access the sensitive data explicitly specified in the authority and no more.
  • the system to provide secure access to data stored in a secure data store further includes a search audit module configured to monitor the search module and produce evidence that any searches performed on the data are in accordance with the authority.
  • the search audit module may be configured to receive and record the terms of the authority from the search parameter set-up module, and monitor and record all search activity performed by the search module for future audit purposes.
  • the system to provide secure access to data stored in a secure data store includes a further search data store configured to store the set of search results.
  • the set of search results stored in the further search data store are only accessible to one or more data accessing bodies authorized by the authority.
  • the system to provide secure access to data stored in a secure data store includes a user interface module configured to enable the one or more data accessing bodies authorized by the authority to access the set of search results stored in the further data store.
  • the terms of the authority includes at least one of: identification of a subset of the data accessible under the authority, identification of a time period the authority is valid, and identification of one or more data accessing bodies authorized to access the subset of the data by the authority.
  • the subset of the data accessible under the authority may be identified by at least one of a telephone number, an internet protocol (IP) address, a device identification number, an email address, a username and a personal identification number.
  • generating the maximum search boundary comprises generating at least one search string based on the terms of the authority.
  • the search parameter set-up module is further configured to verify that the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
  • the search module is further configured to repeat the search on a periodic basis to produce subsequent sets of search results.
  • Preferably, in the system to provide secure access to data stored in a secure data store, the data is communication data.
  • the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
  • the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
  • each communication message is one of a text message, an instant message, and a telephone call.
  • the system to provide secure access to data stored in a secure data store, wherein the authority is one of a warrant and an agreement.
  • a computer-implemented method of storing data in a secure data store comprising: receiving data from one or more data supplying bodies over a secure data network; and securely storing the data temporarily in a secure data store; searching the data in accordance with terms of an authority to generate a search boundary to produce a set of search results; saving the set of search results in a further search data store, wherein the further search data store is configured so the set of search results are only accessible to one or more data accessing bodies authorised by the authority, whereby the method is configured not to permit direct access to the complete set of data stored temporarily in the secure data store.
  • the computer-implemented method further comprises an audit process to determine compliance with the authority.
  • the computer-implemented method further comprises automatically deleting at least a portion of the data from the secure data store upon expiration of a predefined time period.
  • the predefined time period is based on at least one of: the type of data, and an agreement.
  • the method further comprises generating and storing in the secure data store an index for each portion of the data.
  • the computer-implemented method further comprises monitoring activity related to the secure data store and generating records of the activity.
  • the computer-implemented method further comprises filtering the source data prior to receiving the data into the secure data store.
  • the data is communication data.
  • the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
  • the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
  • each communication message is one of a text message, an instant message and a telephone call.
  • the data is received as a stream of data.
  • the secure data network comprises a wireless data network, or a wired data network, or a combination of a wired and wireless data network.
  • the storage module comprises a database.
  • the computer-implemented method further comprises a search audit module configured to monitor the search module and produce evidence that any searches performed on the data are in accordance with the authority.
  • searching the data is in accordance with search parameters.
  • the search parameters are constrained by boundaries based on the terms of the authority.
  • the search parameters are constrained with templates.
  • the search boundary is automatically generated.
  • the computer-implemented method further comprises a search parameter set-up module configured to: receive the terms of the authority granting access to the data; and automatically generate a maximum search boundary for the data based on the received terms.
  • the computer-implemented method further comprises a user interface module configured to enable the one or more data accessing bodies authorized by the authority to access the set of search results stored in the further search data store.
  • access to the set of results stored in the search data store comprises the assessment, or analysis of the results to enhance the usability of the search results.
  • access to the set of results stored in the search data store comprises the tagging, organisation, sorting, and commenting upon the search results to enhance the usability of the search results.
  • the terms of the authority comprise at least one of: identification of a subset of the data accessible under the authority; identification of a time period the authority is valid; and identification of one or more data accessing bodies authorized to access the subset of the data by the authority.
  • the subset of the data accessible under the authority is identified by at least one of a telephone number, an internet protocol (IP) address, a device identification number, an email address, a username and a personal identification number.
  • generating the maximum search boundary comprises generating at least one search string based on the terms of the authority.
  • the search parameter set-up module is further configured to verify the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
  • the search module is further configured to repeat the search on the temporarily stored data on a periodic basis to produce subsequent sets of search results.
  • the data is communication data.
  • the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
  • the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
  • each communication message is one of a text message, an instant message, and a telephone call.
  • the authority is one of a warrant and an agreement.
  • a computer-implemented method of providing secure access to data stored temporarily in a secure data store comprising: receiving terms of an authority granting access to the data; automatically defining a maximum search boundary for the data based on the terms of the authority; and searching the data stored in the secure data store in accordance with the maximum search boundary to produce a set of search results.
  • the computer-implemented method further comprises monitoring the searching performed on the data and generating records of the searching to ensure that any searching is in accordance with the authority.
  • the computer-implemented method further comprises storing the search results in a further search data store.
  • the set of search results stored in the further search data store are only accessible to one or more data accessing bodies authorized by the authority.
  • the computer-implemented method further comprises providing only the one or more data accessing bodies authorized by the authority access to the set of search results stored in the further search data store.
  • the terms of the authority comprise at least one of: identification of a subset of the data accessible under the authority; identification of a time period the authority is valid; and identification of one or more data accessing bodies authorized by the authority.
  • the subset of the data accessible under the authority is identified by at least one of a telephone number, a username, an internet protocol (IP) address, an email address, and a personal identification number.
  • generating the maximum search boundary comprises generating at least one search string based on the terms of the authority.
  • the computer-implemented method further comprises verifying that the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
  • the computer-implemented method further comprises repeating the searching on the temporarily stored data on a periodic basis to produce subsequent sets of search results.
  • the data is communication data.
  • the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
  • the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
  • each communication message is one of a text message, an instant message and a telephone call.
  • the authority is one of a warrant and an agreement.
  • apparatus for providing secure access to data stored in a secure data store comprising one or more computers each comprising one or more processors, the apparatus being configured to implement any of the systems described above.
  • the method of providing secure access to data may include storing of the secure data.
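The search parameter set-up module, search module, search audit module and further search data store described in the system points and again in the method points above, as one added example that is not the patent's or Olton Limited's code. It derives a maximum search boundary from the terms of an authority, independently verifies that a boundary does not extend beyond those terms before any search runs, records every attempt (including refused ones) for audit, and stores the results so that only the bodies named in the authority can read them; the temporary store is never returned whole. The authority layout, the identifier types, the sample records and the body names are assumptions made for the example, as is the choice to apply the authority's validity period both to the message timestamps and to the time the search is run.

```python
"""Search bounded by the terms of an authority, with an audit trail and a results
store that only the authorised bodies can read.

Added illustration; this is not the patent's or Olton Limited's code. The
authority layout, the identifier types, the sample records and the body names
are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

IDENTIFIER_TYPES = {"telephone", "ip", "device_id", "email", "username", "pin"}


@dataclass(frozen=True)
class Authority:
    authority_id: str
    identifiers: frozenset       # (type, value) pairs naming the subject
    valid_from: datetime
    valid_to: datetime
    accessing_bodies: frozenset  # bodies permitted to read the results


@dataclass(frozen=True)
class Boundary:
    """Maximum search boundary: the widest query the authority permits."""
    authority_id: str
    predicates: frozenset
    valid_from: datetime
    valid_to: datetime


class BoundaryError(ValueError):
    pass


def generate_boundary(auth: Authority) -> Boundary:
    """Derive the boundary from the authority's terms, never from operator input."""
    unknown = {kind for kind, _ in auth.identifiers} - IDENTIFIER_TYPES
    if unknown:
        raise BoundaryError(f"unsupported identifier types: {sorted(unknown)}")
    if not auth.identifiers:
        raise BoundaryError("authority names no identifiers; refusing an unbounded search")
    return Boundary(auth.authority_id, frozenset(auth.identifiers), auth.valid_from, auth.valid_to)


def verify_boundary(boundary: Boundary, auth: Authority) -> None:
    """Independent check that a boundary does not extend beyond the authority."""
    if boundary.authority_id != auth.authority_id:
        raise BoundaryError("boundary belongs to a different authority")
    if not boundary.predicates <= auth.identifiers:
        raise BoundaryError("boundary names identifiers the authority does not")
    if boundary.valid_from < auth.valid_from or boundary.valid_to > auth.valid_to:
        raise BoundaryError("boundary window exceeds the authority's validity period")


def _matches(record: dict, boundary: Boundary) -> bool:
    if not (boundary.valid_from <= record["sent_at"] <= boundary.valid_to):
        return False
    parties = set(record["sender"].items()) | set(record["recipient"].items())
    return bool(parties & boundary.predicates)


class SearchModule:
    """The only path to the temporary store; there is no call that returns it whole."""

    def __init__(self, records: list) -> None:
        self._records = records  # temporary store contents, never exposed directly
        self.audit: list = []    # search audit module: one entry per attempt

    def search(self, auth: Authority, boundary: Boundary, now: datetime) -> list:
        try:
            verify_boundary(boundary, auth)
            if not (auth.valid_from <= now <= auth.valid_to):
                raise BoundaryError("authority is not in force at search time")
        except BoundaryError as exc:
            self.audit.append({"authority": auth.authority_id, "outcome": "refused", "reason": str(exc)})
            raise
        hits = [r for r in self._records if _matches(r, boundary)]
        self.audit.append({"authority": auth.authority_id, "outcome": "ok",
                           "predicates": sorted(boundary.predicates), "run_at": now.isoformat(),
                           "window": [boundary.valid_from.isoformat(), boundary.valid_to.isoformat()],
                           "hits": len(hits)})
        return hits


class SearchResultsStore:
    """Further search data store: results keyed by authority, readable only by its bodies."""

    def __init__(self) -> None:
        self._results: dict = {}

    def save(self, auth: Authority, hits: list) -> None:
        self._results[auth.authority_id] = (auth.accessing_bodies, list(hits))

    def read(self, authority_id: str, body: str) -> list:
        bodies, hits = self._results[authority_id]
        if body not in bodies:
            raise PermissionError(f"{body} is not authorised under {authority_id}")
        return list(hits)


def demo() -> dict:
    utc = timezone.utc
    records = [  # constructed sample records held in the temporary store
        {"id": "m1", "sent_at": datetime(2012, 12, 10, tzinfo=utc),
         "sender": {"username": "alpha"}, "recipient": {"username": "beta"}},
        {"id": "m2", "sent_at": datetime(2012, 12, 11, tzinfo=utc),
         "sender": {"username": "gamma"}, "recipient": {"username": "delta"}},
        {"id": "m3", "sent_at": datetime(2013, 4, 1, tzinfo=utc),  # after the validity period
         "sender": {"username": "beta"}, "recipient": {"username": "alpha"}},
    ]
    auth = Authority("AUTH-EXAMPLE-1", frozenset({("username", "alpha")}),
                     datetime(2012, 12, 1, tzinfo=utc), datetime(2013, 3, 1, tzinfo=utc),
                     frozenset({"body-a"}))
    module, store, now = SearchModule(records), SearchResultsStore(), datetime(2012, 12, 20, tzinfo=utc)
    hits = module.search(auth, generate_boundary(auth), now)
    store.save(auth, hits)
    try:
        store.read(auth.authority_id, "body-b")
        unauthorised_refused = False
    except PermissionError:
        unauthorised_refused = True
    # A hand-widened boundary (an identifier the authority never named) is refused and audited.
    wide = Boundary(auth.authority_id, auth.identifiers | {("username", "gamma")},
                    auth.valid_from, auth.valid_to)
    try:
        module.search(auth, wide, now)
        overbroad_refused = False
    except BoundaryError:
        overbroad_refused = True
    return {"hits": [r["id"] for r in hits],
            "authorised_read": [r["id"] for r in store.read(auth.authority_id, "body-a")],
            "unauthorised_refused": unauthorised_refused, "overbroad_refused": overbroad_refused,
            "audit_outcomes": [a["outcome"] for a in module.audit]}
```

The periodic re-run the claims describe is just `module.search(auth, generate_boundary(auth), later)` on a schedule; because the boundary is regenerated from the authority each time, an authority that has lapsed is refused on the next run and the refusal appears in the audit trail rather than silently returning nothing.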
  • Figure 1 is a block diagram of a system for obtaining and storing sensitive data from a
  • Figure 2 is a block diagram of a system for providing secure access to sensitive data in accordance with an authority granting access to the sensitive data
  • Figure 3 is a schematic of an exemplary interception warrant
  • Figure 4 is a schematic of an exemplary user interface for the search parameter set-up module of Figure 2;
  • Figure 5 is a schematic of an exemplary user interface module of Figure 2;
  • Figure 6 is a flow chart of a method for obtaining and storing sensitive data from a communications service provider
  • Figure 7 is a flow chart of a method for providing secure access to sensitive data in accordance with an authority granting access to the sensitive data
  • Figure 8 is a block diagram of a system for a plurality of entities to share and access sensitive data in accordance with an authority granting access to the sensitive data.
  • the methods and systems described herein are designed to provide secure access to sensitive data in accordance with a specific authority to access the sensitive data.
  • authority is intended to cover a form of authority granted to an individual or organisation and may take the form of an agreement, contract, warrant or permission.
  • providing secure access to sensitive data can mean providing secure and restricted access to sensitive data.
  • Sensitive data is intended to cover any data that is not generally available to the public. Typically sensitive data can only be accessed under a proper authority. Sensitive data may include, but is not limited to, records of personal communications, such as telephone calls, text messages and instant messages; confidential information; and other personal information.
  • Unauthorized access to sensitive data may result in personal or confidential information being compromised.
  • FIG. 1 illustrates an exemplary system 100 for obtaining and securely storing sensitive data from a communications service provider 101.
  • the communications service provider 101 is described as an instant message service provider and the sensitive data is instant message records, however, it will be evident to a person of skill in the art that the general principles described herein may be equally applied to any communications service provider and any data produced by a communication service provider.
  • the term "communication service provider" is intended to cover any organisation that provides services that allow two or more entities to communicate with each other. Communications service providers include, but are not limited to, cellular phone service providers, text message service providers, instant message service providers, and social networking service providers.
  • data that may be produced by a communications service provider includes, but is not limited to, telephone call records, text message records and instant message records.
  • the communications service provider 101 provides a communication service to a plurality of users or subscribers 102, 103 and 104.
  • the communication service allows the users 102, 103 and 104 to communicate with one another.
  • an instant message service provider may provide an instant message service that allows users or subscribers of the service to exchange text messages.
  • Each communication transmitted from a user or subscriber 102, 103 or 104 is received by the communications service provider 101 which creates and stores a record of the communication.
  • an instant message service provider may create and store a record of each instant message sent by its users. Since each communication record is a record of a personal conversation it forms sensitive data.
  • the communication records are stored in a secure database 105 maintained by the communications service provider 101, however, it will be evident to a person of skill in the art that the communication records may be stored by the communications service provider 101 in any suitable manner.
  • the communications service provider 101 may alternatively store the communication records on tape, compact disc (CD), or digital video disk (DVD).
  • the communications service provider 101 may only store the communication records for a limited period of time. For example, the communications service provider 101 may only store the communication records for a period long enough to complete the process. Alternatively, the communications service provider 101 may only store the communication records until the secure database 105 becomes full and requires purging to make room for new communication records.
  • the communications service provider 101 then processes and analyses the communication to identify the intended recipient(s) and forwards the communication to the intended recipient.
  • the user or subscriber 102, 103 or 104 may encrypt each communication prior to transmission.
  • each user or device 102, 103 or 104 may be assigned a unique global encryption key which is used to encrypt each communication.
  • the processing and analysis performed by the communications service provider 101 may include decrypting the communication.
  • the sensitive data stored by the communications service provider 101 can prove invaluable to criminal investigations, however, law enforcement agencies can only lawfully access the sensitive data in accordance with an authority granted under the appropriate legislation. For example, in the UK, law enforcement agencies can only lawfully intercept personal communications after they have obtained an interception warrant under RIPA.
  • the problem is that even if a law enforcement agency is able to obtain an authority under the appropriate legislation to access the sensitive data, communications service providers do not typically have the information technology (IT) capabilities to be able to provide the sensitive data in a format that complies with the authority. Specifically, they do not typically have the searching or filtering capabilities to be able to provide the authorized law enforcement agency with only the sensitive data specified in the authority.
  • the law enforcement agencies similarly cannot be given carte blanche access to the sensitive data to perform their own searches or filtering because this would expose the law enforcement agencies to information that falls outside the scope of the authority.
  • a system has been developed that allows sensitive data to be automatically copied, transferred and securely stored at a separate remote facility where it can only be accessed in accordance with an appropriate authority. Since the sensitive data is copied, transferred and securely stored at the separate remote facility without any human intervention, the sensitive data has not been "intercepted". The sensitive data has merely been processed - e.g. routed and stored. Accordingly, the transfer and storage of sensitive data in accordance with the systems and methods described herein is unlikely to be in contravention of the appropriate legislation (e.g. RIPA) relating to interception of sensitive communications.
  • the sensitive information is securely stored at the remote facility in a manner so that it cannot be directly accessed by any party, including the body (e.g. the communications service provider 101) that created the sensitive data, it can only be indirectly accessed by entities or bodies (e.g. law enforcement agency) with an appropriate authority.
  • Direct Access is used herein to mean the ability to obtain readable access to the full data set held temporarily in the secure data storage facility 111.
  • authorized entities cannot obtain direct access to the copy of that data held in the secure data storage facility 111. Instead, an authorized entity can only obtain readable access to a subset of that data presented to them as a set of search results.
  • an exact copy of the sensitive data is transmitted to a secure data storage facility 111 via a secure data network 106 where it is stored in a secure impenetrable data store 108.
  • the secure data network 106 may be any suitable data network such as a wireless data network, a wired data network, or a combination of a wired and wireless data network.
  • the communications service provider 101 may be obligated to supply the sensitive data to the secure data storage facility 111 under an agreement or law.
  • the communications service provider 101 may be party to an agreement or contract which requires the communications service provider 101 to supply the secure data storage facility 111 with all or a subset of the sensitive data collected by the communications service provider 101.
  • the communications service provider 101 may be under compulsion by law to provide all or a subset of the collected sensitive data to the secure data storage facility 111.
  • a law enforcement agency may obtain an interception warrant under RIPA which compels the communications service provider 101 to provide a subset of the sensitive data to the secure data storage facility 111.
  • the sensitive data may be filtered by a data filter module 107 prior to being delivered to the secure data storage facility 111 to ensure that only the sensitive data meeting the
  • the data filter module 107 may be configured to filter out all non-UK-to-UK instant message records from the sensitive data.
  • the data filter module 107 may also organise data streams into common data fields. For example, date formats from different communication data suppliers may differ, and therefore the data filter module 107 can match data elements together or assign metadata to specific fields.
  • the communications service provider 101 will also typically provide to the secure data storage facility 111 the information required to decrypt the sensitive information.
  • the information required for decryption may be provided to the secure data storage facility 111 via the data network 106 or any other suitable means.
  • the communications service provider 101 may provide the global encryption keys for the relevant users/devices.
  • the sensitive data may be streamed to the secure data storage facility 111.
  • data streaming is intended to cover the transferring of data so that it can be processed as a steady and continuous stream.
  • data streaming includes the continuous transfer of data at a steady high-speed rate sufficient to enable the recipient to monitor communications between two or more parties in real-time.
  • the sensitive data may be transferred through a series of transfers. Such transfers may be initiated by the communications service provider 101 or by the secure data storage facility 111.
  • the secure data storage facility 111 stores the received sensitive data in the secure impenetrable data store 108 in a manner so that no party, including the entity that provided the sensitive data to the secure data storage facility 111 (e.g. the communications service provider 101), has direct access to the sensitive data. Only those entities (e.g. individuals or organizations) with an appropriate authority will be provided indirect access to the sensitive data. Even with an appropriate authority, the authorized entities may only have indirect access to the sensitive data specified in the authority, and no more. In some examples the person skilled in the art will appreciate that a search engine may be used to provide indirect access to the sensitive data.
  • the secure impenetrable data store 108 may comprise a receiving module (not shown) for receiving the sensitive data and a storage module (not shown) for storing the received sensitive data.
  • the storage module may be in the form of or including a database.
  • a "secure impenetrable data store" is intended to cover a form of data store wherein access to the data contained therein is strictly controlled.
  • a secure impenetrable data store may be established using known means such as a firewall and encryption. For example, all reasonable precautions subject to standard CESG (Communications-Electronics Security Group) approved accreditation procedures may be taken to ensure that the sensitive data stored in the secure impenetrable data store 108 may not be accessed without an appropriate authority.
  • the secure impenetrable data store 108 may be configured to only store sensitive data for a predefined period of time. Upon expiry of the predefined period of time, all traces of the particular sensitive data may be automatically deleted from the secure impenetrable data store 108.
  • the secure impenetrable data store 108 may then be understood as implementing a rolling window where any sensitive data not falling within the window is deleted from the secure impenetrable data store 108. For example, if the predefined period of time is 7 days, any sensitive data older than 7 days may be automatically deleted. This means that in some examples any sensitive data older than a predefined period of time measured from the date of capture may be automatically deleted.
  • the predefined period of time will typically range from days (e.g. 14 days) to years. However, it will be evident to a person of skill in the art that any suitable predefined period of time may be used.
  • the predefined period of time may be based on the type of sensitive data and/or the terms of the agreement between the parties. Accordingly, different types of sensitive data may have different predefined periods of time. For example, text message records and instant message records may have different predefined periods of time.
  • the secure impenetrable data store 108 may be configured to delete and purge data held in the secure impenetrable data store 108 when a certain storage capacity has been reached, such that any new data being received into the secure impenetrable data store 108 results in a corresponding amount of data being removed from the secure impenetrable data store 108 on a continuous rolling basis.
  • the data storage limit permissible may be selected, or may be determined by the physical storage capacity of the hardware employed.
  • the secure impenetrable data store 108 may also be configured to automatically index the received sensitive data.
  • the sensitive data may be divided into a plurality of portions where each portion corresponds to a communication record, for example. Indexing may then involve generating an index for each portion (e.g. communication record) and storing the index alongside the corresponding portion of sensitive data in the secure impenetrable data store 108. The index may then be updated upon deletion of the corresponding sensitive data. Indexing may greatly speed up any searches performed on the sensitive data. Alternatively the indexing may be carried out by a module separate from the secure impenetrable data store.
  • the secure data storage facility 111 may also include a data integrity audit module 110 to ensure the integrity of the sensitive data stored in the secure impenetrable data store 108.
  • the data integrity audit module 110 may monitor all activity of the secure impenetrable data store 108 and automatically generate incorruptible activity logs and history files.
  • the data integrity audit module 110 may monitor all activity that occurs on the secure impenetrable data store and compare it against predefined rules and parameters. Any variances detected between what is measured and the predefined rules and parameters may trigger a variance report prompting further investigation as necessary. This means that the data integrity module can be considered to ensure both the protection and integrity of the data stored in the secure impenetrable data store 108.
  • the activity logs and history files may be used to ensure that the sensitive data stored in the secure impenetrable data store 108 is in the same state as it was when it was received from the communications service provider 101— it has not been manipulated (e.g. that there have been no changes, additions and/or deletions) or structurally changed.
  • the data integrity audit module 110 therefore provides the parties (e.g. the communications service provider 101 and the law enforcement agencies) with confidence that the sensitive data stored in the secure impenetrable data store 108 has not been tampered with.
  • the data integrity audit module 110 may also be used to ensure that the sensitive data is deleted in accordance with the predefined period(s) of time.
  • the predefined period(s) of time may be provided to the data integrity audit module 110 which then monitors the secure impenetrable data store 108 to ensure that the sensitive data is deleted in accordance with the predefined period(s) of time.
  • the data integrity module 110 may be configured to monitor the number of records being deleted from the secure impenetrable data store 108 to ensure that it is the same as the number that entered the data store a predetermined time ago. For example, where the predefined period of time is seven days, the number of records deleted on a particular day should be the same as the number of records added to the secure impenetrable data store 108 seven days earlier.
  • the data integrity audit module 110 may be configured to automatically produce regular audit reports and example records for scrutiny by the system administrators and other regulatory bodies.
  • the data integrity audit module 110 may also be configured to enable administrators to conduct detailed investigations regarding the correct usage of the system 100 and adherence to protocols.
  • the data integrity audit module 110 may also be configured to automatically produce an alert when it detects an error condition. Examples of error conditions include, but are not limited to: the sensitive data has been modified; and/or the sensitive data has not been deleted in accordance with the predefined period(s) of time.
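The rolling-window deletion and the deletion-count reconciliation described above, as an added Python example that is not code from the patent or from Olton Limited. The record layout, the arrival schedule, the start date and the hash-chained activity log used to make the logs tamper-evident are all assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Record:
    record_id: str
    captured_on: date   # date of capture: the reference point for the retention window
    payload: str

def _canon(event: dict) -> str:
    """Canonical serialisation of a log event so its digest is reproducible."""
    return json.dumps(event, sort_keys=True, default=str)

class RollingStore:
    """Keeps each record for `retention_days` from capture, then purges it; logs every change."""

    def __init__(self, retention_days: int):
        self.retention_days = retention_days
        self.records = {}           # record_id -> Record
        self.added_per_day = {}     # day -> number of records received that day
        self.deleted_per_day = {}   # day -> number of records purged that day
        self.log_chain = []         # hash-chained activity log (assumed tamper-evidence scheme)

    def _log(self, event: dict) -> None:
        prev = self.log_chain[-1]["digest"] if self.log_chain else "0" * 64
        digest = hashlib.sha256((prev + _canon(event)).encode()).hexdigest()
        self.log_chain.append({"event": event, "prev": prev, "digest": digest})

    def receive(self, rec: Record, today: date) -> None:
        self.records[rec.record_id] = rec
        self.added_per_day[today] = self.added_per_day.get(today, 0) + 1
        self._log({"op": "add", "id": rec.record_id, "day": today})

    def purge_expired(self, today: date) -> int:
        """Delete every record whose age has reached the retention period; return the count."""
        cutoff = today - timedelta(days=self.retention_days)
        expired = [rid for rid, r in self.records.items() if r.captured_on <= cutoff]
        for rid in expired:
            del self.records[rid]
            self._log({"op": "delete", "id": rid, "day": today})
        self.deleted_per_day[today] = self.deleted_per_day.get(today, 0) + len(expired)
        return len(expired)

def reconcile(store: RollingStore, today: date) -> list:
    """Integrity audit: deletions today must equal arrivals exactly `retention_days` ago."""
    expected = store.added_per_day.get(today - timedelta(days=store.retention_days), 0)
    actual = store.deleted_per_day.get(today, 0)
    return [] if expected == actual else [f"{today}: deleted {actual}, expected {expected}"]

def verify_chain(chain: list) -> bool:
    """Re-derive every digest; an edited, removed or reordered entry breaks the chain."""
    prev = "0" * 64
    for entry in chain:
        if entry["prev"] != prev:
            return False
        if hashlib.sha256((prev + _canon(entry["event"])).encode()).hexdigest() != entry["digest"]:
            return False
        prev = entry["digest"]
    return True

def simulate(retention_days: int = 7, skip_purge_day: Optional[int] = None,
             tamper_log: bool = False) -> dict:
    """Run the store for 14 days over constructed arrivals and return the audit findings.

    skip_purge_day models a scheduled purge that failed to run on that day; tamper_log
    models an after-the-fact edit of the activity log. The audit must catch both.
    """
    start = date(2011, 12, 14)      # constructed start date
    arrivals = {0: 3, 1: 2, 3: 1}   # day offset -> records received (constructed)
    store = RollingStore(retention_days)
    variances = {}
    for offset in range(14):
        today = start + timedelta(days=offset)
        for i in range(arrivals.get(offset, 0)):
            store.receive(Record(f"r{offset}-{i}", today, "constructed payload"), today)
        if offset != skip_purge_day:
            store.purge_expired(today)
        found = reconcile(store, today)
        if found:
            variances[offset] = found
    if tamper_log:
        store.log_chain[0]["event"]["id"] = "forged"
    return {"variances": variances, "remaining": len(store.records),
            "chain_ok": verify_chain(store.log_chain)}
```

A skipped purge shows up twice: as too few deletions on the day it was missed and as too many on the day the backlog is cleared, which is exactly the variance the audit module is meant to raise.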
  • Each of the data filter module 107, the secure impenetrable data store 108 and the data integrity audit module 110 may be implemented in hardware or software.
  • each of the data filter module 107, the secure impenetrable data store 108 and the data integrity audit module 110 may be implemented by one or more computers, each computer comprising one or more processors.
  • each of the data filter module 107, the secure impenetrable data store 108 and the data integrity audit module 110 may be implemented by instructions that are stored on a computer readable medium and which, when executed by a computer, perform the functions described above.
  • the secure impenetrable data store 108 and the data integrity audit module 110 may be
  • Figure 2 illustrates an exemplary system 200 for allowing authorized access to the sensitive data stored in the secure impenetrable data store 108 of Figure 1 in accordance with an authority.
  • Obtaining the authority typically involves submitting a request to the appropriate body for approval.
  • the law enforcement agency must submit a request to the Secretary of State.
  • the request typically must set out the specific communications data they would like to access, and the reasons the requested access should be granted. If the request is approved an authority is granted which usually carries with it quite simple, but very strict rules on what information can and cannot be accessed, how it may be obtained, and the time periods in which it may be obtained. For example, in the UK, if the Secretary of State approves the request an interception warrant is issued.
  • FIG. 3 illustrates an example of an authority in the form of an interception warrant 300.
  • the warrant 300 comprises an introduction section 302 which sets out basic information (e.g. name, date of birth and address) of the person for whom the law enforcement agency wishes to intercept communications; an intelligence section 304 that sets out the justification for the interception warrant; a request section 306 that sets out the specifics of the interception request (e.g. what types of communication are to be monitored (e.g. BBM messages)), and the means used to identify the communications of interest (e.g. BBM PIN: 2K6de3L2); and an approval section 308 that sets out the specifics of the authority given to the law enforcement agency.
  • the approval section 308 typically sets out how the communications of interest are to be identified and the time period for which the warrant is valid. For example, in the exemplary interception warrant 300, the approval section 308 specifies that the law enforcement agency has been given permission to monitor and intercept communications related to mobile number 0787123467899 and BBM PIN: 2K6de3L2 for the time period of 14th December 2011 to 12th December 2012.
  • the system 200 is designed to ensure that access granted to sensitive data under a specific authority is provided only in accordance with the specific authority.
  • the system 200 is designed to ensure that the data accessing body or entity authorized under the authority can only access the sensitive data explicitly specified in the authority and no more.
  • the system 200 comprises the secure impenetrable data store 108 of Figure 1 for storing the sensitive data; a search parameter set-up module 202 for obtaining the terms of the authority that grants access to the sensitive data and generating a maximum search boundary based on the terms of the authority; and a search module 204 for searching the sensitive data stored in the secure impenetrable data store 108 in accordance with the maximum search boundary to produce a set of search results.
  • the system 200 may also comprise a search audit module 206 for recording the terms of the authority and the search activities undertaken on the sensitive data stored in the secure impenetrable data store 108; a search data store 208 for storing the search results; and a user interface module 210 for providing authorized entities with controlled access to the search results stored in the search data store 208.
  • the system 200 may also provide for analysis and assessment of the search results, to enhance the usability of the search results stored in the search data store.
  • Any authority granting access to sensitive data typically defines the terms of the access.
  • the terms may include, but are not limited to, the specific sensitive data that may be accessed under the authority and the time period over which the specific sensitive data may be collected.
  • the search parameter set-up module 202 is configured to receive the terms of the authority and generate the maximum search boundary for that authority based on the received terms.
  • the maximum search boundary may be defined by one or more search strings based on the terms of the authority.
  • the search strings may define the parameters and time frame of the search under that authority.
  • the search parameter set-up module 202 may also be configured to generate a list of entities entitled to access the sensitive data under the authority. Typically, a search under a particular authority cannot be performed on the sensitive data until the terms of the authority have been provided to the search parameter set-up module 202 and the maximum search boundary generated.
  • the search parameter set-up module 202 may also be configured to generate a unique authority identification (ID) for each specific authority entered in the search parameter set-up module 202.
  • an authority ID may be generated for each warrant or agreement entered into the search parameter set-up module 202.
  • the unique authority ID may be used (1) to ensure that any searches performed under that specific authority do not extend beyond the boundaries of the authority; and (2) to track (e.g. log or record) any searches performed under that specific authority.
  • the terms of the authority may be manually or automatically entered into the search parameter setup module 202.
  • the search parameter set-up module 202 may comprise a user interface that allows a user or administrator to manually enter the terms of the authority.
  • the details of the interception warrant may be provided to an administrator of the system who then enters the terms of the interception warrant into the search parameter set-up module 202 user interface.
  • the terms of the authority are manually entered into the search parameter set-up module 202 by a trusted third party. This would provide further assurance that the sensitive data stored in the secure impenetrable data store 108 may only be accessed under the terms of an appropriate and valid authority.
  • the authority is a RIPA interception warrant
  • the trusted third party is selected so that they do not have a vested interest in any investigation related to the specific RIPA interception warrant. Accordingly, the trusted third party has no incentive to falsify the terms of the authority to increase or alter the sensitive data that may be accessed under the warrant.
  • the trusted third party may be separate from any of the government agencies and may be subject to monitoring and/or inspection by an Independent RIPA Commissioner.
  • the terms of the authority may be entered by a separate department within a particular law enforcement agency that has no connection with the investigation teams connected to the specific authority (e.g. RIPA interception warrant) and that acts only to provide an internal service.
  • the search parameter set-up module 202 may comprise an automatic module that receives the details of the authority in electronic form and automatically obtains the terms of the authority without user intervention.
  • the authority may be scanned or otherwise converted into a PDF (Portable Document Format) document which is emailed to the search parameter set-up module 202.
  • the search parameter set-up module 202 may then automatically scan the PDF document for the relevant terms.
  • Some benefits of automatically entering the terms over manually entering the terms of the authority include, but are not limited to: (1) there is no need to obtain and train a person to manually enter the terms of the authority; and (2) the automatic detection of the terms of the authority decreases the chance that an error is made in entering the terms of the authority.
  • the maximum search boundary may be manually or automatically generated. For example, in some cases, an administrator will use the terms of the authority to enter search parameters which are then converted into one or more search strings. In these cases, the search parameter set-up module 202 may provide templates for the administrator that convert the inputted parameters into very specific executable search strings that ensure that the boundaries of the authority cannot be accidentally circumvented or breached when activated. Alternatively, the search parameter set-up module 202 may be configured to automatically generate the search strings based on the received authority terms.
  • once the search string(s) and authority ID have been generated by the search parameter set-up module 202, they are transmitted or provided to the search module 204.
  • the search string(s) may be verified against the terms of the authority to ensure that any search conducted using the search string(s) does not go beyond the authority and the authority is valid. For example, the dates for searching defined by the search string(s) may be compared against the current date to ensure that the search may be lawfully conducted.
  • the search parameter set-up module 202 may be configured to transmit or provide the search string(s) and authority ID to the search module 204 only after the search is "activated".
  • the search parameter set-up module 202 comprises a user interface
  • the user interface may include means, such as a button, to allow the administrator to activate the search.
  • the search parameter set-up module 202 may be configured to automatically provide the search string(s) to the search module 204 once they have been generated and verified.
  • the search parameter set-up module 202 may also be configured to alert or notify the authorized entities that the authority has been set-up.
  • the alert or notification may be displayed to the authorized entity at the user interface module 210.
  • the search parameter set-up module 202 may also be configured so that certain search functions are disabled and other search inputs are subjected to strict data validation rules. In some examples the search parameter set-up module 202 may also be configured so that searches on certain key words are not possible, i.e. such search functionality is disabled. This is because searching on such key words could be in breach of the specific RIPA interception warrant.
  • Figure 4 illustrates an exemplary search parameter set-up module user interface 400 to be used for RIPA authorities (called "RIPA Authorisation Notice" or "RIPA Request"). It shows RIPA authorities that have already been entered into the system and allows an administrator to enter additional RIPA authorities using, for example, the "Register" button.
  • the search module 204 is configured to search the secure impenetrable data store 108 for the sensitive data outlined in the authority. As described above, the sensitive data stored in the secure impenetrable data store 108 may be indexed to increase the speed at which searches may be performed. A copy of the index may be stored in the search module 204. In some cases, it may be the search module 204 that indexes the sensitive data stored in the secure impenetrable data store 108 and then stores a copy of the index data.
  • the search module 204 is integrated with the secure data storage facility 111. In some examples the search module 204 is integrated with the secure impenetrable data store 108. In other examples the search module 204 may not be integrated with the secure data storage facility 111 or the secure impenetrable data store 108.
  • the search module 204 is the only means by which data in the secure data storage facility 111 can be accessed. However, in some examples other means of access may be provided. As described above, preferably the sensitive data stored in the secure impenetrable data store 108 has been indexed. This may drastically increase the speed at which searches may be performed.
  • the search module 204 may be configured to automatically perform an initial search of the secure impenetrable data store 108 using the search string(s) received from the search parameter set-up module. In other cases, particularly where there is a large amount of sensitive data to be searched, the search module 204 may be configured to perform the initial search at a predetermined time. For example, the search module 204 may be configured to schedule the initial search at a down time. The initial search identifies all of the sensitive data in the secure impenetrable data store 108 that matches the search criteria.
  • a copy of the results of the initial search is extracted and placed into a further data store 208, herein after referred to as the search data store 208.
  • the search module 204 may generate a copy of the results of the initial search and forward the copy to the search data store 208.
  • search data is intended to cover the results of a search not the data used by the search module 204 to conduct the search.
  • the "search data” may comprise both the search results and the search string(s) used to conduct the search.
  • the search results may be stored in the search data store 208 alongside the search string(s) used to produce the search results.
  • the search data store 208 is in the form of a database, but it will be evident to a person of skill in the art that the search data store 208 may take other appropriate forms.
  • the search module 204 is the only device that has direct access to the secure impenetrable data store 108 (and thus to the sensitive data stored in it). Since all activity of the search module 204 is monitored by the search audit module 206, it can be ensured that there is no unauthorized access to the sensitive data stored in the secure impenetrable data store 108. As noted above, the search module 204 may hold the data index (which allows faster searching of the data) together with the search, copy and forward functions that extract the relevant compliant data. In this way the data in the search module will reflect that held in the Secure Impenetrable Data Store 108. This ensures that there is no other access to the Secure Impenetrable Data Store, with only the audit and data cleansing roles acting on the secure data.
  • the search data store 208 allows for the capture and preservation of the search results. It should be noted that the process of capturing and preserving the search results does not alter the data in the secure impenetrable data store 108. During this process, the sensitive data stored in the secure impenetrable data store 108 remains in the secure impenetrable data store 108. In some examples, the search data store 208 allows for the capture and preservation of the search results only.
  • the search results are placed in the search data store 208 as incorruptible read only records to ensure that the data cannot be subsequently altered.
  • the incorruptible read only records may also contain, but are not limited to, one or more of the following: the authority ID, the search string(s) used to generate the search results, and other associated metadata (e.g. the date and time of the search and the username of the person initiating the search, if appropriate). If the sensitive data was stored in the secure impenetrable data store 108 in encrypted format, the extraction process may also comprise decrypting the search results prior to storing them in the search data store 208.
  • the terms of the authority will typically stipulate the time period for which the authorized entity may have access to the sensitive data. In some cases, the authority will stipulate a very small window of time (e.g. a day), whereas in other cases, the authority will stipulate a very large window of time (e.g. three months). Where the authority stipulates a time period that extends beyond the predefined period(s) of time used to trigger automatic deletion of the sensitive data, the search module 204 may be configured to automatically repeat the search under that authority at a predetermined rate in order to identify new matches of sensitive data that subsequently arrive in the secure impenetrable data store 108. For example the search module 204 may be configured to search the secure impenetrable data store 108 every minute until expiry of the authority.
  • the rate at which a particular search is repeated may be manually set by the administrator (e.g. using the user interface of the search parameter set-up module 202) or automatically set based on the time period for access and the predefined period(s) of time used to trigger automatic deletion.
  • Any new matches that are identified by a subsequent search are decrypted (if necessary) and stored in the search data store 208 alongside the matches already copied to the search data store 208 during the initial search using the authority ID.
  • the search module 204 may be configured to, each time it performs a search, verify that the search string(s) being used remains valid and within the realms of the authority.
  • the system 200 may also include a search audit module 206 to ensure that all searches performed on the sensitive data stored in the secure impenetrable data store 108 are in conformance with the one or more authority.
  • the search audit module 206 receives and records the terms of the authority from the search parameter set-up module 202, and monitors and records all search activity related to the sensitive data stored in the secure impenetrable data store 108 for future audit purposes.
  • the search audit module 206 may be configured to monitor: (1) the search parameter set-up module 202 to ensure that the terms of the one or more authority were correctly entered; and/or (2) the search module 204 to ensure that any searches performed on the sensitive data are in accordance with the one or more authority.
  • the search audit module 206 may be configured to automatically produce regular audit reports and example records for scrutiny by the system administrators and other regulatory bodies.
  • the search audit module 206 may also be configured to enable administrators to conduct detailed investigations regarding the correct usage of the system 200 and adherence to protocols.
  • the search audit module 206 may be configured to automatically produce an alert when it detects an error condition.
  • error conditions include, but are not limited to: a search that does not comply with the one or more authority has been conducted on the sensitive data; and/or the terms of an authority have not been correctly entered.
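The set-up, bounded search and search-audit flow described above (the authority's terms becoming the maximum search boundary with a unique authority ID, every search checked against that boundary and the authority's validity dates before it runs, matches copied out as read-only records tagged with the authority ID, and the audit module re-checking the recorded searches), as an added Python example that is not code from the patent or from Olton Limited. The identifiers, users and records are constructed; deriving the authority ID from a hash of the terms and using read-only mappings for search records are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, datetime
from types import MappingProxyType

@dataclass(frozen=True)
class Authority:
    """Terms of an authority (e.g. an interception warrant), used as the maximum search boundary."""
    identifiers: frozenset     # means of identifying the communications of interest
    valid_from: date
    valid_to: date
    entitled_users: frozenset  # entities entitled to access data under the authority

@dataclass(frozen=True)
class SearchRequest:
    authority_id: str
    user: str
    identifier: str            # exact-identifier match only; free-text keyword search is disabled
    date_from: date
    date_to: date

@dataclass(frozen=True)
class CommRecord:
    record_id: str
    captured_on: date
    parties: frozenset         # identifiers of the communicating parties
    content: str

class BoundaryViolation(Exception):
    pass  # raised when a search would go beyond the maximum search boundary

def set_up(authority: Authority) -> str:
    """Search parameter set-up: a unique authority ID derived from the terms (assumed scheme)."""
    terms = "|".join(sorted(authority.identifiers)) + f"|{authority.valid_from}|{authority.valid_to}"
    return "AUTH-" + hashlib.sha256(terms.encode()).hexdigest()[:12]

def check_request(req: SearchRequest, authority_id: str, boundary: Authority, today: date) -> tuple:
    """Reasons the search must be refused; an empty tuple means it lies within the authority."""
    reasons = []
    if req.authority_id != authority_id:
        reasons.append("authority ID does not match")
    if req.user not in boundary.entitled_users:
        reasons.append(f"user {req.user} is not entitled under this authority")
    if req.identifier not in boundary.identifiers:
        reasons.append(f"identifier {req.identifier} is not named in the authority")
    if req.date_from < boundary.valid_from or req.date_to > boundary.valid_to:
        reasons.append("requested date range extends beyond the authority")
    if not boundary.valid_from <= today <= boundary.valid_to:
        reasons.append("authority is not valid on the current date")
    return tuple(reasons)

class SearchModule:
    def __init__(self, authority_id: str, boundary: Authority, records: list):
        self.authority_id, self.boundary = authority_id, boundary
        self._records = records       # stand-in for the secure impenetrable data store
        self.search_data_store = []   # read-only search records (stand-in for the search data store)
        self.audit_log = []           # consumed by the search audit module

    def run(self, req: SearchRequest, now: datetime) -> int:
        """Check the request against the boundary, log it, and only then search."""
        refused = check_request(req, self.authority_id, self.boundary, now.date())
        self.audit_log.append({"request": req, "ran_at": now, "refused": refused})
        if refused:
            raise BoundaryViolation("; ".join(refused))
        hits = [r for r in self._records
                if req.identifier in r.parties and req.date_from <= r.captured_on <= req.date_to]
        for r in hits:  # copy out only the matching subset; the source records are left untouched
            self.search_data_store.append(MappingProxyType({
                "authority_id": req.authority_id, "search": req, "searched_at": now,
                "record_id": r.record_id, "content": r.content}))
        return len(hits)

def audit(module: SearchModule) -> list:
    """Search audit: re-derive each logged search's verdict from the boundary and report variances."""
    variances = []
    for e in module.audit_log:
        expected = check_request(e["request"], module.authority_id, module.boundary, e["ran_at"].date())
        if expected != e["refused"]:
            variances.append(f"{e['ran_at']}: logged {e['refused']} but boundary gives {expected}")
    return variances

def demo() -> dict:
    """Constructed scenario: one search within the authority, one refused, then an audit pass."""
    warrant = Authority(frozenset({"07700900123", "BBM-PIN-EXAMPLE"}),  # constructed identifiers
                        date(2011, 12, 14), date(2012, 12, 12), frozenset({"investigator_a"}))
    records = [  # constructed communication records held in the store
        CommRecord("r1", date(2012, 1, 3), frozenset({"07700900123", "07700900456"}), "msg 1"),
        CommRecord("r2", date(2012, 1, 4), frozenset({"BBM-PIN-EXAMPLE", "BBM-PIN-OTHER"}), "msg 2"),
        CommRecord("r3", date(2012, 1, 5), frozenset({"07700900123", "07700900789"}), "msg 3"),
    ]
    module = SearchModule(set_up(warrant), warrant, records)
    now = datetime(2012, 1, 10, 9, 0)
    out = {"module": module, "hits": module.run(SearchRequest(
        module.authority_id, "investigator_a", "07700900123", date(2012, 1, 1), date(2012, 1, 7)), now)}
    try:  # a party seen in the results but not named in the authority, over dates before the warrant
        module.run(SearchRequest(module.authority_id, "investigator_a", "07700900456",
                                 date(2011, 11, 1), date(2012, 1, 7)), now)
    except BoundaryViolation as e:
        out["refused"] = str(e)
    out["audit_variances"] = audit(module)
    return out
```

The refused request is still written to the audit log, so the audit sees attempts as well as completed searches, which is what lets it distinguish a refused search from one that should have been refused but ran.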
  • the data integrity audit module 110 of Figure 1 and the search audit module 206 of Figure 2 may be implemented in the same device or in separate devices.
  • the search data store 208 used to store the results of the searches conducted by the search module 204 may also be subject to very strict access controls such that only those entities (e.g. individuals or organizations) authorized to access the sensitive data under an authority have access to the sensitive data in the search data store 208. Specifically, access to the data in the search data store 208 may be controlled by the authority terms provided to the search parameter set-up module 202.
  • the search module 204 is configured to send an alert or notification to the authorized entities each time new search results are added to the search data store 208 for a particular authority.
  • the system 200 comprises a user interface module 210
  • the alert or notification may be transmitted to and displayed on the user interface module 210.
  • the alert or notification may be transmitted directly to the authorized entity.
  • the alert or notification may be directly transmitted to a police investigator's personal communication device, such as a mobile phone, a personal digital assistant (PDA), or a pager, via any communication means, such as email, text message or the like.
  • the alert may be sent to both the user interface module 210 and the authorized entity's personal communication device(s).
  • authorized entities may access the sensitive data in the search data store 208 and use it to further their investigations.
  • the sensitive data is stored in the search data store 208 in such a manner that it allows the sensitive data to be assessed and analysed, for instance, tagged, organised, sorted and commented upon, in order to enhance the usability of the search results.
  • the sensitive data may be processed and analysed in accordance with the methods and systems described in International Published Patent Application No. WO 2009/037478.
  • Access to the data stored in the search data store 208 may be provided to authorized entities by a user interface module 210.
  • the user must first identify the specific authority under which they are accessing the search data store 208.
  • the user interface module 210 may provide the user with a list of authority IDs they can select from, where, as discussed above, each authority ID identifies a specific authority entered into the search parameter set-up module 202. Alternatively, the user interface module 210 may provide the user with means to manually identify a particular authority. For example, the user interface module 210 may allow the user to manually enter a specific authority ID.
  • the user interface module 210 may require that the user be authenticated before an authority can be identified. For example, the user may have to provide a username and password to gain access to the user interface module 210, and once authenticated they may only be allowed to search under particular authorities.
  • the user may access all of the sensitive information stored in the search data store 208 related to that authority.
  • the user interface module 210 may also enable the user to conduct further searches, apply filters and sorts on the relevant sensitive data, and manage additional metadata that can be applied to the sensitive data.
  • the user interface module 210 therefore may enable the user to take advantage of current and new reporting techniques and visualisation tools to aid discovery and communication.
  • the user interface module 210 may provide the user with read only access to the set of results stored in the search data store 208.
  • Figure 5 illustrates an exemplary user interface module 500 to access the search results stored in the search data store 208.
  • Each of the search parameter set-up module 202, the search audit module 206, the search module 204, the secure impenetrable data store 108, the search data store 208 and the user interface module 210 may be implemented in hardware or software.
  • each of the search parameter set-up module 202, the search audit module 206, the search module 204, the secure impenetrable data store 108, the search data store 208 and the user interface module 210 may be implemented by one or more computers, each computer comprising one or more processors.
  • each of the search parameter set-up module 202, the search audit module 206, the search module 204, the secure impenetrable data store 108, the search data store 208 and the user interface module 210 may be implemented by instructions that are stored on a computer readable medium, that when executed by a computer performs the functions described above.
  • the secure impenetrable data store 108, the search audit module 206 and the search module 204 may be implemented in a single device or in separate devices.
  • the communications service provider 101 tracks communications generated by its users. Tracking may comprise creating a record for each communication wherein each record forms sensitive information. For example, where the communications service provider 101 is an instant message service provider, a record may be created for each instant message sent by their users or subscribers. Each record may comprise the instant message and any associated metadata.
  • Metadata may include, but is not limited to, one or more of the following: user identification information specific to the particular communication service (e.g. telephone number, ID number), registered name(s) associated with the user identification information, date and time of the communication message, location of the user/device when the communication was sent and/or received, encryption key(s) associated with the communication sent and/or received.
  • the communications service provider 101 processes and analyses the communication records. For example, as described above, in relation to Figure 1, the communications service provider 101 may process the communication records to identify the intended recipients of the communications.
  • the sensitive data may be provided to the secure data storage facility 111 in accordance with an agreement or legislative order that puts limits or restrictions on the sensitive data that is forwarded to the secure data storage facility 111.
  • an agreement between the communications service provider 101 and a third party may specify that only UK to UK communications are to be provided to the secure data storage facility 111.
  • the processing and analysis may comprise filtering the messages to eliminate any communication records that relate to non UK to UK communications.
  • the processing and analysis may also involve decrypting the communications. In some cases, this may involve receiving the encryption keys for the relevant devices at step 611. Once the communication records have been processed and analysed, the method 600 proceeds to steps 612 and 613.
  • the communications service provider 101 forwards the processed and analysed communications to the intended recipients.
  • a copy of the sensitive data is forwarded to the secure data storage facility 111.
  • the sensitive data may comprise communication records.
  • the sensitive data may comprise instant message records where each instant message record comprises the instant message and corresponding metadata.
  • the sensitive data may be transmitted to the secure data storage facility 111 via a secure network, for example.
  • the secure data storage facility 111 receives the sensitive data and stores it in a secure impenetrable data store, such as secure impenetrable data store 108, so that no party can directly access the sensitive data. Only entities authorized under a specific authority can indirectly access the sensitive data, and even then, the authorized entity may only access the specific sensitive data set out in the authority.
  • the secure impenetrable data store 108 may be configured to only store the sensitive data for a predefined period of time.
  • the predefined period of time for which sensitive data is stored in the secure impenetrable data store may be based on the type of sensitive data and/or any applicable agreement or legislation. Accordingly, the received data may be transformed into and stored as time limited data.
  • the method 600 then proceeds to steps 614 and 610.
  • the received sensitive data is indexed.
  • each communication record may be provided with a unique index number.
  • indexing the sensitive data allows for the sensitive data to be searched more quickly.
  • the secure impenetrable data store such as secure impenetrable data store 108, is searched to locate any sensitive data (e.g. communication records or instant message records) for which the predefined period of time has expired and all traces of this sensitive data are
  • Step 609 may be performed on a periodic basis to ensure that the sensitive data is timely deleted in accordance with the predefined period(s) of time.
  • auditing may comprise monitoring all activity on the secure impenetrable data store and automatically generating logs and records.
  • the auditing may also involve monitoring the deletion of sensitive data to ensure that the sensitive data is being deleted in accordance with the predefined period(s) of time.
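The time-limited storage, indexing, periodic deletion sweep and deletion auditing of steps 609, 610 and 614 described above, as an added worked example. This is example code written for this page, not the patent's or Olton's own implementation; the retention periods per data type, the record fields and the sample messages are assumed and constructed.

```python
# Added example (not from the patent): a time-limited secure store whose records
# receive an index number on ingest, are swept for expiry on a schedule (step 609),
# and whose ingest and deletion events are logged for audit (step 610).
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed retention periods per data type. The text says the period may depend on
# the type of data and/or the governing agreement; these values are invented.
RETENTION = {
    "instant_message": timedelta(days=7),
    "sms": timedelta(days=30),
}


@dataclass(frozen=True)
class Record:
    index: int            # unique index number assigned on ingest (step 614)
    data_type: str
    received_at: datetime
    payload: str


@dataclass
class SecureStore:
    records: dict = field(default_factory=dict)    # index -> Record
    audit_log: list = field(default_factory=list)  # (when, event, index)
    next_index: int = 1

    def ingest(self, data_type, received_at, payload):
        # Data with no agreed retention period is refused rather than kept indefinitely.
        if data_type not in RETENTION:
            raise ValueError(f"no retention period agreed for {data_type!r}")
        idx = self.next_index
        self.next_index += 1
        self.records[idx] = Record(idx, data_type, received_at, payload)
        self.audit_log.append((received_at, "ingest", idx))
        return idx

    @staticmethod
    def expires_at(rec):
        return rec.received_at + RETENTION[rec.data_type]

    def sweep(self, now):
        """Step 609: delete every record whose retention period has expired."""
        expired = sorted(i for i, r in self.records.items() if self.expires_at(r) <= now)
        for i in expired:
            del self.records[i]
            self.audit_log.append((now, "delete_expired", i))
        return expired

    def overdue(self, now):
        """Audit check (step 610): indices still held past expiry; empty after a sweep."""
        return sorted(i for i, r in self.records.items() if self.expires_at(r) <= now)


def demo():
    """Constructed data: two messages received on 1 Jan 2012, swept on 9 Jan 2012."""
    t0 = datetime(2012, 1, 1, tzinfo=timezone.utc)
    store = SecureStore()
    im = store.ingest("instant_message", t0, "constructed IM body")
    sms = store.ingest("sms", t0, "constructed SMS body")
    t1 = t0 + timedelta(days=8)
    before = store.overdue(t1)   # the IM is past its 7-day period, the SMS is not
    deleted = store.sweep(t1)
    after = store.overdue(t1)    # nothing overdue remains once the sweep has run
    return im, sms, before, deleted, after, sorted(store.records), store.audit_log


def rejects_unknown_type(data_type="voicemail"):
    """True when ingest refuses a type with no agreed retention period."""
    try:
        SecureStore().ingest(data_type, datetime(2012, 1, 1, tzinfo=timezone.utc), "x")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The sweep is idempotent, so running it more often than the shortest retention period costs nothing, and the `overdue` check is the test an auditor would run after each sweep to confirm that deletion is keeping pace with the agreed periods.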
  • FIG. 7 illustrates an exemplary method 700 for allowing authorized access to the sensitive data stored in a secure impenetrable data store in accordance with an authority.
  • the method 700 has been divided into four phases: the regulatory framework phase 701 (steps 702-705), the agency administration phase 706 (steps 707- 709), the search phase 719 (steps 710, 711, 713, 714, 717 and 718), and the agency analyst phase 715 (steps 712 and 716).
  • the regulatory framework phase 701 comprises obtaining an authority to access the sensitive information
  • the agency administration phase 706 comprises providing the details of the authority to the system and initiating a search of the sensitive information based on the authority
  • the search phase 719 comprises searching the sensitive data in accordance with the authority
  • the agency analyst phase 715 comprises providing access to the sensitive data matching the search criteria to the authorized entity (e.g. law enforcement agency).
  • an entity prepares a request for access to sensitive data.
  • a law enforcement agency may prepare a RIPA interception warrant request, such as that shown in Figure 3.
  • the request typically includes the specific sensitive data that the entity wishes to have access to and the reasons justifying access.
  • a RIPA interception warrant typically includes the specific individuals to be monitored, the type of data to be monitored and the associated devices or other identification metrics (e.g. an internet protocol (IP) address).
  • At step 703, the entity presents their request to the appropriate body for approval. For example, a RIPA interception warrant request is presented to the Secretary of State (SoS). The method 700 then proceeds to step 704.
  • At step 704, the appropriate body (e.g. the SoS for RIPA interception warrants) issues an authority granting access to the specified sensitive data. For example, where the request is a RIPA interception warrant request, an interception warrant is granted. As shown in Figure 3, the authority typically specifies quite simple, but very strict, rules on what information can and cannot be accessed under the authority, how it may be obtained, and the time periods for which it may be obtained. Once the authority has been granted, the method 700 then proceeds to the agency administration phase 706.
  • the terms of the granted authority are input to the system and automatically converted into one or more search strings that define the maximum search boundary of the sensitive data under the authority.
  • the terms of the granted authority typically include at least the specific sensitive data that can be accessed under the authority and the time period it can be accessed.
  • the terms of the granted authority may be manually entered into the system by an administrator using an interface, such as the search parameter set-up module 202 user interface of Figure 2 or Figure 4, or the authority may be electronically provided to the system and the relevant terms of the authority automatically extracted from it.
  • the method 700 proceeds to step 709.
  • the administrator "activates" a search of the sensitive data stored in the secure impenetrable data store in accordance with the authority.
  • Activating the search may comprise the administrator submitting an indication for the search to be initiated.
  • the administrator may be provided with a user interface that comprises an "activate search" button, or the like, that may be pressed or otherwise activated by the administrator.
  • Alternatively, step 709 need not be performed: the system may be configured to automatically activate the search of the secure impenetrable data store in accordance with the authority once the terms of the authority have been entered in step 707. Once the search has been activated, the method 700 proceeds to step 708.
  • the system checks the search string(s) generated in step 707 against the terms of the authority to ensure that a search conducted using the search string(s) will conform to the authority. For example, where the authority grants access to instant messages generated or received by a particular instant message ID, the search string(s) may be compared against the instant message ID specified in the authority and the dates of the authority to ensure that a search conducted using the search string(s) will not produce sensitive data that extends beyond the terms of the authority. Once the search string(s) have been verified, they are provided to a search module, such as search module 204, to perform the initial search. The method 700 then proceeds to step 710.
  • a search module such as search module 204, receives the search string(s) generated at step 707 and verified at step 708 and performs an initial search on the sensitive data stored in the secure impenetrable data store.
  • the initial search will locate all of the sensitive data in the secure impenetrable data store that conforms to the authority. The method then proceeds to steps 711 and 713.
  • the sensitive data located by the search performed at step 710 is processed and forwarded to a further data store, herein after referred to as the search data store.
  • the processing may involve decrypting the search results prior to forwarding to the search data store.
  • the search module may periodically repeat the search of the sensitive data stored in the secure impenetrable data store.
  • the frequency at which the search is performed may be set by a system administrator. For example, when an administrator manually provides the terms of the authority in step 707, the administrator may also optionally provide a time period that specifies how often the search is to be performed. Alternatively, the frequency at which the search is performed may be automatically determined. For example, the frequency at which the search is performed may be determined by the time period for which the authority is valid and the predefined period(s) of time that trigger automatic deletion of the sensitive data.
  • At step 714, the system reviews the results of the subsequent search and determines if there are any new search results. If there are new search results, the method proceeds to step 711 so that the new results can be processed and forwarded to the search data store.
  • the system confirms that the search is still valid. In some cases, this may comprise confirming that the related authority is still valid. For example, where the authority is a RIPA interception warrant, the system may confirm that the warrant has not expired and that it will not expire while the search is running.
  • the system periodically crawls or searches the secure impenetrable data store for sensitive data for which the predefined period of time has expired and then automatically deletes the sensitive data. This activity keeps the contents of the secure impenetrable data store within the bounds of any agreement as well as ensuring that the secure impenetrable data store does not reach its storage capacity.
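The search phase described above, as an added worked example: the terms of an authority are converted into a maximum search boundary (step 707), the boundary is verified against the authority before any search runs (step 708), and the initial and repeat searches (steps 710, 713 and 714) return only new results and refuse to run once the authority has lapsed (step 717). This is example code written for this page, not the patent's or Olton's own implementation. A structured boundary object stands in for the "search string(s)" of the text, and the authority fields, record layout, identifiers such as `im:alice` and sample records are assumed and constructed.

```python
# Added example (not from the patent): authority terms -> bounded search -> verified
# search, with the failure modes a practitioner cares about: a widened boundary is
# refused before any data is touched, and a search under a lapsed authority does not run.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class AuthorityViolation(Exception):
    """Raised when a search could return data outside the terms of the authority."""


@dataclass(frozen=True)
class Authority:
    authority_id: str
    subject_ids: frozenset   # e.g. instant message IDs named in the warrant
    data_type: str           # e.g. "instant_message"
    valid_from: datetime
    valid_to: datetime


@dataclass(frozen=True)
class SearchBoundary:
    authority_id: str
    subject_ids: frozenset
    data_type: str
    start: datetime
    end: datetime


def build_boundary(auth):
    """Step 707: derive the maximum search boundary mechanically from the terms."""
    return SearchBoundary(auth.authority_id, auth.subject_ids, auth.data_type,
                          auth.valid_from, auth.valid_to)


def verify_boundary(boundary, auth):
    """Step 708: every dimension of the boundary must sit inside the authority."""
    if boundary.authority_id != auth.authority_id:
        raise AuthorityViolation("boundary belongs to a different authority")
    if not boundary.subject_ids <= auth.subject_ids:
        raise AuthorityViolation("subject not named in the authority")
    if boundary.data_type != auth.data_type:
        raise AuthorityViolation("data type not covered by the authority")
    if boundary.start < auth.valid_from or boundary.end > auth.valid_to:
        raise AuthorityViolation("time window extends beyond the authority")
    return True


def _matches(rec, b):
    return (rec["type"] == b.data_type
            and b.start <= rec["sent_at"] <= b.end
            and (rec["sender"] in b.subject_ids or rec["recipient"] in b.subject_ids))


def run_search(store, boundary, auth, now, delivered):
    """Steps 710/713/714/717: confirm the authority is still live, re-verify the
    boundary, search, and return only indices not already forwarded."""
    if not (auth.valid_from <= now <= auth.valid_to):
        raise AuthorityViolation("authority has lapsed; search not run")
    verify_boundary(boundary, auth)
    new = sorted(i for i, r in store.items() if _matches(r, boundary) and i not in delivered)
    delivered.update(new)
    return new


# Constructed sample data: a 30-day authority over one IM ID and a small secure
# store keyed by the store's index numbers.
T0 = datetime(2012, 1, 1, tzinfo=timezone.utc)
AUTH = Authority("AUTH-001", frozenset({"im:alice"}), "instant_message", T0, T0 + timedelta(days=30))
STORE = {
    1: {"type": "instant_message", "sender": "im:alice", "recipient": "im:bob", "sent_at": T0 + timedelta(days=1)},
    2: {"type": "instant_message", "sender": "im:carol", "recipient": "im:dave", "sent_at": T0 + timedelta(days=1)},
    3: {"type": "instant_message", "sender": "im:bob", "recipient": "im:alice", "sent_at": T0 + timedelta(days=40)},
    4: {"type": "sms", "sender": "im:alice", "recipient": "im:bob", "sent_at": T0 + timedelta(days=2)},
}


def demo():
    """Initial search, then a repeat search after a new matching record arrives."""
    boundary = build_boundary(AUTH)
    verify_boundary(boundary, AUTH)
    delivered = set()
    first = run_search(STORE, boundary, AUTH, T0 + timedelta(days=3), delivered)
    STORE[5] = {"type": "instant_message", "sender": "im:alice", "recipient": "im:erin",
                "sent_at": T0 + timedelta(days=4)}
    repeat = run_search(STORE, boundary, AUTH, T0 + timedelta(days=5), delivered)
    return first, repeat


def widened_boundary_rejected():
    """Step 708 failure mode: adding a subject or extending the end date is refused."""
    good = build_boundary(AUTH)
    extra_subject = SearchBoundary(good.authority_id, good.subject_ids | {"im:bob"},
                                   good.data_type, good.start, good.end)
    too_long = SearchBoundary(good.authority_id, good.subject_ids, good.data_type,
                              good.start, good.end + timedelta(days=1))
    outcomes = []
    for b in (extra_subject, too_long):
        try:
            verify_boundary(b, AUTH)
            outcomes.append(False)
        except AuthorityViolation:
            outcomes.append(True)
    return outcomes


def lapsed_authority_rejected():
    try:
        run_search(STORE, build_boundary(AUTH), AUTH, T0 + timedelta(days=31), set())
    except AuthorityViolation:
        return True
    return False
```

The point of checking the boundary in `run_search` as well as in step 708 is that the repeat searches run long after the administrator set the search up; re-checking on every run means a later edit to the boundary, or a lapsed warrant, is caught at the moment it would first matter.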
  • the search results are received by and stored in the search data store.
  • the search results may be stored in read only records so that they cannot be modified. This helps ensure that the records are admissible in a court of law, for example. Tamper evidence may be provided by storing a cryptographic digest of each record alongside it, such as a Message-Digest Algorithm 5 (MD5) digest, so that any later modification is detected when the digest is recomputed. (MD5 is no longer collision resistant; a SHA-2 family digest such as SHA-256 is the current choice for evidential integrity.)
  • the search data store then sends a notification to the authorized entity that there are new search results for the particular authority.
  • the method 700 then proceeds to step 716.
  • the authorized entity receives the notification or alert that there are new search results relating to a particular authority. At this point the authorized entity may then view, search, filter or otherwise access the search results stored in the search data store. As described above, the authorized entity may receive the alert or notification through a user interface module, such as user interface module 210.
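The search data store of steps 712 and 716 described above, as an added worked example: results are appended as read-only records with a chained digest so that modification, deletion or reordering is detectable, and they can only be read by a user authorised under the authority they were produced for (the authority-scoped access described for user interface module 210). This is example code written for this page, not the patent's or Olton's own implementation. SHA-256 is used in place of the MD5 digest named in the text because MD5 is no longer collision resistant; the user-to-authority grant table, record fields and sample results are assumed and constructed.

```python
# Added example (not from the patent): a tamper-evident, hash-chained result store
# with authority-scoped read access. Each digest covers the previous digest, so the
# chain breaks at the first record that is altered, removed or moved.
import hashlib
import json

GENESIS = "0" * 64  # digest used as the predecessor of the first record


class ResultStore:
    def __init__(self):
        self._records = []   # (authority_id, payload, digest), append-only
        self._grants = {}    # username -> set of authority IDs (assumed model)

    @staticmethod
    def _digest(prev_digest, authority_id, payload):
        # Canonical JSON so an identical record always hashes identically.
        body = json.dumps({"prev": prev_digest, "authority": authority_id,
                           "payload": payload}, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def append(self, authority_id, payload):
        """Step 712: store a new result under its authority; returns its digest."""
        prev = self._records[-1][2] if self._records else GENESIS
        digest = self._digest(prev, authority_id, dict(payload))
        self._records.append((authority_id, dict(payload), digest))
        return digest

    def verify_chain(self):
        """Recompute every digest; return the position of the first bad record, else None."""
        prev = GENESIS
        for pos, (authority_id, payload, digest) in enumerate(self._records):
            if self._digest(prev, authority_id, payload) != digest:
                return pos
            prev = digest
        return None

    def grant(self, user, authority_id):
        self._grants.setdefault(user, set()).add(authority_id)

    def read(self, user, authority_id):
        """Step 716: read-only access limited to the authorities the user holds."""
        if authority_id not in self._grants.get(user, set()):
            raise PermissionError(f"{user} is not authorised under {authority_id}")
        # Copies are returned so a caller cannot alter the stored records.
        return [dict(p) for aid, p, _ in self._records if aid == authority_id]


def demo():
    """Constructed results under two authorities; one analyst cleared for one of them."""
    store = ResultStore()
    store.append("AUTH-001", {"index": 1, "text": "constructed message one"})
    store.append("AUTH-001", {"index": 5, "text": "constructed message two"})
    store.append("AUTH-002", {"index": 9, "text": "constructed message three"})
    store.grant("analyst1", "AUTH-001")
    intact = store.verify_chain()                 # None: nothing has been touched
    visible = store.read("analyst1", "AUTH-001")  # only AUTH-001 results
    try:
        store.read("analyst1", "AUTH-002")
        denied = False
    except PermissionError:
        denied = True
    # Simulate an in-place edit of the second record: the chain breaks at position 1.
    aid, _payload, digest = store._records[1]
    store._records[1] = (aid, {"index": 5, "text": "altered"}, digest)
    return intact, [p["index"] for p in visible], denied, store.verify_chain()
```

Publishing the latest chain digest to the audit module (or to the authorised agency) at the time of each notification gives an independent anchor: a later discrepancy between the stored chain and the published digest proves that the store, not the analyst's copy, changed.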
  • Figure 8 illustrates a system 800 for a plurality of organizations or agencies 802, 804, 806 and 808 to access sensitive data in accordance with an agreement without the need to join up existing databases, which may be quite costly.
  • Each organisation or agency 802, 804, 806 and 808 may supply sensitive data to a secure data storage facility 810 where it is stored in a central secure impenetrable data store.
  • the data may be supplied by each organisation or agency 802, 804, 806 and 808 and stored by the secure data storage facility 810 in accordance with the system of Figure 1 and/or the method of Figure 6.
  • the search module of the secure data storage facility 810 may be configured to search the individual agency/organisation databases directly and then extract the search results to individual search data stores. In this context, it will be appreciated that it is a copy of the search results that are extracted and the original data remains in the individual agency/organisation databases.
  • the secure data storage facility 810 may have a secure direct connection through, for example, firewalls, to each organisation's database.
  • System 800 may be used, for example, to allow police, Border Controls, Anti-Terrorism, and Serious Organised Crime etc. to share information.

Abstract

A computer-implemented system to provide secure access to data stored in a secure data store, comprises a search parameter set-up module configured to receive terms of an authority granting access to the data and automatically generate a maximum search boundary for the data based on the received terms. A search module is configured to search the data in accordance with the maximum search boundary to produce a set of search results. The secure data store comprises a receiving module configured to receive data from one or more bodies; and a storage module configured to securely store the data so that no party, including the one or more bodies, can directly access the data.

Description

SYSTEM AND METHOD TO PROVIDE SECURE ACCESS TO SENSITIVE DATA
Field of the Invention
The present invention relates to systems and methods for providing secure access to sensitive data. More particularly, the present invention relates to systems and methods for providing secure access to sensitive data, such as communications data, to an authorized party in a manner that strictly complies with a specific authority granting access to the sensitive data.
Background
Social media and private messaging (e.g. instant messaging) is becoming the de facto tool for communications between individuals, with many in the 14-25 years bracket preferring to use text and written messaging over voice communications and asking "What was that email thing?"
Examples of some of the most popular instant messaging services include, but are not limited to, Blackberry® Messenger (BBM™), Windows LIVE Messenger (which may be used on Microsoft's Xbox), Play Station Network Messaging, Yahoo! Messenger, Gmail Messenger and Facebook Chat. Examples of some of the most common social media services include Facebook and Twitter. Due to the prolific use of social media and private messaging as a means for communicating between individuals, law enforcement agencies have a need to access and intercept, for intelligence and investigatory purposes, instant messages and other social media data.
For this reason, governments around the world have enacted legislation for the lawful gathering and surveillance of communication data. For example, in 2000 the Parliament of the United Kingdom enacted the Regulation of Investigatory Powers Act 2000 (RIPA) which regulates the powers of public bodies to carry out surveillance and investigation, and covers the interception of communications.
Specifically, RIPA allows for the interception of communications traffic by certain organisations - for example, Security Service, Secret Intelligence Service, the Government Communications Headquarters (GCHQ), Police, or Customs - under authorisation of the Secretary of State. Such authorisation is provided by way of an interception warrant which sets out the specific data that may be obtained and the conditions under which it can be obtained. For example, section 8(1) of RIPA states that an interception warrant must name or describe either one person as the interception subject, or a single set of premises where the interception is to take place. Section 8(2) of RIPA further states that an interception warrant must describe the communications which may be intercepted including one or more schedules setting out the addresses, numbers, apparatus or other factors, or combination of factors, that are to be used for identifying the communications that are to be intercepted.
The procedure to be followed and the information to be provided when requesting an interception warrant from the Secretary of State are set out in "The Interception of Communications Code of Practice" (7th imprint, 2007). An interception warrant can only be issued on one of the following grounds: in the interests of national security; for the purposes of preventing or detecting serious crime; for the purpose of safeguarding the economic well-being of the United Kingdom; or for the purpose, in specified circumstances, of giving effect to the provisions of any international mutual assistance agreement. An interception warrant is usually only valid for three months. A warrant may be renewed during this three month period for a further six months if considered necessary under one of the grounds listed above.
One of the problems with the current structure, however, is that the authorized entities or bodies (e.g. Security Service, Secret Intelligence Service, GCHQ, Police, or Customs) are often unable to obtain the communications data in a manner that does not breach the conditions of the warrant. Specifically, since the data communications of interest are typically stored by the providers of such communications services (e.g. Research in Motion (RIM), Microsoft, Yahoo!, Google, and Facebook) and are only forwarded and deleted in accordance with company policy, the authorized entities must rely on the communication service providers supplying them the relevant information. Most service providers, however, are unable or unwilling to provide the level of filtering required to provide only the data specified in the warrant. Specifically, most service providers are unable to isolate individual messages or communications from the complete worldwide dataset. Furthermore, the authorized entities or bodies are prevented by legislation, such as RIPA, from accepting all of the messages en masse and then performing their own search to identify the messages of interest.
Accordingly, there is a need for systems and methods that allow authorized entities or bodies (e.g. Security Service, Secret Intelligence Service, GCHQ, Police, or Customs) to obtain, for intelligence and investigatory purposes, communications data from other entities or bodies, such as communications service providers, in a manner that is consistent with legislation (e.g. RIPA) granting access to such data so that the protection of an individual's right to privacy remains inviolate.
Summary
In a first aspect there is provided a system for securely storing data comprising: a secure data store; a secure data network configured to transmit data; a receiving module configured to receive data over the secure data network from one or more data supplying bodies; a storage module configured to securely store the data on a temporary basis; a search module configured to search the stored data in accordance with terms of an authority to generate a search boundary to produce a set of search results; and a further search data store configured to store the set of search results, wherein the further search data store is configured so the set of search results are only accessible to one or more data accessing bodies authorised by the authority, whereby the system is configured not to permit direct access to the complete set of data stored temporarily in the secure data store.
Since the sensitive data is copied, transferred and securely stored at the secure data store without any human intervention the sensitive data has not been "intercepted". The sensitive data has merely been processed - e.g. routed and stored. Accordingly, the transfer and storage of sensitive data to such a secure data store is unlikely to be in contravention of the appropriate legislation (e.g. RIPA) relating to interception of sensitive communications.
Preferably, the system for securely storing data includes a deletion module configured to automatically delete at least a portion of the data upon expiration of a predefined time period.
Preferably, the system for securely storing data includes a deletion module configured to automatically delete at least a portion of the data when a limit of storage capacity has been reached. This means that data may be stored temporarily in the secure data store for a predefined period of time, whereupon the data is then deleted and purged from the data store. The predefined period may be based on at least one of: the type of data, and an agreement.
Preferably, the data includes one or more portions and the storage module is configured to generate and store an index for each portion of the data.
Preferably, the secure data store includes a data integrity audit module configured to monitor the storage module. For example, the data integrity audit module may monitor all activity of the storage module and automatically generate incorruptible activity logs and history files. The activity logs and history files may be used to ensure that the data stored in the storage module is in the same state as it was when it was received from the one or more bodies - e.g. it has not been manipulated (e.g. that there have been no changes, additions and/or deletions) or structurally changed.
Preferably, the data integrity module is configured to record instances of access to the data.
Preferably, the data includes communication data, and preferably includes a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata, and preferably each communication message may be one of a text message, an instant message and a telephone call.
Preferably, the data is received as a stream of data.
Preferably, the system for securely storing data includes a data filter module configured to filter the data prior to being received and stored by the secure data store. Preferably, the data filter module is configured to organise the data.
Preferably, the secure data network includes a wireless data network, or a wired data network, or a combination of a wired and wireless data network.
Preferably, the storage module includes a database.
Preferably, the system for securely storing data includes a search audit module configured to monitor the search module and produce evidence that any searches performed on the data are in accordance with the authority.
Preferably, the search module is configured using search parameters.
Preferably, the search parameters are constrained by boundaries based on the terms of the authority. Preferably, the search parameters are constrained with templates. Preferably, the search boundary is automatically generated.
Preferably, the system for securely storing data includes a search parameter set-up module configured to: receive the terms of the authority granting access to the data; and automatically generate a maximum search boundary for the data based on the received terms. Preferably, the system for securely storing data includes a user interface module configured to enable the one or more data accessing bodies authorized by the authority to access the set of search results stored in the further search data store.
Preferably, access to the set of results includes the assessment, and/or analysis of the results to enhance the usability of the search results saved in the search data store.
Preferably, access to the set of results includes the tagging, organisation, sorting, and commenting upon the search results to enhance the usability of the search results saved in the search data store.
Preferably, the terms of the authority include at least one of: identification of a subset of the data accessible under the authority; identification of a time period the authority is valid; and identification of the one or more data accessing bodies authorized to access the subset of the data by the authority.
Preferably, the subset of the data accessible under the authority is identified by at least one of a telephone number, an internet protocol (IP) address, a device identification number, an email address, a username and a personal identification number, or is identified as being associated within a specified location.
Preferably, generating the maximum search boundary includes generating at least one search string based on the terms of the authority.
Preferably, the search parameter set-up module is further configured to verify that the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
Preferably, the search module is further configured to repeat the search on the temporarily stored data on a periodic basis to produce subsequent sets of search results.
Preferably, the authority is one of a warrant and an agreement.
In a second aspect there is provided a computer-implemented system to provide secure access to data stored in a secure data store, the system comprising: a search parameter set-up module configured to: receive terms of an authority granting access to the data; and automatically generate a maximum search boundary for the data based on the received terms; and a search module configured to search the data in accordance with the maximum search boundary to produce a set of search results.
This system to provide secure access to data stored in a secure data store ensures that access granted to sensitive data under a specific authority is provided only in accordance with the specific authority. In particular, the system is designed to ensure that the data accessing body authorized under the authority can only access the sensitive data explicitly specified in the authority and no more. Preferably, the system to provide secure access to data stored in a secure data store further includes a search audit module configured to monitor the search module and produce evidence that any searches performed on the data are in accordance with the authority. For example, the search audit module may be configured to receive and record the terms of the authority from the search parameter set-up module, and monitor and record all search activity performed by the search module for future audit purposes.
Preferably, the system to provide secure access to data stored in a secure data store includes a further search data store configured to store the set of search results.
Preferably, the set of search results stored in the further search data store are only accessible to one or more data accessing bodies authorized by the authority.
Preferably, the system to provide secure access to data stored in a secure data store includes a user interface module configured to enable the one or more data accessing bodies authorized by the authority to access the set of search results stored in the further data store.
Preferably, for the system to provide secure access to data stored in a secure data store, wherein the terms of the authority includes at least one of: identification of a subset of the data accessible under the authority, identification of a time period the authority is valid, and identification of one or more data accessing bodies authorized to access the subset of the data by the authority.
Preferably, for the system to provide secure access to data stored in a secure data store, wherein the subset of the data accessible under the authority may be identified by at least one of a telephone number, an internet protocol (IP) address, a device identification number, an email address, a username and a personal identification number.
Preferably, for the system to provide secure access to data stored in a secure data store, wherein generating the maximum search boundary comprises generating at least one search string based on the terms of the authority. Preferably, for the system to provide secure access to data stored in a secure data store, wherein the search parameter set-up module is further configured to verify that the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
Preferably, for the system to provide secure access to data stored in a secure data store, wherein the search module is further configured to repeat the search on a periodic basis to produce subsequent sets of search results.
Preferably, for the system to provide secure access to data stored in a secure data store, wherein the data is communication data.
Preferably, for the system to provide secure access to data stored in a secure data store, wherein the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata. Preferably, for the system to provide secure access to data stored in a secure data store, wherein the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
Preferably, for the system to provide secure access to data stored in a secure data store, wherein each communication message is one of a text message, an instant message, and a telephone call.
Preferably, for the system to provide secure access to data stored in a secure data store, wherein the authority is one of a warrant and an agreement.
In another aspect there is provided a computer-implemented method of storing data in a secure data store, the method comprising: receiving data from one or more data supplying bodies over a secure data network; securely storing the data temporarily in a secure data store; searching the data in accordance with a search boundary generated from the terms of an authority to produce a set of search results; and saving the set of search results in a further search data store, wherein the further search data store is configured so that the set of search results is only accessible to one or more data accessing bodies authorized by the authority, whereby the method does not permit direct access to the complete set of data stored temporarily in the secure data store.
Preferably, the computer-implemented method further comprises an audit process to determine compliance with the authority.
Preferably, the computer-implemented method further comprises automatically deleting at least a portion of the data from the secure data store upon expiration of a predefined time period.
Preferably, wherein the predefined time period is based on at least one of: the type of data, and an agreement.
Preferably, wherein the data comprises one or more portions and the method further comprises generating and storing in the secure data store an index for each portion of the data. Preferably, the computer-implemented method further comprises monitoring activity related to the secure data store and generating records of the activity.
Preferably, the computer-implemented method further comprises filtering the source data prior to receiving the data into the secure data store.
Preferably, wherein the data is communication data.
Preferably, wherein the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
Preferably, wherein the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message. Preferably, wherein each communication message is one of a text message, an instant message and a telephone call.
Preferably, wherein the data is received as a stream of data.
Preferably, wherein the secure data network comprises a wireless data network, or a wired data network, or a combination of a wired and wireless data network.
Preferably, wherein the storage module comprises a database.
Preferably, the computer-implemented method further comprises a search audit module configured to monitor the search module and produce evidence that any searches performed on the data are in accordance with the authority. Preferably, searching the data is in accordance with search parameters.
Preferably, the search parameters are constrained by boundaries based on the terms of the authority.
Preferably, the search parameters are constrained with templates.
Preferably, the search boundary is automatically generated. Preferably, the computer-implemented method further comprises a search parameter set-up module configured to: receive the terms of the authority granting access to the data; and automatically generate a maximum search boundary for the data based on the received terms.
Preferably, the computer-implemented method further comprises a user interface module configured to enable the one or more data accessing bodies authorized by the authority to access the set of search results stored in the further search data store.
Preferably, wherein access to the set of results stored in the search data store comprises assessment or analysis of the results to enhance the usability of the search results.
Preferably, wherein access to the set of results stored in the search data store comprises the tagging, organisation, sorting, and commenting upon the search results to enhance the usability of the search results.
Preferably, wherein the terms of the authority comprise at least one of: identification of a subset of the data accessible under the authority; identification of a time period the authority is valid; and identification of one or more data accessing bodies authorized to access the subset of the data by the authority. Preferably, wherein the subset of the data accessible under the authority is identified by at least one of a telephone number, an internet protocol (IP) address, a device identification number, an email address, a username and a personal identification number.
Preferably, wherein generating the maximum search boundary comprises generating at least one search string based on the terms of the authority. Preferably, wherein the search parameter set-up module is further configured to verify the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
Preferably, wherein the search module is further configured to repeat the search on the temporarily stored data on a periodic basis to produce subsequent sets of search results.
Preferably, wherein the data is communication data.
Preferably, wherein the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
Preferably, wherein the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
Preferably, wherein each communication message is one of a text message, an instant message, and a telephone call.
Preferably, wherein the authority is one of a warrant and an agreement.
In another aspect there is provided a computer-implemented method of providing secure access to data stored temporarily in a secure data store, the method comprising: receiving terms of an authority granting access to the data; automatically defining a maximum search boundary for the data based on the terms of the authority; and searching the data stored in the secure data store in accordance with the maximum search boundary to produce a set of search results.
Preferably, the computer-implemented method further comprises monitoring the searching performed on the data and generating records of the searching to ensure that any searching is in accordance with the authority.
Preferably, the computer-implemented method further comprises storing the search results in a further search data store.
Preferably, wherein the set of search results stored in the further search data store are only accessible to one or more data accessing bodies authorized by the authority.
Preferably, the computer-implemented method further comprises providing only the one or more data accessing bodies authorized by the authority access to the set of search results stored in the further search data store.
Preferably, wherein the terms of the authority comprise at least one of: identification of a subset of the data accessible under the authority; identification of a time period the authority is valid; and identification of one or more data accessing bodies authorized by the authority. Preferably, wherein the subset of the data accessible under the authority is identified by at least one of a telephone number, a username, an internet protocol (IP) address, an email address, and a personal identification number.
Preferably, wherein generating the maximum search boundary comprises generating at least one search string based on the terms of the authority.
Preferably, the computer-implemented method further comprises verifying that the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
Preferably, the computer-implemented method further comprises repeating the searching on the temporarily stored data on a periodic basis to produce subsequent sets of search results.
Preferably, wherein the data is communication data.
Preferably, wherein the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
Preferably, wherein the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
Preferably, wherein each communication message is one of a text message, an instant message and a telephone call.
Preferably, wherein the authority is one of a warrant and an agreement.
In another aspect there is provided apparatus for providing secure access to data stored in a secure data store comprising one or more computers each comprising one or more processors, the apparatus being configured to implement any of the systems described above.
It will be appreciated that the method of providing secure access to data may include storing of the secure data.
There is also provided a computer readable medium comprising instructions which, when executed by a computer, cause the computer to perform any of the methods described above.
Brief Description of the Drawings
Embodiments of the present disclosure will now be described, by way of example only, with reference to the attached figures, wherein:
Figure 1 is a block diagram of a system for obtaining and storing sensitive data from a communications service provider;
Figure 2 is a block diagram of a system for providing secure access to sensitive data in accordance with an authority granting access to the sensitive data;
Figure 3 is a schematic of an exemplary interception warrant;
Figure 4 is a schematic of an exemplary user interface for the search parameter set-up module of Figure 2;
Figure 5 is a schematic of an exemplary user interface module of Figure 2;
Figure 6 is a flow chart of a method for obtaining and storing sensitive data from a communications service provider;
Figure 7 is a flow chart of a method for providing secure access to sensitive data in accordance with an authority granting access to the sensitive data; and
Figure 8 is a block diagram of a system for a plurality of entities to share and access sensitive data in accordance with an authority granting access to the sensitive data.
Detailed Description
The methods and systems described herein are designed to provide secure access to sensitive data in accordance with a specific authority to access the sensitive data. In the following "authority" is intended to cover a form of authority granted to an individual or organisation and may take the form of an agreement, contract, warrant or permission. In some examples providing secure access to sensitive data can mean providing secure and restricted access to sensitive data.
In the following "sensitive data" is intended to cover any data that is not generally available to the public. Typically sensitive data can only be accessed under a proper authority. Sensitive data may include, but is not limited to, records of personal communications, such as telephone calls, text messages and instant messages; confidential information; and other personal information.
Unauthorized access to sensitive data may result in personal or confidential information being compromised.
It will be appreciated that for simplicity and clarity of illustration, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements. In addition, numerous specific details are set forth in order to provide a thorough understanding of the examples described herein. However, it will be understood by those of ordinary skill in the art that the examples described herein may be practiced without these specific details. In other instances, well-known methods, procedures and components have not been described in detail so as not to obscure the examples described herein. Also, the description is not to be considered as limited to the scope of the examples described herein.
Reference is made to Figure 1 which illustrates an exemplary system 100 for obtaining and securely storing sensitive data from a communications service provider 101. In this system 100, the communications service provider 101 is described as an instant message service provider and the sensitive data is instant message records, however, it will be evident to a person of skill in the art that the general principles described herein may be equally applied to any communications service provider and any data produced by a communication service provider. The term "communication service provider" is intended to cover any organisation that provides services that allow two or more entities to communicate with each other. Communications service providers include, but are not limited to, cellular phone service providers, text message service providers, instant message service providers, and social networking service providers. Accordingly, data that may be produced by a communications service provider includes, but is not limited to, telephone call records, text message records and instant message records. The communications service provider 101 provides a communication service to a plurality of users or subscribers 102, 103 and 104. The communication service allows the users 102, 103 and 104 to communicate with one another. For example, an instant message service provider may provide an instant message service that allows users or subscribers of the service to exchange text messages.
Each communication transmitted from a user or subscriber 102, 103 or 104 is received by the communications service provider 101 which creates and stores a record of the communication. For example, an instant message service provider may create and store a record of each instant message sent by its users. Since each communication record is a record of a personal conversation it forms sensitive data. In Figure 1, the communication records are stored in a secure database 105 maintained by the communications service provider 101, however, it will be evident to a person of skill in the art that the communication records may be stored by the communications service provider 101 in any suitable manner. For example, the communications service provider 101 may alternatively store the communication records on tape, compact disc (CD), or digital video disk (DVD).
The communications service provider 101 may only store the communication records for a limited period of time. For example, the communications service provider 101 may only store the communication records for a period long enough to complete delivery of the communication to its intended recipient(s). Alternatively, the communications service provider 101 may only store the communication records until the secure database 105 becomes full and requires purging to make room for new communication records.
The communications service provider 101 then processes and analyses the communication to identify the intended recipient(s) and forwards the communication to the intended recipient.
To increase the security of the communications, the user or subscriber 102, 103 or 104 may encrypt each communication prior to transmission. In some cases, each user or device 102, 103 or 104 may be assigned a unique global encryption key which is used to encrypt each communication. In these cases, the processing and analysis performed by the communications service provider 101 may include decrypting the communication.
As described above, the sensitive data stored by the communications service provider 101 can prove invaluable to criminal investigations, however, law enforcement agencies can only lawfully access the sensitive data in accordance with an authority granted under the appropriate legislation. For example, in the UK, law enforcement agencies can only lawfully intercept personal communications after they have obtained an interception warrant under the Regulation of Investigatory Powers Act 2000 (RIPA).
The problem is that even if a law enforcement agency is able to obtain an authority under the appropriate legislation to access the sensitive data, communications service providers do not typically have the information technology (IT) capabilities to provide the sensitive data in a format that complies with the authority. Specifically, they do not typically have the searching or filtering capabilities to provide the authorized law enforcement agency with only the sensitive data specified in the authority. The law enforcement agencies similarly cannot be given carte blanche access to the sensitive data to perform their own searches or filtering, because this would expose the law enforcement agencies to information that falls outside the scope of the authority.
To overcome this problem, a system has been developed that allows sensitive data to be automatically copied, transferred and securely stored at a separate remote facility where it can only be accessed in accordance with an appropriate authority. Since the sensitive data is copied, transferred and securely stored at the separate remote facility without any human intervention, the sensitive data has not been "intercepted". The sensitive data has merely been processed, e.g. routed and stored. Accordingly, the transfer and storage of sensitive data in accordance with the systems and methods described herein is unlikely to be in contravention of the appropriate legislation (e.g. RIPA) relating to interception of sensitive communications. Preferably, the sensitive information is securely stored at the remote facility in a manner such that it cannot be directly accessed by any party, including the body (e.g. the communications service provider 101) that created the sensitive data; it can only be indirectly accessed by entities or bodies (e.g. a law enforcement agency) with an appropriate authority.
The term "Direct Access" is used herein to mean the ability to obtain readable access to the full data set held temporarily in the secure data storage facility 111. Preferably, in normal use of the system authorized entities cannot obtain direct access to the copy of that data held in the secure data storage facility 111. Instead, an authorized entity can only obtain readable access to a subset of that data presented to them as a set of search results.
Therefore, in system 100, an exact copy of the sensitive data is transmitted to a secure data storage facility 111 via a secure data network 106 where it is stored in a secure impenetrable data store 108. The secure data network 106 may be any suitable data network such as a wireless data network, a wired data network, or a combination of a wired and wireless data network. In some cases, the communications service provider 101 may be obligated to supply the sensitive data to the secure data storage facility 111 under an agreement or law. For example, the communications service provider 101 may be party to an agreement or contract which requires the communications service provider 101 to supply the secure data storage facility 111 with all or a subset of the sensitive data collected by the communications service provider 101. Alternatively, the communications service provider 101 may be under compulsion by law to provide all or a subset of the collected sensitive data to the secure data storage facility 111. For example, a law enforcement agency may obtain an interception warrant under RIPA which compels the communications service provider 101 to provide a subset of the sensitive data to the secure data storage facility 111.
In these cases, the sensitive data may be filtered by a data filter module 107 prior to being delivered to the secure data storage facility 111 to ensure that only the sensitive data meeting the requirements of the agreement or compulsion order, for example, is provided to the secure data storage facility 111. For example, an agreement may stipulate that only UK to UK instant messages are to be transferred to the secure data storage facility 111. In that case, the data filter module 107 may be configured to filter out all non UK to UK instant message records from the sensitive data. In some examples the data filter module 107 may also organise data streams into common data fields. For example, date formats from different communication data suppliers may differ, and therefore the data filter module 107 can match data elements together or assign metadata to specific fields.
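The two jobs given to the data filter module 107 above (passing only the records the agreement permits, and normalising supplier-specific fields such as dates into one common layout) are shown together in the following added example. It is illustration code written for this page, not code from the patent or from Olton Limited; the record field names, the three supplier date formats, the country-code fields and the sample records are all constructed assumptions.

```python
"""Added example (not the patent's code): a data filter module in the style of
module 107 of Figure 1. It (1) normalises the differing date formats and field
names of several suppliers into one common record layout and (2) passes only
UK-to-UK instant message records, as in the agreement described in the text.
Field names, supplier formats and sample records are constructed assumptions."""
from datetime import datetime, timezone

# Constructed sample feed: three suppliers, each with its own date format.
# The country-code fields are assumed to be present on the raw records.
RAW_RECORDS = [
    {"supplier": "A", "from": "+447700900001", "to": "+447700900002",
     "sent": "14/12/2011 09:15:00", "from_cc": "GB", "to_cc": "GB", "body": "..."},
    {"supplier": "B", "from": "+447700900003", "to": "+33612345678",
     "sent": "2011-12-14T09:16:05Z", "from_cc": "GB", "to_cc": "FR", "body": "..."},
    {"supplier": "C", "from": "+447700900004", "to": "+447700900005",
     "sent": "1323854400", "from_cc": "GB", "to_cc": "GB", "body": "..."},
]

# Per-supplier date parsers; every result is a timezone-aware UTC datetime.
DATE_PARSERS = {
    "A": lambda s: datetime.strptime(s, "%d/%m/%Y %H:%M:%S").replace(tzinfo=timezone.utc),
    "B": lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
    "C": lambda s: datetime.fromtimestamp(int(s), tz=timezone.utc),
}


def normalise(raw):
    """Map a supplier-specific record onto the common field layout."""
    parser = DATE_PARSERS[raw["supplier"]]
    return {
        "supplier": raw["supplier"],
        "sender": raw["from"],
        "recipient": raw["to"],
        "sent_at": parser(raw["sent"]).isoformat(),  # one canonical UTC format
        "sender_country": raw["from_cc"],
        "recipient_country": raw["to_cc"],
        "message": raw["body"],
    }


def uk_to_uk(record):
    """The agreement's rule: both ends of the message must be in the UK."""
    return record["sender_country"] == "GB" and record["recipient_country"] == "GB"


def filter_feed(raw_records, predicate=uk_to_uk):
    """Normalise every record, then keep only those the agreement permits.
    A record that cannot be normalised is rejected rather than passed through
    unnormalised, so the store never receives a record it cannot index.
    Returns (kept_records, [(raw_record, reason), ...])."""
    kept, rejected = [], []
    for raw in raw_records:
        try:
            rec = normalise(raw)
        except (KeyError, ValueError) as exc:
            rejected.append((raw, f"unparseable: {exc}"))
            continue
        if predicate(rec):
            kept.append(rec)
        else:
            rejected.append((raw, "outside agreement"))
    return kept, rejected


if __name__ == "__main__":
    kept, rejected = filter_feed(RAW_RECORDS)
    print(f"kept {len(kept)}, rejected {len(rejected)}")
```

The rejection list is kept rather than discarded because the filter is the first point at which the facility can show that records outside the agreement never reached the store; an operator would feed that list to the data integrity audit module rather than log only the records that passed.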
Where the sensitive data is provided in encrypted format to the secure data storage facility 111, the communications service provider 101 will also typically provide to the secure data storage facility 111 the information required to decrypt the sensitive information. The information required for decryption may be provided to the secure data storage facility 111 via the data network 106 or any other suitable means. For example, where each user/device is assigned a unique global encryption key which is used to encrypt and decrypt all communications to and from the user/device, the communications service provider 101 may provide the global encryption keys for the relevant users/devices. Where the decryption information is held alongside the encrypted records, the confidentiality of those records rests on the access controls of the secure data storage facility 111 rather than on the encryption itself, so the same access restrictions described below apply to the key material as to the records.
The sensitive data may be streamed to the secure data storage facility 111. As used herein the term "data streaming" is intended to cover the transferring of data so that it can be processed as a steady and continuous stream. For example, the term "data streaming" includes the continuous transfer of data at a steady high-speed rate sufficient to enable the recipient to monitor communications between two or more parties in real-time. Alternatively, the sensitive data may be transferred through a series of transfers. Such transfers may be initiated by the communications service provider 101 or by the secure data storage facility 111.
The secure data storage facility 111 stores the received sensitive data in the secure impenetrable data store 108 in a manner so that no party, including the entity that provided the sensitive data to the secure data storage facility 111 (e.g. the communications service provider 101), has direct access to the sensitive data. Only those entities (e.g. individuals or organizations) with an appropriate authority will be provided indirect access to the sensitive data. Even with an appropriate authority, the authorized entities may only have indirect access to the sensitive data specified in the authority, and no more. In some examples the person skilled in the art will appreciate that a search engine may be used to provide indirect access to the sensitive data.
An exemplary system for providing secure access to the sensitive data stored by the secure data storage facility 111 will be described in reference to Figure 2.
The secure impenetrable data store 108 may comprise a receiving module (not shown) for receiving the sensitive data and a storage module (not shown) for storing the received sensitive data. The storage module may be in the form of or including a database. In the context of this application a "secure impenetrable data store" is intended to cover a form of data store wherein access to the data contained therein is strictly controlled. A secure impenetrable data store may be established using known means such as a firewall and encryption. For example, all reasonable precautions subject to standard CESG (Communications-Electronics Security Group) approved accreditation procedures may be taken to ensure that the sensitive data stored in the secure impenetrable data store 108 may not be accessed without an appropriate authority.
The secure impenetrable data store 108 may be configured to only store sensitive data for a predefined period of time. Upon expiry of the predefined period of time, all traces of the particular sensitive data may be automatically deleted from the secure impenetrable data store 108. The secure impenetrable data store 108 may be understood then as implementing a rolling window where any sensitive data not falling within the window is deleted from the secure impenetrable data store 108. For example, if the predefined period of time is 7 days, any sensitive data older than 7 days may be automatically deleted. This means that in some examples any sensitive data older than a predefined period of time measured from the date of capture may be automatically deleted.
The predefined period of time will typically range from days (e.g. 14 days) to years. However, it will be evident to a person of skill in the art that any suitable predefined period of time may be used. The predefined period of time may be based on the type of sensitive data and/or the terms of the agreement between the parties. Accordingly, different types of sensitive data may have different predefined periods of time. For example, text message records and instant message records may have different predefined periods of time.
In some examples the secure impenetrable data store 108 may be configured to delete and purge data held in the secure impenetrable data store 108 when a certain storage capacity has been reached, such that any new data being received into the secure impenetrable data store 108 results in a corresponding amount of data being removed from the secure impenetrable data store 108 on a continuous rolling basis. The permissible data storage limit may be selected, or may be determined by the physical storage capacity of the hardware employed.
The secure impenetrable data store 108 may also be configured to automatically index the received sensitive data. For example, the sensitive data may be divided into a plurality of portions where each portion corresponds to a communication record, for example. Indexing may then involve generating an index for each portion (e.g. communication record) and storing the index alongside the corresponding portion of sensitive data in the secure impenetrable data store 108. The index may then be updated upon deletion of the corresponding sensitive data. Indexing may greatly speed up any searches performed on the sensitive data. Alternatively the indexing may be carried out by a module separate from the secure impenetrable data store.
The secure data storage facility 111 may also include a data integrity audit module 110 to ensure the integrity of the sensitive data stored in the secure impenetrable data store 108. For example, the data integrity audit module 110 may monitor all activity of the secure impenetrable data store 108 and automatically generate incorruptible activity logs and history files. Specifically, the data integrity audit module 110 may monitor all activity that occurs on the secure impenetrable data store and compare it against predefined rules and parameters. Any variances detected between what is measured and the pre-defined rules and parameters may trigger a variance report prompting further investigation as necessary. This means that the data integrity module can be considered to ensure both the protection and integrity of the data stored in the secure impenetrable data store 108.
The activity logs and history files may be used to ensure that the sensitive data stored in the secure impenetrable data store 108 is in the same state as it was when it was received from the communications service provider 101— it has not been manipulated (e.g. that there have been no changes, additions and/or deletions) or structurally changed. The data integrity audit module 110 therefore provides the parties (e.g. the communications service provider 101 and the law enforcement agencies) with confidence that the sensitive data stored in the secure impenetrable data store 108 has not been tampered with. Where the sensitive data is only stored for a predefined period of time, the data integrity audit module 110 may also be used to ensure that the sensitive data is deleted in accordance with the predefined period(s) of time. For example, the predefined period(s) of time may be provided to the data integrity audit module 110 which then monitors the secure impenetrable data store 108 to ensure that the sensitive data is deleted in accordance with the predefined period(s) of time.
Specifically, the data integrity audit module 110 may be configured to monitor the number of records being deleted from the secure impenetrable data store 108 to ensure that it is the same as the number that entered the data store a predetermined time ago. For example, where the predefined period of time is seven days, the number of records deleted on a particular day should be the same as the number of records added to the secure impenetrable data store 108 seven days ago.
The data integrity audit module 110 may be configured to automatically produce regular audit reports and example records for scrutiny by the system administrators and other regulatory bodies. The data integrity audit module 110 may also be configured to enable administrators to conduct detailed investigations regarding the correct usage of the system 100 and adherence to protocols. The data integrity audit module 110 also may be configured to automatically produce an alert when it detects an error condition. Examples of error conditions include, but are not limited to: the sensitive data has been modified; and/or the sensitive data has not been deleted in accordance with predefined period(s) of time.
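The rolling retention window of the secure impenetrable data store 108 and the checks the data integrity audit module 110 is described as applying to it (records unchanged since ingest, nothing retained past the window, deletions on a day matching ingests a window-length earlier, and an activity log whose history cannot be silently altered) are combined in the following added example, which also covers the claim language about automatic deletion after a predefined period and monitoring of store activity. It is illustration code written for this page, not code from the patent or from Olton Limited; the record layout, the 7-day window, the audit rules, the SHA-256 hash chain used for the activity log and the ingest dates are assumptions made for the example.

```python
"""Added example (not the patent's code): a minimal secure store with the
rolling retention window and the data integrity audit checks described for
store 108 and module 110. Record layout, the 7-day window, the audit rules and
the hash-chained activity log are assumptions; the ingest dates are constructed."""
import hashlib
import json
from collections import Counter
from datetime import date, timedelta

RETENTION_DAYS = 7  # assumed predefined period of time


def digest(obj):
    """Content hash; taken at ingest and recomputed at audit time."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class SecureStore:
    def __init__(self):
        self.records = {}          # record_id -> (ingest_date, record, digest_at_ingest)
        self.ingested = Counter()  # date -> number of records added that day
        self.deleted = Counter()   # date -> number of records purged that day
        self.activity = []         # hash-chained activity log
        self._prev = "0" * 64

    def _log(self, event):
        # Each entry commits to the previous entry's hash, so removing or
        # rewriting an earlier entry breaks every later link.
        entry = {"event": event, "prev": self._prev}
        entry["hash"] = digest(entry)
        self._prev = entry["hash"]
        self.activity.append(entry)

    def ingest(self, record_id, record, ingest_date):
        self.records[record_id] = (ingest_date, record, digest(record))
        self.ingested[ingest_date] += 1
        self._log({"op": "ingest", "id": record_id, "date": ingest_date.isoformat()})

    def purge(self, today):
        """Delete every record whose ingest date has fallen out of the window."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        for rid, (d, _, _) in list(self.records.items()):
            if d <= cutoff:
                del self.records[rid]
                self.deleted[today] += 1
                self._log({"op": "delete", "id": rid, "date": today.isoformat()})


def audit(store, today):
    """Return the list of variances found; an empty list means the store is clean."""
    variances = []
    cutoff = today - timedelta(days=RETENTION_DAYS)
    for rid, (d, rec, d0) in store.records.items():
        if digest(rec) != d0:                      # rule 1: no modification
            variances.append(f"record {rid} modified")
        if d <= cutoff:                            # rule 2: nothing past window
            variances.append(f"record {rid} retained past window")
    expected = store.ingested[cutoff]              # rule 3: deletions match ingests
    if store.deleted[today] != expected:
        variances.append(f"deleted {store.deleted[today]} today, expected {expected}")
    prev = "0" * 64                                # rule 4: log chain intact
    for entry in store.activity:
        body = {"event": entry["event"], "prev": entry["prev"]}
        if entry["prev"] != prev or digest(body) != entry["hash"]:
            variances.append("activity log chain broken")
            break
        prev = entry["hash"]
    return variances


def build_demo_store(skip_purge=False):
    """Constructed scenario: three records on day 0, one on day 1, and the
    daily purge run on day 7 (unless skipped). Returns (store, today)."""
    day0 = date(2011, 12, 1)
    store = SecureStore()
    for i in range(3):
        store.ingest(f"r{i}", {"message": f"m{i}"}, day0)
    store.ingest("r3", {"message": "m3"}, day0 + timedelta(days=1))
    today = day0 + timedelta(days=RETENTION_DAYS)
    if not skip_purge:
        store.purge(today)
    return store, today


if __name__ == "__main__":
    store, today = build_demo_store()
    print("variances:", audit(store, today))
```

The deletion-count rule only holds when the purge runs every day; if a run is missed, the next run deletes two days' worth of records and the audit reports a variance, which is the intended behaviour, since a skipped purge is itself a retention failure the operator should see.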
Each of the data filter module 107, the secure impenetrable data store 108 and the data integrity audit module 110 may be implemented in hardware or software. For example, each of the data filter module 107, the secure impenetrable data store 108 and the data integrity audit module 110 may be implemented by one or more computers, each computer comprising one or more processors. Alternatively each of the data filter module 107, the secure impenetrable data store 108 and the data integrity audit module 110 may be implemented by instructions that are stored on a computer readable medium, that when executed by a computer performs the functions described above.
The secure impenetrable data store 108 and the data integrity audit module 110 may be implemented in a single device or in separate devices.
Reference is now made to Figure 2 which illustrates an exemplary system 200 for allowing authorized access to the sensitive data stored in the secure impenetrable data store 108 of Figure 1 in accordance with an authority.
As described above, in many countries law enforcement agencies may only lawfully intercept sensitive communications, such as emails, texts, instant messages etc. by first obtaining an authority under appropriate legislation. For example, in the UK, law enforcement agencies must obtain an interception warrant under the Regulation of Investigatory Powers Act 2000 (RIPA) to intercept personal communications traffic.
Obtaining the authority typically involves submitting a request to the appropriate body for approval. For example, in the UK, the law enforcement agency must submit a request to the Secretary of State. The request typically must set out the specific communications data they would like to access, and the reasons the requested access should be granted. If the request is approved an authority is granted which usually carries with it quite simple, but very strict rules on what information can and cannot be accessed, how it may be obtained, and the time periods in which it may be obtained. For example, in the UK, if the Secretary of State approves the request an interception warrant is issued.
Reference is now made to Figure 3 which illustrates an example of an authority in the form of an interception warrant 300. The warrant 300 comprises an introduction section 302 which sets out basic information (e.g. name, date of birth and address) of the person whose communications the law enforcement agency wishes to intercept; an intelligence section 304 that sets out the justification for the interception warrant; a request section 306 that sets out the specifics of the interception request (e.g. what types of communication are to be monitored (e.g. BBM messages)) and the means used to identify the communications of interest (e.g. BBM PIN: 2K6de3L2); and an approval section 308 that sets out the specifics of the authority given to the law enforcement agency.
The approval section 308 typically sets out how the communications of interest are to be identified and the time period for which the warrant is valid. For example, in the exemplary interception warrant 300, the approval section 308 specifies that the law enforcement agency has been given permission to monitor and intercept communications related to mobile number 0787123467899 and BBM Pin:2K6de3L2 for the time period of 14th December 2011 to 12th December 2012.
Referring back to Figure 2, the system 200 is designed to ensure that access granted to sensitive data under a specific authority is provided only in accordance with the specific authority. In particular, the system 200 is designed to ensure that the data accessing body or entity authorized under the authority can only access the sensitive data explicitly specified in the authority and no more.
The system 200 comprises the secure impenetrable data store 108 of Figure 1 for storing the sensitive data; a search parameter set-up module 202 for obtaining the terms of the authority that grants access to the sensitive data and generating a maximum search boundary based on the terms of the authority; and a search module 204 for searching the sensitive data stored in the secure impenetrable data store 108 in accordance with the maximum search boundary to produce a set of search results. The system 200 may also comprise a search audit module 206 for recording the terms of the authority and the search activities undertaken on the sensitive data stored in the secure impenetrable data store 108; a search data store 208 for storing the search results; and a user interface module 210 for providing authorized entities with controlled access to the search results stored in the search data store 208.
The system 200 may therefore provide access to the data together with analysis and assessment of the results, to enhance the usability of the search results stored in the search data store 208.
Any authority granting access to sensitive data typically defines the terms of the access. The terms may include, but are not limited to, the specific sensitive data that may be accessed under the authority and the time period over which the specific sensitive data may be collected. The search parameter set-up module 202 is configured to receive the terms of the authority and generate the maximum search boundary for that authority based on the received terms. For example, the maximum search boundary may be defined by one or more search strings based on the terms of the authority. Specifically, the search strings may define the parameters and time frame of the search under that authority.
Where the terms of the authority also include the entities (e.g. individuals or organization) authorized to access the sensitive data, the search parameter set-up module 202 may also be configured to generate a list of entities entitled to access the sensitive data under the authority. Typically, a search under a particular authority cannot be performed on the sensitive data until the terms of the authority have been provided to the search parameter set-up module 202 and the maximum search boundary generated.
The search parameter set-up module 202 may also be configured to generate a unique authority identification (ID) for each specific authority entered in the search parameter set-up module 202. For example, an authority ID may be generated for each warrant or agreement entered into the search parameter set-up module 202. The unique authority ID may be used (1) to ensure that any searches performed under that specific authority do not extend beyond the boundaries of the authority; and (2) to track (e.g. log or record) any searches performed under that specific authority. The terms of the authority may be manually or automatically entered into the search parameter set-up module 202. In some cases, the search parameter set-up module 202 may comprise a user interface that allows a user or administrator to manually enter the terms of the authority. For example, where the authority is a RIPA interception warrant, the details of the interception warrant may be provided to an administrator of the system who then enters the terms of the interception warrant into the search parameter set-up module 202 user interface. Preferably, the terms of the authority are manually entered into the search parameter set-up module 202 by a trusted third party. This provides further assurance that the sensitive data stored in the secure impenetrable data store 108 may only be accessed under the terms of an appropriate and valid authority. For example, if the authority is a RIPA interception warrant, the trusted third party is selected so that they do not have a vested interest in any investigation related to the specific RIPA interception warrant. Accordingly, the trusted third party has no incentive to falsify the terms of the authority to increase or alter the sensitive data that may be accessed under the warrant. The trusted third party may be separate from any of the government agencies and may be subject to monitoring and/or inspection by an Independent RIPA Commissioner. In other cases, the terms of the authority may be entered by a separate department within a particular law enforcement agency that has no connection with the investigation teams connected to the specific authority (e.g. RIPA interception warrant) and that acts only to provide an internal service.
In some examples, therefore, an audit process is undertaken to demonstrate compliance with the warrant or other authority. Alternatively, the search parameter set-up module 202 may comprise an automatic module that receives the details of the authority in electronic form and automatically extracts the terms of the authority without user intervention. For example, the authority may be scanned or otherwise converted into a PDF (Portable Document Format) document which is emailed to the search parameter set-up module 202. The search parameter set-up module 202 may then automatically scan the PDF document for the relevant terms. Benefits of automatically entering the terms of the authority over entering them manually include, but are not limited to: (1) there is no need to obtain and train a person to manually enter the terms of the authority; and (2) automatic detection of the terms of the authority decreases the chance that an error is made in entering them.
The maximum search boundary may be manually or automatically generated. For example, in some cases, an administrator will use the terms of the authority to enter search parameters which are then converted into one or more search strings. In these cases, the search parameter set-up module 202 may provide templates for the administrator that convert the inputted parameters into very specific executable search strings that ensure that the boundaries of the authority cannot be accidentally circumvented or breached when activated. Alternatively, the search parameter set-up module 202 may be configured to automatically generate the search strings based on the received authority terms.
Once the search string(s) and authority ID have been generated by the search parameter set-up module 202, they are transmitted or provided to the search module 204. In some cases, prior to transmitting the search string(s) and authority ID to the search module 204 the search string(s) may be verified against the terms of the authority to ensure that any search conducted using the search string(s) does not go beyond the authority and the authority is valid. For example, the dates for searching defined by the search string(s) may be compared against the current date to ensure that the search may be lawfully conducted.
The search parameter set-up module 202 may be configured to transmit or provide the search string(s) and authority ID to the search module 204 only after the search is "activated". For example, where the search parameter set-up module 202 comprises a user interface, the user interface may include means, such as a button, to allow the administrator to activate the search. Alternatively, the search parameter set-up module 202 may be configured to automatically provide the search string(s) to the search module 204 once they have been generated and verified.
In some cases the search parameter set-up module 202 may also be configured to alert or notify the authorized entities that the authority has been set-up. For example, where the system 200 comprises a user interface module 210, the alert or notification may be displayed to the authorized entity at the user interface module 210.
In some cases the search parameter set-up module 202 may also be configured so that certain search functions are disabled and other search inputs are subjected to strict data validation rules. In some examples, searching on certain key words is not possible because that search functionality is disabled: a search on such key words could be in breach of the specific RIPA interception warrant.
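The set-up steps described above (terms in, strict validation, a maximum search boundary and authority ID out, a pre-activation date check, and free-text search disabled) can be illustrated with the following Python. This is an added example and not code from the patent or from Olton Limited. The identifier kinds, their format rules, the hash-based authority ID scheme, the search-string syntax and the sample warrant terms are all assumptions; only exact-match clauses on validated identifiers can be expressed, so a key word search cannot be built at all:

```python
"""Search parameter set-up module 202: turn the terms of an authority into a
maximum search boundary, an authority ID and executable search strings.

Added example, not code from the patent. The identifier kinds, their format
rules, the authority-ID scheme, the search-string syntax and the sample terms
are all assumptions chosen for illustration.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import date

# Strict validation rules for the only identifier kinds a search may use.
# Free-text key word search has no rule here, so it cannot be expressed at all.
IDENTIFIER_RULES = {
    "mobile_number": re.compile(r"07\d{9,11}"),   # assumed UK mobile format
    "bbm_pin": re.compile(r"[0-9A-Za-z]{8}"),      # assumed 8-character PIN
}


@dataclass(frozen=True)
class AuthorityTerms:
    reference: str                  # warrant reference as issued
    identifiers: dict               # kind -> value copied from the warrant
    valid_from: date
    valid_to: date
    authorized_entities: frozenset  # who may see the results


@dataclass(frozen=True)
class SearchBoundary:
    authority_id: str
    clauses: tuple                  # ((kind, value), ...) exact-match only
    valid_from: date
    valid_to: date
    authorized_entities: frozenset


def clause_is_permitted(kind, value):
    """A clause is allowed only if the kind is known and the value is well formed."""
    rule = IDENTIFIER_RULES.get(kind)
    return rule is not None and rule.fullmatch(value) is not None


def authority_id_for(terms):
    """Unique, reproducible authority ID (assumed scheme: hash of the terms)."""
    parts = [terms.reference, terms.valid_from.isoformat(), terms.valid_to.isoformat()]
    parts += sorted(f"{k}={v}" for k, v in terms.identifiers.items())
    return "AUTH-" + hashlib.sha256("|".join(parts).encode()).hexdigest()[:12].upper()


def build_boundary(terms):
    """Generate the maximum search boundary; refuse anything the terms do not cover."""
    if terms.valid_to < terms.valid_from:
        raise ValueError("authority end date precedes its start date")
    if not terms.identifiers:
        raise ValueError("authority names nothing to search on")
    clauses = []
    for kind, value in sorted(terms.identifiers.items()):
        if not clause_is_permitted(kind, value):
            raise ValueError(f"search on {kind}={value!r} is not permitted")
        clauses.append((kind, value))
    return SearchBoundary(authority_id_for(terms), tuple(clauses),
                          terms.valid_from, terms.valid_to, terms.authorized_entities)


def verify_boundary(boundary, today):
    """Pre-activation check: may a search under this boundary lawfully run today?"""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return boundary.valid_from <= today <= boundary.valid_to


def search_strings(boundary):
    """Render each clause as a fully specified, time-bounded search string."""
    window = f"{boundary.valid_from.isoformat()}..{boundary.valid_to.isoformat()}"
    return [f"{kind}=={value} AND sent_within {window}" for kind, value in boundary.clauses]


# Constructed terms mirroring the warrant of Figure 3.
EXAMPLE_TERMS = AuthorityTerms(
    reference="WARRANT-0001",
    identifiers={"mobile_number": "0787123467899", "bbm_pin": "2K6de3L2"},
    valid_from=date(2011, 12, 14),
    valid_to=date(2012, 12, 12),
    authorized_entities=frozenset({"investigator.a"}),
)


def example_boundary():
    return build_boundary(EXAMPLE_TERMS)


if __name__ == "__main__":
    b = example_boundary()
    print(b.authority_id, verify_boundary(b, "2012-06-01"))
    print("\n".join(search_strings(b)))
```

The boundary is generated entirely from the authority's terms; nobody types a query. `verify_boundary` is the check to run before the search is activated, and `clause_is_permitted` is what rejects a key word or a malformed identifier rather than letting it reach the search module.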
Figure 4 illustrates an exemplary search parameter set-up module user interface 400 to be used for RIPA authorities (called "RIPA Authorisation Notice" or "RIPA Request"). It shows RIPA authorities that have already been entered into the system and allows an administrator to enter additional RIPA authorities using, for example, the "Register" button.
Referring back to Figure 2, the search module 204 is configured to search the secure impenetrable data store 108 for the sensitive data outlined in the authority. As described above, the sensitive data stored in the secure impenetrable data store 108 may be indexed to increase the speed at which searches may be performed. A copy of the index may be stored in the search module 204. In some cases, it may be the search module 204 that indexes the sensitive data stored in the secure impenetrable data store 108 and then stores a copy of the index data.
In the example illustrated Figure 2, the search module 204 is integrated with the secure data storage facility 111. In some examples the search module 204 is integrated with the secure impenetrable data store 108. In other examples the search module 204 may not be integrated with the secure data storage facility 111 or the secure impenetrable data store 108.
In the illustrated example, the search module 204 is the only means by which data in the secure data storage facility 111 can be accessed. However, in some examples other means of access may be provided. As described above, preferably the sensitive data stored in the secure impenetrable data store 108 has been indexed. This may drastically increase the speed at which searches may be performed.
In some cases, the search module 204 may be configured to automatically perform an initial search of the secure impenetrable data store 108 using the search string(s) received from the search parameter set-up module. In other cases, particularly where there is a large amount of sensitive data to be searched, the search module 204 may be configured to perform the initial search at a predetermined time. For example, the search module 204 may be configured to schedule the initial search at a down time. The initial search identifies all of the sensitive data in the secure impenetrable data store 108 that matches the search criteria.
A copy of the results of the initial search is extracted and placed into a further data store 208, hereinafter referred to as the search data store 208. For example, the search module 204 may generate a copy of the results of the initial search and forward the copy to the search data store 208. In this context the term "search data" is intended to cover the results of a search, not the data used by the search module 204 to conduct the search. However, in some cases the "search data" may comprise both the search results and the search string(s) used to conduct the search. Specifically, as described below, the search results may be stored in the search data store 208 alongside the search string(s) used to produce the search results. Preferably the search data store 208 is in the form of a database, but it will be evident to a person of skill in the art that the search data store 208 may take other appropriate forms.
In this configuration the only device that has direct access to the secure impenetrable data store 108 (and thus to the sensitive data stored in it) is the search module 204. Since all activity of the search module 204 is monitored by the search audit module 206, it can be ensured that there is no unauthorized access to the sensitive data stored in the secure impenetrable data store 108. As noted above, the search module 204 may hold the data index (which allows faster searching of the data) and may search, copy and forward the relevant compliant data. In this way the data held by the search module reflects that held in the secure impenetrable data store 108. This ensures that there is no other access to the secure impenetrable data store, with only the audit and data cleansing roles having any role in relation to the secure data.
The search data store 208 allows for the capture and preservation of the search results. It should be noted that the process of capturing and preserving the search results does not alter the data in the secure impenetrable data store 108. During this process, the sensitive data stored in the secure impenetrable data store 108 remains in the secure impenetrable data store 108. In some examples, the search data store 208 allows for the capture and preservation of the search results only.
Preferably, the search results are placed in the search data store 208 as incorruptible read only records to ensure that the data cannot be subsequently altered. In some cases, in addition to containing the actual search results, the incorruptible read only records may also contain, but are not limited to, one or more of the following: the authority ID, the search string(s) used to generate the search results, and other associated metadata (e.g. the date and time of the search and the username of the person initiating the search, if appropriate). If the sensitive data was stored in the secure impenetrable data store 108 in encrypted format, the extraction process may also comprise decrypting the search results prior to storing them in the search data store 208.
As described above, the terms of the authority will typically stipulate the time period for which the authorized entity may have access to the sensitive data. In some cases, the authority will stipulate a very small window of time (e.g. a day), whereas in other cases, the authority will stipulate a very large window of time (e.g. three months). Where the authority stipulates a time period that extends beyond the predefined period(s) of time used to trigger automatic deletion of the sensitive data, the search module 204 may be configured to automatically repeat the search under that authority at a predetermined rate in order to identify new matches of sensitive data that subsequently arrive in the secure impenetrable data store 108. For example the search module 204 may be configured to search the secure impenetrable data store 108 every minute until expiry of the authority.
The rate at which a particular search is repeated may be manually set by the administrator (e.g. using the user interface of the search parameter set-up module 202) or automatically set based on the time period for access and the predefined period(s) of time used to trigger automatic deletion.
Any new matches that are identified by a subsequent search are decrypted (if necessary) and stored in the search data store 208 alongside the matches already copied to the search data store 208 during the initial search using the authority ID.
To ensure that each search that is performed is a valid search, the search module 204 may be configured to verify, each time it performs a search, that the search string(s) being used remain valid and within the bounds of the authority.
The system 200 may also include a search audit module 206 to ensure that all searches performed on the sensitive data stored in the secure impenetrable data store 108 are in conformance with the one or more authorities. Specifically, the search audit module 206 receives and records the terms of the authority from the search parameter set-up module 202, and monitors and records all search activity related to the sensitive data stored in the secure impenetrable data store 108 for future audit purposes. For example, the search audit module 206 may be configured to monitor: (1) the search parameter set-up module 202 to ensure that the terms of the one or more authorities were correctly entered; and/or (2) the search module 204 to ensure that any searches performed on the sensitive data are in accordance with the one or more authorities.
The search audit module 206 may be configured to automatically produce regular audit reports and example records for scrutiny by the system administrators and other regulatory bodies. The search audit module 206 may also be configured to enable administrators to conduct detailed investigations regarding the correct usage of the system 200 and adherence to protocols.
In some cases, the search audit module 206 may be configured to automatically produce an alert when it detects an error condition. Examples of possible error conditions include, but are not limited to: a search that does not comply with the one or more authorities has been conducted on the sensitive data; and/or the terms of an authority have not been correctly entered.
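An added example (not the patent's code) of the search module and search audit module working together, as described in the preceding paragraphs: an index over two identifier fields, an initial search that copies matches into read-only result records carrying the authority ID and search string, a repeat search that adds only new arrivals, and an audit check that refuses a search whose clauses widen the boundary or whose authority has expired and raises an alert for it. The record layout, the index structure, the boundary tuple, the audit event names and the sample messages are assumptions constructed for the example:

```python
"""Search module 204 with search audit module 206 over an indexed store.  Added
example, not code from the patent: record layout, index, boundary representation,
audit event names and sample messages are all assumptions."""
from collections import namedtuple
from types import MappingProxyType

INDEXED_FIELDS = ("mobile_number", "bbm_pin")   # assumed identifier fields
# clauses: ((field, value), ...) exact match only; valid_from/valid_to are ISO dates
Boundary = namedtuple("Boundary", "authority_id clauses valid_from valid_to")


class IndexedStore:
    """Stand-in for the secure impenetrable data store 108 plus its index."""
    def __init__(self, records):
        self.records, self._index = {}, {}
        for r in records:
            self.add(r)

    def add(self, record):
        self.records[record["id"]] = dict(record)
        for f in INDEXED_FIELDS:
            if f in record:
                self._index.setdefault((f, record[f]), set()).add(record["id"])

    def ids_for(self, field, value):
        return set(self._index.get((field, value), ()))


class SearchAudit:
    """Holds the registered authorities, logs every search and alerts on a breach."""
    def __init__(self):
        self.registered, self.log, self.alerts = {}, [], []

    def register(self, boundary):
        self.registered[boundary.authority_id] = boundary
        self.log.append(("registered", boundary.authority_id, boundary.clauses))

    def check_search(self, authority_id, clauses, today):
        b = self.registered.get(authority_id)
        if b is None:
            problem = "unknown authority"
        elif not set(clauses) <= set(b.clauses):
            problem = "clause outside authority"
        elif not b.valid_from <= today <= b.valid_to:
            problem = "authority not valid today"
        else:
            self.log.append(("search", authority_id, clauses, today))
            return True
        self.alerts.append((problem, authority_id, clauses, today))
        return False


class SearchModule:
    """The only component that reads the store; copies matches out as read-only records."""
    def __init__(self, store, audit):
        self.store, self.audit = store, audit
        self.results = []    # the search data store 208
        self._copied = {}    # authority_id -> record ids already copied

    def run(self, boundary, clauses, today):
        """Initial or repeat search; returns how many new matches were copied."""
        if not self.audit.check_search(boundary.authority_id, clauses, today):
            return 0
        copied = self._copied.setdefault(boundary.authority_id, set())
        matched = set().union(*(self.store.ids_for(f, v) for f, v in clauses))
        new = 0
        for rid in sorted(matched - copied):
            rec = self.store.records[rid]
            if not boundary.valid_from <= rec["sent"][:10] <= boundary.valid_to:
                continue     # right identifier, but outside the authorised window
            result = {"authority_id": boundary.authority_id, "searched_on": today,
                      "search_string": " OR ".join(f"{f}=={v}" for f, v in clauses),
                      "record": MappingProxyType(dict(rec))}
            self.results.append(MappingProxyType(result))   # read-only at both levels
            copied.add(rid)
            new += 1
        return new


# Constructed sample messages (not real data); m3 predates the warrant window.
SAMPLE_RECORDS = [
    {"id": "m1", "bbm_pin": "2K6de3L2", "sent": "2011-12-20T10:00:00", "body": "..."},
    {"id": "m2", "mobile_number": "0787123467899", "sent": "2012-01-03T09:30:00", "body": "..."},
    {"id": "m3", "bbm_pin": "2K6de3L2", "sent": "2011-11-01T12:00:00", "body": "..."},
]
EXAMPLE_BOUNDARY = Boundary("AUTH-0001", (("bbm_pin", "2K6de3L2"),
                                          ("mobile_number", "0787123467899")),
                            "2011-12-14", "2012-12-12")


def demo():
    """Initial search, a repeat after new data arrives, then two refused searches."""
    store, audit = IndexedStore(SAMPLE_RECORDS), SearchAudit()
    module = SearchModule(store, audit)
    audit.register(EXAMPLE_BOUNDARY)
    first = module.run(EXAMPLE_BOUNDARY, EXAMPLE_BOUNDARY.clauses, "2012-01-05")
    store.add({"id": "m5", "bbm_pin": "2K6de3L2", "sent": "2012-01-06T08:00:00", "body": "..."})
    repeat = module.run(EXAMPLE_BOUNDARY, EXAMPLE_BOUNDARY.clauses, "2012-01-06")
    widened = module.run(EXAMPLE_BOUNDARY, (("bbm_pin", "AAAAAAAA"),), "2012-01-06")
    expired = module.run(EXAMPLE_BOUNDARY, EXAMPLE_BOUNDARY.clauses, "2013-01-01")
    return {"first": first, "repeat": repeat, "widened": widened, "expired": expired,
            "results": module.results, "alerts": audit.alerts, "log": audit.log}
```

`demo()` returns 2 matches from the initial search and 1 from the repeat; the widened and expired searches return 0 and each leave an entry in `audit.alerts` without touching the store. Results are `MappingProxyType` views, so a later attempt to assign into a stored record raises `TypeError`.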
The data integrity audit module 110 of Figure 1 and the search audit module 206 of Figure 2 may be implemented in the same device or in separate devices.
The search data store 208 used to store the results of the searches conducted by the search module 204 may also be subject to very strict access controls such that only those entities (e.g. individuals or organizations) authorized to access the sensitive data under an authority have access to the sensitive data in the search data store 208. Specifically, access to the data in the search data store 208 may be controlled by the authority terms provided to the search parameter set-up module 202.
Preferably, the search module 204 is configured to send an alert or notification to the authorized entities each time new search results are added to the search data store 208 for a particular authority. For example, where the system 200 comprises a user interface module 210, the alert or notification may be transmitted to and displayed on the user interface module 210. Alternatively, the alert or notification may be transmitted directly to the authorized entity. For example, the alert or notification may be directly transmitted to a police investigator's personal communication device, such as a mobile phone, a personal digital assistant (PDA), or a pager, via any communication means, such as email, text message or the like. In some cases, the alert may be sent to both the user interface module 210 and the authorized entity's personal communication device(s).
Once a copy of the search results have been stored in the search data store 208, authorized entities may access the sensitive data in the search data store 208 and use it to further their investigations. Preferably, the sensitive data is stored in the search data store 208 in such a manner that it allows the sensitive data to be assessed and analysed, for instance, tagged, organised, sorted and commented upon, in order to enhance the usability of the search results. For example, the sensitive data may be processed and analysed in accordance with the methods and systems described in International Published Patent Application No. WO 2009/037478. Access to the data stored in the search data store 208 may be provided to authorized entities by a user interface module 210. Typically, to gain access to the data stored in the search data store 208, the user must first identify the specific authority under which they are accessing the search data store 208.
The user interface module 210 may provide the user with a list of authority IDs they can select from, where, as discussed above, each authority ID identifies a specific authority entered into the search parameter set-up module 202. Alternatively, the user interface module 210 may provide the user with means to manually identify a particular authority. For example, the user interface module 210 may allow the user to manually enter a specific authority ID.
The user interface module 210 may require that the user be authenticated before an authority can be identified. For example, the user may have to provide a username and password to gain access to the user interface module 210, and once authenticated they may only be allowed to search under particular authorities.
Once the user has identified an authority, the user may access all of the sensitive information stored in the search data store 208 related to that authority. In advanced systems the user interface module 210 may also enable the user to conduct further searches, apply filters and sorts on the relevant sensitive data, and manage additional metadata that can be applied to the sensitive data. The user interface module 210 therefore may enable the user to take advantage of current and new reporting techniques and visualisation tools to aid discovery and communication.
In either case, the user interface module 210 may provide the user with read only access to the set of results stored in the search data store 208.
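The access controls described for the search data store 208 and the user interface module 210 (authenticate first, then only the authorities the user is named in, and read-only results) can be implemented as follows. This is an added example, not code from the patent; the PBKDF2 password scheme, the entitlement table keyed by authority ID, and the sample users and results are assumptions:

```python
"""User interface module 210: authenticate the user, then release only the
results of authorities that user is entitled to, as read-only views.

Added example, not code from the patent. The password scheme (PBKDF2), the
entitlement table and the sample users and results are assumptions.
"""
import hashlib
import hmac
import os
from types import MappingProxyType


def _hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class UserDirectory:
    """Salted PBKDF2 password store for the people allowed to log in."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def authenticate(self, username, password):
        # Unknown users get a dummy salt and digest so the check always runs
        # the same work and the comparison is constant time.
        salt, digest = self._users.get(username, (b"\0" * 16, b"\0" * 32))
        return hmac.compare_digest(digest, _hash_password(password, salt))


class UserInterfaceModule:
    def __init__(self, directory, entitlements, search_data_store):
        # entitlements: authority_id -> usernames named in that authority's terms
        self._directory = directory
        self._entitlements = {a: frozenset(u) for a, u in entitlements.items()}
        self._store = search_data_store     # list of result records

    def authorities_for(self, username):
        """Authority IDs the user may select from (the list of Figure 5)."""
        return sorted(a for a, users in self._entitlements.items() if username in users)

    def results_for(self, username, password, authority_id):
        """Read-only results under one authority, or PermissionError."""
        if not self._directory.authenticate(username, password):
            raise PermissionError("authentication failed")
        if username not in self._entitlements.get(authority_id, ()):
            raise PermissionError(f"{username} is not entitled under {authority_id}")
        return tuple(MappingProxyType(dict(r)) for r in self._store
                     if r["authority_id"] == authority_id)


def build_demo():
    """Constructed users, entitlements and results for the example."""
    directory = UserDirectory()
    directory.add_user("investigator.a", "correct horse battery")
    directory.add_user("investigator.b", "another passphrase")
    entitlements = {"AUTH-0001": {"investigator.a"}, "AUTH-0002": {"investigator.b"}}
    store = [
        {"authority_id": "AUTH-0001", "record_id": "m1", "body": "..."},
        {"authority_id": "AUTH-0001", "record_id": "m2", "body": "..."},
        {"authority_id": "AUTH-0002", "record_id": "m9", "body": "..."},
    ]
    return UserInterfaceModule(directory, entitlements, store)
```

Entitlement is checked per authority ID on every call, not once at login, so a user who is named in one warrant cannot read results collected under another even after authenticating successfully.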
Figure 5 illustrates an exemplary user interface module 500 for accessing the search results stored in the search data store 208.
Each of the search parameter set-up module 202, the search audit module 206, the search module 204, the secure impenetrable data store 108, the search data store 208 and the user interface module 210 may be implemented in hardware or software. For example, each of the search parameter set-up module 202, the search audit module 206, the search module 204, the secure impenetrable data store 108, the search data store 208 and the user interface module 210 may be implemented by one or more computers, each computer comprising one or more processors.
Alternatively, each of the search parameter set-up module 202, the search audit module 206, the search module 204, the secure impenetrable data store 108, the search data store 208 and the user interface module 210 may be implemented by instructions that are stored on a computer readable medium and that, when executed by a computer, perform the functions described above.
The secure impenetrable data store 108, the search audit module 206 and the search module 204 may be implemented in a single device or in separate devices. Reference is now made to Figure 6 which illustrates an exemplary method 600 for obtaining and securely storing sensitive data from a communications service provider 101. Steps 605, 606, 611, 612 and 613 of the method 600 may be executed by the communications service provider 101 and steps 607, 609, 610 and 614 may be performed by the secure data storage facility 111.
At step 605 the communications service provider 101 tracks communications generated by its users. Tracking may comprise creating a record for each communication wherein each record forms sensitive information. For example, where the communications service provider 101 is an instant message service provider, a record may be created for each instant message sent by their users or subscribers. Each record may comprise the instant message and any associated metadata.
Metadata may include, but is not limited to, one or more of the following: user identification information specific to the particular communication service (e.g. telephone number, ID number), registered name(s) associated with the user identification information, date and time of the communication message, location of the user/device when the communication was sent and/or received, encryption key(s) associated with the communication sent and/or received. In some cases, the communications tracked may be limited to those communications that are generated within or transmitted to a specific region, such as the United Kingdom. The method 600 then proceeds to step 606.
At step 606, the communications service provider 101 processes and analyses the communication records. For example, as described above, in relation to Figure 1, the communications service provider 101 may process the communication records to identify the intended recipients of the communications.
Also, as described above in reference to Figure 1, the sensitive data may be provided to the secure data storage facility 111 in accordance with an agreement or legislative order that puts limits or restrictions on the sensitive data that is forwarded to the secure data storage facility 111. For example, an agreement between the communications service provider 101 and a third party may specify that only UK to UK communications are to be provided to the secure data storage facility 111. Accordingly, the processing and analysis may comprise filtering the messages to eliminate any communication records that relate to non UK to UK communications.
Where the communications are encrypted, the processing and analysis may also involve decrypting the communications. In some cases, this may involve receiving the encryption keys for the relevant devices at step 611. Once the communication records have been processed and analysed, the method 600 proceeds to steps 612 and 613.
At step 612, the communications service provider 101 forwards the processed and analysed communications to the intended recipients. At step 613, a copy of the sensitive data is forwarded to the secure data storage facility 111. As described in reference to step 605, the sensitive data may comprise communication records. For example, where the communications are instant messages, the sensitive data may comprise instant message records where each instant message record comprises the instant message and corresponding metadata. As described above in reference to Figure 1, the sensitive data may be transmitted to the secure data storage facility 111 via a secure network, for example. Once the sensitive data has been forwarded to the secure data storage facility 111 the method 600 proceeds to step 607.
At step 607, the secure data storage facility 111 receives the sensitive data and stores it in a secure impenetrable data store, such as secure impenetrable data store 108, so that no party can directly access the sensitive data. Only entities authorized under a specific authority can indirectly access the sensitive data, and even then, the authorized entity may only access the specific sensitive data set out in the authority.
As described above in relation to Figure 1, the secure impenetrable data store 108 may be configured to store the sensitive data only for a predefined period of time. The predefined period of time for which sensitive data is stored in the secure impenetrable data store may be based on the type of sensitive data and/or any applicable agreement or legislation. Accordingly, the received data may be transformed into and stored as time limited data.
Once the sensitive data has been received and stored by the secure data storage facility 111, the method 600 then proceeds to steps 614 and 610. At step 614, the received sensitive data is indexed. For example, each communication record may be provided with a unique index number. As described above, in relation to Figure 1, indexing the sensitive data allows for the sensitive data to be searched more quickly. The method then proceeds to step 609. At step 609, the secure impenetrable data store, such as secure impenetrable data store 108, is searched to locate any sensitive data (e.g. communication records or instant message records) for which the predefined period of time has expired and all traces of this sensitive data are automatically removed from the secure impenetrable data store. Step 609 may be performed on a periodic basis to ensure that the sensitive data is timely deleted in accordance with the predefined period(s) of time.
At step 610, the storage and indexing of the received sensitive data is audited to ensure that the integrity of the received sensitive data is maintained while being stored by the secure data storage facility 111. As described above, in relation to Figure 1, auditing may comprise monitoring all activity on the secure impenetrable data store and automatically generating logs and records. The auditing may also involve monitoring the deletion of sensitive data to ensure that the sensitive data is being deleted in accordance with the predefined period(s) of time.
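An added example (not the patent's code) of steps 607, 614, 609 and 610 on the facility side: each record is stored with an expiry derived from an assumed per-type retention policy and an integrity digest taken at storage time, expired records are purged, every store, deletion and audit is logged, and the audit reports both records altered since storage and records held past their expiry. The retention periods, record layout and sample records are constructed for the example:

```python
"""Time-limited storage for method 600: store each record with an expiry and an
integrity digest (step 607), give it an index number (step 614), purge expired
records (step 609) and audit integrity and deletion (step 610).

Added example, not code from the patent: retention periods, record layout and
sample records are assumptions.
"""
import hashlib
import json
from datetime import datetime, timedelta

# Assumed retention policy per type of sensitive data.
RETENTION = {"instant_message": timedelta(days=30), "email": timedelta(days=90)}


def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True, default=str).encode()).hexdigest()


class TimeLimitedStore:
    def __init__(self):
        self._records = {}      # index number -> (record, digest at time of storage)
        self._next_index = 1
        self.audit_log = []

    def store(self, record, data_type, received_at):
        """Steps 607/614: keep a copy, stamp its expiry and give it an index number."""
        entry = dict(record, data_type=data_type, received_at=received_at,
                     expires_at=received_at + RETENTION[data_type])
        idx, self._next_index = self._next_index, self._next_index + 1
        self._records[idx] = (entry, _digest(entry))
        self.audit_log.append(("stored", idx, entry["expires_at"].isoformat()))
        return idx

    def purge_expired(self, now):
        """Step 609: remove every record whose retention period has run out."""
        expired = [i for i, (r, _) in self._records.items() if r["expires_at"] <= now]
        for i in expired:
            del self._records[i]
            self.audit_log.append(("deleted", i, now.isoformat()))
        return expired

    def audit(self, now):
        """Step 610: report records altered since storage or held past their expiry."""
        altered = [i for i, (r, d) in self._records.items() if _digest(r) != d]
        overdue = [i for i, (r, _) in self._records.items() if r["expires_at"] <= now]
        self.audit_log.append(("audit", len(altered), len(overdue), now.isoformat()))
        return {"altered": altered, "overdue": overdue}

    def __len__(self):
        return len(self._records)


def demo():
    """Three constructed records, a purge, a clean audit, a tampered audit, a later purge."""
    t0 = datetime(2012, 1, 1)
    store = TimeLimitedStore()
    store.store({"body": "first IM"}, "instant_message", t0)
    store.store({"body": "an email"}, "email", t0)
    store.store({"body": "later IM"}, "instant_message", t0 + timedelta(days=20))
    purged_day31 = store.purge_expired(t0 + timedelta(days=31))
    clean = store.audit(t0 + timedelta(days=31))
    store._records[2][0]["body"] = "edited"      # simulate an out-of-band change
    tampered = store.audit(t0 + timedelta(days=31))
    purged_day51 = store.purge_expired(t0 + timedelta(days=51))
    return {"purged_day31": purged_day31, "clean": clean, "tampered": tampered,
            "purged_day51": purged_day51, "remaining": len(store), "log": store.audit_log}
```

The digest is computed when the record is accepted and compared again at every audit, so an alteration made through any path other than the store's own methods is reported; the overdue check is what shows that the periodic purge of step 609 is actually keeping up with the retention periods.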
It will be evident to a person of skill in the art that the steps of method 600 may be performed in a different order and that not all steps of the method may be performed.
Reference is now made to Figure 7 which illustrates an exemplary method 700 for allowing authorized access to the sensitive data stored in a secure impenetrable data store in accordance with an authority. For ease of explanation, the method 700 has been divided into four phases: the regulatory framework phase 701 (steps 702-705), the agency administration phase 706 (steps 707-709), the search phase 719 (steps 710, 711, 713, 714, 717 and 718), and the agency analyst phase 715 (steps 712 and 716). The regulatory framework phase 701 comprises obtaining an authority to access the sensitive information, the agency administration phase 706 comprises providing the details of the authority to the system and initiating a search of the sensitive information based on the authority, the search phase 719 comprises searching the sensitive data in accordance with the authority, and the agency analyst phase 715 comprises providing access to the sensitive data matching the search criteria to the authorized entity (e.g. law enforcement agency).
At step 702, an entity prepares a request for access to sensitive data. For example, a law enforcement agency may prepare a RIPA interception warrant request, such as that shown in Figure 3. As described above in reference to Figures 2 and 3, the request typically includes the specific sensitive data that the entity wishes to have access to and the reasons justifying access. For example, a RIPA interception warrant typically includes the specific individuals to be monitored, the type of data to be monitored and the associated devices or other identification metrics (e.g. telephone, telephone number, instant message, internet protocol (IP) address, a device identification number or other unique device identifier, email address), how the individual's communications are to be identified (e.g. the user ID of the individual, the user's username) and what evidence has been collected to date to justify granting a law enforcement agency access to the specified communications. The method 700 then proceeds to step 703. At step 703, the entity presents their request to the appropriate body for approval. For example, a RIPA interception warrant request is presented to the Secretary of State (SoS). The method 700 then proceeds to step 704.
At decision step 704, the appropriate body (e.g. the SoS for RIPA interception warrants) reviews the request and either grants the request or rejects the request. Where the request is rejected, the method 700 proceeds back to step 702. Where the request is granted, the method 700 proceeds to step 705.
At step 705, an authority granting access to the specified sensitive data is issued. For example, where the request is a RIPA interception warrant request, an interception warrant is granted. As shown in Figure 3, the authority typically specifies quite simple, but very strict, rules on what information can and cannot be accessed under the authority, how it may be obtained, and the time periods for which it may be obtained. Once the authority has been granted, the method 700 then proceeds to the agency administration phase 706.
At step 707, the terms of the granted authority are input to the system and automatically converted into one or more search strings that define the maximum search boundary of the sensitive data under the authority. The terms of the granted authority typically include at least the specific sensitive data that can be accessed under the authority and the time period it can be accessed.
As described above in reference to Figure 2, the terms of the granted authority may be manually entered into the system by an administrator using an interface, such as the search parameter-set-up module 202 user interface of Figure 2 or Figure 4, or the authority may be electronically provided to the system and the relevant terms of the authority automatically extracted from the authority. Once the terms of the granted authority are input in the system and automatically converted into one or more search strings, the method 700 proceeds to step 709.
At step 709, the administrator "activates" a search of the sensitive data stored in the secure impenetrable data store in accordance with the authority. Activating the search may comprise the administrator submitting an indication for the search to be initiated. For example, the administrator may be provided with a user interface that comprises an "activate search" button, or the like, that may be pressed or otherwise activated by the administrator. It should be noted that in some implementations of the method 700, step 709 will not be performed and the method 700 will proceed directly to step 708. For example, the system may be configured to automatically activate the search of the secure impenetrable data store in accordance with the authority once the terms of the authority have been entered in step 707. Once the search has been activated, the method 700 proceeds to step 708.
At step 708, the system checks the search string(s) generated in step 707 against the terms of the authority to ensure that a search conducted using the search string(s) will conform to the authority. For example, where the authority grants access to instant messages generated or received by a particular instant message ID, the search string(s) may be compared against the instant message ID specified in the authority and the dates of the authority to ensure that a search conducted using the search string(s) will not produce sensitive data that extends beyond the terms of the authority. Once the search string(s) have been verified, they are provided to a search module, such as search module 204, to perform the initial search. The method 700 then proceeds to step 710. At step 710, a search module, such as search module 204, receives the search string(s) generated at step 707 and verified at step 708 and performs an initial search on the sensitive data stored in the secure impenetrable data store. The initial search will locate all of the sensitive data in the secure impenetrable data store that conforms to the authority. The method then proceeds to steps 711 and 713.
At step 711, the sensitive data located by the search performed at step 710 is processed and forwarded to a further data store, herein after referred to as the search data store. As described above in reference to Figure 2, where the sensitive data was stored in the secure impenetrable data store in encrypted form, the processing may involve decrypting the search results prior to forwarding to the search data store.
At step 713, the search module, such as search module 204, may periodically repeat the search of the sensitive data stored in the secure impenetrable data store. The frequency at which the search is performed may be set by a system administrator. For example, when an administrator manually provides the terms of the authority in step 707, the administrator may also optionally provide a time period that specifies how often the search is to be performed. Alternatively, the frequency at which the search is performed may be automatically determined. For example, the frequency at which the search is performed may be determined by the time period for which the authority is valid and the predefined period(s) of time that trigger automatic deletion of the sensitive data. Once a subsequent search has been performed, the method 700 proceeds to step 714 and step 718.
At step 714, the system reviews the results of the subsequent search and determines if there are any new search results. If there are new search results, the method proceeds to step 711 so that the new results can be processed and forwarded to the search data store.
At step 717, before each subsequent search is performed the system confirms that the search is still valid. In some cases, this may comprise confirming that the related authority is still valid. For example, where the authority is a RIPA interception warrant, the system may confirm that the warrant has not expired and that it will not expire while the search is running.
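The following is an added example, not code from the patent or from Olton Limited, showing how steps 707, 708, 710 and 717 fit together in working code: the terms of an authority are turned into a maximum search boundary, any search is checked to be a subset of that boundary before it runs, the search is executed over constructed sample records, and the authority is checked to be in force for the whole of a scheduled run. The class names, field names, the warrant reference "W-0001", the subject identifiers and the record layout are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Authority:
    """Terms of a granted authority as entered at step 707 (field names are assumptions)."""
    reference: str
    identifiers: frozenset   # subject identifiers, e.g. instant-message IDs
    data_types: frozenset    # kinds of communication covered, e.g. {"im", "sms"}
    valid_from: datetime
    valid_to: datetime


@dataclass(frozen=True)
class SearchBoundary:
    """A search's parameters: a search may narrow the authority's terms, never widen them."""
    identifiers: frozenset
    data_types: frozenset
    start: datetime
    end: datetime


def boundary_from_authority(auth: Authority) -> SearchBoundary:
    """Step 707: the maximum search boundary is the authority's own terms."""
    return SearchBoundary(auth.identifiers, auth.data_types, auth.valid_from, auth.valid_to)


def search_within_authority(search: SearchBoundary, auth: Authority) -> bool:
    """Step 708: every dimension of the search must lie inside the authority's terms."""
    return (search.identifiers <= auth.identifiers
            and search.data_types <= auth.data_types
            and auth.valid_from <= search.start <= search.end <= auth.valid_to)


def authority_valid_for_run(auth: Authority, now: datetime, run_duration: timedelta) -> bool:
    """Step 717: the authority must be in force now and must not expire while the search runs."""
    return auth.valid_from <= now and now + run_duration <= auth.valid_to


def run_search(records, search: SearchBoundary):
    """Step 710: a record matches only if its type, one of its parties and its time all fall inside the boundary."""
    return [r for r in records
            if r["type"] in search.data_types
            and (r["sender"] in search.identifiers or r["recipient"] in search.identifiers)
            and search.start <= r["timestamp"] <= search.end]


# Constructed sample data for this example (hypothetical reference, subjects and records).
SAMPLE_AUTHORITY = Authority(
    reference="W-0001",
    identifiers=frozenset({"im:alice"}),
    data_types=frozenset({"im"}),
    valid_from=datetime(2012, 1, 1, tzinfo=UTC),
    valid_to=datetime(2012, 1, 31, 23, 59, 59, tzinfo=UTC),
)

SAMPLE_RECORDS = [
    {"id": 1, "type": "im", "sender": "im:alice", "recipient": "im:bob", "timestamp": datetime(2012, 1, 10, tzinfo=UTC)},
    {"id": 2, "type": "im", "sender": "im:carol", "recipient": "im:alice", "timestamp": datetime(2012, 1, 20, tzinfo=UTC)},
    {"id": 3, "type": "im", "sender": "im:carol", "recipient": "im:bob", "timestamp": datetime(2012, 1, 15, tzinfo=UTC)},   # subject not a party
    {"id": 4, "type": "sms", "sender": "im:alice", "recipient": "im:bob", "timestamp": datetime(2012, 1, 12, tzinfo=UTC)},  # type not covered
    {"id": 5, "type": "im", "sender": "im:alice", "recipient": "im:bob", "timestamp": datetime(2012, 2, 2, tzinfo=UTC)},    # after expiry
]


def demo_search():
    """Derive the boundary, verify it, and return the ids the initial search locates."""
    boundary = boundary_from_authority(SAMPLE_AUTHORITY)
    if not search_within_authority(boundary, SAMPLE_AUTHORITY):
        raise ValueError("search exceeds authority")
    return sorted(r["id"] for r in run_search(SAMPLE_RECORDS, boundary))


def demo_widened_search_rejected():
    """An administrator adding a second subject or extending the dates fails the step 708 check."""
    b = boundary_from_authority(SAMPLE_AUTHORITY)
    extra_subject = SearchBoundary(b.identifiers | {"im:bob"}, b.data_types, b.start, b.end)
    longer_window = SearchBoundary(b.identifiers, b.data_types, b.start, b.end + timedelta(days=1))
    return (search_within_authority(extra_subject, SAMPLE_AUTHORITY),
            search_within_authority(longer_window, SAMPLE_AUTHORITY))


def demo_validity_checks():
    """Step 717 for a one-hour run: mid-window passes, a run that would straddle expiry fails."""
    one_hour = timedelta(hours=1)
    return (authority_valid_for_run(SAMPLE_AUTHORITY, datetime(2012, 1, 15, tzinfo=UTC), one_hour),
            authority_valid_for_run(SAMPLE_AUTHORITY, datetime(2012, 1, 31, 23, 30, tzinfo=UTC), one_hour))


if __name__ == "__main__":
    print(demo_search(), demo_widened_search_rejected(), demo_validity_checks())
```

The point of keeping the boundary check separate from the search is that step 708 can be evidenced independently of what the search returned: the subset comparison is the artefact a search audit module would record, and it rejects a widened identifier set or a stretched date range before any sensitive data is touched.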
At step 718, the system periodically crawls or searches the secure impenetrable data store for sensitive data for which the predefined period of time has expired and then automatically deletes the sensitive data. This activity keeps the contents of the secure impenetrable data store within the bounds of any agreement as well as ensuring that the secure impenetrable data store doesn't reach its storage capacity.
At step 712, the search results are received by and stored in the search data store. As described above in relation to Figure 2, the search results may be stored in read-only records so that they cannot be modified. This ensures that the records may be admissible in a court of law, for example. The integrity of each record may be protected by computing a cryptographic digest of the record when it is written and storing the digest alongside it, for example using the Message-Digest Algorithm 5 (MD5); a record that has since been altered no longer matches its digest. (MD5 is no longer collision resistant, so a current implementation would use a hash function from the SHA-2 family for this purpose.) The search data store then sends a notification to the authorized entity that there are new search results for the particular authority. The method 700 then proceeds to step 716.
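The following is an added example, not code from the patent or from Olton Limited, of the two housekeeping behaviours just described: a search data store (step 712) whose records are exposed read-only and chained by a digest so that alteration, removal or reordering of a record is detectable, and the retention sweep of step 718 that deletes records from the secure data store once their predefined per-type period has expired. SHA-256 is used here in place of the MD5 named in the text; the class and function names, the hash-chain layout, the warrant reference and the retention periods are assumptions made for this illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from types import MappingProxyType

UTC = timezone.utc
GENESIS = "0" * 64   # digest "before" the first record in the chain


def canonical(body: dict) -> bytes:
    """Deterministic serialisation, so the digest does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"), default=str).encode()


class SearchDataStore:
    """Step 712: results are kept as read-only records, each carrying a digest that also
    covers the previous record's digest, so deletion or reordering is detectable too."""

    def __init__(self):
        self._records = []
        self._prev = GENESIS

    def append(self, authority_ref: str, result: dict) -> str:
        body = {"authority": authority_ref, "result": result, "prev": self._prev}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        body["digest"] = digest
        self._records.append(MappingProxyType(body))   # read-only view for callers
        self._prev = digest
        return digest

    def records(self) -> tuple:
        return tuple(self._records)

    def verify(self) -> bool:
        """Recompute every digest; False on any altered, removed or reordered record."""
        prev = GENESIS
        for rec in self._records:
            body = {k: v for k, v in rec.items() if k != "digest"}
            if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != rec["digest"]:
                return False
            prev = rec["digest"]
        return True


def retention_sweep(secure_store: list, now: datetime, retention: dict) -> list:
    """Step 718: remove records whose predefined retention period (per data type) has run out.
    Modifies secure_store in place and returns the ids removed. An unknown type raises KeyError
    rather than applying a silent default, so nothing is kept or dropped by accident."""
    expired_ids = {r["id"] for r in secure_store if r["stored"] + retention[r["type"]] <= now}
    secure_store[:] = [r for r in secure_store if r["id"] not in expired_ids]
    return sorted(expired_ids)


def demo_tamper_detection():
    """Returns (chain valid after writes, direct assignment blocked, chain valid after a nested edit)."""
    store = SearchDataStore()
    store.append("W-0001", {"id": 1, "text": "hello"})      # constructed results
    store.append("W-0001", {"id": 2, "text": "world"})
    valid_before = store.verify()
    try:
        store.records()[0]["result"] = {}
        blocked = False
    except TypeError:            # mappingproxy refuses item assignment
        blocked = True
    # The read-only view does not reach into nested objects; the digest chain catches that case.
    store.records()[0]["result"]["text"] = "HELLO"
    return valid_before, blocked, store.verify()


def demo_retention():
    """Constructed secure-store contents and per-type retention periods (assumed values)."""
    now = datetime(2012, 3, 1, tzinfo=UTC)
    secure_store = [
        {"id": 1, "type": "im", "stored": datetime(2011, 12, 1, tzinfo=UTC)},
        {"id": 2, "type": "im", "stored": datetime(2012, 2, 15, tzinfo=UTC)},
        {"id": 3, "type": "sms", "stored": datetime(2011, 6, 1, tzinfo=UTC)},
    ]
    retention = {"im": timedelta(days=60), "sms": timedelta(days=180)}
    deleted = retention_sweep(secure_store, now, retention)
    return deleted, [r["id"] for r in secure_store]


if __name__ == "__main__":
    print(demo_tamper_detection(), demo_retention())
```

A read-only view only stops accidental writes through the API; the digest chain is what makes a deliberate change detectable, and chaining each digest to its predecessor means a record cannot be quietly removed or reordered either. In a deployed system the chain head would be written to a separate audit log or signed, since an attacker with write access to the store could otherwise recompute the whole chain.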
At step 716, the authorized entity receives the notification or alert that there are new search results relating to a particular authority. At this point the authorized entity may then view, search, filter or otherwise access the search results stored in the search data store. As described above, the authorized entity may receive the alert or notification through a user interface module, such as user interface module 210.
It will be evident to a person of skill in the art that the steps of method 700 may be performed in a different order than those shown in Figure 7, and that not all steps of the method 700 may be performed.
It will be evident to the person of skill in the art that the principles and concepts described herein are not limited to situations where a single law enforcement agency requires access to communication records, but the principles and concepts described herein may also be applied to other situations. For example, the same principles and concepts of providing secure data access can be applied to the situation where a plurality of organizations or agencies wish to securely share data.
Reference is now made to Figure 8, which illustrates a system 800 for a plurality of organizations or agencies 802, 804, 806 and 808 to access sensitive data in accordance with an agreement without the need to join up existing databases, which may be quite costly.
Each organisation or agency 802, 804, 806 and 808 may supply sensitive data to a secure data storage facility 810 where it is stored in a central secure impenetrable data store. For example the data may be supplied by each organisation or agency 802, 804, 806 and 808 and stored by the secure data storage facility 810 in accordance with the system of Figure 1 and/or the method of Figure 6. Alternatively, the search module of the secure data storage facility 810 may be configured to search the individual agency/organisation databases directly and then extract the search results to individual search data stores. In this context, it will be appreciated that it is a copy of the search results that are extracted and the original data remains in the individual agency/organisation databases. For example, the secure data storage facility 810, may have a secure direct connection through, for example, firewalls, to each organisation's database.
System 800 may be used, for example, to allow Police, Border Controls, Anti-Terrorism, and Serious Organised Crime etc. to share information.

Claims
1. A system for securely storing data comprising:
a secure data store;
a secure data network configured to transmit data;
a receiving module comprised within the secure data store and configured to receive data over the secure data network from one or more data supplying bodies;
a storage module comprised within the secure data store and configured to securely store the data on a temporary basis;
a search module configured to search the stored data in accordance with terms of an authority to generate a search boundary to produce a set of search results; and
a further search data store configured to store the set of search results,
wherein the further search data store is configured so the set of search results are only accessible to one or more data accessing bodies authorised by the authority,
whereby the system is configured not to permit direct access to the complete set of data stored temporarily in the secure data store.
2. The system for securely storing data of claim 1, further comprising a deletion module configured to automatically delete at least a portion of the data upon expiration of a predefined time period.
3. The system for securely storing data of claim 1, further comprising a deletion module configured to automatically delete at least a portion of the data when a limit of storage capacity has been reached.
4. The system for securely storing data of claim 1 or claim 2, wherein the predefined time period is based on at least one of: the type of data, and an agreement.
5. The system for securely storing data of any one of claims 1 to 4, wherein the data comprises one or more portions and the storage module is configured to generate and store an index for each portion of the data.
6. The system for securely storing data of any one of claims 1 to 5, further comprising a data integrity audit module configured to monitor the storage module.
7. The system for securely storing data according to claim 6, wherein the data integrity audit module is configured to record instances of access to the data.
8. The system for securely storing data of any one of claims 1 to 7, wherein the data is communication data.
9. The system for securely storing data of claim 8, wherein the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
10. The system for securely storing data of claim 9, wherein the communication message is in an encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
11. The system for securely storing data of claim 9 or claim 10, wherein each communication message is one of a text message, an instant message and a telephone call.
12. The system for securely storing data of any one of claims 1 to 11, wherein the data is received as a stream of data.
13. The system for securely storing data of any one of claims 1 to 12, further comprising a data filter module configured to filter the data prior to being received and stored by the secure data store.
14. The system for securely storing data according to claim 13, wherein the data filter module is configured to organise the data.
15. The system for securely storing data of any one of claims 1 to 14, wherein the secure data network comprises a wireless data network, or a wired data network, or a combination of a wired and wireless data network.
16. The system for securely storing data of any one of claims 1 to 15, wherein the storage module comprises a database.
17. The system for securely storing data of any one of claims 1 to 16, further comprising a search audit module configured to monitor the search module and produce evidence that any searches performed on the data are in accordance with the authority.
18. The system for securely storing data of any one of claims 1 to 14, further comprising a search parameter set-up module configured to:
receive the terms of the authority granting access to the data; and
automatically generate a maximum search boundary for the data based on the received terms.
19. The system for securely storing data of any one of claims 1 to 18, further comprising a user interface module configured to enable the one or more data accessing bodies authorized by the authority to access the set of search results stored in the further search data store.
20. The system for securely storing data of claim 19, wherein access to the set of results comprises the assessment and/or analysis of the results to enhance the usability of the search results saved in the search data store.
21. The system for securely storing data of claim 19, wherein access to the set of results comprises the tagging, organisation, sorting, and commenting upon the search results to enhance the usability of the search results saved in the search data store.
22. The system for securely storing data of any one of claims 1 to 21, wherein the terms of the authority comprise at least one of:
identification of a subset of the data accessible under the authority;
identification of a time period the authority is valid;
and identification of the one or more data accessing bodies authorized to access the subset of the data by the authority.
23. The system for securely storing data of any of claims 16 to 19, wherein the subset of the data accessible under the authority is identified by at least one of a telephone number, an internet protocol (IP) address, a device identification number, an email address, a username and a personal identification number.
24. The system for securely storing data of any one of claims 1 to 23, wherein generating the maximum search boundary comprises generating at least one search string based on the terms of the authority.
25. The system for securely storing data of any one of claims 1 to 24, wherein the search parameter set-up module is further configured to verify that the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
26. The system for securely storing data of any one of claims 1 to 25, wherein the search module is further configured to repeat the search on the temporarily stored data on a periodic basis to produce subsequent sets of search results.
27. The system for securely storing data of any one of claims 1 to 26 wherein the authority is one of a warrant and an agreement.
28. A computer-implemented system to provide secure access to data stored in a secure data store, the system comprising:
a search parameter set-up module configured to:
receive terms of an authority granting access to the data; and
automatically generate a maximum search boundary for the data based on the received terms; and
a search module configured to search the data in accordance with the maximum search boundary to produce a set of search results.
29. The computer-implemented system of claim 28, further comprising a search audit module configured to monitor the search module and produce evidence that any searches performed on the data are in accordance with the authority.
30. The computer-implemented system of claim 28 or claim 29, further comprising a further search data store configured to store the set of search results.
31. The computer-implemented system of claim 30, wherein the set of search results stored in the further search data store are only accessible to one or more data accessing bodies authorized by the authority.
32. The computer-implemented system of claim 31, further comprising a user interface module configured to enable the one or more data accessing bodies authorized by the authority to access the set of search results stored in the further data store.
33. The computer-implemented system of any one of claims 28 to 32, wherein the terms of the authority comprise at least one of: identification of a subset of the data accessible under the authority, identification of a time period the authority is valid, and identification of the one or more data accessing bodies authorized to access the subset of the data by the authority.
34. The computer-implemented system of claim 33, wherein the subset of the data accessible under the authority is identified by at least one of a telephone number, an internet protocol (IP) address, a device identification number, an email address, a username and a personal identification number.
35. The computer-implemented system of any one of claims 28 to 34, wherein generating the maximum search boundary comprises generating at least one search string based on the terms of the authority.
36. The computer-implemented system of any one of claims 28 to 35, wherein the search parameter set-up module is further configured to verify that the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
37. The computer-implemented system of any one of claims 28 to 36, wherein the search module is further configured to repeat the search on a periodic basis to produce subsequent sets of search results.
38. The computer-implemented system of any one of claims 28 to 37, wherein the data is communication data.
39. The computer-implemented system of claim 38, wherein the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
40. The computer-implemented system of claim 39, wherein the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
41. The computer-implemented system of claim 39 or claim 40, wherein each communication message is one of a text message, an instant message, and a telephone call.
42. The computer-implemented system of any one of claims 28 to 41, wherein the authority is one of a warrant and an agreement.
43. A computer-implemented system comprising the system for securely storing data of any one of claims 1 to 27, adapted to provide secure access to data stored in a secure data store according to any one of claims 28 to 42.
44. Apparatus for providing secure access to data stored in a secure data store comprising one or more computers each comprising one or more processors, the apparatus being configured to implement the system of any one of claims 1 to 43.
45. A computer-implemented method of storing data in a system, the method comprising:
receiving data from one or more data supplying bodies over a secure data network;
securely storing the data temporarily in a secure data store;
searching the data in accordance with terms of an authority to generate a search boundary to produce a set of search results;
saving the set of search results in a further search data store,
wherein the further search data store is configured so the set of search results are only accessible to one or more data accessing bodies authorised by the authority,
whereby the method is configured not to permit direct access to the complete set of data stored temporarily in the secure data store.
46. A computer-implemented method of storing data in a system according to claim 45, further comprising an audit process to determine compliance with the authority.
47. The computer-implemented method of claim 45 or 46, further comprising automatically deleting at least a portion of the data from the secure data store upon expiration of a predefined time period.
48. The computer-implemented method of claim 47, wherein the predefined time period is based on at least one of: the type of data, and an agreement.
49. The computer-implemented method of any one of claims 45 to 48, wherein the data comprises one or more portions and the method further comprises generating and storing in the secure data store an index for each portion of the data.
50. The computer-implemented method of any one of claims 45 to 49, further comprising monitoring activity related to the secure data store and generating records of the activity.
51. The computer-implemented method of any one of claims 45 to 50, further comprising filtering the source data prior to receiving the data into the secure data store.
52. The computer-implemented method of any one of claims 45 to 51, wherein the data is communication data.
53. The computer-implemented method of claim 52, wherein the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
54. The computer-implemented method of claim 53, wherein the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
55. The computer-implemented method of claim 53 or claim 54, wherein each communication message is one of a text message, an instant message and a telephone call.
56. The computer-implemented method of any one of claims 45 to 55, wherein the data is received as a stream of data.
57. The computer-implemented method of any one of claims 45 to 56, wherein the secure data network comprises a wireless data network, or a wired data network, or a combination of a wired and wireless data network.
58. The computer-implemented method of any one of claims 45 to 57, wherein the storage module comprises a database.
59. The computer-implemented method of any one of claims 45 to 58, further comprising a search audit module configured to monitor the search module and produce evidence that any searches performed on the data are in accordance with the authority.
60. The computer-implemented method of any one of claims 45 to 59, further comprising a search parameter set-up module configured to:
receive the terms of the authority granting access to the data; and
automatically generate a maximum search boundary for the data based on the received terms.
61. The computer-implemented method of any one of claims 45 to 60, further comprising a user interface module configured to enable the one or more data accessing bodies authorized by the authority to access the set of search results stored in the further search data store.
62. The computer-implemented method of claim 61, wherein access to the set of results stored in the search data store comprises the assessment, or analysis of the results to enhance the usability of the search results.
63. The computer-implemented method of claim 61, wherein access to the set of results stored in the search data store comprises the tagging, organisation, sorting, and commenting upon the search results to enhance the usability of the search results.
64. The computer-implemented method of any one of claims 45 to 63, wherein the terms of the authority comprise at least one of:
identification of a subset of the data accessible under the authority;
identification of a time period the authority is valid; and
identification of one or more data accessing bodies authorized to access the subset of the data by the authority.
65. The computer-implemented method of any of claims 61 to 64, wherein the subset of the data accessible under the authority is identified by at least one of a telephone number, an internet protocol (IP) address, a device identification number, an email address, a username and a personal identification number.
66. The computer-implemented method of any one of claims 45 to 65, wherein generating the maximum search boundary comprises generating at least one search string based on the terms of the authority.
67. The computer-implemented method of any one of claims 45 to 66, wherein the search parameter set-up module is further configured to verify the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
68. The computer-implemented method of any one of claims 45 to 67, wherein the search module is further configured to repeat the search on the temporarily stored data on a periodic basis to produce subsequent sets of search results.
69. The computer-implemented method of any one of claims 46 to 68, wherein the data is communication data.
70. The computer-implemented method of claim 69 wherein the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
71. The computer-implemented method of claim 70, wherein the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
72. The computer-implemented method of claim 70 or claim 71, wherein each communication message is one of a text message, an instant message, and a telephone call.
73. The computer-implemented method of any one of claims 46 to 72 wherein the authority is one of a warrant and an agreement.
74. A computer-implemented method of providing secure access to data stored temporarily in a secure data store, the method comprising:
receiving terms of an authority granting access to the data;
automatically defining a maximum search boundary for the data based on the terms of the authority; and
searching the data stored in the secure data store in accordance with the maximum search boundary to produce a set of search results.
75. The computer-implemented method of claim 74, further comprising monitoring the searching performed on the data and generating records of the searching to ensure that any searching is in accordance with the authority.
76. The computer-implemented method of claim 74 or claim 75, further comprising storing the search results in a further search data store.
77. The computer-implemented method of claim 76, wherein the set of search results stored in the further search data store are only accessible to one or more data accessing bodies authorized by the authority.
78. The computer-implemented method of claim 77, further comprising providing only the one or more data accessing bodies authorized by the authority access to the set of search results stored in the further search data store.
79. The computer-implemented method of any one of claims 74 to 78, wherein the terms of the authority comprise at least one of:
identification of a subset of the data accessible under the authority;
identification of a time period the authority is valid; and
identification of one or more data accessing bodies authorized by the authority.
80. The computer-implemented method of claim 79, wherein the subset of the data accessible under the authority is identified by at least one of a telephone number, a username, an internet protocol (IP) address, an email address, and a personal identification number.
81. The computer-implemented method of any one of claims 74 to 80, wherein generating the maximum search boundary comprises generating at least one search string based on the terms of the authority.
82. The computer-implemented method of any one of claims 74 to 81, further comprising verifying that the maximum search boundary does not extend beyond the authority by comparing the maximum search boundary with the terms of the authority.
83. The computer-implemented method of any one of claims 74 to 82, further comprising repeating the searching on the temporarily stored data on a periodic basis to produce subsequent sets of search results.
84. The computer-implemented method of any one of claims 74 to 83, wherein the data is communication data.
85. The computer-implemented method of claim 84, wherein the communication data comprises a plurality of communication records, each communication record comprising a copy of a communications message and associated metadata.
86. The computer-implemented method of claim 85, wherein the communication message is in encrypted format and the corresponding communication record further comprises information required to decrypt the communication message.
87. The computer-implemented method of claim 85 or claim 86, wherein each communication message is one of a text message, an instant message and a telephone call.
88. The computer-implemented method of any one of claims 74 to 87 wherein the authority is one of a warrant and an agreement.
89. The method of any one of claims 45 to 73 additionally comprising the steps of the method of any one of claims 74 to 88.
90. Computer readable medium comprising instructions when implemented by a computer cause the computer to perform the method of any one of claims 46 to 89.
91. The system for securely storing data of any one of claims 1 to 17, wherein the search module is configured using search parameters.
92. The system for securely storing data of claim 91, wherein the search parameters are constrained by boundaries based on the terms of the authority.
93. The system for securely storing data of claim 92, wherein the search parameters are constrained with templates.
94. The system for securely storing data of any one of claims 1 to 17, wherein the search boundary is automatically generated.
95. The computer-implemented method of any one of claims 45 to 59, wherein searching the data is in accordance with search parameters.
96. The computer-implemented method of claim 95, wherein the search parameters are constrained by boundaries based on the terms of the authority.
97. The computer-implemented method of claim 96, wherein the search parameters are constrained with templates.
98. The computer-implemented method of any one of claims 45 to 59, wherein the search boundary is automatically generated.
PCT/GB2012/052994 2011-12-16 2012-12-03 System and method to provide secure access to sensitive data WO2013088118A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1121738.7 2011-12-16
GB201121738A GB201121738D0 (en) 2011-12-16 2011-12-16 System and method to provide secure access to sensitive data

Publications (1)

Publication Number Publication Date
WO2013088118A1 true WO2013088118A1 (en) 2013-06-20

Family

ID=45572583

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2012/052994 WO2013088118A1 (en) 2011-12-16 2012-12-03 System and method to provide secure access to sensitive data

Country Status (2)

Country Link
GB (1) GB201121738D0 (en)
WO (1) WO2013088118A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017036906A1 (en) * 2015-08-31 2017-03-09 Uniscon Universal Identity Control Gmbh Method for securely and efficiently accessing connection data
CN108133150A (en) * 2018-02-05 2018-06-08 北京公共交通控股(集团)有限公司 Safety management system, storage medium and electric terminal based on contract dataset

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007135656A1 (en) * 2006-05-18 2007-11-29 Nice Systems Ltd. Method and apparatus for combining traffic analysis and monitoring center in lawful interception
WO2009037478A1 (en) 2007-09-19 2009-03-26 Olton Limited Apparatus and method for document processing
WO2009103340A1 (en) * 2008-02-21 2009-08-27 Telefonaktiebolaget L M Ericsson (Publ) Data retention and lawful intercept for ip services

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Lawful Interception (LI); Retained data handling; Handover interface for the request and delivery of retained data", ETSI DRAFT; LI(10)0112_TS_102_657_V151, EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE (ETSI), 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS ; FRANCE, no. V1.5.1, 8 March 2011 (2011-03-08), pages 1 - 101, XP014062839 *
"Lawful Interception (LI); Retained data handling; System Architecture and Internal Interfaces", TECHNICAL REPORT, EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE (ETSI), 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS ; FRANCE, vol. LI, no. V1.2.1, 1 December 2011 (2011-12-01), XP014069191 *
"Lawful Interception (LI); Security framework in Lawful Interception and Retained Data environment", ETSI DRAFT; LI(10)0012_23LITD012_TR_102_661_V121, EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE (ETSI), 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS ; FRANCE, no. V1.2.1, 8 March 2011 (2011-03-08), pages 1 - 46, XP014062822 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017036906A1 (en) * 2015-08-31 2017-03-09 Uniscon Universal Identity Control Gmbh Method for securely and efficiently accessing connection data
CN107925664A (en) * 2015-08-31 2018-04-17 尤尼斯康通用身份控制股份有限公司 Method for safely and efficiently accessing connection data
US10929313B2 (en) 2015-08-31 2021-02-23 Uniscon Universal Identity Control Gmbh Method for securely and efficiently accessing connection data
CN107925664B (en) * 2015-08-31 2021-10-01 尤尼斯康通用身份控制股份有限公司 Method for secure and efficient access to connection data
CN108133150A (en) * 2018-02-05 2018-06-08 北京公共交通控股(集团)有限公司 Safety management system, storage medium and electric terminal based on contract dataset
CN108133150B (en) * 2018-02-05 2024-01-16 北京公共交通控股(集团)有限公司 Contract data-based security management system, storage medium and electronic terminal

Also Published As

Publication number Publication date
GB201121738D0 (en) 2012-02-01

Similar Documents

Publication Publication Date Title
JP6476339B6 (en) System and method for monitoring, controlling, and encrypting per-document information on corporate information stored on a cloud computing service (CCS)
JP6430968B2 (en) Delayed data access
US8862129B2 (en) Systems and methods for encrypted mobile voice communications
US20120284516A1 (en) Cross-domain collaborative systems and methods
US8712396B2 (en) Mobile communication device monitoring systems and methods
US9866591B1 (en) Enterprise messaging platform
US9572033B2 (en) Systems and methods for encrypted mobile voice communications
KR20160009569A (en) System and method for tracking sms messages
Pell You can't always get what you want: how will law enforcement get what it needs in a post-CALEA, Cybersecurity-Centric Encryption Era
Li et al. A comprehensive overview of government hacking worldwide
US20170132738A1 (en) Sexual activity consent tracking
Liguori Exploring Lawful Hacking as a Possible Answer to the 'Going Dark' Debate
WO2013088118A1 (en) System and method to provide secure access to sensitive data
Khweiled et al. An Improved Framework For cyberbullying Investigation Process on WhatsApp application
AU2013222127B2 (en) Systems and methods for encrypted mobile voice communications
Judge Mobile forensics: Analysis of the messaging application signal
Pell Jonesing for a Privacy Mandate, Getting a Technology Fix-Doctrine to Follow
Au et al. Mobile security and privacy: Advances, challenges and future research directions
Alhassan et al. Forensic Acquisition of Data from a Crypt 12 Encrypted Database of Whatsapps
Shahin Is wifi worth it: The hidden dangers of public wifi
Reisinger et al. Unified Communication: What do Digital Activists need?
Toh et al. Overseas Surveillance in an Interconnected World
Wijnberg et al. Identifying interception possibilities for WhatsApp communication
Bryant et al. Investigating digital crime
Koleoso A Digital Forensics Investigation Model for Confidentiality, Integrity and Authenticity

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12806621

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC DATED 16.09.14

122 Ep: pct application non-entry in european phase

Ref document number: 12806621

Country of ref document: EP

Kind code of ref document: A1