What are the other areas related to telecommunications

Monitoring of telecommunications traffic data

Research Report 2008 - Max Planck Institute for Research into Crime, Security and Law

Albrecht, Hans-Jörg; Kilchling, Michael

Criminology (Prof. Dr. Dr. h.c. Hans-Jörg Albrecht)
MPI for foreign and international criminal law, Freiburg

Access to telecommunications traffic data is an investigative measure that has only been increasingly used for a few years. It not only complements "classic" eavesdropping, but is increasingly developing into an independent investigation method that can be used very economically. This no longer only happens in criminal areas such as data network crime, but increasingly also in conventional crime, and then no longer just as the “last resort”, but increasingly as the “first”.
The access to so-called telecommunications traffic data is an investigative method which has increasingly been resorted to in recent years. It not only complements “classic” forms of telecommunications interception but has in fact evolved to form an independent investigative method in its own right that can be implemented in both a cost effective and economical manner. Consequently, its use has spread beyond the areas of computer related crime and data theft to take in more conventional crimes - not as the “last” resort, but rather as the “first”.

Access to telecommunication traffic data (telephone and internet connections, also called connection data) is becoming more and more important as a determination tool in addition to monitoring communication content. Both measures are at the core of a long-term transformation from open to clandestine criminal investigations. They therefore form a research focus in the program of the criminological department of the Max Planck Institute for Foreign and International Criminal Law. After a first large evaluation study on the legal reality and efficiency of the surveillance of telecommunications [1, 2, 3] and further investigations into acoustic living space surveillance [4] and on raster searches [5], the first German evaluation study on the surveillance of traffic data was published in 2008 [6]. The study is based on the analysis of criminal files from 2005 in four federal states (467 cases), a nationwide written survey of public prosecutors (874 people), oral in-depth interviews with judges, public prosecutors, police officers, defense lawyers and employees of telecommunications companies (53 people) and the analysis of anonymized data sets from two companies in the mobile and fixed network sectors.

Connection data play a central role, especially in the fight against data network crime. In view of the dramatically increasing digital communication, they are meanwhile also of concern in almost all other areas of crime. In addition to evaluating who telephoned whom, when and for how long, or communicated electronically in any other way, the data can also be used to determine the whereabouts of people, to determine further evidence or to reveal perpetrator structures and networks of transactional crime. In practice, the connection data are now an indispensable source of information - as demonstrated not least by the European Union directive on data retention [7].

Frequency of the traffic data request

With the official statistics it is not possible to make any statements about the total number of resolutions or inquiries about different areas of traffic data. This also does not allow the developments in this area to be observed. With the company data for the corresponding inquiries from the law enforcement authorities, however, an extrapolation could be made. In the illustration 1 The mean values ​​shown also represent the margin of error. According to this, the number of traffic data queries (§§ 100g, 100h old version of the Code of Criminal Procedure) in 2005 was around 40,000; the tendency is, as can be seen, strongly increasing.

In a direct comparison with the data from the investigation into telecommunications surveillance (§§ 100a, 100b old version of the Code of Criminal Procedure), inquiries about traffic data and content monitoring were ordered for the first time with about the same frequency in 2005 (telecommunications monitoring around 42,500 decisions including extensions and around 40,700 decisions on traffic data inquiries). In the years before that, the number of traffic data queries was still well below the number of content monitoring (2004: telecommunications monitoring 34,400, traffic data 22,600; 2003: 29,430 to 15,200 and 2002: 26,200 to 10,200).

Types and areas of application of traffic data inquiries

Figure 2 shows the development of the most important types of traffic data monitoring in the mobile communications sector. After that, the number of queries about a so-called IMEI number increased (International Mobile Equipment Identity) about four times as much. The number of direct dialing searches, which are also referred to as target searches, have tripled in the same period of time.

Even with the development of the orders according to §§ 100g, 100h StPO in the fixed network area, a continuous increase in target dial searches can be noticed. The query of outgoing and future traffic data (“standard resolutions”) has remained at the same level since 2003. An extreme increase then falls when querying so-called IP addresses (Internet Protocol Address) which can be described in the broadest sense as the functional counterpart to the IMEI query on mobile phones. This can be used, for example, to identify an individual computer that is used to access certain addresses on the Internet. While data on around 6,300 IP addresses were queried in 2004, these orders rose to 75,500 in 2005. This is related, among other things, to extensive investigations in the area of ​​copyright infringements (illegal downloads). In 2005, the Karlsruhe public prosecutor's office alone received around 20,000 reports of copyright infringement. In these cases, many public prosecutors discontinue the proceedings without initiating specific investigative measures - unless the report reaches a certain level of severity, which is usually based on a minimum number of illegal downloads. This is not only for procedural economic reasons. In minor cases, especially if, for example, young people download only a few or even only one piece of music illegally from the Internet, such a measure would also be disproportionate from a legal point of view.

The relevant range of offenses in the traffic data query therefore relates to other offenses. Here, the analysis of the court proceedings revealed clear differences, depending on whether mobile or landline connections are being monitored. In many cases fixed line surveillance is fraudulent. Cases that begin with telephone contact play a significant role. A common example is the so-called grandchildren trick, in which strangers impersonate older people as relatives (“grandchildren”). Robbery and murder as well as narcotics offenses are also of importance. In the mobile telephony sector, however, the dominant offenses in addition to criminal offenses from the narcotics sector are robbery and theft.

The second essential distinguishing criterion is the type of traffic data query. For example, querying IP addresses focuses on fraud, child pornography and copyright infringement. In the case of radio cell interrogation, on the other hand, it is very often a matter of robbery and theft, often including investigating the whereabouts of stolen or stolen cell phones. In this way, the perpetrators of the Munich subway case of December 2007 are said to have been successfully located by the police. Here, as in the case of crimes that are committed using terminal equipment, the traffic data query often offers the only promising investigation approach.

Overall, the distribution of criminal offenses suggests that traffic data inquiries are used in a broader range of offenses than “traditional” telecommunications surveillance (related to listening to the content of a conversation). Evidence of links to organized crime was found in only 18 percent of the cases. The analysis of the sanctions imposed in the investigated cases also shows that a significant proportion of the procedures with traffic data queries can at best be assigned to medium crime. Only in every fifth case was there a conviction (21 percent); and only 16 percent of those convicted received a sentence of more than five years.

Most of the data that had already been saved were queried in the resolutions examined (93 percent; Fig. 3). The target dial search was ordered in 55 percent of the resolutions. 33 percent of the queries were directed to the future. Location inquiries (18 percent) were arranged about twice as often as radio cell inquiries (10 percent of the cases). The other queries (4 percent) were, in particular, queries about the phone number for the IMEI number, information about the SIM card used and inventory data.

Finally, the analysis results on the duration of traffic data monitoring are very informative (Fig. 4). While direct dialing searches for recording incoming calls and radio cell inquiries mainly fall into the hour and minute range, the inquiry of connections coming from and coming from a monitored connection ("standard inquiries") is used specifically for a longer period of time (two to three months) . The aim here is to record a suspect's communication traffic data as broadly as possible.

Evaluation of the results

The results of the investigation show that the traffic data query is mainly used in the initial stage of the investigation process. In two thirds of the proceedings, it was also the reason for the public prosecutor's office to be involved for the first time. Traffic data inquiries are often combined with other investigative measures such as search and seizure, but above all with telecommunications surveillance. In the latter case, the use complements each other functionally. Since the traffic data query determines connection numbers, it is often used to prepare for telecommunication monitoring or to identify call participants. It is arranged at the same time as the telecommunication monitoring if the query of stored data and the simultaneous arrangement of the telecommunication monitoring are to lead to a comprehensive picture of the communication patterns for the future. Here, the traffic data request from the practitioners from the investigating authorities is considered a very economical measure. In addition, it should gain initial investigative approaches so that other measures can then be carried out.

The traffic data query is therefore - unlike the telecommunication monitoring related to conversation content - not the "last" means, but, conversely, the "first". This is different only in procedures in which the traffic data query, as explained above, is the only promising determination measure. The overall picture of the use of traffic data inquiries also fits in with the findings made in the surveys that practitioners tend to classify it as less burdensome compared to conventional telephone monitoring and other covert investigative measures.


All test results are still based on the legal situation as it was presented in Germany before the introduction of data retention. In this respect, practice is largely based on the available data. Until then, this availability was largely determined by the internal purpose of the telecommunications companies, in particular invoicing. As a rule, the data was therefore only available for a period not exceeding three months. Storage or deletion practices are also influenced by constitutional and data protection regulations. Therefore, meaningful connection data was available for customers with prepaid cards and users of Flat rates practically not available so far. Whether and, if so, how, the surveillance practice will change under the conditions of the six-month data retention period that is currently in force - which, in contrast to previous practice, should be geared towards the interests of law enforcement - will be the subject of a repeat study, which is scheduled to be completed by the end of 2010.

Original publications

H.-J. Albrecht, C. Dorsch, Ch. Krüpe:
Legal reality and efficiency of the surveillance of telecommunications according to §§ 100a, 100b StPO and other covert investigative measures.
Criminological Research Reports Volume 115, Freiburg i. Br. 2003.
The efficiency of the monitoring of telecommunications according to §§ 100a, 100b StPO.
Criminological Research Reports Volume K 126, Berlin 2005.
The monitoring of telecommunications according to §§ 100a, 100b StPO in legal practice.
Criminological Research Reports Volume K 127, Berlin 2005.
Criminological Research Reports Volume K 128, Berlin 2005.
The implementation of the raster search.
Criminological Research Reports Volume K 140, Berlin 2008.
H.-J. Albrecht, A. Grafe, M. Kilchling:
Legal reality of the provision of information about telecommunication connection data according to §§ 100g, 100h StPO.
Criminological Research Reports Volume K 139, Berlin 2008.
European Parliament and Council of the European Union: