Understanding HI1 HI2 HI3 interfaces is fundamental to implementing lawful interception correctly. At the heart of every lawful interception system lies a set of standardised interfaces that govern how intercepted communications are managed, processed, and delivered to law enforcement. In the ETSI framework — the dominant standard for LI in Europe and much of the world — these interfaces are designated HI1, HI2, and HI3. Together, they form the complete handover architecture that connects an operator’s network to the law enforcement monitoring facility (LEMF). Despite their fundamental importance, the distinctions between these three interfaces are frequently misunderstood, even by professionals working in the telecommunications and law enforcement sectors.
This article provides a clear, detailed explanation of each interface — what it carries, how it works, and why it matters. Understanding HI1, HI2, and HI3 is not merely an academic exercise; it is essential for anyone involved in designing, procuring, deploying, or operating a lawful interception system.
Understanding HI1 HI2 HI3 Interfaces
Before examining each interface individually, it is important to understand where they sit within the broader LI architecture. The ETSI model divides the interception process into several functional components. On the operator’s side, the key components are the internal interception function (IIF), which performs the actual interception within the network, and the mediation function (MF), which translates the intercepted data into the standardised formats required by the handover interfaces. On the law enforcement side, the LEMF receives the intercepted data and provides tools for analysis and investigation.
The three HI interfaces span the boundary between the operator’s domain and the law enforcement domain. HI1 handles the administrative exchange, HI2 carries intercept-related information, and HI3 carries the content of communications. Each interface operates independently, though all three must work together to support a complete interception operation. The separation of these functions into distinct interfaces ensures that the administrative, metadata, and content aspects of interception can be managed, secured, and processed according to their different requirements.
HI1: The Administrative Interface
HI1 is the administrative interface between law enforcement and the operator. Its primary purpose is to convey the interception order from the law enforcement agency to the operator and to manage the lifecycle of the interception — from activation through modification to deactivation. HI1 is the command-and-control channel of the interception process.
Through HI1, the law enforcement agency communicates the details of the interception order, including the target’s identity (which may be specified by telephone number, IMSI, IMEI, IP address, email address, or other identifier), the scope of the interception (content only, metadata only, or both), the authorised duration, and any specific parameters or restrictions. The operator acknowledges receipt of the order, confirms activation, and reports back on the status of the interception.
HI1 also handles modifications to an existing interception — for example, extending the duration, changing the target identifier, or adjusting the scope — and the deactivation of the intercept when the authorisation expires or is revoked. In some implementations, HI1 also supports the exchange of administrative metadata such as warrant numbers, case references, and operator response codes.
The implementation of HI1 varies significantly between jurisdictions and operators. In some countries, HI1 is a fully automated, machine-to-machine interface using defined protocols and message formats. In others, it remains a largely manual process, with interception orders delivered by fax, secure email, or physical document and acknowledged through similar channels. The ETSI standards define the logical functions of HI1 but allow considerable flexibility in the specific implementation, recognising that national legal and institutional arrangements vary widely.
Security is a critical concern for HI1, as it carries sensitive information about active interception operations. Unauthorised access to HI1 could reveal the existence of an interception to the target or allow the activation of unauthorised intercepts. Implementations must therefore include strong authentication, encryption, access controls, and audit logging.
HI2: The Intercept-Related Information Interface
HI2 is the interface for delivering intercept-related information (IRI) to the LEMF. IRI is the metadata associated with intercepted communications — the who, when, where, and how of the communication, without the actual content. HI2 is often described as the metadata interface, and the information it carries is crucial for law enforcement investigations, frequently providing as much or more investigative value than the content itself.
The IRI delivered over HI2 typically includes the identities of the communicating parties (calling and called numbers, IMSI, IMEI), the time and duration of the communication, the type of service (voice, SMS, data), the network elements involved, cell identifiers and location information, IP addresses and port numbers, and signalling information such as SIP headers or Diameter messages. The specific data elements included in the IRI vary depending on the type of communication and the network technology, and are defined in detail in the ETSI TS 102 232 series.
HI2 data is encoded using ASN.1 (Abstract Syntax Notation One), which provides a formal, structured format for representing the IRI data elements. The use of ASN.1 ensures that the data can be unambiguously encoded and decoded across different implementations, supporting interoperability between operators and law enforcement agencies. The transport of HI2 data is typically secured using TLS, and the delivery mechanism may use TCP-based protocols to ensure reliable delivery.
One of the complexities of HI2 is the need to generate IRI events in real time as the intercepted communication progresses. For a voice call, this means generating events for call setup, ringing, answer, call modification (such as hold or conference), and call release. For a data session, it means generating events for session establishment, address allocation, bearer activation, and session termination. The mediation function must be capable of monitoring the relevant signalling protocols and generating the corresponding IRI events with accurate timestamps.
HI2 is particularly important for investigations involving location tracking, network analysis, and pattern-of-life assessments. The metadata delivered over HI2 can reveal patterns of communication, geographic movements, and network usage that are central to many types of criminal investigation. For operators, ensuring the completeness and accuracy of HI2 data is a key quality metric for their LI systems.
HI3: The Content of Communications Interface
HI3 is the interface for delivering the content of communications (CC) to the LEMF. CC is the actual substance of the intercepted communication — the voice audio, the SMS text, the web pages viewed, the emails sent and received, the files transferred. HI3 is the interface that carries the material that law enforcement needs to understand what the target is communicating, as opposed to the metadata about how and when the communication occurs.
The format and volume of CC data vary enormously depending on the type of communication being intercepted. For voice calls, the CC is a real-time audio stream, typically encoded using standard codecs such as AMR (Adaptive Multi-Rate) or G.711. For data sessions, the CC consists of the IP packets exchanged by the target, which may include web traffic, email messages, file transfers, streaming media, and any other type of IP-based communication. The volume of data generated by a single data interception can be orders of magnitude greater than that generated by a voice interception.
HI3 delivery must be real-time for voice and near-real-time for data. The intercepted content must be delivered to the LEMF with minimal latency to support time-critical investigations. The transport mechanisms defined by ETSI for HI3 use secure TCP or UDP connections, depending on the media type. Voice content is typically transported using RTP (Real-time Transport Protocol) encapsulated within a secure transport wrapper, while data content may be delivered as raw IP packets or using protocol-specific encapsulation.
The handling of encrypted content on HI3 is one of the most challenging aspects of modern LI. If the target’s communications are encrypted at the application layer (for example, using end-to-end encryption in a messaging application), the operator may only be able to deliver the encrypted content on HI3, which is of limited value to law enforcement. The ETSI standards specify that operators should deliver whatever content they are technically capable of accessing, but the growing prevalence of encryption is creating a widening gap between what law enforcement expects and what operators can deliver.
How the Three Interfaces Work Together
In a typical interception operation, the three interfaces work together as follows. First, the law enforcement agency transmits an interception order to the operator via HI1, specifying the target, the scope, and the duration. The operator’s LI management system processes the order, validates the warrant, and configures the internal interception function to begin intercepting the target’s communications.
When the target initiates or receives a communication, the internal interception function captures the relevant signalling and content data. The mediation function processes this data, generating IRI events and encoding them in ASN.1 format for delivery over HI2, and encapsulating the CC for delivery over HI3. Both streams are transmitted securely to the LEMF, where they are correlated and presented to investigators.
Throughout the interception, HI1 remains active for administrative purposes — the law enforcement agency may use it to request status updates, modify the interception parameters, or issue a deactivation order. When the interception is terminated, the operator confirms deactivation via HI1 and ceases the delivery of IRI and CC over HI2 and HI3.
Practical Considerations for Operators
Operators implementing the three HI interfaces must address several practical considerations. The first is system dimensioning. The HI2 and HI3 interfaces must be dimensioned to handle the expected volume of concurrent intercepts without data loss or excessive latency. For data-heavy intercepts, the bandwidth requirements for HI3 can be substantial, and operators must ensure that their delivery infrastructure is adequately provisioned.
The second consideration is security. All three interfaces carry sensitive information and must be protected against unauthorised access, eavesdropping, and tampering. This requires end-to-end encryption, mutual authentication, and comprehensive audit logging. Security failures on any of the three interfaces can compromise the integrity of the interception process and potentially expose sensitive law enforcement operations.
The third consideration is interoperability. Operators must ensure that their HI implementations are compatible with the systems used by the law enforcement agencies in their jurisdiction. This typically requires formal interoperability testing, which can be a time-consuming process. Operators should engage with their national law enforcement technical contacts early in the development process to identify and resolve compatibility issues.
結論
The HI1, HI2, and HI3 interfaces form the backbone of the ETSI lawful interception handover architecture. HI1 provides the administrative control channel, HI2 delivers the rich metadata that is essential for investigations, and HI3 carries the actual content of intercepted communications. Together, they enable a complete, standards-based interception capability that supports the needs of both operators and law enforcement. Understanding the distinct roles, technical requirements, and practical challenges of each interface is essential for anyone involved in the design, deployment, or operation of lawful interception systems in modern telecommunications networks.
Proper implementation of HI1 HI2 HI3 interfaces is essential for lawful interception compliance. Operators must test their HI1 HI2 HI3 implementations thoroughly before going live.
関連記事
関連トピックについては、以下の記事を参照されたい:
- ETSI TS 103 120の説明最新IPネットワークのハンドオーバインターフェース
- IRI vs CC: What Intercept-Related Information Actually Means in Practice
- X1/X2/X3 Interfaces in 5G: The 3GPP LI Architecture Explained
外部リソース
以下の外部リソースは、さらなる背景と公式文書を提供している:
