Intercept related information forms the metadata backbone of every lawful interception operation. In lawful interception, two categories of data are fundamental to every interception operation: intercept-related information (IRI) and content of communication (CC). These two data types form the core of what an operator delivers to law enforcement when executing an interception order, and they are carried over separate handover interfaces — HI2 for IRI and HI3 for CC — in the ETSI framework. While most practitioners understand the basic distinction — IRI is metadata, CC is content — the practical implications of this distinction are more nuanced than they first appear.
This article examines what IRI and CC actually mean in practice, what data elements each encompasses, how they are generated and delivered, and why the distinction matters for operators, law enforcement, and the broader lawful interception ecosystem.
What Intercept Related Information Means
Intercept-related information encompasses all the metadata associated with an intercepted communication. In the simplest terms, IRI answers the questions: who communicated, with whom, when, for how long, using what service, and from where? It does not include the substance of the communication itself — that is the domain of CC. IRI is defined and structured according to the ETSI TS 102 232 series, which specifies the data elements, encoding formats, and delivery mechanisms for different network technologies.
The specific data elements included in IRI vary depending on the type of communication and the network technology involved. For a traditional voice call, IRI typically includes the calling number (A-number), the called number (B-number), the IMSI and IMEI of the target’s device, the time the call was initiated, the time it was answered, the duration of the call, the cell identifiers at the start and during the call (providing location information), and the disposition of the call (answered, busy, no answer, forwarded). For an IP data session, IRI may include the target’s IP address, the allocated APN (Access Point Name), bearer parameters, session start and end times, and volume of data transferred.
IRI is generated as a series of events that correspond to the progression of the communication. The ETSI standards define specific IRI event types for different stages of a communication — for example, a call setup event, an answer event, a call release event, and various supplementary service events. Each event carries the relevant data elements and an accurate timestamp. The mediation function in the operator’s network is responsible for monitoring the signalling protocols (SIP, Diameter, GTP, SS7, and others) and generating the corresponding IRI events in ETSI format.
One of the most important characteristics of IRI is its structured nature. Because IRI is encoded in ASN.1 format according to well-defined data structures, it can be automatically parsed, processed, and analysed by law enforcement systems. This structured format enables automated correlation, pattern analysis, and data mining operations that would be much more difficult with unstructured data. The investigative value of IRI should not be underestimated — in many cases, the metadata provided by IRI is as valuable as, or more valuable than, the content itself.
Defining CC: The Content Layer
Content of communication is the actual substance of the intercepted communication — the words spoken in a phone call, the text of an SMS message, the web pages browsed during a data session, the files attached to an email. CC represents what was communicated, as opposed to the contextual information about the communication. CC is delivered over the HI3 interface to the LEMF.
The format of CC varies dramatically depending on the type of communication. For voice calls, CC is a real-time audio stream, typically encoded using codecs such as AMR (Adaptive Multi-Rate), AMR-WB (Wideband), or G.711. The audio must be delivered in real time so that law enforcement can monitor the conversation as it occurs, though it is also typically recorded for later review. For SMS messages, CC is the text content of the message. For data sessions, CC consists of the IP packets exchanged by the target, which may contain web browsing traffic, email content, application data, streaming media, and any other type of IP-based communication.
Data interception produces significantly more CC volume than voice interception. A single voice call generates a continuous but relatively low-bandwidth audio stream, while a data session can generate gigabytes of traffic depending on the target’s activity. This disparity has important implications for the dimensioning of LI systems, the bandwidth of HI3 delivery channels, and the storage capacity required at the LEMF.
The delivery of CC must be timely. For voice interception, this means real-time delivery with minimal latency. For data interception, near-real-time delivery is typically required, though the exact requirements may vary by jurisdiction. The transport mechanisms for CC delivery are defined in the ETSI standards and typically use secure TCP or UDP connections, with encryption to protect the content during transit.
Why the Distinction Matters
The distinction between IRI and CC is not merely technical — it has significant legal, operational, and strategic implications. From a legal perspective, many jurisdictions treat metadata and content differently. Some interception orders may authorise the collection of both IRI and CC, while others may be limited to metadata only. The legal thresholds for obtaining authorisation may differ, with content interception typically requiring a higher standard of evidence or a more serious category of offence. Operators must be able to activate IRI-only and combined IRI-plus-CC intercepts independently, as the scope of the interception order dictates what data can be collected and delivered.
From an operational perspective, IRI and CC have different characteristics in terms of volume, format, processing requirements, and delivery mechanisms. IRI is relatively compact and structured, making it well-suited for automated processing and analysis. CC is potentially voluminous and varies widely in format, requiring different handling, storage, and analysis approaches. Operators must design their LI systems to handle both data types efficiently, with appropriate buffering, flow control, and quality-of-service mechanisms.
From a strategic and investigative perspective, IRI and CC provide different types of intelligence. IRI enables pattern analysis, network mapping, location tracking, and the identification of communication patterns over time. CC provides direct insight into the substance of specific communications but may require significant effort to process and analyse — particularly for data interceptions that produce large volumes of mixed-media content. Law enforcement agencies increasingly recognise the strategic value of metadata, and in some investigations, IRI may be the primary focus of the interception effort.
IRI in Modern Networks
The transition from circuit-switched to packet-switched networks has significantly expanded the scope and complexity of IRI. In traditional telephony networks, IRI was relatively straightforward — call setup signalling provided a well-defined set of metadata elements. In modern IP networks, the signalling landscape is much more diverse and complex, involving protocols such as SIP, Diameter, GTP-C, and various application-layer protocols.
VoLTE, for example, uses SIP signalling over the IMS (IP Multimedia Subsystem) core, combined with Diameter for authentication and policy control and GTP for bearer management. Generating complete IRI for a VoLTE call requires the mediation function to monitor multiple protocols simultaneously and correlate the resulting events into a coherent IRI record. The ETSI standards define specific IRI data elements for IMS-based services, but the practical implementation can be challenging.
In 5G networks, the complexity increases further. The service-based architecture of the 5G core introduces new network functions and signalling interfaces that must be monitored for IRI generation. The 3GPP LI architecture for 5G defines specific point-of-interception (POI) locations and IRI data elements for 5G services, but operators must ensure that their mediation functions can extract the required information from the 5G signalling streams.
The Impact of Encryption on CC
One of the most significant challenges for CC delivery in modern networks is the increasing prevalence of encryption. End-to-end encrypted communications — such as those provided by messaging applications with E2EE — cannot be intercepted at the network layer in a meaningful way. The operator can capture the encrypted packets, but without the encryption keys, the content is unintelligible. This creates a situation where the operator can deliver IRI (which is generated from network signalling and does not depend on access to content) but cannot provide usable CC.
This encryption challenge has become one of the central policy debates in the lawful interception community. Law enforcement agencies argue that encryption creates blind spots that hinder criminal investigations, while privacy advocates maintain that strong encryption is essential for protecting fundamental rights. The resolution of this debate — if one is reached — will have profound implications for the CC component of lawful interception. In the meantime, operators must deliver whatever CC they are technically capable of accessing, while being transparent with law enforcement about the limitations imposed by encryption.
Practical Considerations for Operators
Operators implementing LI systems must ensure that their mediation functions are capable of generating complete, accurate, and timely IRI and CC for all services and network technologies in their portfolio. This requires deep integration with the operator’s signalling infrastructure, robust protocol analysis capabilities, and careful attention to data correlation and timing.
Testing is essential for verifying that IRI and CC are generated correctly. Operators should conduct comprehensive testing against the ETSI IRI data structure definitions, ensuring that all required data elements are present and correctly populated for each event type. CC delivery should be tested for fidelity, timing, and completeness across all supported media types.
Finally, operators must maintain their LI systems as their networks evolve. New services, new protocols, and new network technologies will require updates to the IRI generation and CC capture capabilities. A lawful interception system that was fully compliant at the time of deployment can become non-compliant as the network changes, making ongoing maintenance and development a critical part of the compliance programme.
Conclusion
IRI and CC are the two pillars of lawful interception data delivery. IRI provides the structured metadata that enables pattern analysis, location tracking, and communication mapping. CC provides the actual content of intercepted communications, offering direct insight into what targets are communicating. Together, they form a complete picture that supports law enforcement investigations. For operators, understanding the technical, legal, and operational implications of IRI and CC — and building LI systems that handle both effectively — is essential to meeting their lawful interception obligations in modern telecommunications networks.
Accurate intercept related information collection is fundamental to lawful interception operations. Operators must ensure their systems capture all required intercept related information fields.
Related Articles
For further reading on related topics, explore these articles:
- HI1 vs HI2 vs HI3: Understanding the Three Lawful Interception Interfaces
- How a Mediation Function Works: The Bridge Between Your Network and Law Enforcement
- ETSI TS 103 120 Explained: Handover Interfaces for Modern IP Networks
External Resources
The following external resources provide additional context and official documentation:
