CDR, IPDR and Tower Dumps: An Investigator's Guide to Telecom Data Requests

CDR, IPDR and tower dumps explained for investigators: what each telecom record proves, the lawful India process under BNSS, and how Carpenter compares.
Call Detail Records (CDR), Internet Protocol Detail Records (IPDR) and tower dumps are among the most powerful evidentiary tools a cybercrime investigator can draw on, and among the most legally sensitive. They reveal who communicated with whom, when, from where and for how long, without ever capturing the content of a single conversation. This guide explains what each data type is, how an Indian investigating officer lawfully obtains it from a Telecom Service Provider (TSP), and how the global picture compares. It is written for officers and analysts who act only under proper legal authority (a court order or competent-authority approval) and who treat subscriber privacy as a constraint built into the process, not an afterthought. It is general professional guidance, not legal advice.
- All three are metadata, not content. They describe the envelope of a communication, never the message inside. Capturing content is interception, a separate and higher legal threshold.
- CDR = call and SMS records for one known number. IPDR = data-session records that tie an IP address to a subscriber. Tower dump = every device on a tower in a time window (bulk).
- India route for stored records: a production order under Section 94 BNSS (or Section 95 for telecom-held custody), not an interception order.
- Retention: Indian TSPs must archive CDR, EDR and IPDR for at least two years (DoT, 2021), so act early on older matters.
- The global trend (Carpenter in the US, the CJEU in the EU) is toward warrants, targeting and independent review for bulk and historical location data.

CDR, IPDR and tower dumps: what each one actually contains
The single most important distinction for any investigator, and any court reviewing the request, is that these are metadata, not content. Capturing content (the audio of a call, the text of a message, live data traffic) is a separate, higher-threshold act of interception governed by different law, covered below.
- Call Detail Record (CDR). The billing-and-routing metadata a network generates for every call and SMS: calling and called numbers, date, time and duration, the IMEI of the handset, the IMSI of the SIM, and the cell-tower identifiers (and therefore approximate location) at the start and end of the call. It does not contain what was said.
- IP Detail Record (IPDR). The equivalent for data sessions. It logs session-level metadata for a subscriber's internet usage: the public and private IP addresses allocated, source and destination ports, timestamps, session duration and data volume. It does not reveal page content or decrypt encrypted payloads.
- Tower dump. Not the history of one subscriber but a list of all devices that connected to one or more specific cell towers during a defined window. Used to identify an unknown suspect present at a scene, or a device common to several scenes.

| Attribute | CDR | IPDR | Tower dump |
|---|---|---|---|
| What it contains | Call and SMS metadata: numbers, time, duration, IMEI, IMSI, cell IDs | Data-session metadata: assigned IPs, ports, timestamps, data volume | All subscribers and devices on a given tower in a time window |
| Subject | One known number or device, historical | One known subscriber or IP, historical | Many unknown devices, geographically defined |
| What it tends to prove | Contact network, timeline, approximate location of a known suspect | Attribution of an IP address to a subscriber; data-activity pattern | Presence of an unknown device at a place and time; common device across scenes |
| Privacy footprint | Targeted (one subject) | Targeted (one subject) | Bulk; over-collects bystanders |
| India legal threshold | Production order, Sec. 94 or 95 BNSS | Production order, Sec. 94 or 95 BNSS | Production order, Sec. 94 or 95 BNSS, with heightened justification |

What each record proves, and what it does not
Treating these records as more probative than they are is a common and costly error. Each answers a narrow question.
- A CDR proves contact and approximate location, not identity or intent. It shows that two numbers connected and roughly where a handset was, but the registered subscriber is not always the user, and start/end cell IDs give a coverage area, not a GPS point. It says nothing about what was discussed.
- An IPDR proves attribution, not authorship. Its core value is resolving which subscriber held a particular public IP at a particular instant, indispensable in the age of carrier-grade NAT, where thousands of users share one public IP and only the source-port and timestamp combination separates them. It is also the route to attribute activity behind app and VoIP services, where there is no dialled number to trace. It does not prove which person at that connection acted, nor the content of the session.
- A tower dump proves presence, not participation. It places a device near a tower; it cannot, by itself, show that the device's owner was involved in anything. Its evidential power comes from intersection: the same device appearing near multiple linked scenes.
A related identifier worth tracking is the IMEI, the handset's hardware number that appears in CDRs. Where a phone is stolen or a SIM is swapped to evade a number-based trace, India's Central Equipment Identity Register (CEIR), run by the DoT, lets a device be blocked across networks by IMEI and flags when a new SIM is inserted, a useful pivot when the number changes but the handset does not.
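
The IPDR attribution point above, as an added example that is not part of the original guide: resolving a public IP, source port and timestamp to a subscriber under carrier-grade NAT. The row layout, the port-block allocation model and the subscriber labels are assumptions made for illustration, and the data is constructed.

```python
from datetime import datetime, timedelta

# Constructed IPDR rows (not real data). Field layout is an assumption; each
# TSP's export differs. All timestamps are taken to be in one time zone.
# (subscriber, public_ip, port_lo, port_hi, session_start, session_end)
IPDR_ROWS = [
    ("SUB-A", "203.0.113.7", 1024, 2047, "2024-03-01T10:00:00", "2024-03-01T10:30:00"),
    ("SUB-B", "203.0.113.7", 2048, 3071, "2024-03-01T10:00:00", "2024-03-01T11:00:00"),
    ("SUB-C", "203.0.113.7", 1024, 2047, "2024-03-01T10:30:20", "2024-03-01T11:15:00"),
]


def attribute(public_ip, src_port, seen_at, skew_seconds=0, rows=IPDR_ROWS):
    """Return the subscribers whose NAT allocation covers (IP, port, time).

    src_port=None models a server log that kept no source port.
    skew_seconds widens each session to allow for clock drift between the
    logging server and the TSP. Anything other than exactly one result
    means the record does not attribute the connection to one subscriber.
    """
    t = datetime.fromisoformat(seen_at)
    skew = timedelta(seconds=skew_seconds)
    hits = set()
    for sub, pub, p_lo, p_hi, start, end in rows:
        if pub != public_ip:
            continue
        if src_port is not None and not (p_lo <= src_port <= p_hi):
            continue
        if datetime.fromisoformat(start) - skew <= t <= datetime.fromisoformat(end) + skew:
            hits.add(sub)
    return sorted(hits)


if __name__ == "__main__":
    ip = "203.0.113.7"
    print(attribute(ip, 1500, "2024-03-01T10:10:00"))       # port + time: one subscriber
    print(attribute(ip, None, "2024-03-01T10:10:00"))       # no port logged: ambiguous
    print(attribute(ip, 1500, "2024-03-01T10:30:10", 30))   # port reused, loose clock: ambiguous
```

A request that supplies only the public IP, or a timestamp with loose precision, can return several subscribers for the same address, which is why the source port and an accurate time belong in the requisition.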
India: the lawful process for stored telecom records
Because CDR, IPDR and tower dumps are stored records already held by the TSP, the ordinary route is a production order, not an interception order. The governing law is now the Bharatiya Nagarik Suraksha Sanhita (BNSS), 2023, which replaced the Code of Criminal Procedure (CrPC), 1973.
- Section 94 BNSS (which replaced Section 91 CrPC) empowers a court or an officer in charge of a police station to require any person to produce a document or thing. Unlike the old CrPC text, it expressly extends to electronic communications, communication devices and anything likely to contain digital evidence.
- Section 95 BNSS (which replaced Section 92 CrPC) deals with things in the custody of a postal authority (the CrPC's reference to a "telegraph" authority was dropped in the BNSS). In Mala Ram v. State of Rajasthan (2024), the Rajasthan High Court held that, in the modern context, "postal authority" must be read to mean and include the telecom authority, making Section 95 the natural vehicle where a court or magistrate must direct a TSP to produce call and location records.
In practice the investigating officer raises a written, case-numbered requisition to the TSP's nodal officer, citing the relevant BNSS provision, the FIR or case details, the precise number, IP or tower sought, and a tightly bounded date-and-time range.
This is not interception. Interception captures live content and is a separate, higher track:
- Calls: authorised under Section 20 of the Telecommunications Act, 2023 (in force from 26 June 2024, replacing Section 5(2) of the Indian Telegraph Act, 1885), read with the Telecommunications (Procedures and Safeguards for Lawful Interception of Messages) Rules, 2024 (which superseded Rule 419A on 6 December 2024). Written approval is still required from the competent authority: the Union Home Secretary at the Centre or the State Home Secretary in the states.
- Data and computer resources: authorised under Section 69 of the Information Technology Act, 2000, read with the IT (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, again on the competent authority's approval.
Keep the two tracks distinct: stored metadata via a production order; live content via a sanctioned interception order.
On retention: under licence conditions administered by the DoT, TSPs were historically required to preserve CDRs for at least one year. In December 2021 the DoT amended the Unified Licence to require that commercial records, CDRs, exchange detail records (EDR) and IPDRs be archived for at least two years for security scrutiny, after which they may be destroyed absent a direction to retain. This two-year window defines how far back a request can realistically reach, so time is of the essence in older matters, and a preservation request should go in early.
A lawful request workflow
- Establish the legal predicate. Confirm a registered FIR or sanctioned inquiry, and articulate in writing exactly how the requested data is necessary and relevant to that specific investigation. Vague or fishing requests fail both legally and evidentially.
- Choose the correct instrument. For stored CDR, IPDR or tower-dump data, prepare a production order under Section 94 BNSS (or route through Section 95 and a competent court where custody rules require it). For live content, escalate for a competent-authority interception order under the Telecommunications Act 2023 and its 2024 Interception Rules, or IT Act Section 69. Never substitute one for the other.
- Minimise scope before you send. Narrow the request to the specific number, IP or tower and the tightest defensible time window. For a tower dump, justify each tower and each minute. Over-broad windows are the most common ground for later challenge.
- Submit to the TSP nodal officer. Route the requisition through the provider's designated nodal or law-enforcement officer with the case reference, authorising signature and the cited legal provision. Record the date, recipient and acknowledgment.
- Preserve chain of custody. On receipt, hash the data, log who handled it and when, and store it in a controlled evidence system. Capture what the electronic-evidence certificate under Section 63 of the Bharatiya Sakshya Adhiniyam requires, so the records are admissible at trial.
- Use, retain and dispose lawfully. Analyse only what the authorisation covers, document analytical steps, and securely purge bystander data from a tower dump that proves irrelevant. Be ready to justify proportionality if the request is reviewed.
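
The chain-of-custody step in the workflow above, as an added example that is not part of the original guide: hash the received export and keep a handling log in which each entry commits to the previous one. The choice of SHA-256, the hash-chained log, the field names and the actor labels are assumptions of this example, and the sample data is constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash_of(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def log_handling(log: list, evidence: bytes, actor: str, action: str, when: str) -> dict:
    """Append who handled the evidence, when, and its hash at that moment."""
    entry = {
        "actor": actor, "action": action, "when": when,
        "evidence_sha256": sha256_hex(evidence),
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash_of(entry)
    log.append(entry)
    return entry


def verify(log: list, evidence: bytes) -> bool:
    """True only if the log is unedited and the evidence still matches it."""
    prev, current = GENESIS, sha256_hex(evidence)
    for entry in log:
        if entry["prev"] != prev or entry_hash_of(entry) != entry["entry_hash"]:
            return False  # an entry was edited, reordered or dropped mid-chain
        if entry["evidence_sha256"] != current:
            return False  # the data changed after this handling step
        prev = entry["entry_hash"]
    return True


# Constructed sample: bytes standing in for a CDR export received from a TSP.
SAMPLE_CDR = b"calling,called,start,duration_s\nNUM-1,NUM-2,2024-03-01T10:00:00,42\n"

if __name__ == "__main__":
    custody = []
    log_handling(custody, SAMPLE_CDR, "IO-1 (hypothetical)", "received from TSP nodal officer", "2024-03-02T09:00:00")
    log_handling(custody, SAMPLE_CDR, "Analyst-2 (hypothetical)", "copied to evidence store", "2024-03-02T11:30:00")
    print(verify(custody, SAMPLE_CDR), verify(custody, SAMPLE_CDR + b"x"))
```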
Tower dumps: over-collection and the duty to minimise
A tower dump is the highest-risk request in this guide because it is, by design, bulk collection. Asking for every device on a busy urban cell for even an hour can sweep in tens of thousands of uninvolved people, their numbers, IMEIs and movements. That is precisely what attracts the heaviest scrutiny, in court and from data-protection principles.
Disciplined minimisation is what makes a tower dump defensible:
- Fewest towers, shortest window. Justify each tower and tie the time range to the offence, not to convenience.
- Filter, then discard. Use the dump to isolate the device of interest (for example, one present at several linked scenes), then purge the bystander records you do not need.
- Document necessity contemporaneously. Record why a dump, rather than a targeted CDR, was the only way to identify an unknown suspect.
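
The "filter, then discard" discipline above, as an added example that is not part of the original guide: restrict a dump to the authorised tower and window for each scene, keep only devices present at several scenes, and count what must be purged. The row layout, scene definitions and threshold are assumptions, and the data is constructed.

```python
from datetime import datetime

# Constructed tower-dump rows (not real data): (imei, cell_id, seen_at).
DUMP = [
    ("IMEI-001", "CELL-A", "2024-03-01T21:05:00"),
    ("IMEI-002", "CELL-A", "2024-03-01T21:10:00"),
    ("IMEI-003", "CELL-A", "2024-03-01T23:40:00"),  # outside the authorised window
    ("IMEI-001", "CELL-B", "2024-03-04T18:20:00"),
    ("IMEI-004", "CELL-B", "2024-03-04T18:25:00"),
    ("IMEI-002", "CELL-C", "2024-03-09T07:15:00"),
    ("IMEI-001", "CELL-C", "2024-03-09T07:30:00"),
]

# Authorised scope, one tower and one window per scene (hypothetical values).
SCENES = {
    "scene-1": ("CELL-A", "2024-03-01T21:00:00", "2024-03-01T22:00:00"),
    "scene-2": ("CELL-B", "2024-03-04T18:00:00", "2024-03-04T19:00:00"),
    "scene-3": ("CELL-C", "2024-03-09T07:00:00", "2024-03-09T08:00:00"),
}


def scene_of(row, scenes):
    """Name of the authorised scene a row falls in, or None if out of scope."""
    _imei, cell, seen = row
    t = datetime.fromisoformat(seen)
    for name, (s_cell, start, end) in scenes.items():
        if cell == s_cell and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return name
    return None


def intersect_and_minimise(rows, scenes, min_scenes):
    """Keep only in-scope rows of devices seen at >= min_scenes scenes."""
    scenes_by_device = {}
    for row in rows:
        name = scene_of(row, scenes)
        if name is not None:
            scenes_by_device.setdefault(row[0], set()).add(name)
    keep = {d for d, names in scenes_by_device.items() if len(names) >= min_scenes}
    retained = [r for r in rows if r[0] in keep and scene_of(r, scenes) is not None]
    return sorted(keep), retained, len(rows) - len(retained)  # last value: rows to purge


if __name__ == "__main__":
    devices, retained, purged = intersect_and_minimise(DUMP, SCENES, min_scenes=3)
    print(devices, len(retained), "rows kept;", purged, "bystander/out-of-scope rows purged")
```

The purge count is worth recording alongside the necessity note, since it documents how much bystander data was received and discarded.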
United States: Carpenter and the warrant for location history
The US offers the sharpest comparative lesson on location metadata. In Carpenter v. United States, 585 U.S. ___ (2018), decided 22 June 2018, the Supreme Court held 5 to 4 that acquiring historical cell-site location information (CSLI) is a Fourth Amendment search, so the government generally needs a warrant supported by probable cause, a higher bar than the lesser court orders previously used under the Stored Communications Act.
The Court held that accessing seven days of historical CSLI is a search, reasoning that long-term location data creates a detailed chronicle of a person's movements, and that the third-party doctrine (that data shared with a provider loses privacy protection) does not automatically apply to this kind of comprehensive record. It expressly left open whether shorter periods would also require a warrant. Carpenter is the reference point for why bulk and historical location data deserves elevated scrutiny.
EU and UK: the retreat from blanket retention
European law has moved decisively against indiscriminate retention.
- Tele2 Sverige and Watson (Joined Cases C-203/15 and C-698/15, 2016): the Court of Justice of the European Union (CJEU) held that national laws mandating general and indiscriminate retention of all traffic and location data are incompatible with EU law.
- La Quadrature du Net (2020): the Grand Chamber reaffirmed the ban while permitting narrow exceptions, insisting that any retention be targeted, strictly necessary, reserved for serious crime or genuine national-security threats, and subject to prior review by a court or independent body.
These rulings reshaped the United Kingdom's regime under the Investigatory Powers Act 2016, pushing access to communications data toward independent authorisation rather than self-authorisation by the requesting agency. The throughline with Carpenter is clear: courts increasingly demand that bulk telecom data be justified, bounded and independently checked.
Privacy guardrails and why they protect the case
In India, the right to privacy is a fundamental right under K.S. Puttaswamy v. Union of India (2017), which set a proportionality test: any intrusion must rest on a valid law, pursue a legitimate aim, and be proportionate to that aim. Tower dumps sit at the frontier of this test because they collect data on large numbers of uninvolved people.
The defensible practice is the same discipline that makes the evidence stick: the narrowest towers, the shortest window, prompt purging of irrelevant records, and contemporaneous documentation of necessity. These are not merely courtesies to civil liberties. They are the difference between metadata that anchors a conviction and metadata a court throws out.
Frequently asked questions
Does a CDR or IPDR request capture what was said or typed? No. Both are metadata only: numbers, IP addresses, ports, times, durations and volumes. Capturing content requires a separate, competent-authority interception order under the Telecommunications Act 2023 and its 2024 Interception Rules, or IT Act Section 69, which is a higher legal threshold.
How far back can we realistically request records? In India, current licence conditions require TSPs to archive CDR, EDR and IPDR for at least two years, after which providers may destroy them. Requests beyond that window may find nothing retained, so act early and, where needed, send a preservation request.
Why is an IPDR needed when we already have an IP address? Because carrier-grade NAT means many subscribers share one public IP at the same time. Only the IPDR, matching the public IP to the timestamp and source port, attributes that connection to a single subscriber, and it is often the only way to trace activity behind app and VoIP services that expose no phone number.
Why are tower dumps treated more cautiously than a CDR? A CDR targets one known subject; a tower dump sweeps in every device near a tower, including innocent bystanders. Because of that bulk footprint, courts expect tighter justification, narrower windows and minimisation, consistent with the proportionality standard in Puttaswamy and the global trend seen in Carpenter and the CJEU rulings.
Hero image: Mobile communication tower by Wispiant, via Wikimedia Commons, CC BY-SA 4.0.