Monday, April 30, 2007

CALEA thoughts from Marlon & Matt at WISPA

from discussion on the WISPA list:

We've got a long way to go yet. But here are a few things so far.

  • You don't NEED a safe harbor.
  • You don't HAVE to follow anyone's industry standard to be compliant.
  • You don't need a TTP.
  • What you DO have to do is collect specific data. How you do so is up to you.
  • You do have to do it without tipping off the suspect.
  • You do have to be able to verify its authenticity at a later date.
  • You do have to do as much as you can to help LEA.
  • If you do not follow *a* standard, you've got to try to do anything that LEA asks of you. If you follow a standard then you only have to do what is required by the standard.
  • By the time we (wispa) get done with CALEA we'll have a low/no cost option for the average company.
  • MOST of us will likely have hybrid plans in place. Some of the work we'll do ourselves with our routers, servers etc. Some of the work we'll contract out to people like Bearhill.

- marlon

from Matt in Atlanta:

Getting the data for the LEA is just one part of compliance. What about the more practical issues?

CALEA requires:

  • Establishment of policies and procedures for supervision and control of officers and employees
  • Designating a 24/7/365 POC for the LEA
  • Validating legal authorization for the ELSUR (electronic surveillance)
  • Maintaining secure and accurate records
  • Reporting any CALEA security breaches
  • AND... filing with the FCC how you are going to do the above (by May 14, 2007 or face a huge fine!)

Not implementing the policies and procedures may result in legal liability.

Assuming you have all that is needed to be compliant, how do you actually comply with an order?

You are going to at least need to collect the following information:

  • Telephone number/circuit ID
  • Start date/time
  • Officer presenting order & Judge issuing order
  • Type of ELSUR
  • Supervising carrier personnel & Carrier employees involved
  • Certification of “senior official...”
  • Subscriber name
  • Date/time order served
  • Court issuing order as well as Court docket/file number
  • Law enforcement officers authorized to receive info
  • LEA contact numbers

And what about the warrant's validity? CALEA requires the carrier to determine the following:

  • Does the Court have jurisdiction over Carrier?
  • Does the Court Order provide for Technical Assistance?
  • Has the Court provided for compensation?
  • If problems arise, how does the carrier address the issues – inside/outside counsel, Service Bureau, etc.?

Just in case you are wondering, acting on an invalid subpoena is a $1,000 minimum fine. Further, if you are acting in bad faith, the court can create, at carrier expense, a court-supervised monitor of your compliance to ensure due diligence. Any violations detected by the monitor can result in additional fines.

-Matt

These are interpretations (what some would call Opinions). Take it with a grain of salt.

Tuesday, May 1, 2007 at 11 AM Eastern is a webinar with Solera Networks about their CALEA Solution.
