Friday, May 04, 2007

WISPA Notes from Talk with Feds

A WISPA member spoke with the Fed CALEA Tech unit about the requirements. Read the full post here.

Here is what I learned from the conversation:

  • we will be responding to court orders from LEAs, not subpoenas
  • T1.IAS and ATIS-013 are the same standard. ATIS-013 is the new name for T1.IAS.
  • "safe harbor" can only be obtained by implementing a CALEA compliance solution based on one of the standards outlined in section 107 of the law
  • if one does not obtain "safe harbor" then one just has to be able to comply with what a given LEA may request. If one's interpretation of what section 103 (which is vague) entitles the LEA to ask for differs from what the LEA thinks it entitles it to, and agreement cannot be reached, the matter will have to be settled in court between oneself and the LEA
  • obtaining "safe harbor" with the FBI alone is OK, but there are hundreds of LEAs out there besides the FBI. Obtaining "safe harbor" with the FBI does not guarantee that one has "safe harbor" with any other LEA.
  • CALEA requires the ISP to be able to sniff *all* customer traffic, including traffic passing *between* two of its customers (referred to as "hairpinning"). If the LEA requires this and the ISP can't provide it, the ISP may need to go to court.
  • the ISP must be able to transmit *all* data to the LEA in real time (with an 8 second delay, I believe), regardless of whether the traffic is VoIP or not
  • dialup traffic does not fall under CALEA. The Class 5 office servicing the phone line has to perform the intercept in these cases, not the ISP.
  • CALEA does not define the interface by which the LEA can obtain access to the data stream captured by the ISP. The ISP can use any industry standard. LEAs are generally not too happy about this because it makes them have to be able to support multiple standards. Norm could not tell me whether being able to grant the LEA access to the data stream via SSH was adequate or not. He thought it might be. I guess the alternative would be a VPN.
  • Re: opencalea.org, Norm had heard of them but was not very familiar with them. If they can fulfill a standard like ATIS-013 then utilizing a solution based on opencalea should provide the ISP with safe harbor. However, I understand that opencalea has not yet been able to put together a fully standards-based solution. Until they do, those of us depending on an opencalea-based compliance solution will have to live with the risk of not being able to negotiate a mutually satisfactory compliance method with any given LEA that issues us a court order, and thus face a possible stint in court

Thanks to Adam Green at WebJogger
