ISP CALEA compliance

I have interpreted CALEA to apply only to providers of VOICE service, be it VOIP or traditional; however, I was told this morning point blank by the FCC that CALEA most definitely applies to all ISPs that provide internet access at speeds over 200k.

The FCC said that routers must send a copy of all packets to and from a selected IP to law enforcement in real time from gateway routers.

I've seen very little CALEA related traffic on this list which reinforced my belief that it did not apply to data providers.

Can anyone comment on this?

Thanks.
-nm

you have 4 days, work fast... Actually, I'd ask your in-house counsel
about your current status and whether or not things you do would fall into
the CALEA bucket. Also, work fast, there's only 4 days left :(

I believe there was some chatter on a puck.nether.net list, perhaps Jared
has that handy? or another reader does?

Nikos Mouat wrote:

I have interpreted CALEA to apply only to providers of VOICE service,
be it VOIP or traditional; however, I was told this morning point blank
by the FCC that CALEA most definitely applies to all ISPs that provide
internet access at speeds over 200k.

That, and the definition of ISP, are still a bit fuzzy...

wireless@wispa.org, for instance, has had a LOT of chatter about that,
but WISPA's staff attorney believes that small wireless ISPs are
required to be CALEA-compliant. (WISPA is a trade association for
wireless ISPs.) If small ISPs have to be compliant, it's probably safe
to assume big ISPs are too. :)

http://lists.wispa.org/pipermail/wireless/ is the list archive - there's
a lot of noise in there, but a fair amount of signal (start in February
2007 or so, and work your way up). There are also forms you're apparently
supposed to fill out (FCC Form 445, and a CALEA compliance plan due next
week).

As always your friendly attorney knows better than I do.

David Smith
MVN.net

Sure,

  You need to have a router or some appliances that will assist
you in the required lawful-intercept capabilities that are necessary.

  Take the time to read the 2nd order and report, and review FCC
form 445. The filing date for that form passed, but that was a form to be
filed to capture a "snapshot" of the current state of compliance.

  Keep in mind that you may need to negotiate with the requesting
agency (i.e. the folks that give you the subpoena that cites CALEA).

  Take a moment and also review things like T1.IAS (I think it was
renamed again).

  There was also a brief CALEA presentation at the past NANOG. As
usual, make sure you chat with your legal counsel. Finding some that have
FCC knowledge/competence (and technology) is a plus.

  If you're not offering VoIP services, your life may be easier as
you will only need to intercept the data. Depending on your environment
you could do this with something like port-mirroring, or something
more advanced. There are a number of folks that offer TTP (Trusted
third-provider) services. Verisign comes to mind. But using a TTP
doesn't mean you can hide behind them. Compliance is ultimately your
(the company that gets the subpoena) responsibility.

  This is an oversimplified summary, and since IANAL nor am I a
CALEA expert, all this may be bunk.

Some possibly useful links:

http://www.fcc.gov/calea/
http://www.askcalea.net/
http://www.access.gpo.gov/uscode/title47/chapter9_subchapteri_.html

  - Jared (IANAL!)

        If you're not offering VoIP services, your life may be easier as
you will only need to intercept the data. Depending on your environment
you could do this with something like port-mirroring, or something
more advanced. There are a number of folks that offer TTP (Trusted
third-provider) services. Verisign comes to mind. But using a TTP
doesn't mean you can hide behind them. Compliance is ultimately your
(the company that gets the subpoena) responsibility.

Here's a question that's come up around here. Does a CALEA intercept
include "hairpinning" or is it *only* traffic leaving your network?
I'm of the opinion that a CALEA intercept request includes every bit
of traffic being sent or received by the targeted individual, but
there is strong opposition here that thinks only internet-related
traffic counts.

Jason Frisvold wrote:

        If you're not offering VoIP services, your life may be easier as
you will only need to intercept the data. Depending on your environment
you could do this with something like port-mirroring, or something
more advanced. There are a number of folks that offer TTP (Trusted
third-provider) services. Verisign comes to mind. But using a TTP
doesn't mean you can hide behind them. Compliance is ultimately your
(the company that gets the subpoena) responsibility.

Here's a question that's come up around here. Does a CALEA intercept
include "hairpinning" or is it *only* traffic leaving your network?
I'm of the opinion that a CALEA intercept request includes every bit
of traffic being sent or received by the targeted individual, but
there is strong opposition here that thinks only internet-related
traffic counts.

        - Jared (IANAL!)

That would be something best brought up with a CALEA lawyer or one of the Trusted Third Party companies for an answer.

I suspect that you probably ought to have the capability of getting both ends of the "conversation" (incoming & outgoing) as the warrant may be written that way.

IANAL and I don't even play on the net, but...

We've been under the impression that it is *all* data. So for us, for things like PPPoE sessions, just putting a tap/span port upstream of the aggregation router will not work, as you would miss any traffic going from USER A <-> USER B if they were on the same aggregation device. Since the intercept has to be invisible to the parties being tapped, you can't route their traffic back out and then in either, since the tap would change the flow. In that regard, we've been upgrading our older NPEs to newer ones in order to support SII. All the while I keep having something a co-worker said stuck in my head: "CALEA - Consultant And Lawyer Enrichment Act" :)

-Patrick

We've been under the impression that it is *all* data. So for us, for
things like PPPoE sessions, just putting a tap/span port upstream of
the aggregation router will not work, as you would miss any traffic
going from USER A <-> USER B if they were on the same aggregation
device. Since the intercept has to be invisible to the parties
being tapped, you can't route their traffic back out and then in
either, since the tap would change the flow. In that regard, we've
been upgrading our older NPEs to newer ones in order to support
SII. All the while I keep having something a co-worker said stuck in
my head: "CALEA - Consultant And Lawyer Enrichment Act" :)

Agreed.. Now to dig into the legal document to see if this is right..

Anyone have a legal gibberish to English converter? (And no, a lawyer
doesn't count)

The DOJ/FBI has been pretty consistent. They want it all and if there is a technicality in the law that doesn't give it to them they have consistently tried to expand the laws, regulations and court cases to give it to them. If you want to be the test case, talk to your lawyers about how little you can do.

But it's also important to remember CALEA compliance and responding to a Title III intercept court order are not necessarily the same thing.

CALEA is only a subset of stuff some carriers have to be prepared to do for "free." Other wiretaps requiring things above and beyond CALEA can be done for time and materials billing to law enforcement after you get a lawful order (which can vary depending on what is demanded). For example, a Title III, FISA or ECPA lawful order can apply to traffic and institutions not covered by CALEA. ISPs have been responding to lawful orders for over a decade, even before CALEA was a law. And the reality is most of the stuff law enforcement actually wants from ISPs on a day to day basis isn't covered by CALEA (i.e. stored communications and transaction records).

http://www.fcc.gov/calea/

   All facilities-based broadband Internet access providers and providers
   of interconnected VoIP service have until May 14, 2007 to come into
   compliance with CALEA.

So are you a

    Facilities-based? (DSL v. cable, dark fiber v. ATM?)
    Broadband? (< 200Kbps?)
    Internet? (VPN?)
    Access? (backbone v. access?)
    Provider? (freenets or paid?)

or are you a

    Provider?
    Interconnected?
    VoIP?
    Service?

If the answer is yes, talk to your lawyer before May 14. If the answer is
maybe, talk to your lawyer; if the answer is I don't know, talk to your
lawyer. And if the answer is no, you probably should still talk to your
lawyer.

If you are doing PPPoE over another carrier's ATM network, are you really
a "facilities-based" provider? Or is the CALEA compliance the responsibility of the underlying ATM network provider to give LEA access to the ATM VC of the subscriber under surveillance?

Jared Mauch wrote:

  You need to have a router or some appliances that will assist
you in the required lawful-intercept capabilities that are necessary.

But anything whatsoever is OK. Since you don't know of the capabilities
required in advance, there's no reason that it be a fast router or switch.
An old slow hub is fine....

Remember, you don't actually have to do anything until *after* you
receive the payment -- that is required up front!

  Take the time to read the 2nd order and report, and review FCC
form 445. The filing date for that form passed, but that was a form to be
filed to capture a "snapshot" of the current state of compliance.

  Keep in mind that you may need to negotiate with the requesting
agency (i.e. the folks that give you the subpoena that cites CALEA).

Speaking from experience, that's very likely -- a lot of negotiation
trouble. No matter what happens, you'll pay some attorney fees.

Also, the gag order was ruled unconstitutional, so always inform your
customer! They may be willing to work out attorney fees, and/or join
you in a suppression hearing.

You probably should remember to call your congresscritters to complain
each and every time it happens.

Most important: call your state ACLU, as they are trying to keep track,
and might be of some help. ;)

Just had this conversation with one of my clients, and it's a good question. Seems like the telco providing the ATM (or other) access cloud might be the responsible party. The ISP reselling that DSL is too far upstream anyway to capture traffic between users of the same DSL cloud, though they could capture traffic between those DSL users and other users of their network or the Internet at large.

Consult your attorney, of course.

Good question. In our case, we are owned by LECs, so we are facilities-based, and the trade-off is doing the intercept at the OC-X level or at the router.

-Patrick

The problem for the DOJ/FBI is CALEA doesn't apply to "private line" networks. The underlying ATM carrier is just providing a private line "emulation" between the ISP and the subscriber, like a T-1 circuit. In the voice world, CALEA generally applied to whichever carrier is operating the first voice switch connected to the subscriber.

But since CALEA was passed, the world changed. The carrier providing
the facilities and the carrier providing the switching may not be the
same company. So the phrase "facilities-based broadband Internet access"
is a mess, unless you happen to be a vertically integrated company. For
vertically integrated carriers, it's mostly a problem of which division
gets stuck with the bill. But for unaffiliated carriers, I think there
is going to be a lot of finger pointing between the facilities-based,
broadband, and Internet companies.

Assuming you're actually serious, how do you deal with customers who dispute usage one or more months ago (when they get their bill)?

We keep summarized RADIUS detail for a considerable time, and it's not unusual to have to pull up several months' worth to quell a customer-initiated billing dispute.

Sean Donelan wrote:

The DOJ/FBI has been pretty consistent. They want it all and if there is a technicality in the law that doesn't give it to them they have consistently tried to expand the laws, regulations and court cases to give it to them. ...

Very true!

But it's also important to remember CALEA compliance and responding to a Title III intercept court order are not necessarily the same thing.

Yes.

CALEA is only a subset of stuff some carriers have to be prepared to do for "free." Other wiretaps requiring things above and beyond CALEA can be done for time and materials billing to law enforcement after you get a lawful order (which can vary depending on what is demanded). For example, a Title III, FISA or ECPA lawful order can apply to traffic and institutions not covered by CALEA. ISPs have been responding to lawful orders for over a decade, even before CALEA was a law. And the reality is most of the stuff law enforcement actually wants from ISPs on a day to day basis isn't covered by CALEA (i.e. stored communications and transaction records).

Yes. But not even CALEA was "for free". There's an argument that although
Congress "authorized" CALEA (and there is also argument about whether the
recent expansion to ISPs was authorized at all), it cannot be required of
the public until Congress *appropriates* the funds, and they are received
by us.

Just like the current argument about how to end the Iraq war. Only
actual appropriations count.

Even non-lawyers should remember our basic civics lessons.

If the answer is yes, talk to your lawyer before May 14. If the answer is
maybe, talk to your lawyer; if the answer is I don't know, talk to your
lawyer. And if the answer is no, you probably should still talk to your
lawyer.

Excellent advice!

And not just any lawyer -- this is probably beyond your benefits and
retirement planner.

William Allen Simpson wrote:

Also, the gag order was ruled unconstitutional, so always inform your
customer! They may be willing to work out attorney fees, and/or join
you in a suppression hearing.

Huh? You can tell a customer that you've had a CALEA subpoena served on you for his/her/its traffic?

Well, I guess it's a way to avoid having to be compliant since every customer will depart 5 seconds after you tell them. No need for the tap then.

Jason Frisvold wrote:

Here's a question that's come up around here. Does a CALEA intercept
include "hairpinning" or is it *only* traffic leaving your network?
I'm of the opinion that a CALEA intercept request includes every bit
of traffic being sent or received by the targeted individual, but
there is strong opposition here that thinks only internet-related
traffic counts.

IANAL... The law does include "hairpinning"; however, the conference we went to last week on CALEA gave us a lot of insight. The LEAs we talked to were interested in us working with them. They understand that the mandate requires some things that are technically infeasible or so cost prohibitive as to mandate abandoning broadband altogether. For example, how do you tap a "customer" that is in a cyber cafe? How do you handle "hairpinning" on a wireless bridge? There is entire DSLAM infrastructure out there that has no filtering capabilities, and the closest one could tap is traffic leaving the DSLAM, but not traffic between customers on the same DSLAM. In general, they seemed to be happy if we could get traffic isolated down to a town level, and just do the best we could to assist in meeting the traffic tap.

Jack Bates
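The tap-placement problem Patrick and Jack describe (a span port upstream of the aggregation router or DSLAM never sees subscriber-to-subscriber "hairpinned" traffic, and rerouting that traffic out and back would change the flow) is easy to get wrong when planning the port-mirroring Jared mentions. The following is an added example, not code from the thread or from any of the posters, that models a small access network and shows which of a target's packets each tap placement covers. The topology, the host and device names (userA, agg1, gateway) and the traffic sample are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A packet is modelled only by its endpoints: (source host, destination host).
Packet = Tuple[str, str]

# Hosts that are not one of our subscribers are reached through the gateway.
INTERNET = "internet"


@dataclass(frozen=True)
class Topology:
    """Which aggregation device (e.g. PPPoE aggregation router or DSLAM) each
    subscriber is attached to. Every aggregation device uplinks to one gateway."""
    attachment: Dict[str, str]

    def device_of(self, host: str) -> str:
        return self.attachment.get(host, INTERNET)


def crosses_uplink(topo: Topology, pkt: Packet) -> bool:
    """True when the packet has to leave its aggregation device. Traffic between
    two subscribers on the same device is switched locally ("hairpinned") and
    never appears on the uplink."""
    src, dst = pkt
    return topo.device_of(src) != topo.device_of(dst)


def forwarding_path(topo: Topology, pkt: Packet, reroute_via_gateway: bool = False) -> List[str]:
    """Devices the packet traverses. A mirror/span copies frames without
    touching this path; forcing hairpinned traffic out to the gateway and back
    (reroute_via_gateway=True) changes it, which is what makes that workaround
    visible to the parties being tapped."""
    src_dev, dst_dev = topo.device_of(pkt[0]), topo.device_of(pkt[1])
    if src_dev == dst_dev and not reroute_via_gateway:
        return [src_dev]
    return [dev for dev in (src_dev, "gateway", dst_dev) if dev != INTERNET]


def seen_by_uplink_tap(topo: Topology, target: str, traffic: List[Packet]) -> List[Packet]:
    """A tap or span port upstream of the aggregation device only sees the
    target's packets that actually cross the uplink."""
    return [p for p in traffic if target in p and crosses_uplink(topo, p)]


def seen_by_subscriber_mirror(topo: Topology, target: str, traffic: List[Packet]) -> List[Packet]:
    """A per-subscriber mirror on the aggregation device itself sees every
    packet the target sends or receives, wherever the other party sits."""
    return [p for p in traffic if target in p]


def coverage_gap(topo: Topology, target: str, traffic: List[Packet]) -> List[Packet]:
    """Target packets an uplink-only tap would miss: exactly the hairpinned ones."""
    uplink = set(seen_by_uplink_tap(topo, target, traffic))
    return [p for p in seen_by_subscriber_mirror(topo, target, traffic) if p not in uplink]


# Constructed sample: userA and userB share agg1, userC sits on agg2,
# and both aggregation devices uplink to the same gateway.
TOPOLOGY = Topology(attachment={"userA": "agg1", "userB": "agg1", "userC": "agg2"})

SAMPLE_TRAFFIC: List[Packet] = [
    ("userA", INTERNET), (INTERNET, "userA"),   # crosses agg1's uplink
    ("userA", "userB"), ("userB", "userA"),     # hairpinned inside agg1
    ("userA", "userC"),                         # agg1 -> gateway -> agg2
    ("userC", "userB"),                         # not the target's traffic
]

if __name__ == "__main__":
    target = "userA"
    print("uplink tap sees     :", seen_by_uplink_tap(TOPOLOGY, target, SAMPLE_TRAFFIC))
    print("subscriber mirror   :", seen_by_subscriber_mirror(TOPOLOGY, target, SAMPLE_TRAFFIC))
    print("missed by uplink tap:", coverage_gap(TOPOLOGY, target, SAMPLE_TRAFFIC))
    print("hairpin path, mirrored:", forwarding_path(TOPOLOGY, ("userA", "userB")))
    print("hairpin path, rerouted:", forwarding_path(TOPOLOGY, ("userA", "userB"), True))
```

Run against the sample, the uplink tap reports three of userA's five packets and the gap is exactly the two userA <-> userB packets, while the subscriber mirror leaves the forwarding path unchanged and the reroute workaround lengthens it from one device to three. Swapping in your own attachment map (subscriber to DSLAM or PPPoE aggregator) is enough to find which pairs of your subscribers an uplink-only tap would never see.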

Jon Lewis wrote:

Follow the usual best practices, and you may save time and money.

1. Ensure that your DHCP, RADIUS, SMTP, and other logs are always,
ALWAYS, *ALWAYS* rolled over and deleted within 7 days without backup.
I'd recommend 3 days, but operational requirements vary.

Assuming you're actually serious, how do you deal with customers who dispute usage one or more months ago (when they get their bill)?

We've never charged on a "usage" model. We always charged on a fixed
tier bandwidth model, payable in advance.

Remember, ISPs surpassed bloated telcos in large part because half of
telcos' inflated costs were for accounting and administration. A long
fight with AT&T in standards committees was because AT&T made 40% or more of
their money on minute-by-minute billed long-distance fax.... That we
made available inexpensively, fixed price, email, etc.

We are much more efficient!

Unfortunately, as Sean mentioned, CALEA assumes everybody looks like a
vertically integrated telco.

I believe it's everything.