The sticky problem remains for any communications carrier, we are looking
for a technical solution to a legal problem.
I believe that if you encrypted your links sufficiently that it was
impossible to siphon the wanted data from your upstream the response would
be for the tapping to move down into your data center before the crypto.
With CALEA requirements and the Patriot Act they could easily compel you
to give them a span port prior to the crypto.
Regardless of how well built our networks are internally and externally we
still must obey a court order.