[96424] in North American Network Operators' Group
Re: ISP CALEA compliance
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu May 10 12:45:21 2007
Date: Thu, 10 May 2007 12:44:00 -0400
From: Jared Mauch <jared@puck.nether.net>
To: Nikos Mouat <nikm@cyberflunk.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.64.0705100825420.9393@rapture.cyberflunk.com>
Errors-To: owner-nanog@merit.edu
On Thu, May 10, 2007 at 08:44:00AM -0700, Nikos Mouat wrote:
>
>
> I have interpreted CALEA to apply only to providers of VOICE service, be
> it VOIP or traditional, however I was told this morning point blank by the
> FCC that CALEA most definitely applies to all ISPs that provide internet
> access at speeds over 200k.
>
> The FCC said that routers must send a copy of all packets to and from a
> selected IP to law enforcement in real time from gateway routers.
>
> I've seen very little CALEA related traffic on this list which reinforced
> my belief that it did not apply to data providers.
>
> Can anyone comment on this?

Sure,

You need to have a router or some appliances that will assist
you in the required lawful-intercept capabilities that are necessary.

Take the time to read the 2nd order and report, and review FCC
form 445. The filing date for that form passed, but that was a form to be
filed to capture a "snapshot" of the current state of compliance.

Keep in mind that you may need to negotiate with the requesting
agency (i.e., the folks that give you the subpoena that cites CALEA).

Take a moment and also review things like T1.IAS (I think it was
renamed again).

There was also a brief CALEA presentation at the past NANOG. As
usual, make sure you chat with your legal counsel. Finding some that have
FCC knowledge/competence (and technology) is a plus.

If you're not offering VoIP services, your life may be easier as
you will only need to intercept the data. Depending on your environment
you could do this with something like port-mirroring, or something
more advanced. There are a number of folks that offer TTP (Trusted
third-provider) services. Verisign comes to mind. But using a TTP
doesn't mean you can hide behind them. Compliance is ultimately your
(the company that gets the subpoena) responsibility.

This is an oversimplified summary and since IANAL nor am I a
CALEA expert all this may be bunk.

Some possibly useful links:
http://www.fcc.gov/calea/
http://www.askcalea.net/
http://www.access.gpo.gov/uscode/title47/chapter9_subchapteri_.html
- Jared (IANAL!)
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.