Re: ISP CALEA compliance

2007-05-23 Thread Martin Hannigan



> I do have a volunteer from EFF...

I had mentioned that both VeriSign and Neustar have people that are
fluent in the technical and general legal issues as well as the legal
aspects. It would seem to make more sense to solicit one of those
organizations since NANOG is about operations, and not politics. The
EFF is a political organization and these are not topics that make
sense for NANOG, IMHO, the list, the program, or a BoF.

Having the EFF explain CALEA at NANOG is like asking the Sierra Club
to identify good sites for oil wells in forests.


Best,

-M<


Re: ISP CALEA compliance

2007-05-23 Thread Steve Feldman



On May 23, 2007, at 1:14 PM, Randy Bush wrote:

>> I do have a volunteer from EFF...
>
> excellent!
>
> steve, can we get this in?

Unfortunately, not in the general session.

We've filled the available time, and it looks like we will be running
until 12:30 Monday and Tuesday, and 13:00 Wednesday.

There might be room for a BOF, but I won't know for sure until I
actually lay out the agenda later today.

Steve



Re: ISP CALEA compliance

2007-05-23 Thread Randy Bush

> I do have a volunteer from EFF...

excellent!

steve, can we get this in?

randy


Re: ISP CALEA compliance

2007-05-23 Thread Steven M. Bellovin

On Wed, 23 May 2007 16:02:35 -0400
Jared Mauch <[EMAIL PROTECTED]> wrote:

> 
> On Wed, May 23, 2007 at 07:08:21PM +, Chris L. Morrow wrote:
> > 
> > 
> > On Wed, 23 May 2007, Joe Abley wrote:
> > 
> > 
> > > Oh! That was a really old message I just replied to. Mail got
> > > kidnapped in a rogue barracuda, it seems, and someone just paid
> > > the ransom. Sorry about the noise :-)
> > 
> > don't swim with them and bait... Was there a final disposition on
> > this? (I suppose maybe the agenda might show it too? though I don't
> > see it currently there...)
> 
>   I was unable to get someone from DoJ CALEA Impl. Unit to
> attend this upcoming NANOG.  They said they had folks available the
> next week but obviously that wouldn't work :(.

I do have a volunteer from EFF...


--Steve Bellovin, http://www.cs.columbia.edu/~smb


Re: ISP CALEA compliance

2007-05-23 Thread Jared Mauch

On Wed, May 23, 2007 at 07:08:21PM +, Chris L. Morrow wrote:
> 
> 
> On Wed, 23 May 2007, Joe Abley wrote:
> 
> 
> > Oh! That was a really old message I just replied to. Mail got
> > kidnapped in a rogue barracuda, it seems, and someone just paid the
> > ransom. Sorry about the noise :-)
> 
> don't swim with them and bait... Was there a final disposition on this? (I
> suppose maybe the agenda might show it too? though I don't see it
> currently there...)

I was unable to get someone from DoJ CALEA Impl. Unit to attend
this upcoming NANOG.  They said they had folks available the next week
but obviously that wouldn't work :(.

I asked them to consider presenting at the upcoming ABQ NANOG.

- Jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: ISP CALEA compliance

2007-05-23 Thread Chris L. Morrow



On Wed, 23 May 2007, Joe Abley wrote:


> Oh! That was a really old message I just replied to. Mail got
> kidnapped in a rogue barracuda, it seems, and someone just paid the
> ransom. Sorry about the noise :-)

don't swim with them and bait... Was there a final disposition on this? (I
suppose maybe the agenda might show it too? though I don't see it
currently there...)


Re: ISP CALEA compliance

2007-05-23 Thread Joe Abley



On 23-May-2007, at 14:56, Joe Abley wrote:

> On 11-May-2007, at 13:55, Chris L. Morrow wrote:
>
>> On Fri, 11 May 2007, Jared Mauch wrote:
>>
>>> If there is interest, perhaps I can make a call to DoJ and
>>> see if someone can present on CALEA at nanog in a few weeks?  (in case
>>> the PC can accommodate them).
>>
>> that seems like a great idea, at least a lightning talk would be nice.
>
> From the sounds of things, a tutorial would be better.

Oh! That was a really old message I just replied to. Mail got
kidnapped in a rogue barracuda, it seems, and someone just paid the
ransom. Sorry about the noise :-)


Joe



Re: ISP CALEA compliance

2007-05-23 Thread Joe Abley



On 11-May-2007, at 13:55, Chris L. Morrow wrote:

> On Fri, 11 May 2007, Jared Mauch wrote:
>
>> If there is interest, perhaps I can make a call to DoJ and
>> see if someone can present on CALEA at nanog in a few weeks?  (in case
>> the PC can accommodate them).
>
> that seems like a great idea, at least a lightning talk would be nice.

From the sounds of things, a tutorial would be better.


Joe




Re: ISP CALEA compliance

2007-05-11 Thread Steven M. Bellovin

On Fri, 11 May 2007 12:47:56 -0700 (GMT-07:00)
Todd Glassey <[EMAIL PROTECTED]> wrote:

> Gee Steven, that's what everyone thought prior to a Federal Judge
> ordering Microsoft to produce seven years of Email...
> 

We're getting off-topic here, but I'll respond.

First -- the context of the conversation is wiretap law, including the
stored communications and customer records provisions.  This covers
what communications providers do for their customers, not internal
emails.

Second:

(a) The judge's order was for a civil lawsuit, under
discovery procedures;

(b) The order was for records that they apparently had.
If Microsoft had had and enforced a policy, prior to that
lawsuit, of not retaining internal email older than 30
days, they'd have been in the clear.  Microsoft got in
trouble because the judge believed they were not complying
with his order to turn over data he believed they had,
either deliberately or by not exerting sufficient effort;

(c) you may have business reasons to retain certain records
for longer, including the requirements of external auditors.
For example, if you do usage-sensitive billing, you may
need to retain certain records for a while so that your
accounting firm can verify that your financial records
accurately reflect actual customer behavior.

(d) What doesn't exist can't be subpoenaed; what does exist,
in general, can be, subject to other specialized exceptions
(i.e., attorney work product)

Third -- that isn't what I'm talking about.  Please see, among others,


http://news.com.com/Gonzales+pressures+ISPs+on+data+retention/2100-1028_3-6077654.html

http://www.theregister.co.uk/2006/09/20/gonzales_calls_for_data_retention/
http://news.com.com/2100-1028_3-6156948.html

Note especially that last one, since it's only 3 months old and provides
for jail time for "employees of any Internet provider who fail to store
that information", and not just fines for the company.

I've tried hard to keep this discussion factual, with copious
references. But I think I've run out of things to say that are even
vaguely on-topic, so I'll shut up.


--Steve Bellovin, http://www.cs.columbia.edu/~smb



Re: ISP CALEA compliance

2007-05-11 Thread Jason Frisvold


On 5/11/07, Todd Glassey <[EMAIL PROTECTED]> wrote:
> Gee Steven, that's what everyone thought prior to a Federal Judge ordering
> Microsoft to produce seven years of Email...

I believe that was because they knew MS *had* that email.  Of course,
any missing email can probably be tossed together pretty quickly using
some fairly simple algorithms, perhaps by using many of the BS
generators already on the Internet..  :)

That said, if you really don't have 7 years worth of email, then the
Federal Judge can order till he's red in the face.

> TSG/


--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com


Re: ISP CALEA compliance

2007-05-11 Thread Sean Donelan


On Fri, 11 May 2007, Steven M. Bellovin wrote:
> As Bill Simpson has quite correctly pointed out, you're also not
> required to roll over and play dead when someone from the government
> asks you for some data. There are laws they're obligated to follow,
> too.  Even if you want to look at it from a purely selfish position,
> you and/or your company may be liable if you co-operate with an
> improper or illegal request.  Have a look at
> http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_2520000-.html
> which provides for civil liability for illegal wiretaps.  You're clear,
> under that statute, if you have good reason to believe the request is
> legal under certain very specific sections of the wiretap law, but not
> otherwise.


An important thing to remember in this discussion is CALEA does not
expand, contract or otherwise change other laws concerning electronic
surveillance.  The government cannot intercept anything under CALEA.

All interception orders must be authorized by some other statute
or some other lawful authority (e.g. claims of Executive Power).

You might never, ever receive a lawful interception order, but still
be in violation of CALEA.  Likewise you might be 100% CALEA compliant,
and still decline or be unable to perform some intercept orders.  CALEA
does enhance some monetary penalties for not being able to perform a
lawful intercept authorized by some other statute or authority; but CALEA
doesn't authorize the interception itself.


Despite attempts by some folks, CALEA compliance != Wiretap authority.



Re: ISP CALEA compliance

2007-05-11 Thread Steven M. Bellovin

On Fri, 11 May 2007 12:17:04 -0400
Jared Mauch <[EMAIL PROTECTED]> wrote:


>   If there is interest, perhaps I can make a call to DoJ and
> see if someone can present on CALEA at nanog in a few weeks?  (in case
> the PC can accommodate them).
> 
And perhaps someone from CDT?  I mean that in all seriousness.  DoJ and
the FBI have pushed the statutory envelope on CALEA, in my opinion.
Different lawyers will often disagree on what the law actually requires
(I'm not even talking about what it should require); it's worth getting
other perspectives.  

Education on this subject is good.  When NANOG met in DC a few years
ago, I personally invited a DoJ attorney to speak on Sunday on wiretap
law (http://www.nanog.org/mtg-0010/justice.html).  I'm not
unsympathetic to legitimate law enforcement or national security needs,
and I'm aware that ISPs need to obey the law.  But DoJ needs to obey
it, too.


--Steve Bellovin, http://www.cs.columbia.edu/~smb


Re: ISP CALEA compliance

2007-05-11 Thread Steven M. Bellovin

On Fri, 11 May 2007 10:52:21 -0400
William Allen Simpson <[EMAIL PROTECTED]> wrote:

> 
> David Lesher wrote:
> > Speaking on Deep Background, the Press Secretary whispered:
> > > You work so hard to defend people that exploit children?
> > > Interesting. We are talking LEA here and not the latest in
> > > piracy law suits. The #1 request from a LEA in my experience
> > > concerns child exploitation.
> > 
> > That's nonsense, or his (press secretary's) experience consists of
> > watching /Law & Order/ and /Without a Trace/.
> 
> No official statistics backs that up.  Where in the world does he
> operate?
> 
> > I think you'll find most intercept orders are drug cases.
> 
> So I've heard, but my experience was the Ashcroft 'net p0rn crackdown.
> What a waste of time and resources for a perfectly legal activity!
> 
> Of course, CALEA (and PATRIOT) were supposed to be about tracking
> terrorists, not common criminals.  That was never the real purpose;
> it was just a wish list.
> 
> Also, with so many college students, we *are* talking about piracy
> lawsuits. But that's civil law, not CALEA or PATRIOT.  Hopefully,
> they haven't tried to expand into that, too?
> 

The latest revisions to copyright law did provide for more criminal
penalties...

Let me toss in a few more factual URLs.

First, on this topic: Federal wiretap warrants can only be issued for
specific crimes.  That list is in 18 USC 2516; see
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_2516000-.html
The list is long, but it doesn't seem to include the RIAA's least
favorite activities -- at least, not yet...  (The list has also been
expanded significantly in recent years.  I haven't bothered to check
the details, but I think that most of the expansion was via the PATRIOT
Act.  Much of the PATRIOT Act, I might add, was a long set of DoJ/FBI
wish list amendments, things they'd wanted for years but couldn't get
through Congress until after 9/11.  My source for that, btw, is
conversations with people in DoJ.)

For CALEA deployment status, see
http://www.usdoj.gov/oig/reports/FBI/a0613/final.pdf
Note in particular how much more expensive CALEA taps are...

For the latest wiretap report, just out last week, see
http://www.uscourts.gov/wiretap06/contents.html
Pay particular attention to Table 3.  The highlight: 80% of all
wiretaps were for narcotics offenses.  There is *no* separate category
for pornography, child or otherwise, which caps the percentage at the
3.5% for "Other".  To be sure, the report notes that sensitive ongoing
cases are not counted; this may reflect ongoing sting operations or
national security wiretaps.  There are no national security or
terrorism wiretaps listed, possibly because those fell under FISA (50
USC 1801 --
http://www4.law.cornell.edu/uscode/html/uscode50/usc_sec_50_1801000-.html ).

For those who remember the Crypto Wars of the 1990s, it's interesting
to note this section of the wiretap report:

Public Law 106-197 amended 18 U.S.C. 2519(2)(b) to require that
reporting should reflect the number of wiretap applications
granted for which encryption was encountered and whether such
encryption prevented law enforcement officials from obtaining
the plain text of communications intercepted pursuant to the
court orders. In 2006, no instances were reported of encryption
encountered during any federal or state wiretap.

The situation may be different for national security wiretaps, but of
course that's where compliance with any US anti-crypto laws are least
likely.

Folks, the factual and legal data is out there, and it's not that hard
to find.  Interpreting it is harder, and frequently does require a
lawyer who really knows the field.  (My favorite example there is 18
USC 2072(c)(6), which *permits* communications providers to disclose
customer records (except for content) to "any person other than a
governmental entity".  I was surprised enough when I first read that
that I went and looked up the legislative history, and it means exactly
what it says.  *But* -- such activity is no longer legal.  Why?  The
Telecom Reform Act of 1996 bars telcos, at least, from certain forms
of information sharing internally, to promote competition in the
telephony market.  They weren't trying to fix the privacy flaw in the
older statute; fortunately, they did -- by accident...)

As Bill Simpson has quite correctly pointed out, you're also not
required to roll over and play dead when someone from the government
asks you for some data. There are laws they're obligated to follow,
too.  Even if you want to look at it from a purely selfish position,
you and/or your company may be liable if you co-operate with an
improper or illegal request.  Have a look at
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_2520000-.html
which provides for civil liability for illegal wiretaps.  You're clear,
under that statute, if you have good reason to believ

Re: ISP CALEA compliance

2007-05-11 Thread Donald Stahl


A _much_ longer version of this was sent privately- but I had to take
public exception to the following comment:

> I'm not surprised that when they are dealing with companies that delete
> all evidence they might need or push as much red tape as possible, that
> the LEA turns around and scrutinizes the company to find where they might
> be in breach of the law.

You are saying it's ok for people in power to be vindictive assholes. You
are saying it is ok to govern through intimidation.


I am both incredulous as well as fearful for the future of our country.

-Don



Re: ISP CALEA compliance

2007-05-11 Thread Steven M. Bellovin

On Fri, 11 May 2007 10:42:14 -0400
"Jason Frisvold" <[EMAIL PROTECTED]> wrote:

> 
> On 5/11/07, Brandon Galbraith <[EMAIL PROTECTED]> wrote:
> > My understanding was data you had needed to be turned over when
> > requested, but CALEA provides no specification/guidance on log
> > retention.
> 
> Agreed.  My understanding, to date, is that the data to be turned over
> is data collected from the beginning of the CALEA tap.  Historical
> data can be requested, but I'm not aware of any official legal
> guidelines on retention time.
> 
There are no legal requirements on proactive data retention in the
US.  Gonzales has suggested that there should be one, but at this
point it's just that -- a suggestion.  I think that at the moment,
the odds of Congress enacting a Gonzales proposal are rather low;
they'd much rather impeach him than listen to him...  There is now an EU
requirement on retention, but the EU's jurisdiction rules are, shall we
say, complex.



--Steve Bellovin, http://www.cs.columbia.edu/~smb


Re: ISP CALEA compliance

2007-05-11 Thread Chris L. Morrow



On Fri, 11 May 2007, Jared Mauch wrote:

>
>   If there is interest, perhaps I can make a call to DoJ and
> see if someone can present on CALEA at nanog in a few weeks?  (in case
> the PC can accommodate them).

that seems like a great idea, at least a lightning talk would be nice.


Re: ISP CALEA compliance

2007-05-11 Thread Jared Mauch

On Fri, May 11, 2007 at 10:42:14AM -0400, Jason Frisvold wrote:
> 
>  On 5/11/07, Brandon Galbraith <[EMAIL PROTECTED]> wrote:
> > My understanding was data you had needed to be turned over when requested,
> > but CALEA provides no specification/guidance on log retention.
> 
>  Agreed.  My understanding, to date, is that the data to be turned over
>  is data collected from the beginning of the CALEA tap.  Historical
>  data can be requested, but I'm not aware of any official legal
>  guidelines on retention time.

CALEA is not a subscriber records type of subpoena or similar.

I'm very concerned with the comments here that folks may come up
with an opinion that CALEA is something they don't need to pay attention
to.  You may luck out and never see a request, nor a Title III, nor
FISA, NSL, or any other lawful request.  This is not a political thing
the way some here on the list appear to be coloring it.

We (as an industry) need to comply with a lawful request, the same
as any other industry (eg: financial services, or otherwise).  

If you take a casual moment to read the CALEA statute, you will
notice it's a capability to perform intercepts, not logs, etc..

If you do not have experience in dealing with court orders, when
you get one, engage some legal counsel immediately.  There are some
small things that you can inadvertently do that can either compromise
the evidence for the LEA, or possibly place your company at significant
legal risk.  I know that DoJ specifically has  trained folks about
CALEA.  Call your local FBI office.  Also CALEA isn't just a DoJ thing,
it could be your local police, state police, or otherwise.

You will need to have the capability to relay to them (in
realtime or pseudo-realtime) via the LES protocol.  If your customer
is a 10G or 40G customer, you need to have the ability to perform
that intercept.  There is not a cutting-edge technology safe-harbor.
Your only safe-harbor for problems is "the industry standard", which
currently is interpreted for internet stuff as the T1.IAS.  You
can buy it for $185 (or $164) here:
https://www.atis.org/docstore/product.aspx?id=22665

You really need to be talking to a mediation device provider
and/or your vendors.  They each have a lawful-intercept story.  Don't
expect any of these solutions to be elegant, as most of them use
stuff like snmp-set and other things to hide the configuration, as per
your Systems Security and Integrity Plan that you had to file already 
(you did file this, right?  as well as filing form 445 ;) not everyone 
in your company should know about the intercept.

If there is interest, perhaps I can make a call to DoJ and
see if someone can present on CALEA at nanog in a few weeks?  (in case
the PC can accommodate them).

- Jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: ISP CALEA compliance

2007-05-11 Thread William Allen Simpson


David Lesher wrote:
> Speaking on Deep Background, the Press Secretary whispered:
>> You work so hard to defend people that exploit children? Interesting. We are
>> talking LEA here and not the latest in piracy law suits. The #1 request from a
>> LEA in my experience concerns child exploitation.
>
> That's nonsense, or his (press secretary's) experience consists of watching
> /Law & Order/ and /Without a Trace/.

No official statistics backs that up.  Where in the world does he operate?

> I think you'll find most intercept orders are drug cases.

So I've heard, but my experience was the Ashcroft 'net p0rn crackdown.
What a waste of time and resources for a perfectly legal activity!

Of course, CALEA (and PATRIOT) were supposed to be about tracking
terrorists, not common criminals.  That was never the real purpose; it was
just a wish list.

Also, with so many college students, we *are* talking about piracy lawsuits.
But that's civil law, not CALEA or PATRIOT.  Hopefully, they haven't tried
to expand into that, too?

> And no matter what, we still have a Constitution... sort of...
> Which brings up my point: be sure and let your Hill Critters
> know what shit you are going through

Thanks!  I said that a bit more politely, but it should be emphasized:
report each and every request to your Congress critters.  Remind them how
much it's costing business, and an utter waste of effort.


Re: ISP CALEA compliance

2007-05-11 Thread Jason Frisvold


On 5/11/07, Brandon Galbraith <[EMAIL PROTECTED]> wrote:
> My understanding was data you had needed to be turned over when requested,
> but CALEA provides no specification/guidance on log retention.

Agreed.  My understanding, to date, is that the data to be turned over
is data collected from the beginning of the CALEA tap.  Historical
data can be requested, but I'm not aware of any official legal
guidelines on retention time.

> -brandon


--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com


Re: ISP CALEA compliance

2007-05-11 Thread Jack Bates


Donald Stahl wrote:
> Working hard to defend privacy does not automatically equal protecting
> people who exploit children- and I'm getting sick and tired of people
> screaming "Think of the children!" It's a stupid, fear mongering tactic-
> and hopefully one day people will think of it in the same way as crying
> wolf.

Confirming a warrant == working hard to defend privacy.

Making sure check clears != working hard to defend privacy
("Yep, you are protected from the government until they pay me.")

Deleting logs to inhibit valid warrants != working hard to defend privacy.

CALEA itself is only for taps, and does not cover record storage. We'll
be hit with that next, and it probably won't be nice legislation based
on what other countries have passed. Lack of maintaining any more of
records and even purposefully deleting them to inhibit law enforcement
will leave the government no choice but to let a bunch of non-technical
people design how we should store records.

The new rules for CPNI come into effect later this year, designed to
keep telcos a little sharper on maintaining customer privacy.

As for CALEA and data taps, who are you fooling? Do you tell customers
they have an expectation of privacy on the Internet? Does anyone here
actually believe that? If so, why are there rantings and ravings about
the weakness in encryption protocols? Why encrypt data at all over the
Internet? Why sign code? If there's an expectation of privacy, then
there should be an expectation of security. If my data can't be viewed,
it won't be modified. Perhaps you believe that criminals have the right
to invade privacy, but the government doesn't have that right even when
they do have just cause.

> Great- so a bunch of people who want the laws bent for them go on a
> power trip because you expect them to OBEY THE LAW and you end up with
> no recourse against them. Yeah- this is the America I want to live in.
> You're absolutely right- it's a crying shame we aren't all buddies with
> the fed's- after all- they only want what's best for us! I'm looking
> forward to the day when the government tells me what to think- thinking
> is hard after all.

I have no problem with expecting a LEA to follow the law. I do have an
issue with making life as difficult as possible for them to do their job
when they are within the law. I'm not surprised that when they are
dealing with companies that delete all evidence they might need or push
as much red tape as possible, that the LEA turns around and scrutinizes
the company to find where they might be in breach of the law.

> If you don't have anything to hide- then why should you care right?

Privacy is always a large concern. However, privacy should be addressed
through proper channels, not by trying to circumvent the laws that have
passed.

> On the other hand- these sorts of laws may just be enough to push
> everyone to use encryption- and then what will LE do?

I agree that it will most likely push criminals to use encryption. On
the other hand, lots of criminals are stupid, so perhaps some good will
come out of it. If it pushes everyone to use encryption, we are better
for it. See above, what expectation of privacy did we have to begin
with? Encryption good.



Jack


Re: ISP CALEA compliance

2007-05-11 Thread Jason Frisvold


On 5/10/07, Jack Bates <[EMAIL PROTECTED]> wrote:
> I think what he meant was "My DSL has been broke for 3 months now, and I haven't
> not be able to use it. You can't charge me for something which wasn't working!"

Question #1 - Did you bother to call our technical support hotline?
No?  Well then it can hardly be our fault that you're not working.

Oh, you did call?  (checks support records) ..  No, no I don't see
that in there..  Please pay the bill.


--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com


RE: ISP CALEA compliance

2007-05-10 Thread Sean Donelan


On Thu, 10 May 2007, Stasiniewicz, Adam wrote:
> Anyway, here is what I have learned from my experience with our friends in
> law enforcement (be it local, state, or federal).  First and foremost, they
> like us are only humans trying to make a living.  They are not out to get us

The troublemakers are usually not the law enforcement agents, but the
consultants and vendors who are just trying to make a living.





RE: ISP CALEA compliance

2007-05-10 Thread Stasiniewicz, Adam

I bet this guy used to work for Enron...

Anyway, here is what I have learned from my experience with our friends in
law enforcement (be it local, state, or federal).  First and foremost, they
like us are only humans trying to make a living.  They are not out to get us
and they don't take some sort of sick pleasure in making us do more work.
When dealing with law enforcement, it is best to be friendly, kind, and
polite.  Smiling helps too.  If they start using big words and legal jargon
or you are not sure how to proceed, call in the folks from legal.  But don't
go about trying to make life harder for law enforcement.  At the end of the
day, they are trying to lock up the folks that send spam, write viruses,
steal people's identity, and make the Internet an unfriendly place.  That
is in addition to stopping all the terrorists, child pornographers,
stalkers, and other unsavory folks who use the Internet to help them in
their crimes.

My $0.02,
Adam Stasiniewicz

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Chris L. Morrow
Sent: Thursday, May 10, 2007 10:50 PM
To: Jon Lewis
Cc: William Allen Simpson; nanog@merit.edu
Subject: Re: ISP CALEA compliance




On Thu, 10 May 2007, Jon Lewis wrote:

>
> On Thu, 10 May 2007, William Allen Simpson wrote:
>
> > Follow the usual best practices, and you may save time and money.
> >
> > 1. Ensure that your DHCP, RADIUS, SMTP, and other logs are always,
> > ALWAYS, *ALWAYS* rolled over and deleted within 7 days without backup.
> > I'd recommend 3 days, but operational requirements vary.
>
> Assuming you're actually serious, how do you deal with customers who
> dispute usage one or more months ago (when they get their bill)?
>

Jon,
there is no way this fellow is serious, nor is there anyway this fellow's
advice should be taken without some serious legal discussions with
in-house counsel... the penalties for non-compliance for CALEA are very
steep (100k/day while an order is outstanding I believe?).

-Chris




Re: ISP CALEA compliance

2007-05-10 Thread Sean Donelan


On Thu, 10 May 2007, Joe Provo wrote:
> Highly likely for most old requests.  Your voice folks can tell you the
> #1 CALEA request is neither kiddie pron nor terrrists, but rather DEA.

Remember, CALEA compliance is separate from any intercept orders you
receive.  If you ask your voice folks, you'll also find out very few
current voice intercepts actually use CALEA compliant equipment or
capabilities.

CALEA is primarily concerned with the interception of real-time
communications, and doesn't include access to stored records.

http://www.access.gpo.gov/uscode/title47/chapter9_subchapteri_.html

Also if you talk to your voice guys who have been doing this for many
years, you'll discover every time a telephone engineer opened his mouth
and said "what about this," the response from the government was "yes,
we want that too, even though we don't understand what it is."

> Anyone concerned with broadband CALEA should check with their legal team
> and officers to see who if anyone signed off on the securities manual
> form 445 and form 105 SSI.  Deadlines were in February and March, so if
> your legal believes you are needing to comply, they should have already
> handled the matter.

Yep, that's why you have lawyers and legal departments.  CALEA is not
an engineering problem, it's a legal/budget problem.  Whose legal and
budget is going to pay for it, and who doesn't.


Re: ISP CALEA compliance

2007-05-10 Thread Brandon Galbraith

On 5/10/07, Chris L. Morrow <[EMAIL PROTECTED]> wrote:
> Jon,
>
> there is no way this fellow is serious, nor is there anyway this fellow's
> advice should be taken without some serious legal discussions with
> in-house counsel... the penalties for non-compliance for CALEA are very
> steep (100k/day while an order is outstanding I believe?).
>
> -Chris

My understanding was data you had needed to be turned over when requested,
but CALEA provides no specification/guidance on log retention.

-brandon


Re: ISP CALEA compliance

2007-05-10 Thread Chris L. Morrow



On Thu, 10 May 2007, Jon Lewis wrote:

>
> On Thu, 10 May 2007, William Allen Simpson wrote:
>
> > Follow the usual best practices, and you may save time and money.
> >
> > 1. Ensure that your DHCP, RADIUS, SMTP, and other logs are always,
> > ALWAYS, *ALWAYS* rolled over and deleted within 7 days without backup.
> > I'd recommend 3 days, but operational requirements vary.
>
> Assuming you're actually serious, how do you deal with customers who
> dispute usage one or more months ago (when they get their bill)?
>

Jon,
there is no way this fellow is serious, nor is there anyway this fellow's
advice should be taken without some serious legal discussions with
in-house counsel... the penalties for non-compliance for CALEA are very
steep (100k/day while an order is outstanding I believe?).

-Chris


Re: ISP CALEA compliance

2007-05-10 Thread Steven M. Bellovin

On Thu, 10 May 2007 16:03:49 -0400
William Allen Simpson <[EMAIL PROTECTED]> wrote:


> Congress "authorized" CALEA (and there is also argument about whether
> the recent expansion to ISPs was authorized at all), it cannot be
> required of the public until Congress *appropriates* the funds, and
> they are received by us.
> 
> Just like the current argument about how to end the Iraq war.  Only
> actual appropriations count.
> 
> Even non-lawyers should remember our basic civics lessons.
> 
What appropriation?

Have a look at the actual text of the law at
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=103_cong_bills&docid=f:h4922enr.txt.pdf
(If the link doesn't work, go to thomas.loc.gov and look for bill
H.R. 4922 from the 103rd Congress.  If that still doesn't help, email
me and I'll send you the PDF.)

Anyway -- for the most part, the law does not impose mandates on the
government, so there's no necessary appropriation.  The law requires
carriers to do certain things, which doesn't necessarily cost the
government money.  To be sure, the CALEA act does authorize money to
reimburse carriers for the changes -- see Section 109.  But that money
was for upgrading facilities deployed before 1995, which I suspect
applies to none of the gear we're talking about here... ("Help, my AGS+
isn't CALEA-compliant!")  The law (Section 109(d)) does say what
happens if the money isn't appropriated -- you're exempt until "the
equipment, facility, or service is replaced or significantly upgraded
or otherwise undergoes major modification."  Does that sound like your
POPs?

(OT: When government spending is involved, Bill is absolutely right.
The framers of the Constitution were very careful to make sure that
Congress, not the President, had the right to raise taxes and
authorize spending, and that military appropriations in particular
could not be for longer than two years.  Why?  Because they were
intimately familiar with British history, much of which included a
perpetual struggle between the monarch and Parliament over money to
wage war.  If memory serves, Parliament gained control over that in
1243 (and definitely not very long after the Magna Carta), and it
regularly used that power to rein in the king or queen.  The monarch
did have direct control over certain revenue sources -- but anything
like that was carefully excluded from the American constitution.  It
isn't possible to understand the Constitution without knowing British
history.)


--Steve Bellovin, http://www.cs.columbia.edu/~smb


Re: ISP CALEA compliance

2007-05-10 Thread Stephen Satchell


David Lesher wrote:


Speaking on Deep Background, the Press Secretary whispered:
You work so hard to defend people that exploit children? Interesting. We are 
talking LEA here and not the latest in piracy law suits. The #1 request from a 
LEA in my experience concerns child exploitation.


I think you'll find most intercept orders are drug cases. 


And no matter what, we still have a Constitution... sort of...
Which brings up my point: be sure and let your Hill Critters
know what shit you are going through...


So far, my involvement with law enforcement has been split evenly 
between illegal gambling and income tax evasion.  Nothing else.


Of course, I'm based in Nevada; if I were elsewhere the gambling 
("gaming" as it's called here) would most likely drop off the map.


Re: ISP CALEA compliance

2007-05-10 Thread David Lesher


Speaking on Deep Background, the Press Secretary whispered:
> 
> You work so hard to defend people that exploit children? Interesting. We are 
> talking LEA here and not the latest in piracy law suits. The #1 request from 
> a 
> LEA in my experience concerns child exploitation.

I think you'll find most intercept orders are drug cases. 

And no matter what, we still have a Constitution... sort of...
Which brings up my point: be sure and let your Hill Critters
know what shit you are going through...


-- 
A host is a host from coast to coast ........... [EMAIL PROTECTED]
& no one will talk to a host that's close ...... [v].(301) 56-LINUX
Unless the host (that isn't close) ............. pob 1433
is busy, hung or dead .......................... 20915-1433



Re: ISP CALEA compliance

2007-05-10 Thread Stephen Sprunk


Thus spake "Donald Stahl" <[EMAIL PROTECTED]>

Working hard to defend privacy does not automatically equal
protecting people who exploit children- and I'm getting sick and
tired of people screaming "Think of the children!" It's a stupid,
fear mongering tactic- and hopefully one day people will think
of it in the same way as crying wolf.


Ditto; I'm sick of all the programs that are pushed with that justification. 
People are all too happy to give up their privacy to "protect" kids, rather 
than just doing a decent job of parenting themselves.



If you don't have anything to hide- then why should you care right?

On the other hand- these sorts of laws may just be enough to
push everyone to use encryption- and then what will LE do?


Arrest everyone!  Have you forgotten the court ruling a year or two ago that 
using PGP was evidence of covering up a crime?


S

Stephen Sprunk  "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov 





Re: ISP CALEA compliance

2007-05-10 Thread Joe Provo

On Thu, May 10, 2007 at 03:42:27PM -0500, Jack Bates wrote:
[snip]
> You work so hard to defend people that exploit children? Interesting. We 
> are talking LEA here and not the latest in piracy law suits. The #1 request 
> from a LEA in my experience concerns child exploitation.

Highly likely for most old requests.  Your voice folks can tell you the
#1 CALEA request is neither kiddie pron nor terrrists, but rather DEA.
Anyone concerned with broadband CALEA should check with their legal team 
and officers to see who, if anyone, signed off on the securities manual,
form 445 and form 105 SSI.  Deadlines were in February and March, so if
your legal team believes you need to comply, they should have already
handled the matter.

Joe

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE


Re: ISP CALEA compliance

2007-05-10 Thread Donald Stahl


You work so hard to defend people that exploit children? Interesting. We are 
talking LEA here and not the latest in piracy law suits. The #1 request from 
a LEA in my experience concerns child exploitation.


Working hard to defend privacy does not automatically equal protecting 
people who exploit children- and I'm getting sick and tired of people 
screaming "Think of the children!" It's a stupid, fear mongering tactic- 
and hopefully one day people will think of it in the same way as crying 
wolf.


If law enforcement could be trusted to be competent you might have an 
argument- but considering the avalanche of cases where cops a) get their 
information wrong and go after the wrong person b) go out of their way to 
ignore evidence exonerating people because it might screw up their 
records c) simply don't have a clue or d) plant evidence (on a 90 year 
old woman for God's sake)- then it's nice to know that there are people out 
there forcing LE to play by the rules, get actual warrants, etc.


Then again perhaps I am biased- The USSS used to hold meetings at 7 World 
Trade Center to facilitate interaction between computer security firms and 
LE. In those meetings I realized that LE is split about 50/50- 
those who get it (ie those I would help)- and those who are so clueless 
wrt computers that it makes me cringe (ie those I wouldn't talk to, let 
alone try to help). Unfortunately it seems to have gotten worse- The 
agents who used to deal with this stuff were those who actually wanted to- 
now every agent likes to play with computers.


Hmmm, you must have been one of those types the agents I talked to were 
referring to. They said that those who give them the most flak usually get 
the least amount of slack. Play hardball with the government, and it will 
play hardball back at you. I'd definitely make sure you stick to #4 if 
following #1-3.


Great- so a bunch of people who want the laws bent for them go on a power 
trip because you expect them to OBEY THE LAW and you end up with no 
recourse against them. Yeah- this is the America I want to live in. You're 
absolutely right- it's a crying shame we aren't all buddies with the 
feds- after all- they only want what's best for us! I'm looking forward 
to the day when the government tells me what to think- thinking is hard 
after all.


If you don't have anything to hide- then why should you care right?

On the other hand- these sorts of laws may just be enough to push everyone 
to use encryption- and then what will LE do?


Sigh- I give up.

-Don


Re: ISP CALEA compliance

2007-05-10 Thread Jack Bates


William Allen Simpson wrote:

We've never charged on a "usage" model.  We always charged on a fixed
tier bandwidth model, payable in advance.



I think what he meant was "My DSL has been broken for 3 months now, and I 
haven't been able to use it. You can't charge me for something which wasn't working!"


*checks logs*

"Well, interestingly enough we see that you used it here, here, here, and here. 
Pay the bill, please."



Jack Bates


Re: ISP CALEA compliance

2007-05-10 Thread Jack Bates


William Allen Simpson wrote:

Speaking from experience, that's very likely -- a lot of negotiation
trouble.  No matter what happens, you'll pay some attorney fees.

Also, the gag order was ruled unconstitutional, so always inform your
customer!  They may be willing to work out attorney fees, and/or join
you in a suppression hearing.

You probably should remember to call your congresscritters to complain
each and every time it happens.

Most important: call your state ACLU, as they are trying to keep track,
and might be of some help. ;-)

You work so hard to defend people that exploit children? Interesting. We are 
talking LEA here and not the latest in piracy law suits. The #1 request from a 
LEA in my experience concerns child exploitation.



Follow the usual best practices, and you may save time and money.

1. Ensure that your DHCP, RADIUS, SMTP, and other logs are always,
ALWAYS, *ALWAYS* rolled over and deleted within 7 days without backup.
I'd recommend 3 days, but operational requirements vary.

This has been a nice trick by many, and it does circumvent CALEA, as if you can't 
give the customer info to begin with, they probably won't be able to request 
a tap. The exception is emergency taps requested while an action is going on.



2. Insist that you receive payment *in advance* before doing anything!
And wait until the check clears.



I'm not sure that this would work with all LEA orders.


3. Remind the requesting agency that everything must be signed by a
judge.  Call the issuing court to confirm.  Don't accept "exigent"
administrative requests.  The recent inspector general report showed
that most administrative requests were never followed up by actual
judicially approved requests, and virtually none of them warranted
exigent status -- they were illegal shortcuts.



The last I checked, LEAs have a 48 hour window for emergency orders, and they 
are supposed to be honored. I'd definitely check with a lawyer on that one.



4. Never, NEVER, *NEVER* speak to a federal agent of any kind.  Do not
allow them into the building.  Require them to speak to your attorney.
Require everything in writing.  No exceptions!

We returned the first request as inadequate -- since it misspelled the
name of the company and the address, and wasn't accompanied by a check.

Our problem was that we weren't rigorous about #1 (some staff had been
keeping some backups sometimes), and the resulting time and expense for
extracting "lawful" information from all the rest was painful.  Learn
from our mistake.


Hmmm, you must have been one of those types the agents I talked to were 
referring to. They said that those who give them the most flak usually get the 
least amount of slack. Play hardball with the government, and it will play 
hardball back at you. I'd definitely make sure you stick to #4 if following #1-3.


Of course, IANAL and YMMV.

Jack Bates


Re: ISP CALEA compliance

2007-05-10 Thread Mike Hammett


I believe if you have any equipment in the process at all, you're to be 
CALEA compliant.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Sean Donelan" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, May 10, 2007 2:23 PM
Subject: Re: ISP CALEA compliance




On Thu, 10 May 2007, Patrick Muldoon wrote:
We've been under the impression that it is *all* data.  So for us, things 
like PPPoE Sessions, just putting a tap/span port upstream of the 
aggregation router will not work as you would miss any traffic going from 
USER A <-> USER B, if they were on the same aggregation device.   Since 
the Intercept has to be invisible to the parties being tapped, you can't 
route their traffic back out and then in either, since the tap would 
change the flow.  In that regard, we've been upgrading our older NPE's 
to newer ones in order to support SII.  All the while I keep having 
something a co-worker said stuck in my head.  "CALEA - Consultant And 
Lawyer Enrichment Act" :)


If you are doing PPPOE over another carrier's ATM network, are you really
a "facilities-based" provider?  Or is the CALEA compliance the 
responsibility of the underlying ATM network provider to give LEA access 
to the ATM VC of the subscriber under surveillance?








Re: ISP CALEA compliance

2007-05-10 Thread Mike Hammett


Join the wireless list at wispa.org and the wisp list at part-15.org
They've been discussing it quite a bit.  There's also a FAQ at wispa.org


-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Nikos Mouat" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, May 10, 2007 10:44 AM
Subject: ISP CALEA compliance





I have interpreted CALEA to apply only to providers of VOICE service, be 
it VOIP or traditional, however I was told this morning point blank by the 
FCC that CALEA most definitely applies to all ISPs that provide internet 
access at speeds over 200k.


The FCC said that routers must send a copy of all packets to and from a 
selected IP to law enforcement in real time from gateway routers.


I've seen very little CALEA related traffic on this list which reinforced 
my belief that it did not apply to data providers.


Can anyone comment on this?

Thanks.
-nm





Re: ISP CALEA compliance

2007-05-10 Thread Mike Hammett


I recommend Kris Twomey...   lokt.net


-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "David E. Smith" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, May 10, 2007 11:36 AM
Subject: Re: ISP CALEA compliance




Nikos Mouat wrote:


I have interpreted CALEA to apply only to providers of VOICE service,
be it VOIP or traditional, however I was told this morning point blank
by the FCC that CALEA most definitely applies to all ISPs that provide
internet access at speeds over 200k.


That, and the definition of ISP, are still a bit fuzzy...

[EMAIL PROTECTED], for instance, has had a LOT of chatter about that,
but WISPA's staff attorney believes that small wireless ISPs are
required to be CALEA-compliant. (WISPA is a trade association for
wireless ISPs.) If small ISPs have to be compliant, it's probably safe
to assume big ISPs are too. :)

http://lists.wispa.org/pipermail/wireless/ is the list archive - there's
a lot of noise in there, but a fair amount of signal (start in February
2007 or so, and work your way up). There's also forms you're apparently
supposed to fill out (FCC Form 445, and a CALEA compliance plan due next
week).

As always your friendly attorney knows better than I do.

David Smith
MVN.net



Re: ISP CALEA compliance

2007-05-10 Thread Mike Hammett


I believe its everything.


-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Jason Frisvold" <[EMAIL PROTECTED]>

To: "Jared Mauch" <[EMAIL PROTECTED]>
Cc: "Nikos Mouat" <[EMAIL PROTECTED]>; 
Sent: Thursday, May 10, 2007 1:03 PM
Subject: Re: ISP CALEA compliance




On 5/10/07, Jared Mauch <[EMAIL PROTECTED]> wrote:

If you're not offering VoIP services, your life may be easier as
you will only need to intercept the data.  Depending on your environment
you could do this with something like port-mirroring, or something
more advanced.  There are a number of folks that offer TTP (Trusted
third-provider) services.  Verisign comes to mind.  But using a TTP
doesn't mean you can hide behind them.  Compliance is ultimately your
(the company that gets the subpoena) responsibility.


Here's a question that's come up around here.  Does a CALEA intercept
include "hairpinning" or is it *only* traffic leaving your network?
I'm of the opinion that a CALEA intercept request includes every bit
of traffic being sent or received by the targeted individual, but
there is strong opposition here that thinks only internet-related
traffic counts.


- Jared (IANAL!)


--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com



Re: ISP CALEA compliance

2007-05-10 Thread William Allen Simpson


Jon Lewis wrote:

On Thu, 10 May 2007, William Allen Simpson wrote:


Follow the usual best practices, and you may save time and money.

1. Ensure that your DHCP, RADIUS, SMTP, and other logs are always,
ALWAYS, *ALWAYS* rolled over and deleted within 7 days without backup.
I'd recommend 3 days, but operational requirements vary.


Assuming you're actually serious, how do you deal with customers who 
dispute usage one or more months ago (when they get their bill)?



We've never charged on a "usage" model.  We always charged on a fixed
tier bandwidth model, payable in advance.

Remember, ISPs surpassed bloated telcos in large part because half of
telco's inflated costs were for accounting and administration.  A long
fight with ATT in standards committees was because ATT made 40% or more of
their money on minute by minute billed long-distance fax...  That we
made available inexpensively, fixed price, email, etc.

We are much more efficient!

Unfortunately, as Sean mentioned, CALEA assumes everybody looks like a
vertically integrated telco.


Re: ISP CALEA compliance

2007-05-10 Thread Jack Bates


Jason Frisvold wrote:


Here's a question that's come up around here.  Does a CALEA intercept
include "hairpinning" or is it *only* traffic leaving your network?
I'm of the opinion that a CALEA intercept request includes every bit
of traffic being sent or received by the targeted individual, but
there is strong opposition here that thinks only internet-related
traffic counts.



IANAL... The law does include "hairpinning", however, the conference we went to 
last week on CALEA gave us a lot of insight. The LEAs we talked to were 
interested in us working with them. They understand that the mandate requires 
some things that are technically infeasible or so cost prohibitive as to mandate 
abandoning broadband altogether. For example, how do you tap a "customer" that 
is in a cyber cafe? How do you handle "hairpinning" on a wireless bridge? There 
is entire DSLAM infrastructure out there that has no filtering capabilities and 
the closest one could tap is leaving the DSLAM, but not traffic between 
customers on the same DSLAM. In general, they seemed to be happy if we could get 
traffic isolated down to a town level, and just do the best we could to assist 
in meeting the traffic tap.


Jack Bates


Re: ISP CALEA compliance

2007-05-10 Thread William Allen Simpson


Sean Donelan wrote:
The DOJ/FBI has been pretty consistent. They want it all and if there is 
a technicality in the law that doesn't give it to them they have 
consistently tried to expand the laws, regulations and court cases to 
give it to them. ...



Very true!


But it's also important to remember CALEA compliance and responding to a 
Title III intercept court order are not necessarily the same thing.



Yes.


CALEA is only a subset of stuff some carriers have to be prepared to do 
for "Free." Other wiretaps requiring things above and beyond CALEA can 
be done for a time and materials billing to law enforcement after you 
get a lawful order (which can vary depending on what is demanded).  For 
example, a Title III, FISA or ECPA lawful order can apply to traffic and 
institutions not covered by CALEA.  ISPs have been responding to lawful 
orders for over a decade, even before CALEA was a law.  And the reality
is most of the stuff law enforcement actually wants from ISPs on a day to
day basis isn't covered by CALEA (i.e. stored communications and 
transaction records).



Yes.  But not even CALEA was "for free".  There's an argument that although
Congress "authorized" CALEA (and there is also argument about whether the
recent expansion to ISPs was authorized at all), it cannot be required of
the public until Congress *appropriates* the funds, and they are received
by us.

Just like the current argument about how to end the Iraq war.  Only
actual appropriations count.

Even non-lawyers should remember our basic civics lessons.



If the answer is yes, talk to your lawyer before May 14.  If the answer is
maybe, talk to your lawyer, if the answer is I don't know, talk to your 
lawyer.  And if the answer is no, you probably should still talk to your
lawyer.


Excellent advice!

And not just any lawyer -- this is probably beyond your benefits and
retirement planner.


Re: ISP CALEA compliance

2007-05-10 Thread Jon Lewis


On Thu, 10 May 2007, William Allen Simpson wrote:


Follow the usual best practices, and you may save time and money.

1. Ensure that your DHCP, RADIUS, SMTP, and other logs are always,
ALWAYS, *ALWAYS* rolled over and deleted within 7 days without backup.
I'd recommend 3 days, but operational requirements vary.


Assuming you're actually serious, how do you deal with customers who 
dispute usage one or more months ago (when they get their bill)?


We keep summarized radius detail for a considerable time, and it's not 
unusual to have to pull up several months worth to quell a customer 
initiated billing dispute.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: ISP CALEA compliance

2007-05-10 Thread Sean Donelan


On Thu, 10 May 2007, Daniel Senie wrote:
Just had this conversation with one of my clients, and it's a good question. 
Seems like the telco providing the ATM (or other) access cloud might be the 
responsible party. The ISP reselling that DSL is too far upstream anyway to 
capture traffic between users of the same DSL cloud, though they could 
capture traffic between those DSL users and other users of their network or 
the Internet at large.


Consult your attorney, of course.


The problem for the DOJ/FBI is CALEA doesn't apply to "private line" 
networks.  The underlying ATM carrier is just providing a private line
"emulation" between the ISP and the subscriber, like a T-1 circuit.  In 
the Voice world, CALEA generally applied to whichever carrier is 
operating the first voice switch connected to the subscriber.


But since CALEA was passed, the world changed.  The carrier providing
the facilities and the carrier providing the switching may not be the
same company.  So the phrase "facilities-based broadband Internet access"
is a mess, unless you happen to be a vertically integrated company.  For
vertically integrated carriers, it's mostly a problem of which division
gets stuck with the bill.  But for unaffiliated carriers, I think there
is going to be a lot of finger pointing between the facilities-based,
broadband, and Internet companies.




Re: ISP CALEA compliance

2007-05-10 Thread Patrick Muldoon



On May 10, 2007, at 3:23 PM, Sean Donelan wrote:

If you are doing PPPOE over another carrier's ATM network, are you really
a "facilities-based" provider?  Or is the CALEA compliance the
responsibility of the underlying ATM network provider to give LEA
access to the ATM VC of the subscriber under surveillance?


Good question.  In our case, we are owned by LECs, so we are
facilities based, and the trade off is doing the intercept at the OC-X
level or at the router.


-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

Press [ESC] to detonate or any other key to explode.



Re: ISP CALEA compliance

2007-05-10 Thread Daniel Senie


At 03:23 PM 5/10/2007, Sean Donelan wrote:



On Thu, 10 May 2007, Patrick Muldoon wrote:
We've been under the impression that it is *all* data.  So for us, 
things like PPPoE Sessions, just putting a tap/span port upstream 
of the aggregation router will not work as you would miss any 
traffic going from USER A <-> USER B, if they were on the same 
aggregation device.   Since the Intercept has to be invisible to 
the parties being tapped, you can't route their traffic back out 
and then in either, since the tap would change the flow.  In that 
regard, we've been upgrading our older NPE's to newer ones in order 
to support SII.  All the while I keep having something a co-worker 
said stuck in my head.  "CALEA - Consultant And Lawyer Enrichment Act" :)


If you are doing PPPOE over another carrier's ATM network, are you really
a "facilities-based" provider?  Or is the CALEA compliance the 
responsibility of the underlying ATM network provider to give LEA 
access to the ATM VC of the subscriber under surveillance?


Just had this conversation with one of my clients, and it's a good 
question. Seems like the telco providing the ATM (or other) access 
cloud might be the responsible party. The ISP reselling that DSL is 
too far upstream anyway to capture traffic between users of the same 
DSL cloud, though they could capture traffic between those DSL users 
and other users of their network or the Internet at large.


Consult your attorney, of course. 



Re: ISP CALEA compliance

2007-05-10 Thread William Allen Simpson


Jared Mauch wrote:

You need to have a router or some appliances that will assist
you in the required lawful-intercept capabilities that are necessary.


But anything whatsoever is OK.  Since you don't know of the capabilities
required in advance, there's no reason that it be a fast router or switch.
An old slow hub is fine.

Remember, you don't actually have to do anything until *after* you
receive the payment -- that is required up front!



Take the time to read the 2nd order and report, and review FCC
form 445.  The filing date for that form passed, but that was a form to be
filed to capture a "snapshot" of the current state of compliance.

Keep in mind that you may need to negotiate with the requesting
agency (ie: the folks that give you the subpoena that cites CALEA).


Speaking from experience, that's very likely -- a lot of negotiation
trouble.  No matter what happens, you'll pay some attorney fees.

Also, the gag order was ruled unconstitutional, so always inform your
customer!  They may be willing to work out attorney fees, and/or join
you in a suppression hearing.

You probably should remember to call your congresscritters to complain
each and every time it happens.

Most important: call your state ACLU, as they are trying to keep track,
and might be of some help. ;-)

===

Follow the usual best practices, and you may save time and money.

1. Ensure that your DHCP, RADIUS, SMTP, and other logs are always,
ALWAYS, *ALWAYS* rolled over and deleted within 7 days without backup.
I'd recommend 3 days, but operational requirements vary.

2. Insist that you receive payment *in advance* before doing anything!
And wait until the check clears.

3. Remind the requesting agency that everything must be signed by a
judge.  Call the issuing court to confirm.  Don't accept "exigent"
administrative requests.  The recent inspector general report showed
that most administrative requests were never followed up by actual
judicially approved requests, and virtually none of them warranted
exigent status -- they were illegal shortcuts.

4. Never, NEVER, *NEVER* speak to a federal agent of any kind.  Do not
allow them into the building.  Require them to speak to your attorney.
Require everything in writing.  No exceptions!

We returned the first request as inadequate -- since it misspelled the
name of the company and the address, and wasn't accompanied by a check.

Our problem was that we weren't rigorous about #1 (some staff had been
keeping some backups sometimes), and the resulting time and expense for
extracting "lawful" information from all the rest was painful.  Learn
from our mistake.


Re: ISP CALEA compliance

2007-05-10 Thread Sean Donelan


On Thu, 10 May 2007, Patrick Muldoon wrote:
We've been under the impression that it is *all* data.  So for us, things like 
PPPoE Sessions, just putting a tap/span port upstream of the aggregation 
router will not work as you would miss any traffic going from USER A <-> USER 
B, if they were on the same aggregation device.   Since the Intercept has to 
be invisible to the parties being tapped, you can't route their traffic back 
out and then in either, since the tap would change the flow.  In that 
regard, we've been upgrading our older NPE's to newer ones in order to 
support SII.  All the while I keep having something a co-worker said stuck in 
my head.  "CALEA - Consultant And Lawyer Enrichment Act" :)


If you are doing PPPOE over another carrier's ATM network, are you really
a "facilities-based" provider?  Or is the CALEA compliance the 
responsibility of the underlying ATM network provider to give LEA access 
to the ATM VC of the subscriber under surveillance?





Re: ISP CALEA compliance

2007-05-10 Thread Sean Donelan


On Thu, 10 May 2007, Jason Frisvold wrote:

Here's a question that's come up around here.  Does a CALEA intercept
include "hairpinning" or is it *only* traffic leaving your network?
I'm of the opinion that a CALEA intercept request includes every bit
of traffic being sent or received by the targeted individual, but
there is strong opposition here that thinks only internet-related
traffic counts.


The DOJ/FBI has been pretty consistent. They want it all and if there is 
a technicality in the law that doesn't give it to them they have 
consistently tried to expand the laws, regulations and court cases to 
give it to them. If you want to be the test case, talk to your lawyers 
about how little you can do.


But it's also important to remember CALEA compliance and responding to a 
Title III intercept court order are not necessarily the same thing.


CALEA is only a subset of stuff some carriers have to be prepared to do 
for "Free." Other wiretaps requiring things above and beyond CALEA can be 
done for a time and materials billing to law enforcement after you get a 
lawful order (which can vary depending on what is demanded).  For 
example, a Title III, FISA or ECPA lawful order can apply to traffic and 
institutions not covered by CALEA.  ISPs have been responding to lawful 
orders for over a decade, even before CALEA was a law.  And the reality
is most of the stuff law enforcement actually wants from ISPs on a day to
day basis isn't covered by CALEA (i.e. stored communications and 
transaction records).


http://www.fcc.gov/calea/

  All facilities-based broadband Internet access providers and providers
  of interconnected VoIP service have until May 14, 2007 to come into
  compliance with CALEA.

So are you a

   Facilities-based? (DSL v. cable, dark fiber v. ATM?)
   Broadband? (< 200Kbps?)
   Internet? (VPN?)
   Access? (backbone v. access?)
   Provider? (freenets or paid?)

or are you a

   Provider?
   Interconnected?
   VoIP?
   Service?

If the answer is yes, talk to your lawyer before May 14.  If the answer is
maybe, talk to your lawyer, if the answer is I don't know, talk to your 
lawyer.  And if the answer is no, you probably should still talk to your
lawyer.



Re: ISP CALEA compliance

2007-05-10 Thread Jason Frisvold


On 5/10/07, Patrick Muldoon <[EMAIL PROTECTED]> wrote:

We've been under the impression that it is *all* data.  So for us,
things like PPPoE Sessions, just putting a tap/span port upstream of
the aggregation router will not work as you would miss any traffic
going from USER A <-> USER B, if they were on the same aggregation
device.   Since the Intercept has to be invisible to the parties
being tapped, you can't route their traffic back out and then in
either, since the tap would change the flow.  In that regard, we've
been upgrading our older NPE's to newer ones in order to support
SII.  All the while I keep having something a co-worker said stuck in
my head.  "CALEA - Consultant And Lawyer Enrichment Act" :)


Agreed..  Now to dig into the legal document to see if this is right..

Anyone have a legal-gibberish-to-English converter?  (And no, a lawyer
doesn't count)


> -Patrick


--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com


Re: ISP CALEA compliance

2007-05-10 Thread Patrick Muldoon


On May 10, 2007, at 2:03 PM, Jason Frisvold wrote:


> Here's a question that's come up around here.  Does a CALEA intercept
> include "hairpinning" or is it *only* traffic leaving your network?
> I'm of the opinion that a CALEA intercept request includes every bit
> of traffic being sent or received by the targeted individual, but
> there is strong opposition here that thinks only internet-related
> traffic counts.



IANAL and I don't even play on the net, but...

We've been under the impression that it is *all* data.  So for us,
things like PPPoE Sessions, just putting a tap/span port upstream of
the aggregation router will not work as you would miss any traffic
going from USER A <-> USER B, if they were on the same aggregation
device.  Since the Intercept has to be invisible to the parties
being tapped, you can't route their traffic back out and then in
either, since the tap would change the flow.  In that regard, we've
been upgrading our older NPE's to newer ones in order to support
SII.  All the while I keep having something a co-worker said stuck in
my head.  "CALEA - Consultant And Lawyer Enrichment Act" :)


-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

Sure it's user-friendly...if you know what you're doing.
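As an added illustration of the hairpin point above (a constructed toy model written for this archive, not code from the thread, from INOC, or from any router vendor), the following Python compares what a passive span port upstream of the aggregation router sees versus a tap on the aggregation device that terminates the target's own session. Device names, subscribers and flows are all made up.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed topology: subscriber -> aggregation router terminating its
# PPPoE session. userA and userB share agg1; userC is on agg2.
AGG_OF = {"userA": "agg1", "userB": "agg1", "userC": "agg2"}
CORE, EDGE, INTERNET = "core", "edge", "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def path(flow: Flow) -> List[str]:
    """Devices a packet of this flow traverses, in order (toy model)."""
    if flow.src == INTERNET:
        return [EDGE, CORE, AGG_OF[flow.dst]]
    src_agg = AGG_OF[flow.src]
    if flow.dst == INTERNET:
        return [src_agg, CORE, EDGE]
    dst_agg = AGG_OF[flow.dst]
    if dst_agg == src_agg:
        return [src_agg]  # hairpins inside one aggregation device
    return [src_agg, CORE, dst_agg]


def intercepted(target: str, tap_at: str, flows: Iterable[Flow]) -> Set[Tuple[str, str]]:
    """Flows involving target that a passive tap at tap_at would see."""
    return {(f.src, f.dst) for f in flows
            if target in (f.src, f.dst) and tap_at in path(f)}


def missed(target: str, tap_at: str, flows: Iterable[Flow]) -> Set[Tuple[str, str]]:
    """Flows involving target that the tap placement fails to capture."""
    flows = list(flows)
    wanted = {(f.src, f.dst) for f in flows if target in (f.src, f.dst)}
    return wanted - intercepted(target, tap_at, flows)


# Constructed sample traffic for the target userA.
SAMPLE = [Flow("userA", INTERNET), Flow(INTERNET, "userA"),
          Flow("userA", "userB"), Flow("userB", "userA"),
          Flow("userA", "userC"), Flow("userC", "userB")]

if __name__ == "__main__":
    # Span upstream of aggregation misses the userA<->userB hairpin;
    # a tap on the target's own aggregation device sees everything.
    print("upstream span misses:", missed("userA", CORE, SAMPLE))
    print("agg tap misses:", missed("userA", AGG_OF["userA"], SAMPLE))
```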




Re: ISP CALEA compliance

2007-05-10 Thread Jeff Shultz


Jason Frisvold wrote:


> On 5/10/07, Jared Mauch <[EMAIL PROTECTED]> wrote:
>
> > If you're not offering VoIP services, your life may be easier as
> > you will only need to intercept the data.  Depending on your environment
> > you could do this with something like port-mirroring, or something
> > more advanced.  There are a number of folks that offer TTP (Trusted
> > third-provider) services.  Verisign comes to mind.  But using a TTP
> > doesn't mean you can hide behind them.  Compliance is ultimately your
> > (the company that gets the subpoena) responsibility.
>
> Here's a question that's come up around here.  Does a CALEA intercept
> include "hairpinning" or is it *only* traffic leaving your network?
> I'm of the opinion that a CALEA intercept request includes every bit
> of traffic being sent or received by the targeted individual, but
> there is strong opposition here that thinks only internet-related
> traffic counts.
>
> > - Jared (IANAL!)




That would be something best brought up with a CALEA lawyer or one of 
the Trusted Third Party companies for an answer.


I suspect that you probably ought to have the capability of getting both 
ends of the "conversation" (incoming & outgoing) as the warrant may be 
written that way.


--
Jeff Shultz


Re: ISP CALEA compliance

2007-05-10 Thread Jason Frisvold


On 5/10/07, Jared Mauch <[EMAIL PROTECTED]> wrote:

> If you're not offering VoIP services, your life may be easier as
> you will only need to intercept the data.  Depending on your environment
> you could do this with something like port-mirroring, or something
> more advanced.  There are a number of folks that offer TTP (Trusted
> third-provider) services.  Verisign comes to mind.  But using a TTP
> doesn't mean you can hide behind them.  Compliance is ultimately your
> (the company that gets the subpoena) responsibility.


Here's a question that's come up around here.  Does a CALEA intercept
include "hairpinning" or is it *only* traffic leaving your network?
I'm of the opinion that a CALEA intercept request includes every bit
of traffic being sent or received by the targeted individual, but
there is strong opposition here that thinks only internet-related
traffic counts.


> - Jared (IANAL!)


--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com


Re: ISP CALEA compliance

2007-05-10 Thread Jared Mauch

On Thu, May 10, 2007 at 08:44:00AM -0700, Nikos Mouat wrote:
> 
> 
> I have interpreted CALEA to apply only to providers of VOICE service, be 
> it VOIP or traditional, however I was told this morning point blank by the 
> FCC that CALEA most definitely applies to all ISPs that provide internet 
> access at speeds over 200k.
> 
> The FCC said that routers must send a copy of all packets to and from a 
> selected IP to law enforcement in real time from gateway routers.
> 
> I've seen very little CALEA related traffic on this list which reinforced 
> my belief that it did not apply to data providers.
> 
> Can anyone comment on this?

Sure,

You need to have a router or some appliances that will assist
you in the required lawful-intercept capabilities that are necessary.

Take the time to read the 2nd order and report, and review FCC
form 445.  The filing date for that form passed, but that was a form to be
filed to capture a "snapshot" of the current state of compliance.

Keep in mind that you may need to negotiate with the requesting
agency (i.e. the folks that give you the subpoena that cites CALEA).

Take a moment and also review things like T1.IAS (I think it was
renamed again).

There was also a brief CALEA presentation at the past nanog.  As
usual, make sure you chat with your legal counsel.  Finding some that have
FCC knowledge/competence (and technology) is a plus.

If you're not offering VoIP services, your life may be easier as
you will only need to intercept the data.  Depending on your environment
you could do this with something like port-mirroring, or something
more advanced.  There are a number of folks that offer TTP (Trusted
third-provider) services.  Verisign comes to mind.  But using a TTP
doesn't mean you can hide behind them.  Compliance is ultimately your
(the company that gets the subpoena) responsibility.

This is an oversimplified summary and since IANAL nor am I a
CALEA expert all this may be bunk.

Some possibly useful links:

http://www.fcc.gov/calea/
http://www.askcalea.net/
http://www.access.gpo.gov/uscode/title47/chapter9_subchapteri_.html

- Jared (IANAL!)

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: ISP CALEA compliance

2007-05-10 Thread David E. Smith

Nikos Mouat wrote:

> I have interpreted CALEA to apply only to providers of VOICE service,
> be it VOIP or traditional, however I was told this morning point blank
> by the FCC that CALEA most definitely applies to all ISPs that provide
> internet access at speeds over 200k.

That, and the definition of ISP, are still a bit fuzzy...

[EMAIL PROTECTED], for instance, has had a LOT of chatter about that,
but WISPA's staff attorney believes that small wireless ISPs are
required to be CALEA-compliant. (WISPA is a trade association for
wireless ISPs.) If small ISPs have to be compliant, it's probably safe
to assume big ISPs are too. :)

http://lists.wispa.org/pipermail/wireless/ is the list archive - there's
a lot of noise in there, but a fair amount of signal (start in February
2007 or so, and work your way up). There are also forms you're apparently
supposed to fill out (FCC Form 445, and a CALEA compliance plan due next
week).

As always your friendly attorney knows better than I do.

David Smith
MVN.net


Re: ISP CALEA compliance

2007-05-10 Thread Chris L. Morrow



On Thu, 10 May 2007, Nikos Mouat wrote:

>
>
> I have interpreted CALEA to apply only to providers of VOICE service, be
> it VOIP or traditional, however I was told this morning point blank by the
> FCC that CALEA most definitely applies to all ISPs that provide internet
> access at speeds over 200k.
>
> The FCC said that routers must send a copy of all packets to and from a
> selected IP to law enforcement in real time from gateway routers.
>
> I've seen very little CALEA related traffic on this list which reinforced
> my belief that it did not apply to data providers.
>
> Can anyone comment on this?

you have 4 days, work fast... Actually, I'd ask your in-house-counsel
about your current status and whether or not things you do would fall into
the CALEA bucket. Also, work fast, there's only 4 days left :(

I believe there was some chatter on a puck.nether.net list, perhaps Jared
has that handy? or another reader does?


ISP CALEA compliance

2007-05-10 Thread Nikos Mouat



I have interpreted CALEA to apply only to providers of VOICE service, be 
it VOIP or traditional, however I was told this morning point blank by the 
FCC that CALEA most definitely applies to all ISPs that provide internet 
access at speeds over 200k.


The FCC said that routers must send a copy of all packets to and from a 
selected IP to law enforcement in real time from gateway routers.


I've seen very little CALEA related traffic on this list which reinforced 
my belief that it did not apply to data providers.


Can anyone comment on this?

Thanks.
-nm