Hi,
I just spoke with Norm Wright (part of the CALEA Tech unit, 703-632-6218).
Here is what I learned from the conversation:
- we will be responding to court orders from LEAs, not subpoenas
- T1.IAS and ATIS-013 are the same standard. ATIS-013 is the new name for
T1.IAS.
- "safe harbor" can only be obtained by implementing a CALEA compliance
solution based on one of the standards outlined in section 107 of the law
- if one does not obtain "safe harbor" then one just has to be able to
comply with what a given LEA may request. If one's interpretation of what
section 103 (which is vague) entitles the LEA to ask for differs from what
the LEA thinks it entitles it to, and agreement cannot be reached, the
matter will have to be settled in court between oneself and the LEA
- obtaining "safe harbor" with the FBI alone is OK, but there are
hundreds of LEAs out there besides the FBI. Obtaining "safe harbor" with
the FBI does not guarantee that one has "safe harbor" with any other LEA
- CALEA requires the ISP to be able to sniff *all* customer traffic,
including traffic passing *between* two of its customers (referred to as
"hairpinning"). If the LEA requires this and the ISP can't provide it, the
ISP may need to go to court
- the ISP must be able to transmit *all* data to the LEA in real time
(with an 8-second delay, I believe), regardless of whether the traffic is
VoIP or not
- dialup traffic does not fall under CALEA. The Class 5 office servicing
the phone line has to perform the intercept in these cases, not the ISP
- CALEA does not define the interface by which the LEA can obtain access
to the data stream captured by the ISP. The ISP can use any industry
standard. LEAs are generally not too happy about this because it makes them
have to be able to support multiple standards. Norm could not tell me
whether being able to grant the LEA access to the data stream via SSH was
adequate or not. He thought it might be. I guess the alternative would be a
VPN.
- regarding opencalea.org, Norm had heard of them but was not very
familiar with them. If they can fulfill a standard like ATIS-013 then
utilizing a solution based on opencalea should provide the ISP with safe
harbor. However, I understand that opencalea has not yet been able to put
together a fully standards-based solution. Until they do, those of us
depending on an opencalea-based compliance solution will have to live with
the risk of not being able to negotiate a mutually satisfactory compliance
method with any given LEA that issues us a court order, and thus face a
possible stint in court

Norm said that he is the point person at CALEA for questions of this nature,
and can contact the Office of General Counsel if needed to respond to legal
questions. They can't provide "official interpretations" of the law, but
they might be able to answer some questions. In general, I found the
conversation very helpful (if not somewhat disconcerting because of some of
what I learned).

It would be interesting to know if any of this differs from what the WISPA
board has been able to learn through their conversations with the FBI. In
particular, do I understand correctly that WISPA is attempting to negotiate
a section 107-type standard so that any ISP that conforms to the standard
will be able to obtain safe harbor with *all* LEAs (or just the FBI)?

Thanks,
Adam
Adam Greene
VP, Operations
Webjogger Internet Services
http://www.webjogger.net
(845) 757-4000 x134
--
WISPA Wireless List: wireless@wispa.org