I just wanted to make a brief post relating a few experiences relating to the CALEA "scare" that was recently the "talk of the town" (so to speak). I should preface this post with a bit of information that will give some insight into how common (or not) law enforcement will or will not use CALEA to get information from you/us. I have about 225 customers in my database. I work on a regular basis for about 15-20 of those each week. Since April, I have worked 4 cases with my customers (actually, it was 6, but 3 were related) that were filed as CALEA actions.

Of these cases, 3 of my customers were using Mikrotik and 1 was using ImageStream. I can't reveal anything related to the cases, but I wanted to help people understand what kind of information we are being asked for under CALEA, and what that translates to in terms of capability requirements.

1. The first subpoena wanted to know who had a specific IP at a certain time and date. That was all that was requested. This particular WISP has about 450 customers, and about 225 of those are using private IPs that are NATed at the border. It so happened that the IP we were requested information about was the NAT IP. I called the officer who had requested the data and explained the situation to him. After an hour or so, he understood that there is nothing we could do without more information. The case was an ongoing thing, and he was tracking contact to a specific website, so we were able to determine a specific customer who was using that website. We did not tell the officer who it was, but we DID explain how he needed to word his subpoena so that we COULD get him what he wanted. After he got the legal jargon to match the technical requirements of our capabilities, we were able to capture and provide him with the communications he was needing.

2. The next 3 were related to one another (sort of). In this case, the subpoena asked for customer billing records and login information for the past year for 3 IP addresses. We had part of this information (this WISP used public IP addresses for all his customers). Since the subpoena requested historical information, we were somewhat limited in what we could provide, but we did get the required information and LEA was happy.

3. The other 2 were not related but were similar. They asked for telephone information that the targets made between a couple of dates in the past. Since the WISPs in both cases were not the provider of the VoIP service (they were just the transport), we explained to the LEA that the information they are seeking would not be available at the WISP. Eventually they went elsewhere for their information (I guess), but the WISPs, in the end, did not provide ANY customer data to the LEA.

The point I am making here is that all of the information requested in all 3 cases was easily obtainable using equipment available within the WISP networks already. We used information that the Mikrotik and/or ImageStream enabled us to gather, log files and RADIUS logs to gather login information and capturing of data along with their business records to answer all 6 subpoenas (7 if you count the one that had to be re-done).

In all cases, the law enforcement officer who was our first contact was not technically capable of understanding what they wanted/needed, but without fail, there WERE people at the agencies involved who were. Of these subpoenas, 3 were from the FBI, 2 were local LE and 1 was homeland security.

Incidentally, none of these WISPs spent any extra money to be compliant (other than some legal work that had to be done). Billing for my time cost less than $350 (much less in some cases) to help gather necessary information. All of these (I think) ended up billing these costs to the LEA and as far as I know, they got their direct expenses back.

I got another call today to assist with a subpoena and it got me thinking about the others. I just thought this information may be useful/educational to some on this list.

--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
My calendar: http://tinyurl.com/y24ad6
Training Partners: http://tinyurl.com/smfkf
Mikrotik Certified Consultant
http://www.mikrotik.com/consultants.html
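
Added example, not part of the original post or any vendor's tooling: a sketch of the "who had this IP at this time" lookup from case 1 run over RADIUS accounting sessions, showing why a public IP resolves to one subscriber while the border NAT address resolves only to a candidate list. The record layout, user names, addresses, NAT pool and dates are all constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

FMT = "%Y-%m-%d %H:%M"  # assumption: every timestamp is already in one time zone

# Constructed RADIUS accounting sessions: (user, framed IP, start, stop or None if open)
SESSIONS = [
    ("cust-alpha", "198.51.100.10", "2007-06-01 08:00", "2007-06-01 12:00"),
    ("cust-bravo", "198.51.100.10", "2007-06-01 12:05", "2007-06-02 09:00"),
    ("cust-carol", "10.20.0.14", "2007-06-01 07:00", None),
    ("cust-dave", "10.20.0.15", "2007-06-01 07:30", None),
]
NAT_PUBLIC_IPS = {"203.0.113.1"}        # hypothetical border NAT address
NAT_POOL = ip_network("10.20.0.0/16")   # hypothetical private pool behind it


def _active(start, stop, t):
    """True if a session opened at `start` was still open at time t."""
    begun = datetime.strptime(start, FMT) <= t
    return begun and (stop is None or t <= datetime.strptime(stop, FMT))


def who_had_ip(ip, when, sessions=SESSIONS):
    """Answer 'who had this IP at this time' as (status, [users])."""
    t = datetime.strptime(when, FMT)
    if ip in NAT_PUBLIC_IPS:
        # The shared address maps to every subscriber online in the pool;
        # RADIUS alone cannot narrow it without a destination or flow data.
        users = sorted(u for u, addr, s, e in sessions
                       if ip_address(addr) in NAT_POOL and _active(s, e, t))
        return ("ambiguous-nat", users)
    users = sorted(u for u, addr, s, e in sessions
                   if addr == ip and _active(s, e, t))
    if not users:
        return ("no-record", [])
    # More than one holder means overlapping sessions: check the logs by hand.
    return ("match" if len(users) == 1 else "conflict", users)


if __name__ == "__main__":
    for query in [("198.51.100.10", "2007-06-01 09:30"),
                  ("198.51.100.10", "2007-06-01 12:02"),
                  ("203.0.113.1", "2007-06-01 09:30")]:
        print(query, "->", who_had_ip(*query))
```

The gap between the two sessions on the public address returns no record rather than the nearest user, which is the answer a reviewer of the response would expect to see documented.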

