[WISPA] Fw: [WISPA CALEA Questions] Trango and CALEA
fyi marlon - Original Message - From: "J.C. Utter" To: "CALEA Questions" Sent: Sunday, December 21, 2008 12:59 PM Subject: Re: [WISPA CALEA Questions] [WISPA] Trango and CALEA >> In an ideal world one would never even "touch" a packet that had nothing >> to do with the target of any legal requirement we might receive. The >> understanding that proceeds from the application of CALEA to packet >> switched networks from the circuit switched world is that the same >> privacy rights that exist in the circuit switched world exist in a >> packet switched world. In other words we are not allowed to let the >> probe touch any other circuit. When applying an intercept device, in an >> ideal world, it would isolate traffic by IP/MAC and completely ignore >> any other traffic. It would forward only the data packets which are >> associated with the target of the legal action that authorized the >> intercept. Sometimes that is possible, sometimes it is not. When it is >> not possible the physical TAP will likely forward all traffic to a >> storage system which will drop any packets that are not covered in the >> legal requirement establishing the intercept. > > Thanks for the background Mike. I think your analysis is generally > spot-on, but I do have a technical issue to address in what you have said > here. > > I would argue that the "storage" step in this process is the only step > that is equivalent to what we are calling "collection." For example, when > a software "tap" in one of our routers is used to perform an intercept, we > are already "touching" all of the packets in the sense that the router is > looking at them and forwarding them. I don't think this is what you mean > when you talk about "touching" a packet. I think when you talk about > "touching" a packet you're talking about privacy. So, in an intercept like > this, only the packets of interest are forwarded to the "collector" which > is essentially the storage device. No extra "touching" of unauthorized > traffic is required by our routers during an intercept, in the context of > privacy, which I think is what you are talking about. > > Similarly, when you look at a passive hardware monitoring tap, which > creates a second copy of the network traffic, the tap is nearly > indistinguishable from a wire in terms of its intelligence and the > device's actual ability (or inability in this cae) to collect network > traffic. So in this scenario, installing a hardware tap on a ciruit to > create a copy of the circuit's traffic is not really collecting anything, > and in terms of privacy, it does not "touch" the traffic any more than the > other wires that carry customer data to its appropriate destination. > With a hardware tap, network traffic continues to be treated as private > until the act of collection (or perhaps another act of viewing of the > data) commences, where the output of the tap is actually stored or viewed > by a person. This is why it is legal to install hardware taps throughout a > network in advance of a court order, and then begin using the output of > the tap to perform a lawful intercept once the court order is issued. > > In a lawful intercept, the output of the hardware tap is filtered before > it is stored. In this scenario, if there is no storage of the data and no > access to that data which is to remain "private" (i.e. not covered by the > intercept order), then no one has effectively "touched" the data from a > privacy perspective. In this context, it is also important to note that > even though some traffic may be authorized for collection, it too must be > kept private, and the carrier is not allowed to view the contents of an > intercept. > > I know I'm being fairly nit-picky with terminology here, but we are > interpreting the law, and the FBI can be quite nit-pickey when they want > to. You comments made it sound like the act of installing a tap is somehow > less private than not installing a tap, which is not the case. It is just > as private as any other wire on the network that carries traffic and could > be viewed or collected, but the traffic is not being collected or viewed. > > I hope this is helpful. I agree that CALEA codifies data privacy > requirements under the law, and it is a big step in the right direction. I > also believe that installing taps on a network is no more a threat to > privacy than having other wires carrying private customer traffic that > might be viewed and/or collected. It is really a matter of whether the > carrier collects private traffic, and hardware taps do not collect > traffic, even when an intercept is being performed with proper filtering. > > >> So, what I am saying is this. We must collect our packets as close to >> the target of the legal action as possible. We must filter those >> packets for any which are not pertinent and drop those at the earliest >> convenience. We must *never* record those packets which are not >> pertinent on any permanent medium unle
[WISPA] Fw: [WISPA CALEA Questions] Trango and CALEA
fyi marlon - Original Message - From: "Michael J. Erskine" To: "CALEA Questions" Sent: Friday, December 19, 2008 6:10 PM Subject: Re: [WISPA CALEA Questions] [WISPA] Trango and CALEA > Good evening everyone! Happy Christmas to all of you. > > It has been a long and profitable day. I found a problem I have been > working for four months. Yeah! > > I have time now to try to explain what I intended to say. > > CALEA complicates these issues because it is an application of circuit > switching law to a packet switched environment. It was never suited, or > intended, to apply to packet switched networks, but the FCC/FBI found it > convenient in these times to force that foot into that glass slipper. :) > > No law longer than one sentence will ever be followed to the letter in > every instance. That is impossible. Still, judges believe that the > letter of the law is what matters. I guess that is because you can not > infer spirit without also inferring opinion as well. Reasonable enough. > > The law of intercept has been hashed about between NSA, the FBI, and the > "State Department" for about a hundred and fifty years at this point and > the rights of the citizens are fairly well defined. We were > intercepting telegraph during the Civil War, WWI, and all manner of > communications by WWII. The various court cases which arose from those > intercepts helped to exercise the Constitution and The Bill of Rights > and to define the limits to which citizens and government may act in the > invasion of another person's privacy. That battle will continue to be > waged forever. Never the less, the FCC's application of CALEA to packet > switched networks actually substantiates protections in a packet > switched world which were not previously applied. For this reason, > CALEA is actually a good thing. > > CALEA protects our customers from *anyone* who would collect information > from their communications streams without proper court approval. CALEA > applies the protections which the TELCOs must observe to *all* IP > carriers, whether they are end nodes or transport nodes in the packet > switched network. This is a good thing, but problematic when we are > forced to discuss the letter (and not the intent) of the law. > > The pertinent principles defined in CALEA, are Authentication, > Validation, Isolation, Proportionality, and Completeness. When reading > the WISPA-CS-IPNA 2.0 we see that the committee derived from the statute > that we must collect the minimum information that will satisfy any legal > requirement. This was not done to relieve the ISP of work, rather it > was done to ensure the privacy of the user is the *first* concern in any > intercept action. > > In an ideal world one would never even "touch" a packet that had nothing > to do with the target of any legal requirement we might receive. The > understanding that proceeds from the application of CALEA to packet > switched networks from the circuit switched world is that the same > privacy rights that exist in the circuit switched world exist in a > packet switched world. In other words we are not allowed to let the > probe touch any other circuit. When applying an intercept device, in an > ideal world, it would isolate traffic by IP/MAC and completely ignore > any other traffic. It would forward only the data packets which are > associated with the target of the legal action that authorized the > intercept. Sometimes that is possible, sometimes it is not. When it is > not possible the physical TAP will likely forward all traffic to a > storage system which will drop any packets that are not covered in the > legal requirement establishing the intercept. > > So, what I am saying is this. We must collect our packets as close to > the target of the legal action as possible. We must filter those > packets for any which are not pertinent and drop those at the earliest > convenience. We must *never* record those packets which are not > pertinent on any permanent medium unless that is the only possible way > to satisfy the legal requirement. > > WISPA-CS-IPNA defines the relationship between the WISP/ISP and the > LEA. It does not define the relationship between the WISP/ISP and the > customer; however, the law, CALEA, is based upon the existence of a set > of rights and responsibilities which were established in a circuit > switched world. If, in the process of satisfying a legal action, we > violate those established principles, we can find ourselves in a legal > quagmire like the one that AT&T so recently stepped into. > > Just my two. > > > J.C. Utter wrote: >> Everyone gets confused easily in this conversation because participants >> use the word "tap" to mean different things. I use "passive tap" to refer >> to real taps that you install on the line for out-of-band collection. >> However, many people in the industry think of a "tap" as a software >> collector. I don't use the word "tap" in refernce to software, but
[WISPA] Fw: [WISPA CALEA Questions] Trango and CALEA
- Original Message - From: "Michael Erskine" To: "CALEA Questions" Sent: Friday, December 19, 2008 11:01 AM Subject: Re: [WISPA CALEA Questions] [WISPA] Trango and CALEA > CALEA prevents even the WISP from over collecting. We are no longer > permitted to tap any communications in our own networks except for the > purposes of satisfying a subpoena, a Title 3, or CALEA action or for > maintainance purposes. We are now, because of CALEA, under exactly the > same intercept constraints as the telcos. Your tap may run in > permissive mode; however, if you interpret the statue strictly, you have > to filter at the tap in the software. Hence my concern that the vendors > get WCS-IPNA implemented post haste. Other solutions are too pricey for > the little guys. We need OpenCALEA yesterday. > > just my two. > -m- > > > Jesse Norell wrote: >> On Fri, 2008-12-19 at 08:32 -0700, Jesse Norell wrote: >> So as long as you offer the data they ask regardless of what you actually collect that is acceptable? >>> Correct, you can "over collect" data, then you filter out just what >>> you need and only give them that. And if you're following a standard >>> like WCS-IPNA, you would make/record the checksums on only the data >>> you >>> present the LEA. >>> >> >> I guess I'll qualify that permissibility to overcollect with the >> requirements of the standard you're following. Eg. the CableLabs CBIS >> does not allow it (see 5.1.6 Isolation). But (from memory) the CALEA >> law does not prohibit that approach; it does require that you be capable >> of "103(a)(4) facilitating .. interceptinos .. in a manner that protects >> (A) the privacy and security of communications and call-identifying >> information not authorized to be intercepted," hence the WCS-IPNA >> standard (and all others) don't allow you to present that overcollected >> data to the LEA(*). >> >> Jesse >> >> (*) there is a controversial nat-in-the-ap exemption in wcs-ipna that >> will expire soon that violates this point >> >> >> > > ___ > CALEAquestions mailing list > caleaquesti...@wispa.org > http://lists.wispa.org/mailman/listinfo/caleaquestions WISPA Wants You! Join today! http://signup.wispa.org/ WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
[WISPA] Fw: [WISPA CALEA Questions] Trango and CALEA
Jesse is one of the main writers of the WISPA CALEA standard. marlon - Original Message - From: "Jesse Norell" To: "Josh Luthman" Cc: "CALEA Questions" Sent: Friday, December 19, 2008 7:32 AM Subject: Re: [WISPA CALEA Questions] [WISPA] Trango and CALEA > On Fri, 2008-12-19 at 09:57 -0500, Josh Luthman wrote: >> So as long as you offer the data they ask regardless of what you >> actually collect that is acceptable? > > Correct, you can "over collect" data, then you filter out just what > you need and only give them that. And if you're following a standard > like WCS-IPNA, you would make/record the checksums on only the data you > present the LEA. > > >> Josh Luthman >> Office: 937-552-2340 >> Direct: 937-552-2343 >> 1100 Wayne St >> Suite 1337 >> Troy, OH 45373 >> >> Those who don't understand UNIX are condemned to reinvent it, poorly. >> --- Henry Spencer >> >> >> On Fri, Dec 19, 2008 at 9:53 AM, Jeff Broadwick >> wrote: >> Not if you have a collector behind the tap. You can still >> filter out the >> traffic that you don't need for the warrant. >> >> Jeff >> >> >> -Original Message- >> From: wireless-boun...@wispa.org >> [mailto:wireless-boun...@wispa.org] On >> Behalf Of Josh Luthman >> Sent: Friday, December 19, 2008 9:50 AM >> To: WISPA General List >> >> >> Subject: Re: [WISPA] Trango and CALEA >> >> That was my only idea, however that includes data from other >> CPE radios >> which voids the rules of engagement :/ >> >> On 12/19/08, Jeff Broadwick wrote: >> > That would be my suggestion. That's radio vendor neutral. >> > >> > Jeff >> > >> > >> > -Original Message- >> > From: caleaquestions-boun...@wispa.org >> > [mailto:caleaquestions-boun...@wispa.org] On Behalf Of >> Marlon K. >> > Schafer >> > Sent: Friday, December 19, 2008 9:21 AM >> > To: WISPA General List >> > Cc: caleaquesti...@wispa.org >> > Subject: Re: [WISPA CALEA Questions] [WISPA] Trango and >> CALEA >> > >> > You'll just have to drop a tap in right behind the AP. >> > >> > If you have client to client allowed I have no idea how to >> help you. >> > >> > Anyone else have any ideas for Josh? (remember to hit reply >> all) >> > marlon >> > >> > - Original Message - >> > From: "Josh Luthman" >> > To: "WISPA General List" >> > Sent: Wednesday, December 17, 2008 8:50 AM >> > Subject: [WISPA] Trango and CALEA >> > >> > >> >> Has anyone got any ideas on how to use Trango's p2mp >> equipment and >> >> support CALEA? >> >> >> >> Josh Luthman >> >> Office: 937-552-2340 >> >> Direct: 937-552-2343 >> >> 1100 Wayne St >> >> Suite 1337 >> >> Troy, OH 45373 >> >> >> >> Those who don't understand UNIX are condemned to reinvent >> it, poorly. >> >> --- Henry Spencer >> >> >> >> >> >> >> > >> >> -- >> > -- >> > >> >> WISPA Wants You! Join today! >> >> http://signup.wispa.org/ >> >> >> > >> >> -- >> > -- >> > >> >> >> >> WISPA Wireless List: wireless@wispa.org >> >> >> >> Subscribe/Unsubscribe: >> >> http://lists.wispa.org/mailman/listinfo/wireless >> >> >> >> Archives: http://lists.wispa.org/pipermail/wireless/ >> > >> > ___ >> > CALEAquestions mailing list >> > caleaquesti...@wispa.org >> > http://lists.wispa.org/mailman/listinfo/caleaquestions >> > >> > >> > >> > >> >> -- >> > -- >> > WISPA Wants You! Join today! >> > http://signup.wispa.org/ >> > >> >> -- >> > -- >> > >> > WISPA Wireless List: wireless@wispa.org >> > >> > Subscribe/Unsubscribe: >> > http://lists.wispa.org/mailman/listinfo/wireless >> > >> > Archives: http://lists.wispa.org/pipermail/wireless/ >> > >> >> >> -- >> Josh Luthman >> Office: 937-552-2340 >> Direct: 937-552-2343 >> 1100 Wayne St >> Suite 1337 >> Troy, OH 45373 >> >> Those who don't understand UNIX are condemned to reinvent it, >>