On Mon, 26 Mar 2007 19:49:43 -0400, Adam Greene wrote > Hi, > > As a new member of WISPA I am reading with interest all of the > postings about CALEA from the past few weeks. > > Thankfully, we have designed our network in such a way that all > customer IP traffic passes through at least one Cisco switch before > it can be bridged to any other customer or routed to the Internet, > so I think we'll be able to SPAN all customer traffic and from there > manipulate the data streams and hand them off to law enforcement. > The only exception to this case might be our Waverider CCU's, which > are routing packets between various end-users. I am going to contact > them to see what their take is on implementing LI -- we might need > to stop using the CCU's as routers. > > The main questions I have for the forum are ... assuming we can at > least make a copy of a given customer's traffic without the customer > realizing it > (i.e. non-intrusively), how are we going to be able to format the > data to be able to hand it off to law enforcement? We obviously want > to do this in the most cost-effective way possible (read: open > source solution). http://www.opencalea.org/ definitely looks > promising, but it is just getting off the ground as far as I can > tell. I wonder if there are any other groups out there working on this. > > As far as compliance standards go, as far as I can tell, the one > that most fits us might be ATIS -T1.IPNA -ISP data, but I'm still > confused about that. When I visit > http://www.askcalea.net/standards.html, I see a link for "Wireline: > PTSC T1.IAS" which takes me to > https://www.atis.org/docstore/product.aspx?id=22665. Is this all the > same as ATIS -T1.IPNA -ISP? Somehow I don't have the feeling that > paying $164.00 for this standard is going to help get me in the > right direction .... > > We do have a couple savvy Linux guru-types in house that could > deploy a good open-source solution and keep it updated, I think. But > I don't think we're up to developing such a solution ourselves from scratch. > > I did find a device made by a company called Solera > > (http://www.voip-news.com/feature/solera-calea-voip-packet-capture- > 031907/) which looks like it could be cost-effective (read: > ~$7000.00) for a small ISP (read: ~1,000 customers) like us. > Obviously we would prefer open source, but at least it was a relief > to see that we might be able to avoid the $40,000 - $100,000 > solutions I've been hearing about from TTP's and other > (larger) ISPs. > > Matt Liotta, you mentioned that you "have the ability to provide > lawful intercept in compliance with CALEA for our single-homed > downstream ISP customers assuming there is no NAT involved." Would > you be willing to share some details about the solution you've been > able to come up with? > > I do see the opportunity that this whole CALEA thing could provide > to some ISP's who figure out a way to develop a cost-effective > solution and then offer consulting services or **affordable** TTP > services to other companies ... > > I also read with interest the "Baller law group's Key Legal and > Technical Requirements and Options for CALEA > (http://www.baller.com/pdfs/BHLG-CTC_CALEA_Memo.pdf)" that Peter > Radizeski forwarded to the list. I had not taken seriously the > possibility of filing a section 109(b) petition, but if we do due > diligence and really do not find an affordable solution to deploy on > our network, I think we may have to seriously consider that (for > example, the part about asking to be considered compliant as long as > we can meet most of LI's requirements, if not all of them). > > Please excuse the long and rambling post ... I'm just having a hard > time finding out how to grab a hold of this CALEA beast.
Hi, let me quote from www.askcalea.com "On March 17, 2004, we published a press release regarding our joint petition. Q: Does the petition for CALEA rulemaking propose to apply CALEA to all types of online communication, including instant messaging and visits to websites? A: No. The petition proposes CALEA coverage of only broadband Internet access service and broadband telephony service. Other Internet-based services, including those classified as "information services" such as email and visits to websites, would not be covered. Q: Does the petition propose extensive retooling of existing broadband networks that could impose significant costs? A: No. The petition contends that CALEA should apply to certain broadband services but does not address the issue of what technical capabilities those broadband providers should deliver to law enforcement. CALEA already permits those service providers to fashion their own technical standards as they see fit. If law enforcement considers an industry technical standard deficient, it can seek to change the standard only by filing a special "deficiency" petition before the Commission. It is the FCC, not law enforcement, that decides whether any capabilities should be added to the standard. The FCC may refuse to order a change in a standard on many different grounds. For example, a capability may be rejected because it is too costly. Therefore CALEA already contains protections for industry against paying undue compliance costs. Q: Did law enforcement ask the FCC to curtail its usual review process to implement the petition? A: No. Law enforcement asked the FCC to give the proposed rulemaking expedited treatment. Such treatment is often requested and granted when urgent matters are brought to the FCC's attention. Some FCC rulemaking proceedings can take years to complete. Law enforcement believes expedited treatment is warranted in this case based on evidence that terrorists, criminals, and/or spies are already exploiting the networks of broadband communication providers to evade lawful electronic surveillance. Q: Is Law enforcement trying to dictate how the Internet should be engineered to permit whatever level of surveillance law enforcement deems necessary? A: No. Law enforcement does not seek the power to dictate how the Internet should be engineered or even to decide how broadband communications networks should be engineered. As explained above, CALEA already allocates those decisions to industry and any resulting capability disputes between industry and law enforcement are decided by the FCC. Moreover, the level of surveillance is not an issue raised in the petition, is not within the scope of CALEA, and is not decided by law enforcement. Based on a statute known as "Title III," before a law enforcement agent or officer is permitted to engage in lawful electronic surveillance, he or she must seek an appropriate court order from a judge or magistrate. Only if a judicial order is issued can the lawful surveillance take place, and the level of surveillance is prescribed by the order. Q: Does the petition ignore the letter or spirit of CALEA's "information services" exemption by seeking to apply CALEA to such services? A: No. The petition notes that CALEA contains a definition of "telecommunications carrier" that is different from and broader than the definition of that term in the Communications Act, which governs most FCC actions. The petition therefore asks the FCC to decide the scope of CALEA coverage based on the CALEA definition, not the Communications Act definition. As a result, some carriers classified as "information service" providers for purposes of the Communications Act would be simultaneously deemed "telecommunications carriers" for purposes of CALEA. Q: Would the petition force carriers to decode data that might be encrypted? A: No. The petition does not raise the issue of encryption. That issue is already addressed by CALEA. The statute states that if encryption is provided by a telecommunications carrier and the carrier possesses the information necessary to decrypt the communication, it must decrypt the communications subject to an order for lawful interception. But if the encryption is provided by a subscriber or customer, the carrier is not responsible for decrypting the targeted communications. " What you read this... It conflicts considerably with a lot of information gathered in other places. Read this carefully, it says that website visits, IM, etc, are NOT included in the information you must capture. Yeah, yeah, it says the companies that provide those services need not be compliant - if that's the case, then that data is not included in the required types. Only specific types of information, mostly being VIOP calls are detailed. Since VOIP calls are tapped at the provider's end, it appears that really IS NO INCLUDED DATA that needs to be tapped at the ISP's end, unless somehow we're supposed to find peer to peer voice data buried in the packet flow or something. Of course, this conflicts to some degree with other information published elsewhere... and here, too. I'm not sure it doesn't conflict with the FCC's and FBI's recent comments, too. What is definitely scary, is that it says that the level of intrusion or actual availability of data from your network's operation is going to be decided BY INDUSTRY. Who the heck is that? Me? AT&T? Earthlink? AOL? Disputes between providers and law enforcement will be mediated by the FCC, it says. So the FCC has placed itself as the mediator... the one who decideds post facto what is required, and then can levy fines. Talk about being able to capriciously "nail" anyone they feel like! The more I read this, the more we should be telling them this bit of regulatory manture should be buried forever. -------------------------------------------- Mark Koskenmaki <> Neofast, Inc Broadband for the Walla Walla Valley and Blue Mountains 541-969-8200 -- WISPA Wireless List: [email protected] Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/
