fyi marlon ----- Original Message ----- From: "J.C. Utter" <j...@imagestream.com> To: "CALEA Questions" <caleaquesti...@wispa.org> Sent: Sunday, December 21, 2008 12:59 PM Subject: Re: [WISPA CALEA Questions] [WISPA] Trango and CALEA
>> In an ideal world one would never even "touch" a packet that had nothing >> to do with the target of any legal requirement we might receive. The >> understanding that proceeds from the application of CALEA to packet >> switched networks from the circuit switched world is that the same >> privacy rights that exist in the circuit switched world exist in a >> packet switched world. In other words we are not allowed to let the >> probe touch any other circuit. When applying an intercept device, in an >> ideal world, it would isolate traffic by IP/MAC and completely ignore >> any other traffic. It would forward only the data packets which are >> associated with the target of the legal action that authorized the >> intercept. Sometimes that is possible, sometimes it is not. When it is >> not possible the physical TAP will likely forward all traffic to a >> storage system which will drop any packets that are not covered in the >> legal requirement establishing the intercept. > > Thanks for the background Mike. I think your analysis is generally > spot-on, but I do have a technical issue to address in what you have said > here. > > I would argue that the "storage" step in this process is the only step > that is equivalent to what we are calling "collection." For example, when > a software "tap" in one of our routers is used to perform an intercept, we > are already "touching" all of the packets in the sense that the router is > looking at them and forwarding them. I don't think this is what you mean > when you talk about "touching" a packet. I think when you talk about > "touching" a packet you're talking about privacy. So, in an intercept like > this, only the packets of interest are forwarded to the "collector" which > is essentially the storage device. No extra "touching" of unauthorized > traffic is required by our routers during an intercept, in the context of > privacy, which I think is what you are talking about. > > Similarly, when you look at a passive hardware monitoring tap, which > creates a second copy of the network traffic, the tap is nearly > indistinguishable from a wire in terms of its intelligence and the > device's actual ability (or inability in this cae) to collect network > traffic. So in this scenario, installing a hardware tap on a ciruit to > create a copy of the circuit's traffic is not really collecting anything, > and in terms of privacy, it does not "touch" the traffic any more than the > other wires that carry customer data to its appropriate destination. > With a hardware tap, network traffic continues to be treated as private > until the act of collection (or perhaps another act of viewing of the > data) commences, where the output of the tap is actually stored or viewed > by a person. This is why it is legal to install hardware taps throughout a > network in advance of a court order, and then begin using the output of > the tap to perform a lawful intercept once the court order is issued. > > In a lawful intercept, the output of the hardware tap is filtered before > it is stored. In this scenario, if there is no storage of the data and no > access to that data which is to remain "private" (i.e. not covered by the > intercept order), then no one has effectively "touched" the data from a > privacy perspective. In this context, it is also important to note that > even though some traffic may be authorized for collection, it too must be > kept private, and the carrier is not allowed to view the contents of an > intercept. > > I know I'm being fairly nit-picky with terminology here, but we are > interpreting the law, and the FBI can be quite nit-pickey when they want > to. You comments made it sound like the act of installing a tap is somehow > less private than not installing a tap, which is not the case. It is just > as private as any other wire on the network that carries traffic and could > be viewed or collected, but the traffic is not being collected or viewed. > > I hope this is helpful. I agree that CALEA codifies data privacy > requirements under the law, and it is a big step in the right direction. I > also believe that installing taps on a network is no more a threat to > privacy than having other wires carrying private customer traffic that > might be viewed and/or collected. It is really a matter of whether the > carrier collects private traffic, and hardware taps do not collect > traffic, even when an intercept is being performed with proper filtering. > > >> So, what I am saying is this. We must collect our packets as close to >> the target of the legal action as possible. We must filter those >> packets for any which are not pertinent and drop those at the earliest >> convenience. We must *never* record those packets which are not >> pertinent on any permanent medium unless that is the only possible way >> to satisfy the legal requirement. > > Yes, this is quite right... > > >> WISPA-CS-IPNA defines the relationship between the WISP/ISP and the >> LEA. It does not define the relationship between the WISP/ISP and the >> customer; however, the law, CALEA, is based upon the existence of a set >> of rights and responsibilities which were established in a circuit >> switched world. If, in the process of satisfying a legal action, we >> violate those established principles, we can find ourselves in a legal >> quagmire like the one that AT&T so recently stepped into. > > Hmmm... I'm not sure how important your statement about relationships is > here, but there is no doubt that CALEA establishes norms of privacy, which > speaks directly to the relationship between the WISP/ISP and the customer. > So in this context, I would disagree with your characterization of what > relationships CALEA attempts to define. > > jc > _______________________________________________ > CALEAquestions mailing list > caleaquesti...@wispa.org > http://lists.wispa.org/mailman/listinfo/caleaquestions -------------------------------------------------------------------------------- WISPA Wants You! Join today! http://signup.wispa.org/ -------------------------------------------------------------------------------- WISPA Wireless List: wireless@wispa.org Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless Archives: http://lists.wispa.org/pipermail/wireless/