North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ISP CALEA compliance

  • From: William Allen Simpson
  • Date: Thu May 10 15:38:51 2007
  • Dkim-signature: a=rsa-sha1; c=relaxed/relaxed;; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=Ew3LyVa0eLy8ZAoLdZ7p58t7o0++uzTiAxyJwPhuTFccZroKtGjIVg85a7uOd+R/N8gxL9EUwmgAuu/m+1Q/EBQr5MwSwuEL14zMJVM+TuZF8A9IonvXkzlyL2Y9gx2z2ehMyllCeqFcHeksugB1a5onjp+vbB73/JJ+Xydbsh8=
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=JP5NyrF/RATJI6PkJ0UAW1gi/cBVFKcAIvJgoH0uB9ajzQh6JlVaDciy/A+D+Oybvoh0gE/7DqA/ILWaINLT5n7wZk6F9FG/1xP3qTIq0KMQ9qvLibQHZwj5uiGoX62UoHVxyESvYTgxDIXqqiKL3BqlOJMOQ+xwgoEiSsgEU28=

Jared Mauch wrote:
	You need to have a router or some appliances that will assist
you in the required lawful-intercept capabilities that are necessary.

But anything whatsoever is OK.  Since you don't know of the capabilities
required in advance, there's no reason that it be a fast router or switch.
An old slow hub is fine....

Remember, you don't actually have to do anything until *after* you
receive the payment -- that is required up front!

	Take the time to read the 2nd order and report, and review FCC
form 445.  The filing date for that form passed, but that was a form to be
filed to capture a "snapshot" of the current state of compliance.

	Keep in mind that you may need to negotiate with the requesting
agency (ie: the folks that give you the subponea that cites CALEA).

Speaking from experience, that's very likely -- a lot of negotiation
trouble.  No matter what happens, you'll pay some attorney fees.

Also, the gag order was ruled unconstitutional, so always inform your
customer!  They may be willing to work out attorney fees, and/or join
you in a suppression hearing.

You probably should remember to call your congresscritters to complain
each and every time it happens.

Most important: call your state ACLU, as they are trying to keep track,
and might be of some help. ;-)


Follow the usual best practices, and you may save time and money.

1. Ensure that your DHCP, RADIUS, SMTP, and other logs are always,
ALWAYS, *ALWAYS* rolled over and deleted within 7 days without backup.
I'd recommend 3 days, but operational requirements vary.

2. Insist that you receive payment *in advance* before doing anything!
And wait until the check clears.

3. Remind the requesting agency that everything must be signed by a
judge.  Call the issuing court to confirm.  Don't accept "exigent"
administrative requests.  The recent inspector general report showed
that most administrative requests were never followed up by actual
judicially approved requests, and virtually none of them warranted
exigent status -- they were illegal shortcuts.

4. Never, NEVER, *NEVER* speak to a federal agent of any kind.  Do not
allow them into the building.  Require them to speak to your attorney.
Require everything in writing.  No exceptions!

We returned the first request as inadequate -- since it misspelled the
name of the company and the address, and wasn't accompanied by a check.

Our problem was that we weren't rigorous about #1 (some staff had been
keeping some backups sometimes), and the resulting time and expense for
extracting "lawful" information from all the rest was painful.  Learn
from our mistake.