Under FCC regulations effective May 14, 2007, a broad spectrum of IP facilities ï¿½ potentially including some self-managed enterprise IP networks and possibly even PBX (News - Alert)-type IP systems ï¿½ must be configured to allow law enforcement monitoring of communications under the Communications Assistance to Law Enforcement Act (ï¿½CALEAï¿½). Yet, the FCCï¿½s most recent CALEA order, issued May 12, 2006, leaves unresolved the compliance issues of greatest concern to manufacturers, developers, and resellers of enterprise IP solutions: Who is covered, what is required, and how soon must compliance milestones be met? Meanwhile, the FCC has imposed a tight timetable on industry. Preliminary compliance steps may be required as early as the end of summer.
Manufacturers and resellers should be sure to bring the CALEA regulations to the attention of customers to whom they may apply. To ensure that your products can comply and that market opportunities are not foreclosed, you may need to do some consultations to determine which of your customers are affected, what standards they must meet, and when initial compliance steps must be completed. In addition, manufacturers, developers, and resellers should keep a close watch on developments in standards-setting bodies and pending court proceedings.
Who Is Covered by CALEA?
Passed in 1994, CALEA, by its terms, applies only to telecommunications carriers. In the September 2005 Order, however, the Commission found that CALEA should apply to two types of entities not previously covered.
First, the Commission decided CALEA should apply to all VoIP service providers who are currently subject to E911 obligations ï¿½ that is, all providers of two-way voice communications that require broadband connections and IP-compatible terminal devices or adapters and that permit communications to and from the public circuit-switched network.
Second, the Commission decided CALEA should apply to ï¿½facilities-based providers of broadband Internet access service.ï¿½ This term would encompass local exchange carriers, cable TV service providers, and others operating IP facilities that are generally available to the public. Closed private IP networks, such as those operated by education and research organizations, are not covered. In a footnote, however, the FCC stated:
To the extent . . . that these private networks are interconnected with a public network, either the PSTN or the Internet, providers of the facilities that support the connection of the private network to a public network are subject to CALEA . . . .
In this ambiguous footnote, the FCC could be saying that any private network operator that makes broadband facilities available for Internet access ï¿½ for example, a university that provides Internet access to its students ï¿½ must comply with CALEA by May 14, 2007. Other kinds of facilities that offer Internet access, like broadband facilities operated by a large hotel or convention center, could also be covered, even if the facilities are contained within a single building. Conceivably, even a corporation that provides Internet access to its employees using privately owned broadband facilities could be deemed subject to CALEA. Application of CALEA to any of these entities would represent an unprecedented extension of CALEA to cover facilities that, in the circuit-switched world, have been considered exempt ï¿½private networks.ï¿½
The Commissionï¿½s most recent order, which has been affirmed by the court of appeals, failed to clarify these issues, leaving industry uncertain who is covered. To respond to queries from customers, who may be looking for guidance as to whether they are covered, industry participants may benefit from access to a careful analysis of the FCC regulations.
What Does CALEA Require?
CALEA requires covered entities to establish the capability to provide law enforcement agencies (pursuant to legal process) (1) the ability to monitor the content of phone calls or data transmissions, and (2) information that identifies the origin, direction, destination, or termination of a communication.
The FCC had requested comment on how to define the second category for Internet calls, and also on whether a provider that follows industry standards should be automatically considered to be in compliance. In the May 2006 Order, however, the Commission deferred providing further guidance on what constitutes compliance. Apparently, it is up to industry standards bodies to try to define compliance, although there is no guarantee that following such standards will be deemed compliance.
Manufacturers, vendors, and resellers should make sure they are fully informed about likely interpretations of the rules, so that they can design equipment and software for compliance and help their customers determine the steps they must take to comply. In addition, they need to keep a close eye on the development of CALEA standards to ensure that standards are available in time to meet the May 14, 2007, deadline, and that they offer all companies a fair opportunity to compete.
What Is the Timetable for Compliance?
The third unknown factor is the timetable for compliance. Although the Commissionï¿½s May 14, 2007, deadline is seemingly clear-cut, there are preliminary milestones to be met as well, and these are subject to uncertainty. The Commission required Internet access and VoIP service providers to comply with ï¿½system security rulesï¿½ (addressing employee supervision and recordkeeping policies and procedures) prior to that deadline and to submit their policies and procedures within 90 days of the orderï¿½s ï¿½effective date.ï¿½ The effective date for this requirement, however, will not be determined until the requirement, which involves recordkeeping and reporting, is approved by the White House Office of Management and Budget, which had not yet occurred at the time of publication.
In addition, the FCC will require VoIP service and Internet access providers to submit interim reports to the Commission showing their progress towards compliance, but has not yet set due dates for these reports. The uncertainty about due dates is compounded by the additional uncertainty as to who is covered and what standards apply. Therefore, manufacturers, developers, and resellers need to have a process in place to stay on top of developments.
With compliance deadlines looming, industry participants need to make decisions based on careful legal and technical analysis of how the CALEA regulations apply to you and your customers. Be sure to carefully monitor developments in the standards-setting and legal arenas to ensure that you retain and enhance your ability to market new and replacement products that enable your affected customers to comply. Manufacturers and developers need to keep their sales channels informed, and resellers should ensure that their customers are aware of potentially applicable CALEA regulations. IT
Bob Aldrich is a telecommunications law practitioner at Dickstein Shapiro Morin & Oshinsky, Washington, D.C. Aldrich represents the Enterprise Communications (News - Alert) Association (ECA) and other competitive telecommunications firms and organizations. For more information, please visit the organization online at www.encomm.org.
If you are interested in purchasing reprints of this article (in either print or PDF format), please visit Reprint Management Services online at www.reprintbuyer.com or contact a representative via e-mail at firstname.lastname@example.org or by phone at 800-290-5460.