In May 2006, the Federal Communications Commission adopted its Second Order providing definitive rules for broadband Internet access and PSTN-interconnected VoIP provider compliance with the Communications Assistance for Law Enforcement Act of 1994, or CALEA.
CALEA was passed by Congress to enable law enforcement officials to continue to obtain real-time forensic evidence from public telecommunication networks pursuant to a judicial warrant. The Act obliges carriers to have the technical and administrative capacity to isolate specific subscriber communications ï¿½ or related signaling ï¿½ and ï¿½hand overï¿½ the call data and/or content via a transmission link to a monitoring facility operated by law enforcement. The requirements also enhance end user privacy by providing for an audited process.
Because Internet service providers have not previously been covered by CALEA, they are now contemplating their next steps and options. What exactly needs to be filed with the FCC and when? What does it mean to be compliant by May 2007? Can compliance be handled internally or outsourced? And, what happens if a provider is non-compliant?
Who Needs To Comply?
The rules cover all public, facilities-based broadband Internet access service providers (i.e., offering access greater than 200 kilobits/sec) and interconnected VoIP service providers (those connecting to any PSTN gateway). Quasi-public access providers, such as libraries, campuses and corporate extranets, will likely be subject to ï¿½something less than full CALEA complianceï¿½ to be established in a subsequent order to be released in a few months.
The ï¿½facilities-basedï¿½ terminology was meant to include providers offering connectivity infrastructure between end users and the Internet. However, establishments that acquire broadband Internet access service from a facilities-based provider to enable their customers to access the Internet from their respective establishments are excluded. The FCC explicitly exempted retail providers such as those offering hot spot WiFi (News - Alert) service where the actual Internet connectivity is obtained from another provider.
What Needs To Be Filed With The FCC?
The Second Order required affected service providers to initially register and file their CALEA security policies and procedures by Nov. 2, 2006. Around the same time, the Commission is also requiring providers to submit an initial ï¿½monitoring reportï¿½ on how they will meet the CALEA capability requirements by the May 14, 2007 deadline. The exact date for filing these monitoring reports will appear in a FCC Public Notice.
Compliance is based on capability requirement, which the FBI has fine tuned over the last few years. Safe harbor industry standards have been developed and continue to be evolved in several different industry bodies for wireline, wireless, and cable systems. Implementation guidelines are also being developed to help providers comply.
How Do You Become Compliant ï¿½ In-House or Outsource?
The FCC gave providers two choices ï¿½ do it yourself or outsource to a ï¿½Trusted Third Partyï¿½ service bureau.
Compliance involves both administrative and technical capacity implementations. You must provide a security office, train personnel, establish administrative policies, and implement technical capabilities that enable acquisition, management, mediation, and delivery including maintenance and proof of performance. These implementations include CALEA-related hardware and software, network engineering, and technical project management staff, secure facilities, as well as legal and regulatory personnel. You also need to follow the changing requirements, keep the capabilities up to date, and regularly test their operation. While entirely feasible to accomplish, dedicating the specialized resources to accomplish all these tasks is remote from provider business activities. As a result, the Commission recognized in the proceeding the unique value proposition of Trusted Third Party service bureaus.
For almost all providers, the Trusted Third Party option will be significantly less expensive and a great deal easier. TTPs specialize in CALEA compliance. They follow the latest requirements, the standards activities, and capability implementations by vendors. TTPs procure the necessary equipment and software, and share the costs across multiple provider customers. Their personnel perform administrative, access, and delivery of intercept requirements when the provider receives a court order.
For transnational providers, some Trusted Third Parties also provide international support capabilities and facilitate the complexities of meeting the CALEA equivalent Lawful Interception capability requirements found in almost all countries worldwide. Indeed, in many countries the requirements are even more extensive than in the U.S. and include new Data Retention and Identity Management capability requirements as well.
What Happens If You Are Not Compliant?
The FCC has made it clear that it will not grant extensions nor is likely to exempt providers. Indeed, they strongly suggest that even small providers make use of TTPs, and require that any petitions for exemptions include attempted service through a TTP. The Commission is also imposing its own enforcement remedies and monitoring report mechanisms that include very substantial fines and penalties for non-compliance. Given the FCCï¿½s recent track record of imposing large fines for violating even non-security-related rules, failing to become CALEA compliant is a risk that few providers will want to take. IT
DISCLAIMER: The purpose of this article is to provide general information regarding recent changes to CALEA. It is for informational purposes only. Nothing in this article constitutes, and nothing herein should be interpreted as, legal advice. Readers are encouraged to consult with their legal adviser as regards the provisions of and compliance with CALEA.
Tony Rutkowski is the vice-president for regulatory affairs and standards within the Communication Services Division at VeriSign (News - Alert). Additional news and information about the company is available at www.verisign.com.
If you are interested in purchasing reprints of this article (in either print or PDF format), please visit Reprint Management Services online at www.reprintbuyer.com or contact a representative via e-mail at firstname.lastname@example.org or by phone at 800-290-5460.