A Cloud Provider's Checklist for CALEA Compliance

Guest Room

A Cloud Provider's Checklist for CALEA Compliance

By TMCnet Special Guest
  |  April 02, 2014

Nearly a decade has passed since federal policymakers expanded the reach of the Communications Assistance for Law Enforcement Act to VoIP, cloud, and certain broadband service providers. Yet a surprising number remain in the dark over their responsibility to comply with the law and provide technical support to law enforcement for lawful intercept.

Make no mistake: If you are a CALEA-defined “telecommunications carrier” and you operate in the cloud, CALEA compliance applies to you. You must have a technical solution to implement a court order or an “exigent” (emergency) request for surveillance, and the people and processes in place to carry it through successfully.

CALEA compliance is complex. However, by taking the right steps in advance, your company can jump into action when and if a court order for lawful intercept arrives, and avoid penalties and legal injunctions for failure to observe the law.

Here are two straightforward checklists: one on how to select and implement a technology solution, and a second on the necessary staff and planning processes.

How to Choose and Set Up a Surveillance Technology Solution

There are five basic areas to consider when selecting and implementing a technology solution for CALEA compliance:

Network Topology Check first to see that the surveillance solutions under consideration work with your specific network topology. And, as importantly, make sure the solutions are standards-based to meet the exact technical requirements specified in CALEA.

Choosing the Right Technology There are two types: active and passive. An active surveillance solution uses a mediation device. Passive probes tap network segments and perform deep packet inspection on designated traffic. Active solutions scale for large networks and are typically more expensive than passive probes, which are designed for smaller networks.

Configuring the Device Active solutions require a range of commands and protocols that sync with a switch or router to provision, capture, and mediate targeted data. Passive solutions require a probe connected to a network SPAN (Switch Port Analyzer) to access the data flowing across a network. Whether active or passive, the solution must be configured.

Provisioning Administration Interface and the Database A specialist must configure the administration interface or terminal that offers a unified mechanism to administer different network and target types; and the database that stores the system configuration data, target criteria information, users’ information, and activity logs.

Testing Once deployed, the solution must be tested to ensure it operates on-demand and meets industry-acceptable standards.

The Plan and the Process

Compliance involves a lot more than just technology. You will need a plan and a process in place to manage your surveillance solution. That involves:

Expert Staff The service provider must designate technical and legal staff to manage the intercept process when a court order arrives. Legal experts must review each court order to ensure that it is correctly worded so that the data captured during an intercept will be admissible in court, and that the privacy of other subscribers is protected as specified under CALEA. An engineering team will need to switch on the technology solution to capture the target’s communications traffic, shut it down when the intercept time period expires, or modify the intercept to capture different data if the court order changes mid-stream during an investigation. Finally, the service provider must assign someone to ensure that the targeted intercept data reaches the appropriate law enforcement agency.

Compliance Plan Every detail of your CALEA compliance program must be put in writing in a System Security and Integrity Plan, which is then filed with the Federal Communications Commission in Washington, D.C.

Avoid Your Day in Court

There is no way around CALEA compliance, and the pressure is on. Authorized intercepts nearly tripled between 2002 and 2012, and that’s for “full content” orders alone. Add other forms of lawful intercept such as “pen/traps” that record telephone numbers called by targets, and the count goes higher.

Ignorance or denial of the law is not a defense. Excuses don’t fly before a court of law empowered to demand your explanation and levy fines up to $10,000 per day for any failure to comply. By being fully CALEA compliant in advance you can avoid a day in court.

Steve Bock is president of Subsentio (www.subsentio.com).

Edited by Stefania Viscusi