Billing and OSS World

06/12/2007
Billing World and OSS Today eNewsletter

 

  Update: Present and Future CALEA Mandates
By Jill Morgan

The FCC last August mandated that providers of VoIP over broadband comply with CALEA by May 14, 2007. The deadline has come and gone, and the question now becomes: are providers CALEA-compliant, and what else can be expected?

“The Tier 1 telcos basically met the deadline,” says Dr. Jerry Lucas, President of TeleStrategies and founder of the ISS World Lawful Intercept Conference. However, he adds, “In my estimation, thousands of small VoIP operators, as well as many small rural independent telcos, have not.”

In the case of non-compliant telcos, if the FBI issues a subpoena or court order on an investigation and they can’t respond, Lucas believes the FBI will make an example of them. “Perhaps it gets hyped up in the news and the FCC clamps down with fines ($10,000 a day) or orders the provider to shut its doors,” he says. “In short, just like when the IRS catches a big fish cheating on taxes, they may choose to make an example out of them—the FCC will likely borrow a page from the IRS.”

On May 15, the day after the CALEA compliance deadline for VoIP over broadband, the Department of Justice filed for an expedited rulemaking on CDMA standards, because it believes the standard has deficiencies when it comes to CALEA. Specifically Justice has concerns over the J-STD-025-B standard for CDMA 2000. According to Lucas, “The DOJ waited until after the deadline to submit the filing to the FCC, because they didn’t want anything to interfere with the May 14th deadline.”

The original TIA/ATIS standard for CALEA compliance, known as J-STD-025, addressed circuit-switched voice. The FBI requested some modifications, and the new version of the standard became J-STD-025A. Then the wireless service providers introduced IP data services, thereby making 025A obsolete. Six years ago, TIA and ATIS began modifying 025A for CDMA 2000. Justice said that this didn’t make sense, because packet mode is different from circuit mode communications, and thus began a six-year paper trail identifying its issues with the TIA and ATIS standard.

Its latest petition, filed May 15, and the subsequent FCC public notice published May 25 should be on the radar screen of every telecom provider—not just CDMA-based wireless carriers. “The petition goes beyond just wireless—it is about IP services,” says Lucas.

Briefly, the DOJ wants the following capabilities addressed in the J standard. First, it wants capabilities for reporting packet activity. This includes the IP address of the target source and destination, port numbers and transport layer protocols used. The current J-025B standard only requires that the service provider specify when the target started an IP session and a little more.

Second, the department wants timing or time stamp information, which the current standard does not require for call identifying information (CII). For an IP intercept, court-ordered information is being gathered simultaneously from many locations—in contrast to the circuit-switched world, where CII is gathered in one place.

Third, Justice wants wireless providers to provide all available location information for a particular target. Currently they have precise location information (within 400 feet of a wireless caller’s location, for E-911 purposes), and some wireless operators provide location-based services. The current 025B standard only gives cell site location, which could say only, in essence, that a target is within a 10- to 100-square-mile area.

Finally, the DOJ is not satisfied with the security, performance and reliability capabilities of today’s 025B standard. Why? Because it mirrors the 025A circuit mode standard. Securely delivering a packet stream from a service provider’s network to a law enforcement agency’s monitoring center is complex. The process requires data leak prevention appliances to protect against insider threats or transfer errors. Regarding performance and reliability, if you lose several hundredths of a second of circuit-switched voice intercept, it is not noticeable; if you lose intercept packets sent from service provider equipment to the monitoring center, it likely makes the entire intercept worthless.

“This is a big deal for all U.S. service providers,” says Lucas. The only petition request that’s wireless-oriented is location information. Providers of VoIP over broadband that support nomadic service—for example, taking your VoIP-enabled laptop on the road—should be concerned with the DOJ petition as well.

In other regions of the world, by comparison, CALEA-style requirements and standardization are not an issue. In Europe, lawful intercept standards are developed by ETSI. In this process, the government plays a more active role. In the United States the FCC monitors the process, but the FBI in particular participates. “The only problem with FBI participation is that the standards groups (with a few exceptions such as PacketCable) virtually ignore the FBI’s input, resulting in FCC action [remaining] as previously described in the J Standard 025B,” says Lucas. The deficiencies DOJ identified in 025B, however, don’t exist for the most part in the ETSI standards, so most other nations’ governments are mandating the ETSI standard. The biggest exception is Latin America, where intercept laws are nearly non-existent.

Regarding tougher laws, the EU has stringent laws on call and electronic messaging data retention. As of September 15, 2007, EU service providers will have to retain call records (telephony, SMS, etc.) for six to 24 months, depending on the service. In the United States, the FCC only requires retention of toll records for 18 months, although other regulations govern customer proprietary network information, or CPNI.

Yet another difference is that in the United States, service providers select what lawful intercept equipment to buy, as well as which standard they wish to follow. But “in the Middle East, for example,” Lucas says, “the government dictates to the service provider what to buy, as well as requiring the service provider to pay for it.”

What About Skype?

Because Skype is encrypted, the service is obviously more difficult to monitor. “But that doesn’t make lawful intercept meaningless,” says Lucas. “Outside of the NSA, most law enforcement offices have given up trying to decrypt Skype. But it is still possible to determine who called whom via Skype. Besides, even if someone is using Skype, it can’t be guaranteed that someone else besides the person they are talking to isn’t listening, because there are clever ways to spoof the system and get the keys.” And lastly, although Skype service is free, it is also considered a telecom service, and most Western countries require telecoms to release encryption keys upon request. “My bet is eBay, who owns Skype, does just that,” says Lucas.

Why Executives Need to Pay Attention

Meeting the current CALEA mandates did require considerable time and investment for service providers, especially the larger carriers. If the FCC rules in favor of the DOJ’s proposed requirements, service providers will be required to invest in IP infrastructure, products and manpower. In addition, many in the industry speculate that Congress will mandate data retention laws similar to those in Europe, requiring massive data storage capabilities and the ability to handle a growing number of nonstandard data requests. Securing a large data store is a large investment.

According to Lucas, the No. 1 responsibility for a telecom’s security department is making sure that network and user information are secure from the company’s own employees, whether dishonest or disgruntled. “The insider threat is a big deal—just look at what happened with T.J. Maxx,” he adds, referring to the high-profile case of stolen credit card numbers. The new security risks would become far more complex under the DOJ’s desired mandates for cell user location information.

What’s more, “service providers may have no other choice but to automate subpoena requests, given the likelihood that LEA location requests would increase. Envision a situation where an employee was able to enter a cell number and have the location of that subscriber pop up on the screen. How valuable is that, to know the exact location of a key executive, or a courier whose job it is to transport diamonds?”

Other telecom executives, especially marketing staff, have to be concerned about the Justice filing as well. If marketing neglects to understand compliance issues, the service it’s promoting can become cost-prohibitive. Lucas points to the recent push-to-talk offerings from various CDMA providers. These operators saw the success of the PTT service from Nextel (now Sprint Nextel) and decided to offer their own. They did so by treating PTT as an information service and sending it over the wireless packet channel like other MMS services. With this service, customers could use their own PC to create buddy lists. However, supported by the FCC, law enforcement saw this as a phone service and subject to CALEA mandates. The problem for CDMA carriers is that they can intercept the target’s PTT session but have no idea who is receiving the messages, making the service non-compliant.

Down the road, it is likely that IP-based services will fall under lawful intercept requirements, especially if data retention legislation goes into effect. Service providers need to calculate in advance the data storage and retrieval required for any new service to understand its costs and price accordingly. In addition, marketing departments need to consider issues such as flat-rate services, usage-sensitive pricing, bundles and so forth. For example, if you sell a service that is usage-sensitive, you have to save call detail records as in long-distance toll service. If a service provider used deep packet inspection (DPI) technology to introduce tiered access pricing, would that provider then have to support P2P intercept subpoenas, because P2P can be intercepted with DPI technology with no additional infrastructure cost or design?

The FCC released the public notice of the Justice Department’s petition on May 25; initial replies are due by June 25. “Given past history,” says Lucas, “eventually the FCC will mandate all or some of these requests as part of CALEA.” Lucas will be conducting a free TeleStrategies Service Provider Club webinar for service providers on July 10 at 11 a.m. Eastern time for those interested in understanding the potential impact of the new DOJ requests. For complete agenda information and to register, go to http://www.serviceprovidersclub.com/.






Comments and feedback welcome, please email Jill Morgan at jmorgan@billingworld.com.
 
 
 
 
