Download - Impact of CALEA on Network Operators

1© 2000, Cisco Systems, Inc. CALEA_NANOG_2000_0611.ppt

Impact of CALEA on Impact of CALEA on Network OperatorsNetwork Operators

What it is and what it ain’tWhat it is and what it ain’tChip Sharp

Cisco System, [email protected]

Disclaimer: The views expressed herein may not reflect the views of my employer or anyone else associated with me. :-)

2CALEA_NANOG_2000_0611.ppt © 2000, Cisco Systems, Inc.

What is it?What is it?

• CALEA: Communications Assistance for Law Enforcement Agencies Act (1994)

47 USC §1001, CALEA §102

• Requirements for Carriers to Assist Law Enforcement in Carrying out Wiretaps


What is it not?What is it not?

• CALEA does not grant Law Enforcement new authority for wiretaps

Caveat: “new authority” is a matter of interpretation


Congressional IntentCongressional Intent

"(1) to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts;

(2) to protect privacy in the face of increasingly powerful and personally revealing technologies; and

(3) to avoid impeding the development of new communications services and technologies.”

- H.R. Rep. No. 103-827, 103d Cong., 2d Sess. (1994)


Surveillance LawsSurveillance Laws

• Title III of the Omnibus Crime Control and Safe Streets Act of 1968

• Electronic Communications Privacy Act of 1986

• The Foreign Intelligence Surveillance Act of 1978


TerminologyTerminology

• Telecommunications Carrier

• Telecommunications Service

• Information Service

• Call Identifying Information

• Electronic messaging

• Safe Harbor standard


Information ServiceInformation Service

“(6) The term ‘information services’--

(A) means the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications; and

(B) includes--

(i) a service that permits a customer to retrieve stored information from, or file information for storage in, information storage facilities;

(ii) electronic publishing; and

(iii) electronic messaging services; but


Information Service (cont.)Information Service (cont.)

(C) does not include any capability for a telecommunications carrier's internal management, control, or operation of its telecommunications network.”

- from Communications Assistance for Law Enforcement Act


Electronic MessagingElectronic Messaging

“(4) The term ‘electronic messaging services’ means software- based services that enable the sharing of data, images, sound, writing, or other information among computing devices controlled by the senders or recipients of the messages.”



Telecommunications CarrierTelecommunications Carrier“(8) The term ‘telecommunications carrier’--

(A) means a person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; and

(B) includes--

(i) a person or entity engaged in providing commercial mobile service (as defined in section 332(d) of this title); or

(ii) a person or entity engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of this chapter; but”



Telecommunications Carrier Telecommunications Carrier (cont.)(cont.)

“(C) does not include--

(i) persons or entities insofar as they are engaged in providing information services; and

(ii) any class or category of telecommunications carriers that the Commission exempts by rule after consultation with the Attorney General.”



Telecommunications ServiceTelecommunications Service

This page intentionally left blank


Call Identifying InformationCall Identifying Information

“(2) The term ‘call-identifying information’ means dialing or signaling information that identifies the origin, direction, destination, or termination of each communication generated or received by a subscriber by means of any equipment, facility, or service of a telecommunications carrier.”



Safe Harbor StandardsSafe Harbor Standards

“...publicly available technical requirements or standards adopted by an industry association or standard-setting organization, or by the Commission under subsection (b) of this section, to meet the requirements of section 1002 of this title.”



Types of SurveillanceTypes of Surveillance

• Pen Register

Phone numbers of people that target is calling

• Trap and Trace

Phone numbers of people calling target

• Full content of call

Title III

FISA


Requirements on Carrier Requirements on Carrier EquipmentEquipment

• Provide LEA access to intercept

All wire and electronic communications to/from target

Call Identifying information

Correlation

• Minimize Interference with service

• Protect privacy


LimitationsLimitations

• Do not deliver location information

• Information Services not included

• Private networks not included

• No decryption required

Unless Service Provider has keys

• Protect privacy of non-targets


Current Standards EffortsCurrent Standards Efforts

• TIA: J-STD-025(a)

Telephony & Packet Data

• PacketCable(TM)

Cable Telephony (VoIP)

• PCIA: Paging

• IETF: Declined to play

Published RFC2804 (Raven)


J-STD-025 Packet Data J-STD-025 Packet Data • Two Methods for Delivery

Call Data Channel

Call Content Channel

• Only IP definition is for Wireless IP

However scope is vague.

• Current solution for Pen Register & Trap and Trace -> Send all packets and let LEA sort them out.


FCC Third Report & OrderFCC Third Report & Order

• Released by FCC August 31, 1999

• Responded to FBI requests

e.g., Location ID is required

• Invited TIA to provide report on packet data surveillance by September 30, 2000

• Compliance deadline for delivery of packet data using J-STD-025: 9/30/2001


USTA vs. FCCUSTA vs. FCC

• USTA, et. al. filed suit opposing third report and order

Punch list items (e.g., Location)

Packet Data solution in J-STD-025

Sending all data violates privacy protection provision in CALEA

• Initial arguments heard 5/18/2000

• Court will probably advise FCC to reconsider its position


TIA Joint Experts MeetingTIA Joint Experts Meeting

• Technical Fact-Finding Body

• Determine feasibility of delivering less than the full content of a packet to a law enforcement agency (LEA) in response to a pen register or trap and trace court order

• Provide input to TIA for report to FCC by Sept. 30, 2000


Scope of JEMScope of JEM

• Many packet technologies: TDMA/CDMA/PCS/GSM/CDPD/X.25/ ISDN/ATM/Frame Relay/IP/others

• Does not include

legal issues

interpretation of FCC orders

impacts of encryption other than how it affects ability to deliver less than full content of packet


Status of JEMStatus of JEM

• First JEM held 5/3-5Most participants from Wireless industry

Not much input from ISPs

Meeting Report: http://www.tiaonline.org/standards/CALEA_JEM/45053125.pdf

Current Draft JEM Report http://www.tiaonline.org/standards/CALEA_JEM/45053126.pdf

• Second JEM scheduled 6/27-29http://www.tiaonline.org/standards/CALEA_JEM/


Status of JEM - Main PointsStatus of JEM - Main Points

• Separating “Information Service” from “Telecommunications Service” impossible unless carrier is providing the service

• Two scenarios identified

Service Provider offering Call Management Services (e.g., SIP server)

Service Provider offering IP transport

• Technology dependent appendices


Personal ConclusionsPersonal Conclusions

• Separating IP header info from content is technically feasible

• Reliably identifying application in packet as telecom or information service is not technically feasible

• Increasing line speed & encryption aggravate (or improve) the situation

• New operating procedures to reply to warrants


Other Personal ConclusionsOther Personal Conclusions

• Tradeoff between protecting privacy and burden on ISP

• Seizing stored communications vs. communications in transit (wiretap)

• Who will be the test case?

• Nobody really knows what the end result will be.


ReferencesReferences

• How wiretaps are done: http://www.cpsr.org/cpsr/privacy/communications/wiretap/denning_wiretap_procedure_paper.txt

• Overview of Wiretap law: http://www.nap.edu/readingroom/books/crisis/D.txt

• CALEA text: http://techlawjournal.com/agencies/calea/47usc1001.htm

• TIA CALEA page: http://www.tiaonline.org/standards/CALEA_JEM/

• FCC CALEA Page: http://www.fcc.gov/wtb/csinfo/calea.html

• FBI CALEA page: http://www.fbi.gov/programs/calea/overview.htm

• ETSI Lawful Intercept: http://www.etsi.org/technicalactiv/li.htm

• EPIC Wiretap pages: http://www.epic.org/privacy/wiretap/

• CTIA Comments on FCC Third Report and Order: http://www.wow-com.com/lawpol/filing/Body.cfm?Reg_ID=196

• CDT Wiretap page: http://www.cdt.org/digi_tele/

• CDT Privacy page: http//www.cdt.org/privacy/plif.shtml

• USTA/CDT brief on CALEA challenge:

• Brief of EPIC, ACLU, and EFF: http://techlawjournal.com/courts/ustavfcc/20000120.htm

• IETF RAVEN RFC: ftp://ftp.isi.edu/in-notes/rfc2804.txt


AcknowledgmentsAcknowledgments

• The following people either provided comments or I used their presentations for material:

Al Gidari: g-savvy.com

Terri Brooks: Nokia

Peter Musgrove: AT&T