U.S. gov't wiretapping laws and your network

CALEA. What is it, and what does it mean for your network? If the acronym for the Communications Assistance for Law Enforcement Act is familiar, chances are your organization has already done much decision-making regarding CALEA. If not, with the deadlines for reporting and compliance fast approaching, it's time to become familiar with CALEA and what implications it may have for the network you administer.

First, some background. Congress enacted CALEA in 1994. CALEA's purpose was to provide a way of intercepting voice communications from digital telephone networks to aid in Law Enforcement Agencies (LEA) in investigations.

In 2005, the FCC issued a First Report and Order on CALEA in response to a joint petition from the Department of Justice, FBI and Drug Enforcement Agency to expand CALEA intercept coverage to include providers of interconnected VoIP services. The First Report and Order required facilities-based Internet services and VoIP broadband providers to be compliant by May 14, 2007.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

CALEA. What is it, and what does it mean for your network? If the acronym for the Communications Assistance for Law Enforcement Act is familiar, chances are your organization has already done much decision-making regarding CALEA. If not, with the deadlines for reporting and compliance fast approaching, it's time to become familiar with CALEA and what implications it may have for the network you administer.

First, some background. Congress enacted CALEA in 1994. CALEA's purpose was to provide a way of intercepting voice communications from digital telephone networks to aid in Law Enforcement Agencies (LEA) in investigations.

In 2005, the FCC issued a First Report and Order on CALEA in response to a joint petition from the Department of Justice, FBI and Drug Enforcement Agency to expand CALEA intercept coverage to include providers of interconnected VoIP services. The First Report and Order required facilities-based Internet services and VoIP broadband providers to be compliant by May 14, 2007.

The FCC describes an intercept process whereby Call Identifying Information (CII) is extracted from the communications stream. However, the FCC is leaving the creation of CII standards to the communications industry. Once the requested information is obtained, it's sent to the requesting LEA.

On May 12, 2006, the FCC issued a CALEA Second Report and Order, which confirmed the feasibility of the compliance deadline and provided additional information, including reporting plans for networks covered by CALEA. According to an FCC Public Notice issued Dec. 14, 2006, networks that are not CALEA exempt must file a Monitoring Report (FCC Form 445) by Feb. 12, 2007. A second FCC Public Notice requires System Security and Integrity plans to be filed by March 12, 2007.

A consortium led by the American Council on Education (ACE) and Educause challenged the FCC's position that facilities-based Internet services and VoIP were covered under CALEA, arguing that they fell under the exempt category of Information Services. The U.S. Court of Appeals for the District of Columbia Circuit ruled in favor of the FCC 2-1 but did reaffirm that certain networks could be exempt.

The determination of what makes a network exempt, however, is not quite clear. A self-contained network that has absolutely no possible method to pass traffic to the Internet is clearly a private network and therefore not subject to CALEA. If an Internet connection was the sole CALEA determinant, the exempt/nonexempt question would not be an issue. However, that's not the case.

The CALEA tests

There are essentially two tests to determine whether or not a network connected to the Internet is exempt or not from CALEA. Note that this doesn't mean that the data is exempt from monitoring; it only aids in determining where the monitoring takes place.

The first question to answer is whether or not the network is private or not. As most corporate networks are not publicly accessible, they would be exempt from CALEA. On the other hand, an ISP by definition operates a large publicly accessible network and therefore would be expected to fall under CALEA.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.