CALEA Statutory Provisions

CALEA
Communications Assistance For Law Enforcement Act
David Ward, Senior Attorney
Public Safety and Homeland Security Bureau, Policy
Division
March 20, 2008
Non-Public Information; For Internal
Use Only
1
Part I - CALEA Demystified
Description, Compliance Requirements, Compliance Relief, and Enforcement
What Is CALEA?
Legal and Regulatory Fundamentals
• Communications Assistance for Law Enforcement Act,
– Pub. L. No. 103-414, 108 Stat. 4279 (1994) (codified as amended
in sections of 18 U.S.C. and 47 U.S.C.).
• The CALEA Preamble:
– “AN ACT To amend title 18, United States Code, to make clear a
telecommunications carrier’s duty to cooperate in the interception
of communications for law enforcement purposes, and for other
purposes.”
• CALEA is an Enabling Statute
– Allows entities identified in other statutes to obtain lawful
electronic surveillance, e.g., Federal (Titles 18 and 50), and State
statutes.
• Why CALEA?
What Is CALEA?
Legal and Regulatory Fundamentals
• CALEA “Newspeak:”
– Electronic surveillance: generic term for electronic eavesdropping.
– Interception: generic term for electronic eavesdropping.
– Wiretap: physical connection to a target’s service, “pliers and
wires.”
– Content interception: intercepting the conversation.
– Two types of wiretaps:
• Content, or “Title III:” a lawfully-authorized content interception
obtained by a law enforcement agency (LEA).
• Call identification information: 47 USC § 1001(2), formerly known as
“trap, trace and pen register” wiretaps.
– Call-related records: Available to LEAs via other statutes but not
covered by CALEA.
CALEA Compliance
Legal and Regulatory Fundamentals
• What Entities must comply with CALEA?
– Statute: “Telecommunications Carriers,” as they are defined by 47
USC § 1001(8).
– Regulations: CALEA Second Report and Order; in general,
telecommunications carrier = common carrier
• Included: Common Carriers, Resellers, CMRS, VoIP Service
Providers, and Broadband Internet Access Providers
• Not included: PMRS not connected to PSTN as a common carrier,
Pay Telephone Providers, and Internet Services Providers (ISPs) that
do not provide VoIP or broadband Internet access services.
CALEA Compliance
Legal and Regulatory Fundamentals
• What Entities must comply with CALEA? (cont’d)
– 47 CFR § 102(8)(B)(ii): [CALEA includes] “a person or entity engaged in
providing wire or electronic communication switching or transmission
service to the extent that the Commission finds that such service is a
replacement for a substantial portion of the local telephone exchange
service and that it is in the public interest to deem such a person or entity
to be a telecommunications carrier for purposes of this title; but
– (c) does not include -
• (i) persons or entities insofar as they are engaged in providing
information services; and
• (ii) any class or category of telecommunications carriers that the
Commission exempts by rule after consultation with the AG”
CALEA Compliance
Legal and Regulatory Fundamentals
• What Entities must comply with CALEA? (cont’d)
– Second Report and Order:
• ¶ 29: “We do not believe it necessary at this time to identify by rule
additional classes of entities within CALEA’s definition of
telecommunications carrier, pursuant to section 102(8)(B)(ii), or to
exempt in our rules any classes pursuant to section 102(8)(C)(ii).
Moreover, we agree with the FBI that codification in our rules of a list
of examples would run the risk of being considered definitive rather
than merely illustrative. We therefore have decided not to adopt such
a list, as we had proposed in the NPRM.”
CALEA Compliance
Legal and Regulatory Fundamentals
• “System Security and Integrity” (SSI) requirements:
– Two statutory provisions: 47 USC §§ 1004 (CALEA section 105),
and 229 (CALEA section 301).
– CALEA section 105:
• Big change over pre-CALEA electronic surveillance
• “A telecommunications carrier shall ensure that any interception of
communications or access to call-identifying information effected within
its switching premises can be activated only in accordance with a
court order or other lawful authorization and with the affirmative
intervention of an individual officer or employee of the carrier acting
in accordance with regulations prescribed by the Commission.”
CALEA Compliance
Legal and Regulatory Fundamentals
• SSI requirements: (continued)
– 47 USC § 229:
• Requires the Commission to make rules to ensure SSI compliance, so
that carriers:
– require appropriate authorization to activate interception of
communications or access to call identifying information
– Prevent unauthorized interception
– Maintain secure and accurate records of interceptions, with or without
authorization
– Submit to Commission SSI policies and procedures
• Commission must review each carrier’s SSI plans
• First Report and Order contains SSI filing requirements
CALEA Compliance
Legal and Regulatory Fundamentals
• What constitutes capability compliance?
– Statute: 47 U.S.C. § 1002, CALEA section 103 “Assistance
Capability Requirements”
• Prescribes content interception requirements
– “concurrently to or from the subscriber’s equipment, facility, or service”
– “or at such later time as may be acceptable to the government”
• Prescribes call-identifying information requirements
– “before, during, or immediately after the transmission...or at a later time
as may be acceptable to the government”
– “in a manner that allows it to be associated with the communications to
which it pertains”
– The government determines the information format
CALEA Compliance
Legal and Regulatory Fundamentals
• What constitutes capability compliance? (continued)
– Statutory Limitations:
• Law enforcement agencies (LEAs) cannot require any specific design
of equipment, facilities, services, features, or system configurations.
• Excludes information services and decrypting services
• Excludes physical location info., except from telephone number
• Intercept must protect:
– Subscriber privacy
– Existence of surveillance
– Carriers may permit monitoring at carrier premises in emergencies
– Mobile carriers must provide the means for seamless taps.
CALEA Compliance
Legal and Regulatory Fundamentals
• What constitutes capability compliance? (continued)
– “Safe Harbor” provided by standards:
• Statute: 47 USC § 1006: technical requirements and standards; extension of
compliance date
• Compliance with an established CALEA standard will protect a carrier from
an enforcement action.
• 47 USC § 1006(a): Industry standards organizations must consult with FBI,
who must consult with state, local, and other federal LEAs, to guide the
standards development process.
• 47 USC § 1006(a)(3): Absence of standards no safe harbor.
• 47 USC § 1006(b): LEAs may petition the FCC for a standards ruling.
• 47 USC § 1006(c) (section 107(c)): Individual carriers may petition the FCC
for an extension of up to two years, if compliance “is not reasonably
achievable through application of technology.”
CALEA Compliance
Legal and Regulatory Fundamentals
• What constitutes capability compliance? (continued)
– CALEA Third Report and Order
• Adopted TIA J-STD-025 as the CALEA standard
• Ordered that TIA include an additional six capabilities, from the nine
“punch list” capabilities demanded by the FBI.
– FCC role in the CALEA standards process
• TIA J-STD-025 (“J” Standard)
• Safe harbor for carriers that use switching equipment built to comply
with J standard
• Third Report and Order,
CALEA Compliance
Legal and Regulatory Fundamentals
• What constitutes capability compliance? (continued)
– 47 USC § 1006(c), CALEA section 107(c): “Not reasonably
achievable” due to “availability of technology”
– 47 USC § 1008(b), CALEA section 109(b): “Not reasonably
achievable,” due to 11 statutory reasons.
CALEA Compliance
Legal and Regulatory Fundamentals
• How much intercept capacity must a carrier provide?
– 47 USC § 1003, CALEA section 104 “capacity requirements”
– The statute requires the Attorney General, who delegated CALEA
responsibility to the FBI, to develop “actual” and “maximum”
CALEA capacity requirements.
• Carriers must expand to the actual within three years of enactment.
• Carriers must expand to the maximum within four years of
enactment.
CALEA Compliance
Legal and Regulatory Fundamentals
• Who pays?
– Statutory schema:
• Capability requirements - carriers without “significant upgrades or
major modifications” before 1/1/95, will have CALEA capabilities
paid by the FBI. If the FBI refuses to pay, the carrier is deemed
compliant by operation of statute (47 USC § 1008(d)).
• Costs for CALEA capability compliance for equipment and software
purchases after 1/1/95, that constitute “major modification and
significant upgrade” must be borne by carriers.
• Bottom line: CALEA has been around for 14 years, so all new
network equipment for sale is CALEA-compliant and has been for
quite some time.
• Second CALEA R&O: Capital costs for CALEA compliance accrue
to the carrier.
CALEA Compliance
Legal and Regulatory Fundamentals
• By when?
– The original deadline was four years from the date of CALEA’s
enactment, or October 25, 1998.
– The FCC extended the original compliance date until June 30,
2000, on CALEA section 107(c) grounds; not reasonably
achievable due to the unavailability of compliant technology.
– FCC ordered an additional extension to 9/30/2000 for the six
punch list items approved by the Third Report and Order, and for
packet mode communications.
– Additional extensions were ordered to allow time for carriers and
manufacturers to field compliance solutions for VoIP and
Broadband Internet Access services providers. The deadline for all
compliance was 14 May 07.
CALEA Enforcement
Legal and Regulatory Fundamentals
• Who enforces?
– 47 USC § 229 requirements: FCC
• Full panoply of Title V enforcement mechanisms.
• Civil damages under 47 USC § 206. What if the entity is not a
common carrier?
– All other CALEA:
• FBI, pursuant to 47 USC § 1007, and 18 USC § 2522.
• FCC, for violations of Commission Rules
Part II - How Does CALEA Work?
Circuit Switched, Voice over Internet Protocol (VoIP), Broadband Access, and Industry-Specific Solutions
How Does CALEA Work?
The Concept of Mechanized Wiretapping
• Telecommunications Carrier CALEA Services
– Call Data Channel (CDC) for Call Identifying Information
– Call Content Channel (CCC) for Content Information
• No More “Pliers and Wires”
• Cooperation Among all Interested Parties
– Telecommunications Carriers - purchase and use only CALEA-compliant service providing equipment
– Telecommunications Equipment Manufacturers- design and build
into all telecommunications equipment CALEA compliance
– Law Enforcement Agencies (LEAs)
How Does CALEA Work?
Lawful intercept functions & ownership
[Diagram: lawful intercept functions grouped by owner]
– Law enforcement agency: Law Enforcement Administrative Function (LEAF) and Collection Function (CF)
– Voice service provider or trusted third party: Service Provider Administrative Function (SPAF) and Delivery Function (DF)
– Network service provider: Intercept Access Function or Point (AF/IAP), at the target subscriber’s service
– Legal order: passed from the law enforcement agency to the service provider
How Does CALEA Work?
Service provider lawful intercept functions in detail
• Service Provider Administration Function (SPAF)
– ADMF: Administration Function
– Provisions Target’s ID in AF
• Intercept Access Function/Point (AF/IAP)
– Intercepts Target’s communication unobtrusively
– Mirrors & forwards call content (media) to DF
– Collects & forwards call data (signaling related information) to DF
• Delivery Function (DF)
– Collects & delivers call content & data from AF to Law Enforcement CF
– Prevents unauthorized access, manipulation and disclosure of call content & data
[Diagram: the same functions-and-ownership figure as the previous slide: LEA (LEAF, CF), VSP/TTP (SPAF, DF), NSP (AF/IAP), legal order, target subscriber]
How Does CALEA Work? - Lawful intercept interfaces
• “a” interface: SPAF-AF provisioning
– Target number
– INI-1, X1
• “d” interface: AF-DF – call identifying information
– Signaling related information
– Call data events - Call Data Connection (CDC), INI-2
– Encapsulated SIP - Intercept Related Information (IRI), X2
• “d” interface: AF-DF - call content
– Media
– Call Content Connection (CCC), INI-3, X3
• “e” interfaces: handover to/from LEA
– HI-1: LEAF-ADMF - legal order provisioning
– CDC, HI-2: DF-CF – call data
– CCC, HI-3: DF-CF – call content
[Diagram: the functions figure with interface labels a, b, c, d and e drawn between LEAF, CF, SPAF, DF, AF/IAP and the target subscriber; only a, d and e are described in the bullets]
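As an added illustration of the function chain in the last three slides (not code from the deck, from a CALEA standard or from any vendor), the following Python model wires SPAF, AF and DF together and enforces the section 105 and 229 conditions: activation only under a lawful order still in force and with a named carrier employee’s intervention, delivery to the CF only for authorized orders, and a record of every activation attempt. The class and function names, the order format and the sample telephone numbers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed model of the deck's functions (SPAF, AF, DF); not code from any CALEA standard.
@dataclass
class LegalOrder:
    order_id: str
    target: str      # target subscriber identifier (telephone number)
    content: bool    # True: Title III content order; False: call-identifying information only
    expires: datetime
class DF:
    """Delivery Function: hands product to the LEA CF over HI-2/HI-3, refusing unauthorized deliveries."""
    def __init__(self):
        self.authorized, self.delivered = {}, []
    def deliver(self, order_id, interface, payload):
        if order_id not in self.authorized:
            return False
        self.delivered.append((order_id, interface, payload))
        return True
class AF:
    """Intercept Access Function: mirrors only the provisioned target's traffic to the DF."""
    def __init__(self, df):
        self.df, self.targets = df, {}
    def observe(self, call):
        for party in (call["from"], call["to"]):
            order = self.targets.get(party)
            if order is None:
                continue
            self.df.deliver(order.order_id, "HI-2", call["signaling"])  # CDC, INI-2
            if order.content:
                self.df.deliver(order.order_id, "HI-3", call["media"])  # CCC, INI-3
        return call  # the call itself is never modified (interception is unobtrusive)
class SPAF:
    """Service Provider Administrative Function: provisions the AF ('a' interface) and keeps the activation record."""
    def __init__(self, af, df):
        self.af, self.df, self.records = af, df, []
    def activate(self, order, operator, now):
        # Section 105: activate only under a lawful order still in force and with the affirmative
        # intervention of a named carrier employee; section 229: record every attempt, either way.
        ok = bool(operator) and now < order.expires
        self.records.append((now.isoformat(), order.order_id, operator, "ACTIVATED" if ok else "REJECTED"))
        if ok:
            self.af.targets[order.target] = order
            self.df.authorized[order.order_id] = order
        return ok
def run_demo():
    # Constructed scenario: one pen-register order in force, one expired content order.
    now = datetime(2008, 3, 20, tzinfo=timezone.utc)
    df = DF(); af = AF(df); spaf = SPAF(af, df)
    valid = LegalOrder("ORD-1", "2025550123", False, now + timedelta(days=30))
    expired = LegalOrder("ORD-2", "2025550199", True, now - timedelta(days=1))
    results = [spaf.activate(valid, "employee-42", now), spaf.activate(expired, "employee-42", now)]
    for caller in ("2025550123", "2025550199", "2025550555"):
        af.observe({"from": caller, "to": "2025550777", "signaling": "INVITE", "media": "RTP"})
    return results, df.delivered, spaf.records
```

Because the order in force is call-identifying only, the CF receives the INVITE on HI-2 and nothing on HI-3; the expired order is never provisioned, so that subscriber’s call and the unrelated third call are not delivered at all.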
Voice and video over IP – how it works
[Diagram: call setup and media between two endpoints]
– Signaling messages: SIP in UDP, TCP or SCTP; INVITE + SDP (media options), OK + SDP (media selection)
– Voice media flows: RTP in UDP, RTCP in UDP
– Video media flows
Types of interactive communications - voice, video, and messaging - over IP
• One tier (centralized) services
– Vonage, AT&T Callvantage, Primus Lingo, Pulver FWD
– Registration (authentication & authorization), presence & routing centralized
• Two-tier service
– Skype
– Registration – centralized
– Presence & routing distributed to subscriber endpoints – “supernode” with public IP address
• Peer-to-peer
– Users with global IP addresses
– No VoIP provider/ITSP
– Set up session peer-peer
Intercept requires right level of intelligence and active participation
[Diagram labels: “ITSP/VoIP provider responsible for intercept” beside the provider-based services and “Broadband ISP responsible for intercept” beside peer-to-peer. Each architecture is drawn with endpoints A and B on access networks AN1/AN2, an LEA, and the intercepting element: softswitch, router + softswitch, media gateway + softswitch, media server + softswitch, or session border controller (SBC) toward the PSTN; signaling messages, voice media flows and video media flows are drawn separately.]
Solution: Internet Telephony Service Provider
• Regulatory compliance – lawful intercept & emergency service (E911)
• Security – SBC DoS protection, access control, topology hiding & privacy, VPN separation, service infrastructure DoS prevention, fraud prevention
• Service reach – adaptive NAT traversal; SIP, SIP-H.323 IWF; OLIP/VPN bridging; interworking: transport & encryption protocols
• SLA assurance – admission control: session agent load, bandwidth; peer-peer media release; app/media server load balancing; QoS reporting
• Revenue & profit protection – routing, accounting
[Diagram: ITSP data center (databases, accounting) with SIP toward the Internet and a managed net, SIP/H.323 toward the PSTN; signaling and media paths drawn separately]
Solution: Facilities-based HIP IC services – business & residential
• Regulatory compliance – lawful intercept & emergency service
• Security – SBC DoS protection, access control, topology hiding & privacy, VPN separation, service infrastructure DoS prevention, fraud prevention
• Service reach – SIP, MGCP/NCS, H.248, SIP-H.323 PBX IWF; adaptive NAT traversal; OLIP/VPN bridging; interworking: transport & encryption protocols; surrogate registration IP PBX & IAD endpoints
• SLA assurance – admission control: session agent load, bandwidth, policy server, QoS metrics; peer-peer media release; QoS marking/mapping; QoS reporting
• Revenue & profit protection – bandwidth policing, QoS theft protection, accounting, session timers
[Diagram: access networks (DSL, cable, MPLS VPN, Frame/LL) carrying SIP, H.248, MGCP and H.323 into the provider; signaling and media paths drawn separately]
Solution: Universities
• Regulatory compliance – lawful intercept
• Security – access control (FW), topology hiding (NAPT), privacy, VPN separation, IP PBX/endpoint DoS prevention, SBC DoS protection
• SLA assurance – admission control: IP PBX/SIP server constraints, bandwidth; QoS marking/VLAN mapping – voice vs. video; QoS reporting, bandwidth policing, accounting
• Service reach - VPN/OLIP bridging, SIP-H.323 interworking, adaptive NAT traversal
[Diagram: university network with an H.323 or SIP PBX and SIP endpoints/server; SRTP pass-thru; SIP/TLS to SOHO users over the Internet; managed SIP services providing IP access to PSTN, hosted services, IP extranet and other IP subscribers]
Part III - What’s Next?
Pending CALEA Activity
• Records Management
– Mechanized System to Support the FBI with Accurate
and Complete SSI Plan 7X24 Contact Information
• FBI/DOJ/DEA CDMA 2000 Standards Deficiency
Petition
– Draft NPRM
• Adjudicate Section 107(b) and 109(b) Relief
Petitions