CALEA Compliance Big Job for Carriers, Experts Say
Telecom companies have much work to do to comply with FCC CALEA rules by May 14, 2007, especially since some probably don’t understand the complex requirements, panelists said Thurs. on a USTelecom webinar. Developing a system to give law enforcement access to subscriber activity is hard because such data usually are distributed over multiple networks, said VeriSign Vp Raj Puri. Real time access to content requires quickly identifying and isolating all services a targeted subscriber uses, he said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Among the “gray areas” attorney Albert Gidari described: Whether ISPs are covered if they don’t provide their own broadband Internet access. Probably not, meaning Verizon would be covered by the requirements but a company that doesn’t own its “access component,” such as EarthLink, might not, Gidari said. Another area of uncertainty, he said, is whether gateway routers used by private networks are covered. In a recent decision upholding the FCC CALEA order, the U.S. Appeals Court, D.C., said that issue isn’t “ripe” for appeal, leaving the matter murky, said Gidari, who represented some parties in the appeal.
Another “open question” is how to discern between the duties of access and application providers when surveillance of VoIP is sought, Gidari said. “If the access provider has the primary obligation, what is the applications provider required to do?” he asked. Are there situations where an applications provider would have to modify its operations? Gidari asked.
A pending order will decide whether entities providing P2P or one-way VoIP can be exempted, Gidari said. The order will set criteria to weigh when making such a determination, but won’t list actual exemptions, he said. Providers will have to apply to the FCC for exemption, Gidari said. FCC discretion to include “electronic communications” under the CALEA mandate could extend to email, instant messaging, P2P and other forms, though DoJ hasn’t shown interest in P2P, he said.
Providers will have 2 ways to meet CALEA requirements, said VeriSign Regulatory Affairs Vp Tony Rutkowski. The “do- it-yourself” method has the provider hiring staff, setting up a security system and developing so-called capabilities that enable law enforcement to tap into communications services, he said. The other option is the “trusted 3rd party” method, in which providers give the project to outside firms. Hardware, software and interception gear costs can be high, VeriSign’s Puri said. Engineering and technical staffs must decide how to connect law enforcement to the network and ensure that infrastructure on which messages are being intercepted is “isolated” from outside access, he said.
The FCC has said companies can outsource many such tasks to a trusted 3rd party, said Puri, whose company does such work. In selecting a contractor, providers should be sure the company has good security, doesn’t require customers to change their network architecture and is financially stable, Puri said.