By Art Reisman – CTO – www.netequalizer.com
It has been 4 years since the most recent round of CALEA laws took effect. At the time, our phones rang off the hook for several days with calls from various small ISPs worrying that they were going to be shut down if they did not invest in a large expensive CALEA compliant device.
Implementation of the law was open to interpretation.
Confusion over what CALEA was, stemmed from the fact that the CALEA laws themselves do not contain a technical specification. In essence, they are just laws. Suppose the Harvard Law school became the front end design team for all projects in Harvard’s engineering school. Lawyers write laws, not engineering specifications. And so it was with CALEA, congress wrote a well intended law, but the implementation and enforcement part had to be interpreted. The FBI took the lead and wrote an extremely detailed specification as to what they wanted. The specification covered every scenario possible and thus the scope was costly to implement. Vendors willingly took the complex FBI specification to heart as part of the actual law, and built out high dollar CALEA certified devices. As vendors will do, their sales teams ran with it as gospel and spread fear in order to sell expensive equipment with large margins. Fortunately calmness prevailed at some point, and the FBI consultants worked with us and some of the smaller ISPs on a reasonable scaled down version of their CALEA requirements.
Ironically, even the current law has now become problematic for the FBI and they are requesting additional requirements.
The complexity of implementing the new CALEA laws are a reflection of the way we communicate with the Internet.
Prior to the Internet, the wire tap precedent for old phone systems was much simpler to implement. And, I suspect this simplicity played a role in the surprise confusion implementing an updated law. Historically a wire tap was just a matter of arriving at the central office with a search warrant and a tapping device, a wire splice, then listening in on a customer phone call. The transition of the law to implementation was fairly obvious.
Today there are many more things to consider when tracking end users:
- users with bad intentions can move from location to location (library to Internet cafe), data taps must be immediate, law enforcement
cannot always wait a day for search Warrant to be effective
- users often send and receive encrypted data that cannot easily be tapped into
- Addressing schemes are dynamically allocated and do not always allow a provider to identify a particular user
- there are intermediate web sites that can hide a users identity
We expect the CALEA debate and what it entails to continue for quite some time.