CALEA: A Look Back and Forward

By Art Reisman – CTO –

Art Reisman CTO

It has been 4 years since the most recent round of CALEA laws took effect. At the time, our phones rang off the hook for several days with calls from various small ISPs worrying that they were going to be shut down if they did not invest in a large expensive CALEA compliant device.

Implementation of the law was open to interpretation.

Confusion over what CALEA was, stemmed from the fact that the CALEA laws themselves do not contain a technical specification. In essence, they are just laws. Suppose the Harvard Law school became the front end design team for all projects in Harvard’s engineering school. Lawyers write laws,  not engineering specifications. And so it was with CALEA, congress wrote a well intended law, but the implementation and enforcement part had to be interpreted. The FBI took the lead and wrote an extremely detailed specification as to what they wanted. The specification covered every scenario possible and thus the scope was costly to implement. Vendors willingly took the complex FBI specification to heart as part of the actual law, and built out high dollar CALEA certified devices. As vendors will do, their sales teams ran with it as gospel and spread fear in order to sell expensive equipment with large margins. Fortunately calmness prevailed at some point, and the FBI consultants worked with us and some of the smaller ISPs on a reasonable scaled down version of their CALEA requirements.

Ironically, even the current law has now become problematic for the FBI and they are requesting additional requirements.

The complexity of implementing the new CALEA laws are a reflection of the way we communicate with the Internet.

Prior to the Internet, the wire tap precedent for old phone systems was  much simpler to implement. And, I suspect this simplicity played a role in the surprise confusion implementing an updated  law. Historically a wire tap  was just a matter of arriving at the central office with a search warrant and a tapping device, a wire splice, then listening in on a customer phone call. The transition of  the law to implementation was fairly obvious.

Today there are many more things to consider when tracking end users:

  • users with bad intentions can  move from location to location (library to Internet cafe), data taps must be immediate, law enforcement
    cannot always wait a day for search Warrant to be effective
  • users often send and receive encrypted data that cannot easily be tapped into
  • Addressing schemes are dynamically allocated and do  not always allow a provider to identify a particular user
  • there are intermediate web sites that can hide a users identity

We expect the CALEA debate and what it entails to continue for quite some time.

NetEqualizer Bandwidth Shaping Solution: Telecom, Satellite Systems, Cable, and Wired and Wireless ISPs

In working with Internet providers around the world, we’ve repeatedly heard the same issues and challenges facing network administrators. Here are just a few:

Download ISP White Paper

  • We need to support selling fixed bandwidth to our customers.
  • We need to be able to report on subscriber usage.
  • We need the ability to increase subscriber ratio, or not have a subscriber cutback, before having to buy more bandwidth.
  • We need to meet the varying needs of all of our users.
  • We need to manage P2P traffic.
  • We need to give VoIP traffic priority.
  • We need to make exemptions for customers routing all of their traffic through VPN tunnels.
  • We need a solution that’s low cost, low maintenance, and easy to set up.
  • We need a solution that will grow with our network.
  • We need a solution that will meet CALEA requirements.

In this article, we will talk about how the NetEqualizer has been used to solve these issues for Internet providers worldwide.

Download article (PDF) ISP White Paper

Read full article …

Top Six Fear-Driven Network Equipment Purchases

Fear is one of our most primal survival instincts.  But, as such, sales people around the world have made a business out of selling their products on fear and making  them out to be a necessity for survival. Below, we will highlight some of the current and historical fear-based triggers used to push oftentimes unneeded items with respect to the networking industry.

1) CALEA compliance — A little over a year ago, we were besieged by frantic inquiries from many of our ISP customers about the need to do something for the new CALEA laws.  Basically, these are laws that require data carriers to provide access to law enforcement agencies upon receipt of a judge’s order.

We spent the next few months researching what the intent of the CALEA laws were, and what that meant to our customers.   Yes, CALEA is a real law with teeth, but it was intended to help law enforcement agencies track criminals using data networks, not force ISPs into bankruptcy.

There are some low cost options available to operators wanting to conform, so before you break the bank, do some research.  But, also be aware, as somewhere along the line CALEA became the Next Y2k fear-driven windfall for unscrupulous networking sales reps. Familiarize yourself with what you need and then find a product that works for you. While we were more than happy to help users of our products comply, we felt than an informed customer was more important that one that was simply panicked and afraid.  More info on the NetEqualizer approach to CALEA compliance.

2) Secure credit card transmission over the Internet — In short, credit information becomes the most unsecured  once it reaches  a corporate database. A hacker or employee with bad intentions is many times more likely to lift credit card information from a fixed database rather than in transit over the Internet. Therefore, the paranoia that abounds over submitting a credit card to Web a site for fear of transmission piracy is way out of proportion to the actual risk.

Consumers will gladly hand their credit card off to a random strangers behind the cash register at a brick and mortar establishment, but for some reason, submitting your credit card to a Web site creates an unacceptable risk for many. This fear has given rise to a cottage industry around secure Internet transmission. The bottom line is that stealing a credit card in transit over the Internet would take extreme patience and inside help from a carrier. To top it off, the credit card issuers have mastered the art of shutting off your card at the first sign of any anomaly (at great inconvenience to their customers in many cases, but worth it in a true emergency).  However despite the relative lack of risk, there is a significant amount of money and technology spent on securing merchant sites.

Related article “Do we really need SSL

3) Y2k — This is an old one, and yes, there were some critical systems out there that might have suffered. My firsthand personal experience from that  time was just a wake-up call. My employer had me doing Y2k upgrades to our product line and the scare pushed our sales to their biggest year ever.  However, within 3 years revenue had dropped 65 percent. Perhaps we should have been doing real product improvements?

4) Virus protection for your laptop — Yes, viruses are real and they attack all the time, but I simply just save off my critical files daily and re-load my windows box when I get a virus.  I prefer this method over being a slave to a Norton pop-up  box.  You can also convert to MAC or Linux desktop, which seem to carry some form of natural immunity. New York Times writer Paul Boutin agrees in this recent article.

5)  Lack of technology for our schools — Yes, there is some level of computer literacy required in the work force today, however, with the billions (trillions?) spent by schools today, you’d think there might be some increase in standardized test scores. I’d much rather see the money spent on increasing teacher salaries and smaller class sizes, even if it meant learning to calculate on an abacus. Training the mind to think and reason critically is a skill for life that transcends technology and requires encouragement and challenge from teachers.

6) Uninterruptable Power Supply (UPS) — I almost gagged when I read the blurb  below from a UPS sales VP from a trade rag. Originally, I was thinking of including UPS power supplies on my list, but I had no evidence that they were being miss represented. And, yes, in many situations a good UPS will save your computer and computer center from crashing, so please understand they are important pieces of equipment for a data center. But, the context below confirmed my suspicion.  The lead touts ways to speed up network performance, essentially implying that if your network is slow, you need UPS servers to correct it!

Are their desktops locking up every time someone runs the microwave oven? “If VARs aren’t selling UPSs [uninterruptible power supplies] with each new server or desktop, they are doing their customers an injustice, and they may be leaving money on the table,” says ….. name and company omitted.

This quote and full  article is written to infer that your desktop computer and network may run “slow” because of a lack of power. The fact is, your computer will crash hard if  power drops below a fixed tolerance. It is not an electric motor that winds down slowly. It is either on or off. A UPS prevents crashes due to lack of power, but it will not make your network faster or more efficient.

The point of this article isn’t to completely discount the six issues discussed above, but rather to provide some context. In many cases, fear is based on a lack of knowledge and understanding. Therefore, the problems mentioned here may not necessarily be best solved with one tech product or another, but instead could be remedied by a little bit of research. As a consumer, doing your homework goes a long way.

NetEqualizer Announces Low-Cost CALEA Probe for Mid-Level ISPs

LAFAYETTE, Colo., May 18, 2007 — APconnections, a leading supplier of plug-and-play bandwidth shaping products and creator of the NetEqualizer, today announced an upgrade that will allow operators to perform the necessary data reporting measures mandated by the Communications Assistance for Law Enforcement Act, or CALEA.

“We already had a great bandwidth shaping tool dispersed in networks around the world. It was a natural extension to add CALEA functionality with our equipment already in place,” said Art Reisman, CEO of APconnections. “Rather than watch our customers purchase CALEA specific solutions at what seem to be inflated prices, we have produced a functional CALEA probe that meets the spirit of the law at no extra cost to our existing customers.”

The NetEqualizer CALEA probe will allow an ISP or other system operator to comply with a basic warrant for information about a user on their network by capturing and sending IP communications in real time to a third party. This communication can be captured either by headers alone, or by both headers and content. The NetEqualizer probe will provide basic descriptive tags identifying headers, data, and time stamps, along with HEX or ASCII representation of content data.

Customers with current NetEqualizer Software Subscriptions (NSS) can implement the upgrade at no charge. This will be done with the assurance that the NetEqualizer’s bandwidth-control capabilities will continue to operate effectively and unabated. All future NetEqualizer models will be shipped with the upgrade already installed.

The NetEqualizer is a plug-and-play bandwidth control and WAN/Internet optimization appliance that is flexible and scalable. When the network is congested, NetEqualizer’s unique “behavior shaping” technology gives priority to latency sensitive applications, such as VoIP and email. It does it all dynamically and automatically, improving on other bandwidth shaping technology out there. It controls network flow for the best WAN optimization.

CALEA Update

CALEAAs promised, NetEqualizer is now offering the utilities necessary to meet requirements set forth this month by CALEA, or the Communications Assistance for Law Enforcement Act. This law oversees telecommunication security and has now been expanded to Internet security. There are some fairly harsh federal penalties for noncompliance that became effective May 1.

In the spirit of protecting our nation, the mission is not to make life miserable and expensive for operators and thwart communications, but rather to give the FBI and homeland security tools to wire tap (if we can borrow the term) Internet conversation on a moment’s notice. We suspect it would be a rare occurrence for a small WISP to receive a warrant to comply, but it would be potentially devastating to security should the means to monitor conversation not be available.

The following updated Q&A will address NetEqualizer’s capabilities in reference to CALEA compliance.

1. Functionally, what does the Netequalizer CALEA release provide?

We provide a network probe with the following capabilities:

  • It will allow an ISP or other operator to comply with a basic warrant for information about a user by capturing and sending IP communications in real time to a third party.
  • Communication may be captured by headers or headers and content.

2. In what format is the data portion sent to a law enforcement agency?

We will provide basic descriptive tags identifying headers, data, and time stamps, along with HEX or ASCII representation of content data.

3. Do you meet the standards of the receiving law enforcement agency?

The law and specifications on “how” to deliver to a law enforcement agency are somewhat ambiguous. The FBI has created some detailed specifications, but the reality is that there are some 40,000 law enforcement agencies and they are given autonomy on how they receive data. We do provide samples on how to receive NetEqualizer-captured data on a third party server, but are unable to guarantee definite compliance with any specific agency.

4. Does the NetEqualizer do any analysis of the data?

No. We are only providing a probe function.

5. Is the NetEqualizer release fully CALEA compliant?

Although the law (see CALEA sections 103 and 107(a)(2)) is fairly specific on what needs to be done, the how is not addressed to any level of detail to which we can engineer our solution. Many people are following the ATIS specification which was put forth by the FBI, and we have read and attempted to comply with the probe portion of that specification. But, the reality is that there is no one agency given the authority to test a solution and bless it as compliant. So, if faced with a warrant for information, the law enforcement agency in charge may indeed want something in slightly different formats. If this is the case, there may be additional consulting.

As best we can tell at this time, there is no one government agency that can fully declare our technology CALEA compliant. However, we do pledge to work with our customers should they be faced with a warrant for information to adjust and even customize our solution; however additional fees may apply.

For more information on NetEqualizer and CALEA, visit our extended Q&A page at Additional information on CALEA itself can be found at

NetEqualizer and CALEA: A Short Q&A

What is CALEA?

CALEA, or the Communications Assistance for Law Enforcement Act, is the law that oversees telecommunication security which has now been expanded to Internet security. The FBI has been working to specify what is expected of wired and wireless ISPs, which has yet to be released in final form. There are some fairly harsh federal penalties for noncompliance that become effective in May 2007 (the stick). In the spirit of protecting our nation, the mission is not to make life miserable and expensive for operators and thwart communications, but rather to give the FBI and homeland security tools to wire tap (if I can borrow the term) Internet conversation on a moment’s notice.  I suspect it would be a rare occurrence for a small WISP to receive a warrant to comply, but it would be potentially devastating to security should the means to monitor conversation not be available. In the words of a consultant working for CALEA and the FBI, here is the verbatim minimal requirement as we obtained via e-mail in order to determine our obligations as a Network Tool supplier.

Norm wrote:

“Basically, an interception warrant would need to isolate and capture all communications to or from the subject of the warrant.  The warrant could specify that only header information is to be provided (i.e., a Pen Register/Trap and Tracee) or that header information and communications content should both be provided. “The Packet Technologies and Services Committee (PTSC) has developed standard ATIS-1000013.2007 for CALEA compliance for landline ISPs (including WiFi and WiMAX). Unfortunately, ATIS has not yet posted the standard on its web site (”

Our promise to our customers will be to provide a minimal compliance utility on our NetEqualizer Platform and support these utilities without adding additional cost to the product, if possible.

Below is a Q&A regarding our plans.

When will the NetEqualizer CALEA compliance module be available?

We will have a “best effort” unit available for trial as of May 1. We caveat this as best effort because there may be some lag time to comply exactly with the requirement once the requirement is finalized and posted. However, there is enough information right now to get close to compliance, which is what we plan to do.

Will there be any additional cost?

At this time all customers with current NSS (software upgrade licenses) will not be charged. The NSS license for one year runs approximately 10 percent of the purchase cost of a new unit. Typically this would be in the $200 to $300 range.

Will the CALEA module ship with newly purchased units?

Yes, in fact any units purchased after March 20 will be eligible to receive the upgrade at no extra cost.

Will the upgrade cost for the CALEA module always remain the same?

We cannot promise a fixed price for future upgrades. If the complexity of this feature gets “out of hand,” we may have to label a “nonstandard” upgrade and charge, essentially making it a new product rather than an upgrade and charge accordingly.At this time our plans are to keep it as a standard upgrade.

Will the standard NetEqualizer feature and the CALEA utility run on the same hardware at the same time?

Due to the sensitive nature of the information should a warrant be requested for a tap, we have decided it would be best to focus on getting the stream to the federal agency. For this reason, the NetEqualizer will fall back to standard bridge mode. Obviously this may slow or degrade service to all customers, however this will be a rare event if ever and we’d rather do it this way than force customers to purchase an all new standalone appliance.

Additional Questions… If you have any questions please, contact us at or 1-888-287-2492. For additional information on CALEA, visit

%d bloggers like this: