290 likes | 399 Views
Impact of CALEA on Network Operators. Chip Sharp Cisco System, Inc. chsharp@cisco.com. What it is and what it ain’t. Disclaimer: The views expressed herein may not reflect the views of my employer or anyone else associated with me. :-). What is it?.
E N D
Impact of CALEA on Network Operators Chip SharpCisco System, Inc. chsharp@cisco.com What it is and what it ain’t Disclaimer: The views expressed herein may not reflect the views of my employer or anyone else associated with me. :-)
What is it? • CALEA: Communications Assistance for Law Enforcement Agencies Act (1994) • 47 USC §1001, CALEA §102 • Requirements for Carriers to Assist Law Enforcement in Carrying out Wiretaps
What is it not? • CALEA does not grant Law Enforcement new authority for wiretaps • Caveat: “new authority” is a matter of interpretation
Congressional Intent "(1) to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts; (2) to protect privacy in the face of increasingly powerful and personally revealing technologies; and (3) to avoid impeding the development of new communications services and technologies.” - H.R. Rep. No. 103-827, 103d Cong., 2d Sess. (1994)
Surveillance Laws • Title III of the Omnibus Crime Control and Safe Streets Act of 1968 • Electronic Communications Privacy Act of 1986 • The Foreign Intelligence Surveillance Act of 1978
Terminology • Telecommunications Carrier • Telecommunications Service • Information Service • Call Identifying Information • Electronic messaging • Safe Harbor standard
Information Service “(6) The term ‘information services’-- (A) means the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications; and (B) includes-- (i) a service that permits a customer to retrieve stored information from, or file information for storage in, information storage facilities; (ii) electronic publishing; and (iii) electronic messaging services; but
Information Service (cont.) (C) does not include any capability for a telecommunications carrier's internal management, control, or operation of its telecommunications network.” - from Communications Assistance for Law Enforcement Act
Electronic Messaging “(4) The term ‘electronic messaging services’ means software- based services that enable the sharing of data, images, sound, writing, or other information among computing devices controlled by the senders or recipients of the messages.” - from Communications Assistance for Law Enforcement Act
Telecommunications Carrier “(8) The term ‘telecommunications carrier’-- (A) means a person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; and (B) includes-- (i) a person or entity engaged in providing commercial mobile service (as defined in section 332(d) of this title); or (ii) a person or entity engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of this chapter; but” - from Communications Assistance for Law Enforcement Act
Telecommunications Carrier (cont.) “(C) does not include-- (i) persons or entities insofar as they are engaged in providing information services; and (ii) any class or category of telecommunications carriers that the Commission exempts by rule after consultation with the Attorney General.” - from Communications Assistance for Law Enforcement Act
Telecommunications Service This page intentionally left blank
Call Identifying Information “(2) The term ‘call-identifying information’ means dialing or signaling information that identifies the origin, direction, destination, or termination of each communication generated or received by a subscriber by means of any equipment, facility, or service of a telecommunications carrier.” - from Communications Assistance for Law Enforcement Act
Safe Harbor Standards “...publicly available technical requirements or standards adopted by an industry association or standard-setting organization, or by the Commission under subsection (b) of this section, to meet the requirements of section 1002 of this title.” - from Communications Assistance for Law Enforcement Act
Types of Surveillance • Pen Register • Phone numbers of people that target is calling • Trap and Trace • Phone numbers of people calling target • Full content of call • Title III • FISA
Requirements on Carrier Equipment • Provide LEA access to intercept • All wire and electronic communications to/from target • Call Identifying information • Correlation • Minimize Interference with service • Protect privacy
Limitations • Do not deliver location information • Information Services not included • Private networks not included • No decryption required • Unless Service Provider has keys • Protect privacy of non-targets
Current Standards Efforts • TIA: J-STD-025(a) • Telephony & Packet Data • PacketCable(TM) • Cable Telephony (VoIP) • PCIA: Paging • IETF: Declined to play • Published RFC2804 (Raven)
J-STD-025 Packet Data • Two Methods for Delivery Call Data Channel Call Content Channel • Only IP definition is for Wireless IP • However scope is vague. • Current solution for Pen Register & Trap and Trace -> Send all packets and let LEA sort them out.
FCC Third Report & Order • Released by FCC August 31, 1999 • Responded to FBI requests • e.g., Location ID is required • Invited TIA to provide report on packet data surveillance by September 30, 2000 • Compliance deadline for delivery of packet data using J-STD-025: 9/30/2001
USTA vs. FCC • USTA, et. al. filed suit opposing third report and order • Punch list items (e.g., Location) • Packet Data solution in J-STD-025 • Sending all data violates privacy protection provision in CALEA • Initial arguments heard 5/18/2000 • Court will probably advise FCC to reconsider its position
TIA Joint Experts Meeting • Technical Fact-Finding Body • Determine feasibility of delivering less than the full content of a packet to a law enforcement agency (LEA) in response to a pen register or trap and trace court order • Provide input to TIA for report to FCC by Sept. 30, 2000
Scope of JEM • Many packet technologies: TDMA/CDMA/PCS/GSM/CDPD/X.25/ ISDN/ATM/Frame Relay/IP/others • Does not include • legal issues • interpretation of FCC orders • impacts of encryption other than how it affects ability to deliver less than full content of packet
Status of JEM • First JEM held 5/3-5 • Most participants from Wireless industry • Not much input from ISPs • Meeting Report: http://www.tiaonline.org/standards/CALEA_JEM/45053125.pdf • Current Draft JEM Report http://www.tiaonline.org/standards/CALEA_JEM/45053126.pdf • Second JEM scheduled 6/27-29 • http://www.tiaonline.org/standards/CALEA_JEM/
Status of JEM - Main Points • Separating “Information Service” from “Telecommunications Service” impossible unless carrier is providing the service • Two scenarios identified • Service Provider offering Call Management Services (e.g., SIP server) • Service Provider offering IP transport • Technology dependent appendices
Personal Conclusions • Separating IP header info from content is technically feasible • Reliably identifying application in packet as telecom or information service is not technically feasible • Increasing line speed & encryption aggravate (or improve) the situation • New operating procedures to reply to warrants
Other Personal Conclusions • Tradeoff between protecting privacy and burden on ISP • Seizing stored communications vs. communications in transit (wiretap) • Who will be the test case? • Nobody really knows what the end result will be.
References • How wiretaps are done: http://www.cpsr.org/cpsr/privacy/communications/wiretap/denning_wiretap_procedure_paper.txt • Overview of Wiretap law: http://www.nap.edu/readingroom/books/crisis/D.txt • CALEA text: http://techlawjournal.com/agencies/calea/47usc1001.htm • TIA CALEA page: http://www.tiaonline.org/standards/CALEA_JEM/ • FCC CALEA Page: http://www.fcc.gov/wtb/csinfo/calea.html • FBI CALEA page: http://www.fbi.gov/programs/calea/overview.htm • ETSI Lawful Intercept: http://www.etsi.org/technicalactiv/li.htm • EPIC Wiretap pages: http://www.epic.org/privacy/wiretap/ • CTIA Comments on FCC Third Report and Order: http://www.wow-com.com/lawpol/filing/Body.cfm?Reg_ID=196 • CDT Wiretap page: http://www.cdt.org/digi_tele/ • CDT Privacy page: http//www.cdt.org/privacy/plif.shtml • USTA/CDT brief on CALEA challenge: • Brief of EPIC, ACLU, and EFF: http://techlawjournal.com/courts/ustavfcc/20000120.htm • IETF RAVEN RFC: ftp://ftp.isi.edu/in-notes/rfc2804.txt
Acknowledgments • The following people either provided comments or I used their presentations for material: • Al Gidari: g-savvy.com • Terri Brooks: Nokia • Peter Musgrove: AT&T