Passed in 1994, and managed by the Federal Communications Commission (FCC), the provisions in CALEA initially only applied to phone traffic. It was originally passed in response to the need for law enforcement to be able to initiate wiretaps on digital phone switches, which were becoming more prevalent at the time. It required carriers and manufacturers of telecom equipment to ensure that their systems are capable of selective wiretapping of any phone traffic, and that carriers have the people and policies in place to properly assist law enforcement with that process in the event of a valid surveillance request.
In 2005 the FCC extended coverage of CALEA to include broadband Internet access providers and VoIP providers. With that change, broadband providers also needed to ensure they have the systems and people in place to assist with lawful intercept requests, and to do so in a way that protects the confidentiality of the surveillance while securely transmitting the data to the requesting law enforcement agency (LEA). Compliance with CALEA is mandated, and if a provider is found not to be in compliance they can be subject to fines of up to $10,000 per day from the Court until they become compliant.
Unfortunately, CALEA compliance is not easy for several reasons. First, the provider needs to have designated CALEA contacts that are available 24 hours a day who are familiar with what needs to be done and who can ensure that the court order for a CALEA intercept is valid. CALEA requests do not happen often, but you could get one at any time. This makes CALEA compliance a challenge, since it’s difficult to maintain the required policies and efficiently execute procedures when something is relatively rare and occurs unexpectedly.
Next, there is the technical complexity of providing a live intercept of the traffic flow for a specific individual or individuals identified in the court order and then delivering that data securely, in the proper format, to the requesting LEA. This requires that specialized equipment be placed in the network in the right location. And, as your network changes over time, where that equipment should be placed could change. You won’t have a lot of time to figure that out. You need to be able to get the live intercept set up in a timely manner, which is generally considered to be within just a few days of the order.
All providers are also required to file a CALEA System Security and Integrity (SSI) Plan with the FCC. This plan explains how the provider will comply with CALEA, including who their designated CALEA contacts are. In addition, the SSI needs to confirm that appropriate legal and carrier authorization will be obtained prior to beginning an intercept, and that a record of each interception request will be kept for a designated period of time. You should also have a policy in place to notify the LEA of any security breaches related to the request. We have a sample CALEA SSI Plan that you can download here.
The FCC currently only accepts paper filings of SSI plans, but they are in the process of implementing a CALEA Electronic Filing System (CEFS). Electronic filing in the CEFS will initially be voluntary, but the FCC is currently seeking comment on whether to make electronic filing mandatory, which will likely be the case six months after voluntary filing begins. With all SSI filings in an online system they would be easier for operators to submit and keep up to date, and easier for LEAs to access the information. It will also be easier for the FCC to determine if there are providers who have not filed a plan.
For service providers there are three ways to handle CALEA compliance: 1) you can develop your own equipment and initiate and manage your own compliance steps when a request comes in; 2) you can purchase equipment specifically for CALEA and handle your own compliance; or 3) you can contract with a Trusted Third Party (TTP) to provide the equipment and CALEA compliance services for you. The FCC has allowed for this third TTP option because of the required resources and complexity of CALEA compliance, especially for smaller and mid-sized operators.
Additional Resources:
You can go to the FCC's CALEA site to find out more about your responsibilities under CALEA.
If you are not CALEA compliant, ZCorum can help. We can provide you with CALEA Trusted Third Party services and do the heavy lifting for you. For more information, visit our CALEA Services page.