ISP-Planet Fixed Wireless


WISPA's CALEA FAQ

WISPA is working to publish an industry standard for CALEA compliance to make it easier for WISPs and law enforcement to work together. As part of that effort, WISPA has built this FAQ to explain what CALEA means to WISPs.

by Michael Erskine of Kaballero.com (team leader),
Brent Anderson of Great American Networks,
Martha Huizenga of DC Access,
Marty Dougherty of Road Star Internet,
and Eric Plikuhu of ImageStream

[April 6, 2007]

1) Can Mikrotik or a similar software-based router be used as a solution out of the box? It has a packet sniffer. It can stream captured data to a remote server using the TaZmen Sniffer Protocol (TZSP), which is used by the open source package Ethereal. It can filter the stream by a multitude of external packet parameters. It does not do deep packet inspection. In that same regard, most *nix distributions can do the same thing, as could an MS Windows server running connection sharing. Could all (or any) of these systems satisfy the CALEA requirement?

This may satisfy the obligations of a carrier, but the question is whether, when writing a WISPA standard, we feel it meets the requirement. Mike is going to get them some to do some testing. CALEA FBI will work with us once we are ready to establish a standard to meet CALEA's requirements.

The FBI's preference is for us to provide a buffered delivery solution where the content and communication identifying information is written to PCAP files on local equipment or to a file server and to be able to provide FTP access to that file over a secure VPN.

The length of the PCAP files should be negotiable at the time of interception, but recommended default values should be once per fifteen minutes or once per Mbyte, whichever comes first.

CALEA provides for two kinds of warrants: those requiring only call identifying information (CII) (which is similar to header information), and those requiring the actual content of the call.

When reporting call identifying information (CII), the Law Enforcement Authorities (LEAs) should always receive login/logout information concerning the target's service activities. Summary reports of traffic flows should be provided for pen register/trap and trace orders which include the source/destination IP address, protocol identifier, and length at the IP layer and the port numbers at the transport layer. The LEAs prefer data be summarized per flow instead of being summarized per packet.

CII should be kept separate from content. LEAs do not want to see CII embedded in content. For content (Title III) orders, the LEAs want CII (AAA) in a separate directory beside or above the actual content. The LEAs want RADIUS logs for content to provide assurance that the WISP confirmed that this is the subject/target; those logs should be correlatable to an intercept identifier, which is negotiated between law enforcement and the carrier at the start of the interception.
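The per-flow CII summary described above (source/destination IP address, protocol identifier, IP-layer length and transport-layer ports, summarized per flow rather than per packet) can be sketched as follows. This is an added example, not code from WISPA or from any published standard; the function names, the record layout and the constructed sample capture are assumptions, and login/logout (AAA) reporting is outside its scope.

```python
import socket
import struct

def summarize_flows(pcap):
    """Summarize a classic Ethernet PCAP into one record per directional flow."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic microsecond PCAP file")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    flows, off = {}, 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # skip anything that is not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        ip_len = struct.unpack("!H", ip[2:4])[0]
        frag = struct.unpack("!H", ip[6:8])[0]
        proto = ip[9]
        sport = dport = None
        # Ports exist only for TCP/UDP and only in the first fragment.
        if proto in (6, 17) and frag & 0x1FFF == 0 and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        key = (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
               proto, sport, dport)
        ts = sec + usec / 1e6
        rec = flows.setdefault(
            key, {"packets": 0, "ip_bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["ip_bytes"] += ip_len         # length at the IP layer, not the frame
        rec["last"] = ts
    return flows

def _frame(src, dst, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4 frame with zeroed MACs and checksums."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len,
                     0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + b"\x00" * payload_len

def build_sample_pcap():
    """Constructed capture: documentation-range addresses, five packets."""
    packets = [
        (100, ("192.0.2.10", "198.51.100.5", 6, 40000, 443, 100)),
        (101, ("198.51.100.5", "192.0.2.10", 6, 443, 40000, 1400)),
        (102, ("192.0.2.10", "198.51.100.5", 6, 40000, 443, 200)),
        (103, ("192.0.2.10", "203.0.113.7", 17, 5060, 5060, 300)),
        (110, ("192.0.2.10", "198.51.100.5", 6, 40000, 443, 0)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, args in packets:
        f = _frame(*args)
        out += struct.pack("<IIII", sec, 0, len(f), len(f)) + f
    return out
```

Because the summary holds only header-derived fields, it can be written to its own directory and never mixed with the content files.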

2) Are we required to put notices in our AUP for our users that we may have to intercept their communications?

CALEA does not require this. In fact, CALEA requires providers to provision/conduct interceptions pursuant to lawful authorization unobtrusively (i.e., without letting subjects/targets know they are being intercepted) and to protect information regarding an LEA's interception of CII and/or content.

3) Does anyone who owns a VoIP server, and offers VoIP service, have to be compliant?

Generally, YES. The FCC held in its September 2005 First Report and Order that CALEA applies to providers of "interconnected VoIP services." The FCC defined "interconnected VoIP services" to include those VoIP services that: (1) enable real-time, two-way voice communications; (2) require a broadband connection from the user's location; (3) require IP-compatible customer premises equipment; and (4) permit users to receive calls from and terminate calls to the PSTN. Only private networks or private PBX would not have to be compliant.

In most cases, with VoIP, you will need to provide Pen Register data (which identifies who the subject/target called and who called the subject/target in addition to service information such as conference calling and redirections) and in many cases you will have to provide the call content if they require a full collection. If you transport services such as VONAGE ™ you may still have to provide full content from the device.

4) Is there any reason that rural WISPs would not have to be CALEA compliant?

No. Neither CALEA nor the FCC has carved out a compliance exemption for rural entities, so all WISPs and VoIP companies that fall within the scope of covered providers established by the FCC in its September 2005 First Report and Order must be compliant. Any facilities based ISP must be CALEA compliant. The only exemption to CALEA is the private network exemption. A private network is a network which is not offering a service to the public whether for profit or not for profit. If the network is available to the public, it is not a private network. If you resell to your neighbor you are offering a public service. If you share a connection with your neighbor and he pays half the price, you are offering a public service.

5) Does the FBI want all information from a connection? Or does it have to be limited based on the legal authorization? The limit is mostly just how it is collected and passed to the LEA.

They will ask for PEN register under a CII-only order or full content with everything from the target device under a content (Title III) order. A PEN register provides CII, which is originator, called party, time up, time down, duration, etc. Full content is the requirement to collect all traffic to and from a device. We do not have to do deep packet inspection. The FBI will do deep packet inspection. When we are given a content order we will always be asked to collect all data streams from a device. That data will be dumped to a file and retrieved expeditiously by the LEAs. If that data stream contains VoIP which is not provided by the carrier facilitating the intercept, they are not required to isolate it. When a file is complete we should make an MD5 hash on the file so that the LEA can prove that the data they retrieved from our site is exactly the same data that we claim to have collected.

We are not authorized to keep a copy of the collected data.

We should keep a copy of the MD5 hash for the file. We are only required to record and hold hash information on any full collection. The hash is required in case the LEA needs to show that the data was not modified. The WISP should work with the LEA on how long they need to hold the hash.
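The buffered-delivery defaults from answer 1 (a new file every fifteen minutes or every Mbyte, whichever comes first) and the per-file MD5 described here fit together as in the sketch below. It is an added example, not code from WISPA or the FBI; the class and function names, the file naming by intercept identifier, and the reading of one Mbyte as 1,000,000 bytes are assumptions.

```python
import hashlib
import hmac
import os
import time

class RotatingCapture:
    """Buffer raw records into files that rotate on age or size, hashing each."""

    def __init__(self, directory, intercept_id, file_header=b"",
                 max_age=900, max_bytes=1_000_000, clock=time.time):
        self.directory, self.intercept_id = directory, intercept_id
        self.file_header = file_header    # e.g. the 24-byte PCAP global header
        self.max_age, self.max_bytes, self.clock = max_age, max_bytes, clock
        self.manifest = []                # (file name, MD5 hex) per closed file
        self._fh, self._seq = None, 0

    def _open(self, now):
        self._seq += 1
        self._name = f"{self.intercept_id}-{self._seq:06d}.pcap"
        self._fh = open(os.path.join(self.directory, self._name), "wb")
        self._md5 = hashlib.md5()         # MD5 because that is what the LEA asked for
        self._opened, self._size = now, 0
        self._append(self.file_header)    # every file must be readable on its own

    def _append(self, data):
        self._fh.write(data)
        self._md5.update(data)
        self._size += len(data)

    def poll(self):
        """Close the current file once its age limit passes (call on a timer)."""
        if self._fh and self.clock() - self._opened >= self.max_age:
            self.close()

    def write(self, record):
        self.poll()
        has_data = self._fh and self._size > len(self.file_header)
        if has_data and self._size + len(record) > self.max_bytes:
            self.close()                  # size limit reached first
        if self._fh is None:
            self._open(self.clock())
        self._append(record)

    def close(self):
        if self._fh:
            self._fh.close()
            self._fh = None
            self.manifest.append((self._name, self._md5.hexdigest()))

def verify(path, expected_md5):
    """Recompute a delivered file's MD5 and compare it with the retained hash."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_md5)
```

Only `manifest` needs to outlive delivery: the capture files are removed once the LEA has retrieved them, and the retained hashes are what `verify` is later run against.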

6) What is the definition of "facilities based"?

The FCC has defined "facilities-based" providers as entities that provide transmission or switching over their own facilities between the end user and the ISP.

Based on the FCC's definition, we are facilities based in most cases. If your own hardware is being used to deliver the service and you provide a public service you are facilities based. The operative phrase used in the meeting here was this, "If you have the information you are legally responsible for reporting it when it is requested."

7) If a provider gets his IP addresses from an upstream ISP and provides every customer a public IP address from that ISP's CIDR allocation, wouldn't that relieve that downstream provider of the requirement for compliance as the upstream ISP could do the intercept?

No. Each CALEA-covered provider remains covered regardless of whether someone else in the mix also has this information. The upstream provider may also have to show what they have but this does not release the downstream from providing what they have per the court order. This is because the downstream provider is collecting the CII (AAA) information. They emphasize here that you may see multiple orders served in these situations because there will be multiple places where this data is available.

8) How does inter-client communication affect the requirement for compliance with CALEA? Suppose that there are two bad guys using a WISP's AP and their traffic never even reaches the ISP's backbone. Is the WISP responsible for being able to intercept that traffic when the vendor does not provide a mechanism for doing that?

The requirement is not affected: CALEA requires us to collect this data. The only option we have in such cases is to collect the data on the RF side of the link. CALEA requires us to be able to do that collection and to offer that ability to the LEA when an order is presented. The LEAs will not want us to do RF collection because it places us too close to the target and might violate CALEA's transparent interception requirement, or worse, get one of us killed.

If, for example, the subject/target notices that Marlon is hanging around outside of his house with a Yagi in his hat and gets "hinky" (the LEA technical term for nervous), the investigation is blown and the LEA gets pissed (general term for upset). The easy answer is for the LEA to say, "Hell no! You are not going to do the collection via RF!" and then they deploy their geeks and do it themselves.

In the near term, we have to offer to do the collection via wireless sniffer because that is the only mechanism available to us when the AP device does not prevent inter-client communication and also does not provide a mechanism to intercept data streams on the device.

However, vendors are required to assist carriers in meeting their CALEA obligations and as such, carriers should notify their AP manufacturers that they will require an intercept capability in the next version of their product.

9) TAP, Storage Server, CALEA Site, How long do we have to hold the data?

Data should be held just long enough for the LEA to receive it. The WISP should hold the hash for that particular interception as long as the legal proceedings and appeals last. This could be 5 to 10 years. The WISP should work with the LEA on how long they need to hold the hash. Prior to destroying the hash, it would be best to verify with the LEA. Since a hash is performed for each intercept period, there will be many small files. The total long-term storage required would be minimal.

10) What about open access points?

If you have open access points and don't know the target then it is the LEA that should distinguish target and non-target. We just provide the full data. The LEA may work with you in identifying the target in preparation for obtaining and presenting the legal authorization (e.g., subpoena, intercept order, etc.) but there will always be some legal document requesting this information.

Who is responsible for tracking down a bad guy who is hijacking a connection on an open access point?

This is a joint effort between the LEA and the WISP to the best of the ability of the WISP.

11) I have a customer who has made a deal with his neighbor to let him use his connection. I am not aware that arrangement has been made on the customer's end of the link. You come to me to intercept traffic from that IP address and I intercept that traffic. Subsequently you discover (by whatever means) that I have provided you intercept which was not covered by the order. Who is liable?

Court orders are on the target's communications device. It is the LEA's responsibility to remove all non-target communications when it is a full collection requirement. This relieves us of the requirement to provide only target communications. We provide data streams associated with a DEVICE. The LEAs are required to separate target data streams from non-target data streams.

12) Some people say you want raw traffic, other people say you want filtered traffic. Which do you want?

They want full raw PCAP dump for data or PEN data, with a hash mark. Remember that before you are presented with lawful authorization from the LEA for the intercept, you will have some contact with the LEA as they prepare the legal approvals. This is not a short process unless it is a life or death situation (then you should work as best as possible to preserve life). In the life or death case, they will work out the legal information after the fact. It is important to note here that you will almost always have a piece of paper signed by a judge that specifies exactly what you are to collect. Only in life threatening issues will you find yourself having to make judgment calls, without that piece of paper. In such cases, the LEAs have to accept responsibility for the actions of their agents.

13) Is it true that the LEAs are not allowed to enter our networks without lawful authorization?

YES

Does this mean the LEA is usually required to submit a request for lawful authorization and depend upon us to satisfy that authorization?

There will be some legal documents (e.g., subpoenas) even prior to the intercept order that may be to help the LEA identify the target and other specifics in connection with getting the intercept order. Again you should expect to have some contact with the LEA prior to getting an intercept order but you do not have to provide the interception/collection on the target until the order is issued.

14) What is the procedure for us to ensure that due process is served if we are required to provide a TAP prior to the subpoena?

CALEA limits what we can do! CALEA does not come into play until after legal authorization is presented to the provider. Only in a life or death situation would this information be required before the lawful authorization is presented. You may have to hold the data waiting for the lawful authorization but this will be listed in the documents. Otherwise, interception/collection only starts after you have legal documents.

Additionally we were told this question is not a CALEA question and it was hinted that there are times when you have to decide between contacting your attorney and trusting your conscience.

15) There are a number of open source solutions which might be acceptable as a solution to CALEA compliance. Are there any which have already been tested and accepted by any LEA?

The FBI is willing to work with WISPA to develop a standard that will give us Safe Harbor once published. The main point is whether we provide the storage device that talks to the LEA or they do. We cannot charge them for the equipment. The FCC has made clear that we cannot bill for capital costs of complying with CALEA, and it was specifically agreed that, "We cannot build out infrastructure at their expense."

There are questions about whether bandwidth is billable; however, they have stated that dedicated lines are not considered acceptable solutions because of time delays in getting them installed. We can charge the LEA for time used to set up the TAP. We may be able to bill for the bandwidth that they use in their VPN, the VPN between the capture server and their polling host.

16) With respect to intercept transparency, if *ANY* packet header information is changed, would that be considered a violation of the transparency requirement?

If in any way the target can see the change, then yes.

If the answer is no, what packet header data could be changed which would pass the transparency requirement? We realize that data may be changed when those changes are never visible to the subject of the intercept. We are interested in what, if any, header data might acceptably be changed when the subject of the intercept could discover those changes.

Any change to the data which could be observed/detected by the target of an intercept violates the transparency requirement. If, for example, you routed the target traffic through a device which decremented the TTL but otherwise did not change the traffic you would be violating the transparency requirement. You cannot change the traffic in any way which is observable to the subject/target.

17) Are OPEN hotspots going to become illegal because the owners cannot become CALEA compliant?

No, they will not become illegal, but the LEAs may have to have you help them identify the target.

If you service customers that have an open hotspot and you can access it, then you can provide the required information. If the WISP does not have control of the Open AP, then you can only provide a full collection on this AP to meet the requirement. The AP owner may be asked to provide information under CALEA but this will be required under the intercept order.

For example, my wife has an open AP in her restaurant. Should I advise her to secure it and go to an authentication system so that she can ID the users of her open AP?

NO, but she should be aware the collection may be on the full AP stream if they are not able to get the data wirelessly.

18) When will capture to disk be acceptable over real time streaming?

You will know the situation and be able to work it out with the LEA, but from the discussion the easy answer is, "almost always unless VoIP is being collected."

What if the ISP cannot deliver real time streaming because he has an asymmetric gateway?

They will work with you in this situation and can take it to a device they provide to be put into the network.

For example, I have an ISP who is using an asymmetric DSL circuit to connect to his carrier. It is 7M/1M. He cannot possibly stream to a real time collector because his download is 50 percent loaded. What happens when a real time requirement hits the collection system?

They are not out to burn us on this and in many cases (like child porn) the collection at your demark may be all they need and will not require a stream. They understand these limitations. We just need to put it into the published WISPA standard in order to have safe harbor under CALEA. They clearly stated that they are not going to fire up a T-1 or other dedicated circuit in such situations because of the TIME involved to satisfy the collection requirement.

What they will do is expect us to be able to buffer as much data as necessary to be able to ensure that nothing is lost. This may indeed mean that you have to get a USB drive and hang it on the collection server. They will work with us. The goal is to catch bad people, not to mess with WISPs.

19) In what specific instances might a carrier be reimbursed for delivering intercepts? Suppose that my company needs to have TTP involved, can I be reimbursed?

You can only charge for the man-hours used to set up and support the collection. The FCC has made clear that we cannot bill for capital costs of complying with CALEA, which means you cannot be reimbursed for the use of a TTP's services. We did discuss the idea that you may be able to charge for bandwidth if an increase is required beyond what you have, but they did not want to commit to that. You may have to go to court to get reimbursed for that; however, the LEAs understand the problem and you may well find them reasonable. It is likely that if you ask for reasonable reimbursement you will receive it. They don't want to help you build out infrastructure to satisfy an investigation.

20) Does the OpenCALEA Merit software satisfy the formatting requirements of the LEAs?

They cannot answer these kinds of questions until testing is performed.

21) What do we do with networks that are built around NAT at the AP?

They will work with those doing NAT to identify the target. If they are unable, then a full collection may be required and they will do the deep packet inspection and keep only the communications of the target.

In networks where NAT is done, we may have a WISP that only has half of a class C CIDR block. That ISP may be NATting behind a couple of dozen Router/APs. His hardware may not allow him to collect IP traffic on the inside of those Router/APs. What does he do?

We need to put this into the WISPA CALEA standard. In most cases, a collection can happen. This case is similar to the Open AP question. The LEAs may specify a specific device in the intercept order, or specific devices, and then do the packet inspection to remove the non-target communications from the target communications. If a single carrier offers the Wi-Fi access service and performs the NAT, law enforcement will expect the carrier to isolate the target's communications and make them available to law enforcement prior to NATing.

22) Again, does Merit software satisfy the real time intercept requirement?

Without testing, they cannot answer this question. If it satisfies an industry standard, then, yes, it would satisfy the requirement. They want us to work with them on any standard that WISPA seeks to establish.

Do we even have a real time requirement?

Yes. CALEA prescribes capabilities for "real time" interceptions, so there is a near real time requirement. Basically if the collection requirement is against VoIP, there will be a near real time (meaning milliseconds, not seconds) collection requirement.

23) Does the FBI speak for other LEAs? Does an FBI approved standard automatically count for other federal, state or local agencies?

The FBI does not approve standards, but does work with providers on developing standards that meet law enforcement's needs. Once WISPA develops our standard and publishes it, this will provide the WISPA members who comply with that standard a thing called "safe harbor" under CALEA.

—End