This time, the FBI showed up at ISPCON.

by Alex Goldman ISP-Planet Managing Editor [June 8, 2007]

People came to talk to Maura Quinn, head of the FBI's Electronic Surveillance Technology Section (Operational Technology Division) based in Quantico, Va.

She opened with words that might surprise many WISPs. "We appreciate your efforts [to comply with CALEA]. We know it's tough. Thank you."

She said that CALEA's section 103 allows the ISP to provide information to the Law Enforcement Agency (LEA) in any format that complies with "published industry standards."

Quinn said that means, "you can provide the data according to the standard if that doesn't make the LEA happy."

In some cases, the ISP may have part of the data. For example, for a VoIP call, the ISP might have the content but the VoIP provider might have the signaling information (start of call, duration of call, destination of call). She said it's up to the LEA to reassemble the data (this is particularly complex when conference calls are involved).

She recommended ISPs look at the AskCALEA website.

Questions about CALEA
As you can imagine, attendees had questions.

One asked for more details. "Are you just going to come in with a box and put it on our network?"

Quinn explained that no LEA can deploy a box until they understand how the ISP's network works. The LEA is looking to isolate data concerning the target of a warrant for surveillance. "The LEA will call in advance and ask you about your capabilities."

The only case in which the government might show up without warning is in an Exigent Circumstance in which lives are in danger (murderer on the loose, kidnapping being tracked, etc.).

I asked whether ISPs should call their local police now and get to know them in advance in case something like this happens. Quinn said getting to know local police was a good idea.

An attendee asked, "I am about to build a network. How do I know what's compliant?"

Quinn replied, "the FBI cannot endorse specific equipment. TTPs and equipment makers can advise you as to what's CALEA compliant. The FBI does not have a list. Service providers can obtain detailed documentation by contacting the FBI.

Another attendee asked how much time an ISP has to respond to a warrant. "Is it an hour? Is it a week?"

Quinn said it depends. Most ISPs will get advance notice. In the case of an emergency (Exigent Circumstance), there might be no warning.

She added that there is no exception for "hairpinning."

We found out about this problem through Google, which referred us to the WISPA lists, where Adam Greene reported:

CALEA requires the ISP to be able to sniff *all* customer traffic, including traffic passing *between* two of its customers (referred to as "hairpinning"). If the LEA requires this and the ISP can't provide it, the ISP may need to go to court

The issue of free service with unauthenticated users has not been resolved.

"This is an American issue," said Quinn. "It's not the FBI versus the industry. It's public safety."

Eden Recor said that the whole thing is scary to ISPs. "How do we know if we're compliant? How is it tested?"

Quinn replied, "we understand that. We're not the CALEA police."

Record reiterated, "we want to help."

Quinn said, "we understand that. We're working with WISPA. We're working to help you and will continue to."

— End