ISP Politics

A Description of Lawful Intercept and CALEA

We talked to a guy who's so enmeshed in this stuff that he's got a blog about it: demystifying li.

by Alex Goldman
ISP-Planet Managing Editor
[April 24, 2007]

Scott Coleman, director of marketing for San Jose, Calif.-based equipment maker SS8, says in his presentation that lawful intercept is the targeted intercept of voice and data services on behalf of a Law Enforcement Agency (LEA) as specifically authorized by a court.

It is used to prosecute criminal activity and in intelligence gathering.

Coleman says SS8 is educating the industry again. This last occurred in 2000, when lawful intercept rules for VoIP came into effect. "CALEA was passed in 1994," he notes. "It's been around a while."

CALEA is now
The latest CALEA deadline, May 14, 2007 for ISPs, is bringing the law to new industries, such as Wi-Fi. Other industries are well acquainted with it. "For the cellular industry, it came into effect in 1999-2000. It's all old hat for them. They've been doing it for a long time."

For ISPs, CALEA is new, even though the rules were promulgated 18 months ago, and the ATIS standard was published in March.

"I spoke to several Wi-Fi vendors at IWCE in Las Vegas. The people I talked to had not thought about lawful intercept yet."

Coleman expects the industry to realize it needs to comply when the ISPs start to demand CALEA compliance in equipment. People won't pay for what they don't think they need. So, meanwhile, SS8 is educating another industry.

Coleman says this was happening in 2000 with regard to VoIP. "When we started working in the softswitch environment, they were brand new to this. We developed a generic interface and published it and said if you give us this information, we will make you CALEA compliant."

SS8 therefore has a process that it can use to incorporate the complexities of various technologies. For example, a call made directly to a suspect can be covered at the nearest router, but a call forwarded to a cell phone may need to be handled at the gateway.

Every ISP has a slightly different network and many vendors have proprietary standards, so each intercept can be different from others.

How it's done
There are specific procedures, described roughly in law and explicitly in industry standards, for CALEA.

A warrant can ask for one of three things:

  1. Call records (data similar to what appears on the phone bill)
    SS8 says there are up to 2 million of these each year

  2. Real time call data (time of call, answer, disconnect, call forward, etc.)
    SS8 says there are approximately 130,000 of these each year

  3. Call content
    SS8 says there are only about 2,600 each year, in part because it's expensive for the LEA, requiring 24-hour surveillance and monitoring

Coleman says that CALEA is about lawful intercept. "This is not about vacuuming up data and looking for information. The Law Enforcement Agency (LEA) says, 'I've done the police work and obtained the warrant and identified who they are.' They go to the carrier with specific identifying information. It can be a SIP URL, a chat handle, a mailing address, or a phone number."

The device on the network looks for an authentication event, such as a logon. It then needs to determine the appropriate edge device for the intercept, usually a gateway or router.

The company's solution for handling the data is called XCIPIO.

Coleman identifies two kinds of intercepts: active and passive. In an active intercept, the device (i.e., router or gateway) can communicate directly with the data collecting device (also called a mediation device). In a passive intercept, an additional piece of hardware, which SS8 calls a probe, is required. The probe interacts with the router or gateway or similar device to extract the required data. Some warrants may require access to more than one network device, and may therefore use a hybrid approach, active or passive depending on which device is being accessed.

CALEA, to review, splits data delivery into three parts: access, mediation and collection. Access utilizes either existing network elements or probes to replicate target traffic in the network. Mediation aggregates all the replicated target traffic, formats it and delivers it to law enforcement according to the appropriate standard. Collection is the receiving end of the architecture and stores the information for later use.

Collection is handled using INI protocols (INI-1 for provisioning, INI-2 for communication data, and INI-3 for content). Delivery is handled using HI protocols (HI-1 for provisioning, HI-2 for communication data, and HI-3 for content).

The cable industry has written standards for INI-2 and INI-3, but otherwise, each manufacturer has their own proprietary standard, if they provide CALEA functionality at all. Cisco, for example, defines its own Service Independent Intercept (SII).

Delivering data to the LEA requires the use of a standards-based Handover Interface (HI-2 and HI-3). HI-2 delivers call data and signaling while HI-3 delivers content (voice or data). Another HI interface (HI-1) also exists, but in definition only. HI-1 is the process by which the LEA faxes the signed Court Order to the carrier so that the carrier can implement the intercept.
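The three warrant types and the HI-2/HI-3 split described above can be modeled as a scope check at the mediation step, so that nothing outside the court order is handed over. This is an added example, not SS8's or any vendor's code; the `Scope`, `Event` and `mediate` names, the rule that a content warrant also covers call data, and the sample identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Scope(Enum):
    CALL_RECORDS = "call records"        # billing-style records, not a real-time feed
    CALL_DATA = "real-time call data"    # call events and signaling only
    CALL_CONTENT = "call content"        # assumed here to include call data as well

@dataclass(frozen=True)
class Event:
    subject: str   # identifier the access function matched
    kind: str      # "signaling" or "content"
    payload: str

# Handover interface used by each event kind, and the scopes that authorize it.
ROUTES = {
    "signaling": ("HI-2", {Scope.CALL_DATA, Scope.CALL_CONTENT}),
    "content":   ("HI-3", {Scope.CALL_CONTENT}),
}

def mediate(warrants, events):
    """Split replicated events into HI-2, HI-3 and a withheld list with reasons."""
    authorized = {target.casefold(): scope for target, scope in warrants.items()}
    out = {"HI-2": [], "HI-3": [], "withheld": []}
    for ev in events:
        scope = authorized.get(ev.subject.casefold())
        route = ROUTES.get(ev.kind)
        if scope is None:
            out["withheld"].append((ev, "no warrant for subject"))
        elif route is None:
            out["withheld"].append((ev, "unknown event kind"))
        elif scope not in route[1]:
            out["withheld"].append((ev, f"{ev.kind} outside scope: {scope.value}"))
        else:
            out[route[0]].append(ev)
    return out

# Constructed sample data: identifiers and payloads are invented for illustration.
WARRANTS = {"sip:alice@example.net": Scope.CALL_DATA,
            "sip:bob@example.net": Scope.CALL_CONTENT,
            "sip:dave@example.net": Scope.CALL_RECORDS}
EVENTS = [Event("sip:alice@example.net", "signaling", "INVITE"),
          Event("sip:alice@example.net", "content", "rtp-frame"),
          Event("SIP:Bob@example.net", "content", "rtp-frame"),
          Event("sip:carol@example.net", "signaling", "INVITE"),
          Event("sip:dave@example.net", "signaling", "BYE")]

if __name__ == "__main__":
    for channel, items in mediate(WARRANTS, EVENTS).items():
        print(channel, len(items))
```

The withheld list doubles as an audit trail: each entry records why an event replicated by the access function was not delivered.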

There are limits to what Coleman can talk about. He says, "as we demystify LI we are walking a fine line between open frank conversations and revealing information that is too sensitive to be released."

— End

Related articles:
  [April 6, 2007] WISPA's CALEA FAQ
  [Jan. 10, 2007] Editorial: Anticipating 2007
  [April 13, 2006] Templeton's Dark Sense of Humor

 

 
