North American Network Operators Group


Re: ISP CALEA compliance

  • From: Jack Bates
  • Date: Thu May 10 17:10:54 2007


William Allen Simpson wrote:
Speaking from experience, that's very likely -- a lot of negotiation
trouble.  No matter what happens, you'll pay some attorney fees.

Also, the gag order was ruled unconstitutional, so always inform your
customer!  They may be willing to work out attorney fees, and/or join
you in a suppression hearing.

You probably should remember to call your congresscritters to complain
each and every time it happens.

Most important: call your state ACLU, as they are trying to keep track,
and might be of some help. ;-)

You work so hard to defend people that exploit children? Interesting. We are talking LEA here and not the latest in piracy lawsuits. The #1 request from a LEA in my experience concerns child exploitation.

Follow the usual best practices, and you may save time and money.

1. Ensure that your DHCP, RADIUS, SMTP, and other logs are always,
ALWAYS, *ALWAYS* rolled over and deleted within 7 days without backup.
I'd recommend 3 days, but operational requirements vary.

This has been a nice trick by many, and it does circumvent CALEA, as if you can't give the customer info to begin with, they probably won't be able to request a tap. The exception is emergency taps requested while an action is going on.

2. Insist that you receive payment *in advance* before doing anything!
And wait until the check clears.


I'm not sure that this would work with all LEA orders.


3. Remind the requesting agency that everything must be signed by a
judge.  Call the issuing court to confirm.  Don't accept "exigent"
administrative requests.  The recent inspector general report showed
that most administrative requests were never followed up by actual
judicially approved requests, and virtually none of them warranted
exigent status -- they were illegal shortcuts.


The last I checked, LEAs have a 48-hour window for emergency orders, and they are supposed to be honored. I'd definitely check with a lawyer on that one.


4. Never, NEVER, *NEVER* speak to a federal agent of any kind.  Do not
allow them into the building.  Require them to speak to your attorney.
Require everything in writing.  No exceptions!

We returned the first request as inadequate -- since it misspelled the
name of the company and the address, and wasn't accompanied by a check.

Our problem was that we weren't rigorous about #1 (some staff had been
keeping some backups sometimes), and the resulting time and expense for
extracting "lawful" information from all the rest was painful.  Learn
from our mistake.

Hmmm, you must have been one of those types the agents I talked to were referring to. They said that those who give them the most flak usually get the least amount of slack. Play hardball with the government, and it will play hardball back at you. I'd definitely make sure you stick to #4 if following #1-3.


Of course, IANAL and YMMV.

Jack Bates