Demystifying Lawful Intercept and CALEA: January 2007 Archives

January 30, 2007

FBI's Carnivore went quiet but methods under scrutiny again

Some of you may have seen articles about a presentation made by Professor Paul Ohm (former trial attorney at the Justice Department) at the "Search & Seizure in the Digital Age" symposium held at Stanford University last Friday. Professor Ohm, currently a law professor at Univ. of Colorado, spoke about the new "full-pipe recording" approach the FBI is now using when doing a broadband intercept.

His description asserts that instead of just intercepting the IP traffic of the target, they are collecting traffic from a point in the network that includes other users' traffic as well. I would suggest that in an environment that hasn't achieved CALEA compliance yet (the FCC CALEA deadline is May 14, 2007; see earlier entries) this may be necessary. But once true LI solutions are in place this will no longer be necessary. Current LI technology provides for both active and passive solutions that can identify the specific traffic of a target, assuming the target is known. There may be challenges with some enterprises in identifying their users but certainly all service providers know who their users are since they have to bill them :-)

And don't be surprised if you continue to hear about "full-pipe" intercepts even after CALEA compliant solutions are in place. In LI circles "full-pipe" actually has a different meaning and references the traffic on the "pipe" that goes to the target's location. This is in contrast to an intercept that would intercept a specific type of traffic (email, VoIP, chat, http etc.).

An example makes this clear. I happen to use Charter as my cable/broadband provider and Vonage as my VoIP provider. Because Vonage operates within the U.S., law enforcement could get a warrant, serve Vonage with it and only intercept my voice IP traffic. Now if my VoIP provider happened to be out of the country, then law enforcement could go to Charter and intercept the "full pipe" going to my house in order to access the voice traffic that is embedded in the IP stream going across the pipe I have from Charter. They would have the "full-pipe" but it would only be my traffic, not anyone else's.
 
Feel free to comment.  Till next time ...

January 19, 2007

Bush Administration Changes Stance on "Unauthorized" Wiretapping

Ever since the Foreign Intelligence Surveillance Act (FISA) was passed in 1978 there have been two processes for obtaining and implementing wiretaps. One utilizes the traditional court system while the other uses a secret court system, but in both cases the judicial branch acts as one side of the "check and balance" in the request and approval process of obtaining wiretaps.

For normal criminal activity and investigations sworn law enforcement agents, with the appropriate training and certification, build portfolios with information that allows them to justify to a judge why a wiretap is needed. The judge then either approves or denies the request, but even with approval puts restrictions on the duration and use of the wiretap. For cases involving foreign targets/communication, the same process is followed but due to the highly sensitive nature of foreign intelligence, the requests are taken out of the public system and processed through a separate and distinct Foreign Intelligence Surveillance Court system.

An issue arose at the end of 2005 when it was discovered that the Bush administration, under the umbrella of executive war time powers, authorized wiretaps without the review or approval of any court system. Now I'm not a legal authority so I'm not in a position to comment one way or the other on the legality of the action but it is clear to see why this raised concerns with many Americans.

However, this past Wednesday the administration reversed its position and has apparently worked out an agreement to work with the FISA court system to obtain expedited authorization for the intercepts they need.

I think this agreement is good news for America. It allows the government to keep doing what it needs to do to protect the citizens of the U.S. in a timely manner while also protecting the privacy rights and concerns of those same citizens.
 
Please feel free to comment.  Till next time ...

January 12, 2007

LI Evolution - the pace quickens

I was cleaning out my basement this weekend and came across an assortment of telephony equipment from my past (butt set, continuity tester, bridge clips, punchdown tool, 66 blocks etc.), a little museum of sorts. The last time I used any of it was when I was teaching my son's Cub Scout den how phones and phone networks work (no I wasn't teaching them how to wiretap anyone). As I reflected on my past and my father-in-law's career at New York Telephone (way back before Verizon and Bell Atlantic), it impressed me with how significantly and how rapidly things have changed in the past 20+ years.

In the 80's most everything was still analog and services like caller id, call forwarding were just being introduced. I remember getting "Total Phone" in 1982 in Connecticut, just after we replaced our rotary phone with a touchtone. Of course this was all prior to CALEA and wiretapping was still done by bridging on a copper pair or using a "loop around" trunk that terminated on analog recorders. But by the late 80's digital technology was on a tear and law enforcement was starting to realize what it was potentially missing and asked for help.

CALEA was passed and new solutions were implemented that were able to access call forwarding, conf calls etc. and most of it was done right on the "big iron" switches of the day. But by the late 90's IP services were making their presence known and a new generation of LI needed to be deployed. No longer was traffic going to be delivered over POTS dial up lines, new IP connectivity for data and content was needed and implemented.

And it appears we're on the brink of another change, another generation. Forget the centralized softswitches and media gateways of today's VoIP services, communication is now done with simple SIP clients using standard broadband pipes. So what does that mean for LI solutions? Well they have had to adapt and include "application" servers so that things like conference calls, prepaid calls and PTT talk groups are captured. Deep packet inspection has also become a critical component of these solutions as communication traffic needs to be filtered out as these broadband pipes become consumed with the transfer of entertainment media. And forget about using "well known ports" to identify traffic, protocol characterization is now the key to finding and tracking the targeted traffic.
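As an added illustration of the protocol characterization point above (not code from this blog or from any LI product), the Python sketch below labels UDP flows by payload content instead of port. The flow tuples, addresses, ports and packets are constructed sample data, and the three-packet threshold for RTP is an assumption.

```python
import struct

SIP_METHODS = {b"INVITE", b"ACK", b"BYE", b"CANCEL", b"OPTIONS",
               b"REGISTER", b"SUBSCRIBE", b"NOTIFY", b"INFO", b"MESSAGE"}


def port_guess(dst_port):
    """Port-based labelling: only the registered SIP port counts."""
    return "sip" if dst_port == 5060 else "unknown"


def looks_like_sip(payload):
    """SIP is text: a request line 'METHOD uri SIP/2.0' or a status line."""
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.startswith(b"SIP/2.0 "):
        return True
    parts = first_line.split(b" ")
    return len(parts) == 3 and parts[0] in SIP_METHODS and parts[2] == b"SIP/2.0"


def parse_rtp_header(payload):
    """Return (ssrc, seq) if the fixed 12-byte RTP header is plausible."""
    if len(payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:               # RTP version field must be 2
        return None
    if 72 <= (b1 & 0x7F) <= 76:    # these values collide with RTCP packet types
        return None
    return ssrc, seq


class FlowClassifier:
    """One plausible header proves little, so RTP needs a run of packets
    with the same SSRC and consecutive sequence numbers."""

    def __init__(self, rtp_min_run=3):   # threshold is an assumption
        self.rtp_min_run = rtp_min_run
        self._rtp = {}     # flow -> (ssrc, last_seq, run_length)
        self.labels = {}   # flow -> "sip" | "rtp" | "unknown"

    def observe(self, flow, payload):
        label = self.labels.get(flow, "unknown")
        if label != "unknown":
            return label
        if looks_like_sip(payload):
            label = "sip"
        else:
            hdr = parse_rtp_header(payload)
            prev = self._rtp.get(flow)
            if hdr is None:
                self._rtp.pop(flow, None)
            elif prev and prev[0] == hdr[0] and hdr[1] == (prev[1] + 1) & 0xFFFF:
                run = prev[2] + 1
                self._rtp[flow] = (hdr[0], hdr[1], run)
                if run >= self.rtp_min_run:
                    label = "rtp"
            else:
                self._rtp[flow] = (hdr[0], hdr[1], 1)
        self.labels[flow] = label
        return label


def rtp_packet(seq, ssrc):
    """Constructed RTP packet: version 2, payload type 0, 160 payload bytes."""
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + b"\xff" * 160


# Constructed sample traffic, keyed by (src_ip, src_port, dst_ip, dst_port).
SIP_FLOW = ("192.0.2.10", 38060, "198.51.100.5", 38060)    # SIP on an odd port
RTP_FLOW = ("192.0.2.10", 40000, "198.51.100.5", 40002)
DECOY_FLOW = ("192.0.2.20", 51000, "198.51.100.9", 5060)   # not SIP, on port 5060
NOISE_FLOW = ("192.0.2.30", 52000, "198.51.100.9", 52000)  # RTP-like bytes, no stream
SAMPLE_PACKETS = [
    (SIP_FLOW, b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n\r\n"),
    (DECOY_FLOW, b"\x00\x01 bulk media transfer chunk"),
    (NOISE_FLOW, rtp_packet(7, 1)), (NOISE_FLOW, rtp_packet(900, 2)),
    (NOISE_FLOW, rtp_packet(3, 3)),
] + [(RTP_FLOW, rtp_packet(seq, 0x1234ABCD)) for seq in range(100, 104)]


def classify_all(packets):
    """Return {flow: (label_by_port, label_by_content)}."""
    clf = FlowClassifier()
    for flow, payload in packets:
        clf.observe(flow, payload)
    return {flow: (port_guess(flow[3]), label) for flow, label in clf.labels.items()}


if __name__ == "__main__":
    for flow, (by_port, by_content) in classify_all(SAMPLE_PACKETS).items():
        print(flow, "port:", by_port, "content:", by_content)
```

On the sample data the port rule labels only the decoy flow as SIP, while the content rule finds the SIP and RTP flows on their non-standard ports and leaves the decoy and noise flows unlabelled.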

From the use of butt sets for decades, to nationalized standards in 2 decades, to 2 new generations of IP LI in one decade, the pace of technology advancement, and the equivalent advances needed within LI, certainly is increasing rapidly.

Please feel free to send comments or questions. Till next time ...

January 9, 2007

A call for more standards

As noted in previous posts, I both attended and spoke at ISS World in December '06. At the conference my speaking topic was "Centralized Management - We missed the boat". I'd like to briefly address that subject again here.

The original intent and concept for the Mediation (Delivery) Function, by the standards bodies, was to create a single, centralized point in the network, with clear demarcation points that would handle all interfaces needed to perform lawful intercept. The benefits of this are fairly well known and include at a high level:

• Centralized control
• Scaling across systems
• Support of legacy systems
• Securing sensitive information
• Reducing the amount of “technical” support needed to actually implement an intercept
• Software license expansion instead of incremental hardware to support new equipment
• Single point of interface for Law Enforcement

And for the most part the industry has done a good job in creating and implementing Mediation Functions, however there is an area where I think the industry has missed the boat. With the exception of Packet Cable, for the cable industry, none of the standards bodies have created standards for the INI (network side) interfaces. And even Packet Cable hasn't defined INI-1 (provisioning). The result is that almost every network element (router, gateway, wireless switch, PDSN, SGSN, AAA, DSLAM, softswitch etc.) has a unique or proprietary interface.

How did this happen? As with many things it was about money. When CALEA was first passed, wireline and wireless communications were the norm and switching manufacturers saw an opportunity to grab a share of the $500 million that congress set aside for implementation. So instead of creating INI interfaces that would support a single unified LI interface they built proprietary interfaces into their switches and charged the government for it. Now however the government money is gone and carriers are paying for CALEA capabilities.

The effect of this is that solution costs are higher and implementation schedules are longer because new interfaces have to be continually created in order to support LI on the various technologies that are being deployed. And in some cases it is even worse. Not only do certain "old school" switch manufacturers still have proprietary interfaces, but they are also tightly guarding them and requiring their customers to pay a premium to open them up. When compared to a next generation company like Cisco, that has readily published and supported a consistent LI interface, it is obvious that these companies are not acting in the best interest of their customers.

Recommendation: Follow PacketCable's example and define interfaces on both sides of the Mediation Function. This will afford the following benefits:

• Allow Mediation Function developers to focus development efforts on:
–Security of sensitive information
–User experience
–Correlation of data and content
–Identification of IAPs (Intercept Access Points) in the new, complex IP networks
–Secured interfaces (INI and HI)
–Encryption
–Separation of applications/services (movies, TV etc. from valuable transactions or communications)

• Lower total cost of ownership
–Single DF
–Reduced development for new network element support

• Higher quality products and solutions

• Quick integration and support of new “probe” technologies and capabilities

• Certification and qualification could occur faster and easier, similar to what has been done at Cable Labs in the past.


Summary

LI solutions have come a long way towards meeting the initial intent but aren’t there yet when it comes to the creation of standards based INI interfaces. In order to help push this effort forward, service providers need to change expectations and demand open, standards based INI interfaces from equipment manufacturers. And finally, the standards bodies should define a single INI standard, fully embracing the concept of separated AFs, MFs and CFs and removing equipment providers from undue influence over a function that is non-revenue generating for service providers.


Please send me any comments or thoughts. Till next time ...

CALEA Milestone Dates Released

For those of you that have been waiting for the FCC to set the deadlines for filing reports for Section 105, Section 107 and Monitoring reports, the Office of Management and Budget has now given their approval. For those of you that have not been waiting or didn't even know they were pending, these are the milestones that accompany the current May 14, 2007 deadline for CALEA compliance.

The 105 filing is a security process and procedure document that describes how the carrier is going to meet its obligations for maintaining a secure environment with regard to the handling and processing of wiretap requests.

The 107 filing is a cost recovery procedure that will have little application to current carriers since the only equipment eligible for cost recovery is equipment deployed before October 25, 1998.

And the Monitoring Report provides a view into the carrier's progress with regard to meeting the May 14, 2007 CALEA deadline. This is accomplished by filing FCC Form 445.

The newly posted dates are as follows:

March 12, 2007 for Section 105 filings

February 12, 2007 for Section 107 filings

February 12, 2007 for Monitoring Reports

These dates seem close but all previous announcements and publications indicated that they would be coming shortly so it shouldn't be catching anyone by surprise.

For more information on these reports filings you can check with the FCC site http://www.fcc.gov/Daily_Releases/Daily_Digest/2006/dd061214.html or send me a question and I can provide more info.

The value of collected information

There are two “domains” when it comes to lawful intercept: one is the carrier’s premises and the other is law enforcement’s premises. The carrier domain is tasked with access and delivery while law enforcement is more concerned with collection, recording and analysis, with the emphasis on analysis. While both sides are required in order to generate the information necessary to execute a successful wiretap, it is the collection function that makes the information useful and valuable.

The Collection Function is a PC based application that law enforcement uses to build their cases and create evidence. It receives and stores information from subpoenas for call records, warrants for Pen Register / Trap & Trace intercepts and Title III intercepts. From these various sources of information a chronological list of events is accumulated and retained for analysis.

Analysis focuses on finding and building relationships based on the information obtained during the intercept. The information includes calling and called parties, time of the calls, call duration and various other attributes of the call. In addition, of course, there is the call (content) itself. The events of the call are automatically associated with the appropriate call so that the law enforcement agent can efficiently determine the flow of the call (call waiting, conference call etc.) as it is being reviewed.

In addition to matching call data with the appropriate call to decipher activities on the call, the collection function also seeks to build relationships or “links” with other events in its database. By automatically identifying these relationships within the data (i.e. a commonly called number shared by two targets), law enforcement is better able to establish patterns and areas of influence for that target.
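The two correlation steps described above, as an added Python sketch (not code from any collection function product): events are grouped per call into a chronological flow, and numbers contacted by more than one target are reported as links. The event tuple layout, event names, target labels and phone numbers are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed events, deliberately out of order as they might arrive from
# different sources: (timestamp, target, call_id, event, other_party)
EVENTS = [
    ("2007-01-09T10:02:10", "target-A", "c1", "answer", "202-555-0143"),
    ("2007-01-09T10:02:00", "target-A", "c1", "origination", "202-555-0143"),
    ("2007-01-09T10:09:00", "target-A", "c1", "release", None),
    ("2007-01-09T10:05:30", "target-A", "c1", "conference_add", "202-555-0177"),
    ("2007-01-09T11:15:00", "target-B", "c2", "termination", "202-555-0143"),
    ("2007-01-09T11:20:00", "target-B", "c2", "release", None),
    ("2007-01-09T12:00:00", "target-B", "c3", "origination", "202-555-0199"),
]


def call_flow(events, call_id):
    """Replay one call in time order and track who is on it after each event.

    Returns a list of (event, active_parties) steps so a reviewer can see
    which parties were present at any point in the call.
    """
    steps, active = [], set()
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for _ts, _target, cid, kind, party in ordered:
        if cid != call_id:
            continue
        if kind == "release":
            active.clear()          # call torn down, nobody is left on it
        elif party:
            active.add(party)       # origination, termination, conference_add
        steps.append((kind, sorted(active)))
    return steps


def shared_contacts(events):
    """Return {number: [targets]} for numbers that appear with 2+ targets."""
    seen = defaultdict(set)
    for _ts, target, _cid, _kind, party in events:
        if party:
            seen[party].add(target)
    return {num: sorted(tgts) for num, tgts in seen.items() if len(tgts) > 1}


if __name__ == "__main__":
    for step in call_flow(EVENTS, "c1"):
        print(step)
    print(shared_contacts(EVENTS))
```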

While electronic surveillance and the automated implementation of wiretaps in networks are making the wiretap process more efficient, it is the capabilities of the collection function that are making the information more valuable.

Report on ISS World

As noted in my last entry, I attended ISS World this week in Washington D.C. The usual suspects (pun intended) were there: law enforcement (FBI, state/county police, FCC, DOJ), vendors and carriers. In addition to U.S. attendees, representatives from over 30 different countries (mostly law enforcement) were also there.

For those that had been there before it didn't hold much new information but I continued to be amazed by those that were new to the conference and how informative they found it to be. I guess once you have been embedded in something for so long you forget how much information there is on the subject and how much of a specialty it is.

I think the two things that stood out for me were the number of "probe" vendors exhibiting and the strong stance the FCC is taking with regard to compliance by May 14, 2007 (see earlier post "Current CALEA Deadline").

There have always been probe vendors and LI solutions that utilize probes but to date they have played a fairly minor role in most LI solutions. With new requirements on broadband and VoIP providers to become compliant, many IP companies that have packet analysis capabilities have started positioning themselves as LI providers even though they have never deployed an LI solution. While these capabilities will become important in the ensuing deployments, a comprehensive solution incorporating these capabilities into established and well known solutions will be the best approach, ensuring that both carriers and law enforcement are comfortable with the solution.

With regard to the FCC's stance, in several conference sessions they, along with the FBI and DEA, made it quite clear that they are expecting full compliance and no extensions to the deadline. After repeated delays, exemptions and extensions the first time in the '90s, they don't want anything to drag out this implementation.

Feel free to send comments or questions on ISS World or anything LI related and I'll take a crack at responding. Till next time ...

ISS World is coming up

On Dec. 4th 2006 (next week) the largest gathering of people interested in the operation and implementation of lawful intercept will gather in Washington DC at ISS World. This is a bi-annual conference presented by Telestrategies (http://www.telestrategies.com/) whose attendees, speakers and exhibitors include law enforcement, service providers (carriers) and solution providers.

The focus of the 3 day conference is on the five speaking tracks that cover various topics (international events, LI technology, analysis solutions etc.) although there are sponsored events and vendor exhibits.

SS8 will of course be there and I’ll be speaking if any of you would like to stop by and say hi or share a beer after hours :-). If I don’t get to see you there, I’ll provide an update on the happenings after the show.

Variety of "wiretaps"

When someone says “wiretap” most people immediately think of a law enforcement agent huddled over a recorder listening intently to some bad guys plotting their next crime. However, only a very small percentage of wiretaps include the voice portion or “content” of a call. In practice there are three “levels” of “assistance” that carriers have to support when requested by law enforcement.

The first level is a subpoena for call records. These are historical records reflecting the calling activity of a particular target. This is by far the most frequently asked for and utilized capability by law enforcement. In 2006 there were approximately 2 million subpoenas/court orders requesting these types of records. The records for each request are provided to law enforcement either by electronic transfer to their collection function or by a manual process.

The next level moves from static, historical records to real-time reporting of the target’s activities. This level includes two categories of activity. The first category is a “Pen Register” which captures only the outgoing calls of the target. The second is a “Trap and Trace” which captures the inbound calls. Both of these types require the carrier to utilize a standards based, real-time solution that identifies and delivers call “events” to the collection function. These events include outgoing call attempts, incoming call attempts, digits dialed during the call, conferencing, transfers etc. In practice, carriers typically receive Pen Register and Trap/Trace requests together so that all inbound and outbound traffic is received. Far fewer of these were done in 2006, approximately 130 thousand, as compared to subpoenas for call records.

The final level is the Title III. This too is a real-time interface based on safe harbor standards (J-STD, ETSI, PacketCable etc.) but instead of just receiving call events (like the stand alone Pen Register / Trap & Trace), the actual content (conversations) is included. This means that a copy of the conversation is delivered along with the call event messages. Even though the whole conversation is provided, the call events perform a very important function in this scenario as they allow law enforcement to understand, as they are listening, who the active parties of a call are during transfers, call waiting, conferences etc. And as was true with the previous tiers, the number of Title III intercepts done each year is dramatically smaller, only about 2,600 were done in 2006.

These levels represent increased amounts of information but also an increased burden on law enforcement. At each step along the way, the judicial system is scrutinizing and critically reviewing these requests to make sure the need is genuine and justifiable.
Till next time ...

The number of intercepts is lower than you would think

Current CALEA Deadline

Deadlines, those always catch people’s attention, especially when they are government mandated, regulatory deadlines. For lawful intercept (CALEA) in the U.S., the next deadline is May 14 2007. That is the date that all “broadband” service providers and “interconnected VoIP” providers must have their networks CALEA compliant. So what is CALEA? The Communications Assistance for Law Enforcement Act, a law passed back in 1994 requiring service providers to assist law enforcement, in a uniform, standards based way, with the process of intercepting (wiretapping) the communications of “bad guys”.

In 1994 an explosion of new communication technologies (cell phones, the internet, distributed networks, roaming, faxes …) was placing a technological burden on law enforcement to do a job they no longer had enough expertise or resources to handle, so they placed a request for help and Congress supported their request by creating and passing the CALEA legislation. But how does legislation in 1994 drive a deadline in 2007, some 13 years later? Surely by now any obligations under that law have been fulfilled. For the most part carriers have complied but the catch is that originally “information services” were exempted under CALEA. The internet was young then, email wasn’t an indispensable tool, VoIP didn’t exist, neither did Instant Messaging, Chat, Skype or all the other communication tools now in widespread use.

To address this ever expanding gap in coverage, the FBI, DEA and DOJ filed a joint petition in 2004 asking the FCC to include broadband and VoIP providers since so much communication traffic was now occurring over those media. After due consideration, a lengthy review process and input from many different parties, the FCC issued a Report and Order requiring the previously mentioned “broadband” and “interconnected VoIP” providers to come into compliance by May 14, 2007. So now, with not much time left, carriers are scrambling to understand their obligations, figure out how to meet this deadline and put plans in place to implement a solution.

Still mystified? Read on or ask some questions, I’ll definitely take a stab at answering any question relevant to LI (or maybe even any other interesting questions that get posed).

Demystifying LI

“Put up a wire”, get a “pen”, do a tap, perform a Title III or Trap and Trace, big brother, eavesdropping, Lawful Intercept, electronic surveillance, CALEA; all terms used to describe what is commonly known as wiretapping. Wiretapping is a useful and important tool for law enforcement allowing them (the good guys) to listen to and monitor what the targets (the bad guys) are doing. And while conceptually everyone understands what wiretapping is, many questions and concerns surround this activity. Questions on the subject include how much it costs to implement, who needs to “comply”, how does one become compliant, what standards are in use, what are the deadlines and does the government pay for it. Concerns, meanwhile, usually focus on due process, invasion of privacy, checks and balances and what legal footing (legislation) supports all of the above.

Now I may not be able to answer every question regarding answer “D” (all of the above) but given the business I’m in, the job I do, the experience I have and the people I interact with, I think I can do justice to the topic of Lawful Intercept. My name is Scott Coleman and I am the Director of Marketing for SS8 Networks, a provider of Lawful Intercept solutions. SS8 has been in this business for 12+ years and I’ve personally been working in this environment for 7+ years both as a Product Manager and as a Marketeer. I have over 18 years experience in telecommunications, have published articles on the subject, have spoken numerous times about it and have worked with law enforcement agencies and service providers around the world.

But enough with the resume, this blog has been initiated to provide the reader with frank, honest and open answers/opinions to the many aspects of this subject. In a word, we are “Demystifying” lawful intercept.

Glad to be here

I started my "Demystifying LI" blog (http://demystifyingli.blogspot.com) back in November as a way to bring frank and practical information about the very niche area of wiretapping (Lawful Intercept) and CALEA compliance to anyone interested enough to listen. I now appreciate TMCNet's invitation to bring my blog here (including previous content) and I invite the readers to: comment on what you read, call me out if you disagree and ask as many questions as you can. Welcome!

 

About Me

Scott Coleman is Director of Marketing for Lawful Intercept at SS8 Networks. He has been employed in the Telecommunications industry for 18 years and involved in Lawful Intercept since 1999. Over those 18 years he worked his way up from technical support engineer, to software developer, then to Product Manager and finally to Marketeer. Scott has spoken at various industry conferences, tradeshows and law enforcement forums on the current state of lawful intercept technology and its future direction. In his role at SS8 he works with and advises both the largest and smallest carriers in the U.S. and is spearheading an education campaign on lawful intercept, aptly named "Demystifying LI".