Electronic Surveillance Standards
Standards play three key roles in communications interception:
- They define the scope of laws for particular types of intercepts.
- They facilitate interoperability of interception equipment.
- They give service providers “Safe Harbor” protection.
Types of Intercepts
Two types of intercepts of importance exist in the U.S.:
- Pen-Register Intercepts: Only addressing and signaling information can legally be provided.
- Content Intercepts: Communications content is also provided.
There are subtle differences between the two, as well as tangential questions, such as when location information can and cannot be provided. Standards help define the proper course of action. Attempting to provide intercepts to law enforcement without following one of the industry standards is fraught with many legal risks.
For interoperability, surveillance standards specify in great detail the “handover” interface between the service provider and law-enforcement agencies. This interface, or protocol, carries the communications between the mediation or delivery system, which resides in the service provider or trusted third party network, and the collection or monitoring system, which is housed within the law-enforcement agency.
Safe Harbor protection is a provision of the Communications Assistance for Law Enforcement Act (CALEA) that gives a service provider protection if the industry standards are followed. Specifically, Section 107(a)(2) of the statute says “(a) telecommunications carrier shall be found to be in compliance with the assistance capability requirements under Section 103, and a manufacturer of telecommunications transmission or switching equipment or a provider of telecommunications support services shall be found to be in compliance with Section 106 if the carrier, manufacturer, or support services provider is in compliance with publicly available technical requirements or standards adopted by an industry association or standard-setting organization, or by the FCC under subsection (b), to meet requirements of Section 103.”
Standards are developed by committees within industry associations and standards organizations. Typical committee members include carriers and service providers, interception-equipment manufacturers, trusted third parties, and law-enforcement agencies. The primary organizations of interest to service providers in the U.S. are:
- ATIS (Alliance for Telecommunications Industry Solutions): Developer of most of the widely-used CALEA standards.
- TIA (Telecommunications Industry Association): Pertains mainly to traditional phone service standards.
- CableLabs: Developer of several standards for the cable industry, although most cable companies are utilizing ATIS standards.
- 3GPP (Third Generation Partnership Project): A collaboration among several standards organizations, including ATIS, TIA, and ETSI (the European Telecommunications Standards Institute).
Versions and Supplements
Standards undergo changes for a variety of reasons. A major re-publication of a standard is called a “Version,” while a lesser change is called a “Supplement.” For instance, the widely used VoIP intercept standard, 678, is currently at Version 3.
It is important to understand that a new version supersedes the previous version, and that all material in a supplement supersedes the specific earlier material being changed. To ensure Safe Harbor and interoperability, it is important to keep your solutions up-to-date with the standard, or to work with a partner who can ensure that you are current.
One significant aspect of surveillance standards is the existence of optional capabilities and protocol messages. Optional capabilities exist for one of two reasons:
- The standard is a CALEA Standard, but the Standards Committee cannot state categorically that the capability falls within the CALEA requirements.
- There is disagreement within the Standards Committee about the capability (often meaning that the law-enforcement community wants the capability, but a sufficient number of other participants do not want it to be mandatory).
Many, but not all, of the optional capabilities are useful and should be implemented, although the definition of an optional capability means that you can claim compliance with the standard without implementing that capability.