Subsentio Safe Harbor Compliance Program
Subsentio helps communication service providers comply with their statutory obligations to implement lawful electronic surveillance on criminal suspects who use their networks. The statutes do not force service providers to apply any particular surveillance technology. Instead they let industry bodies develop technical standards as they see fit, as long as the standards produce certain basic surveillance capabilities. An industry standard is presumptively valid unless a party such as a law enforcement agency or privacy group challenges it with a petition before the Federal Communications Commission. The presumption of validity is known as “safe harbor” status.
Subsentio is the leading trusted third party provider of safe harbor surveillance solutions. Our exclusive relationship with a top surveillance solution vendor gives us a central voice in how the solutions are made. We use that voice to market solutions that meet safe harbor standards, fit networks of all shapes and sizes, and conform to tight budgets.
Subsentio’s safe harbor approach involves more than just good technology. We offer a complete compliance program that also ensures:
- Expert installation, testing and ongoing 24/7/365
- technical support — to assure the highest levels of performance
- Validation and management of court orders, with defective orders returned to law enforcement for correction
- Secure transmission of intercepted data —Performance of legally-required record-keeping for each surveillance
Only with a complete compliance program can a service provider meet the needs of both law enforcement and privacy protection.
What is CALEA?
The primary statute that requires communication service providers to assist law enforcement with surveillance capabilities is the Communications Assistance for Law Enforcement Act (CALEA). The broad principles of CALEA are sometimes difficult to apply to the specifics of today’s rapidly evolving networks. Nevertheless, service providers must find a way to comply. Otherwise they may be targeted by enforcement actions.
CALEA Section 103 sets forth the framework of surveillance capabilities that must be installed in the CALEA-covered network. Among other things, the capabilities must “expeditiously” and “unobtrusively” isolate the criminal suspect’s communications and “call-identifying information,” capture the targeted data, “format” it, and relay it to the authorized law enforcement agency.
CALEA Section 107 offers industry a “safe harbor” path to meeting the standards of Section 103. Section 107 states that if a service provider installs a surveillance solution that conforms to a published technical standard adopted by an “appropriate association or standard-setting organization” the provider “shall be found to be in compliance with” Section 103.
Other sections of CALEA address issues of privacy protection, cooperation needed from telecommunications equipment vendors, and enforcement.
In 2005 the Federal Communications Commission extended CALEA coverage to facilities-based broadband Internet access providers and providers of two-way interconnected VoIP. The order established that CALEA applies to both traditional telecommunications carriers and certain broadband providers.
A follow-up FCC order of 2006 expressly recognized that service providers who retain trusted third parties such as Subsentio have chosen a valid approach to comply with CALEA. Since then numerous service providers nationwide have retained Subsentio to help meet their lawful surveillance obligations.
Today Subsentio serves the full gamut of communication providers, from small rural telephone companies to nationwide advanced competitors. If you have launched a communication service, and you’re not sure whether you are subject to CALEA, give us a call. We’ll perform a free regulatory analysis to determine whether you are covered. If so, we’ll recommend an efficient, cost-effective solution that will not disrupt your business model.
The Steps to Compliance
When a communication service provider receives a court order mandating electronic surveillance of a subscriber there is no reason to panic, provided the staff knows what to do. The following are the five basic steps that Subsentio clients follow:
- You Receive a Surveillance Order: A law enforcement agency (LEA) serves your company with a court order requiring electronic surveillance of a subscriber
- You Notify Subsentio: complete Subsentio’s Service Provider Authorization form and email it, along with the court order, to firstname.lastname@example.org.
- Subsentio Reviews the Order: We review the court order to determine whether it is valid. If so, we proceed to the next step. If not, we notify the law enforcement agency of the defect and advise on how it may be cured.
- Subsentio Activates the Surveillance: We initiate the electronic intercept as required by the court order and begin comprehensive administration, tracking and reporting. If the surveillance is disrupted our engineers act swiftly to help diagnose and solve the problem.
- Subsentio Terminates the Surveillance: We terminate the surveillance as required by the court order and perform the related record-keeping required by the FCC’s rules.
The Cost of Self Compliance
So, you want to do it yourself? Here are some functions and costs that you need to consider. The equipment supplier provides the technical solution. You pay for it. You install it. You maintain it. That’s just the start. Your network must also establish a connection to the requesting law enforcement agency for transmission of the data.
Now let’s talk about personnel. When you receive a court order, it must be reviewed for validity by an expert with specialized legal training. The court order must also be managed by personnel with security training and preferably with security clearances. Specific records must be kept for each lawful intercept. Then you need personnel available 24×7 for both receipt and management of court orders. They then hand off the order to specified technicians who can initiate, test, intercept and transmit the targeted suspect data to the requesting agency. Self- compliance requires technical, legal, regulatory and law enforcement expertise that most carriers simply don’t have and can’t afford.