Is Your Company Really CALEA Compliant?
Martin McDermott, Chief Operating Officer
CALEA compliance is a cost of doing business for service providers. They are not able to directly recover all of their costs, but regardless, they must comply.
Most switch manufacturers face the same situation. By law, they outfit their switches with software that allows for lawful intercept. However, in most cases this software application has to be paid for by their customers. Some service providers believe that the mere purchase of a software app makes them CALEA compliant. Others think they can save money utilizing another technical solution that makes them compliant. Yet there is more to CALEA compliance than just a technical solution.
Exactly what is CALEA compliance for lawful intercept, how does it work, what is the service provider’s responsibility – and how does Subsentio help?
This month’s Squawk Box interviews Subsentio’s EVP for Marketing Services
Martin McDermott for the details on this complex process.
Subsentio: Tell us a little about your background.
McDermott: I’ve worked in almost all areas of the competitive telecommunications industry for more than 30 years, including sales, marketing and customer service management. I joined Subsentio a year ago to provide marketing support to a company that was becoming a leader as a Trusted Third Party CALEA service bureau. After learning just how complicated CALEA compliance is, I wondered if Subsentio’s customers understood what they were required to do. So, I developed a customer care program and began calling them to introduce it.
Subsentio: You called your customers? All of them?
McDermott: Yes. I spent the summer calling, emailing, setting up Go-to-Meeting events to introduce our support program, update our contact information, request updated network information, and to answer their questions. I was able to reach most of them.
Subsentio: What did you find out?
McDermott: None of our customers were happy having to be CALEA compliant. However, they recognized their responsibility to obey the law. Most thought compliance was just a technical solution. Generally, the people managing CALEA were the last ones stampeding from the conference room and were stuck with it. So, the people who were responsible for CALEA compliance changed frequently. As a result, Subsentio didn’t always have current contact information. Compounding this challenge, the network services offered by carriers changed over the years, and Subsentio didn’t always have updated network diagrams. Equally importantly, most of the customers didn’t have written CALEA compliance procedures. In fact, even though they thought they were in compliance, often they were not.
Subsentio: What makes a service provider CALEA compliant?
McDermott: A service provider is CALEA compliant if it has the technical capability to implement a lawful intercept in response to a court order, and the processes and procedures in place to both manage the intercept and protect the privacy of its subscribers’ information. Because service providers are comfortable with technology they tend to think only of the technical solution they have installed. Typically, that solution is nothing more than a gateway from the switch to the law enforcement agency that has requested the intercept. But what carriers don’t realize is that the management of the entire surveillance process is much broader and more involved.
Subsentio: Why aren’t they compliant if they have the switch manufacturer’s lawful intercept software?
McDermott: They could be. But, for many manufacturers, the software only allows for routing the target to a mediation device which formats the data into industry acceptable standards. Most switch manufacturers don’t produce mediation devices. They would have to have a mediation device from another vendor such as Verint, which designs their systems for Tier One carriers –meaning these solutions are expensive.
Subsentio: What’s the big deal about managing the intercept process?
McDermott: Many times the service provider is dealing with classified information from the FISA court and private information of the subscriber. When a court order is delivered to a service provider, it should be properly received by individuals who have signed a company non-disclosure agreement. The court order needs to be verified to make sure that the information contained is both accurate and legal. This usually means that it is reviewed by the company’s attorney, if they have one. Then, the intercept target information has to be transmitted to a company’s technician who supervises the technical solution, and who also should be under an NDA. Finally, there are strict time limits on a lawful intercept: It has to go up at a certain time and be taken down at a certain time.
Subsentio: What happens if a service provider is not compliant?
McDermott: The company leaves itself open to actions by the court as well as to legal exposure to subscriber privacy issues — if any are violated. If a law enforcement agency can’t proceed with an investigation because a carrier isn’t responding, the judge who issued the court order could issue a ‘show cause’ order to the CEO asking why they are not compliant. Having to answer to a judge about possible criminal charges for non-compliance is not a good position for anyone to be in.
Subsentio: What is Subsentio doing today to help its customers?
McDermott: We’ve created the Subsentio Certification Program. It is an annual program whereby we telephone each of our customers to update our records with those individuals who are managing their program, receive the most current network diagrams, review any new services that they have implemented, and finally, schedule a test of the system to make sure that all is in working order. We have written the Subsentio Guide for CALEA Compliance as a detailed reference on every aspect of compliance, and we provide any assistance required for administrative support of their program.
Subsentio: Sounds like a customer service program.
McDermott: It is that and more. We think that customer service is what a company does both before and after the customer calls with a problem. We are proactive before the fact, and immediately responsive when called into action. We hope Subsentio’s customer care provides our customers with ongoing support features that preclude potential problems from happening.