SERVICE PROVIDERS WHO ARE SUBJECT TO THE CALEA STATUTE?

Many communication service providers (CSPs) have trouble determining whether they are subject to the Communications Assistance for Law Enforcement Act (CALEA). The analysis is not always easy. But the following guidelines should point you in the right direction.

INTRODUCTION

CALEA Section 102 states that an entity is subject to the statute if it is “engaged in transmission or switching of electronic communications to the public for a fee” and does not fall in any of the CALEA exemptions. The following applies these terms of art to the common types of CSP.

As you read the analysis, remember that CALEA was enacted in 1994, before the widespread adoption of the Internet. That limitation can make it difficult to apply CALEA’s terms to the advanced networks of today.

Transmission or Switching

All CSPs (e.g. wireline, wireless, satellite) are engaged in transmission or switching of electronic communications. The switching could be performed by a circuit switch or “soft” switch. Likewise, transmission may be traditional telephone SS7 signaling or SIP (in the case of VoIP). Broadband providers also meet this test. Congress expressly intended CALEA to be “technology neutral.”

A reseller provides transmission or switching even though the facilities may be owned by a third party. For example, a mobile virtual network operator (MVNO) provides switching and transmission, although the facilities that perform the switching and transmission may be owned by a facilities-based wireless carrier such as Sprint.

A reseller’s obligation is to ensure that its facilities-based wholesaler has installed a CALEA solution. The reseller itself need not perform any of the technical work. It should only ensure that its wholesale/resale agreement makes the wholesaler responsible for CALEA compliance.

Aside from CALEA compliance, resellers may receive subpoenas, warrants and/or court orders from law enforcement and other entities. These instruments of due process seek stored (or “historic”) subscriber records, whereas CALEA involves real-time surveillance. Resellers should be prepared to respond lawfully to requests for stored records. Such requests are more common than court orders for CALEA surveillance.

To the Public

A communication is “to the public” if it enables two-way interconnection to the public switched telephone network or enables access to the public Internet. A “click-to-call” feature on a web site that enables a one-way VoIP call (e.g. to a retailer) does not create two-way interconnection.

Access to the public Internet means access to web sites like Amazon.com, CNN, Youtube, etc. A university research network available only to the university’s students and faculty would not be “to the public.”

VoIP-based conference calling services such as Citrix and WebEx are to the public in the sense that they are two-way (actually, multi-way) communications and they are interconnected to the PSTN.

For a Fee

Usually, if a communication service is to the public it is for a fee. An obvious example would be a subscription to telephone service or cable service. In addition, where a hotel or coffee shop offers free WiFi service it’s still for a fee because the hotel or coffee shop pays for the service.

The Private Network Exemption

Private networks are exempt from CALEA. The exemption makes sense because networks such as the above-described university research network are not “to the public.” A bank’s ATM system and a corporate PBX system are also exempt private networks. However, a network that connects PBX systems to the PSTN is not private; it is to the public.

If you operate a private network, and you receive a court order for lawful surveillance, it is perfectly valid to tell the law enforcement agent you have no CALEA obligations. On the other hand, all network operators – even those exempt from CALEA, are still obligated to provide “reasonable assistance” to an implementation of lawful surveillance. There is very little case law to define what is “reasonable” in these situations. The issue commonly leads to a negotiation between the law enforcement agent and the network operator.

The Interconnecting Carrier Exemption

An interexchange carrier (IXC) is exempt from CALEA as an “interconnecting carrier.” A fiber backbone operator that acts only as “a carrier’s carrier” is also considered an exempt interconnecting carrier, although neither the statute nor the FCC’s rules expressly addresses this point.

The logic is that if a carrier does not serve end users (i.e. is not a “last-mile” provider) law enforcement does not need to intercept the carrier’s communications. Instead, law enforcement can accomplish the intercept through the last-mile carrier.

The Electronic Messaging Service Exemption

Providers of email, SMS text messaging, and web chat services are exempt from CALEA. The reason for this exemption is that in 1994, when CALEA was enacted, there was no significant criminal use of these “electronic messaging services” and therefore law enforcement did not ask Congress to reach them with CALEA coverage.

The Web Publishing Exemption

Web sites are also exempt from CALEA. In 1994 there were no social networking sites like Facebook, LinkedIn, and Match.com, so law enforcement did not consider web sites a threat.

More recently law enforcement has changed its mind about social networks. Don’t be surprised if one or more Congressmen sponsor a “CALEA II” legislation that extends CALEA coverage to these entities.

CONCLUSION

You don’t have to be an engineer or lawyer to determine whether a CSP is subject to CALEA. The coverage rules generally make sense, at least from the perspective of 1994, when the statute was enacted.

As noted above, even if an entity is not subject to CALEA it remains subject to the “reasonable assistance” obligation. And the reasonableness of the requested assistance is typically negotiated between the law enforcement agency and the service provider. In any event, the provider may not simply refuse to facilitate the court-ordered surveillance. And once a law enforcement agent gains access to a service provider’s switch it may be difficult to control the nature or extent of the resulting surveillance.

For this reason a non-CALEA-covered service provider may voluntarily decide to install a CALEA solution and establish a CALEA compliance program. Such an arrangement would help reassure privacy-minded subscribers that all surveillance on the network remains strictly within the provider’s control.