September 2015 Newsletter
Biggest and Best – With the Emphasis on Best
By Steve Bock, President & CEO
Our last Newsletter highlighted Subsentio’s excitement, optimism and expectations over our acquisition of the Legal Compliance Service business of Neustar. This transaction put a new face on the lawful intercept marketplace, making Subsentio the largest U.S. provider of “Trusted Third Party” solutions. More importantly, it fueled our commitment to being the best in the marketplace at serving our clients.
With that goal uppermost, we made three pledges to you:
- There would be no change in your service.
- We would introduce Records Production as a new service to legacy clients.
- We would expand our operational base.
I am pleased to report success on all three counts.
The transition has been remarkably smooth, with new clients reporting that their level of service meets or exceeds the same high level as before. One factor contributing to this success is the commonality of the two companies’ technical solutions and support practices – a key driver of the acquisition, ensuring continuity.
As with any change, there have been occasional technical challenges, but they were resolved quickly. Installations have proceeded on schedule. Annual testing schedules continue to be met. Through communications outreach programs such as customer care webinars we’ve worked hard to keep everyone “in the loop” on progress, and answer your questions. Overall, the migration of former Neustar clients to Subsentio has been a huge success, with zero impact on legacy clients and significant new benefits for clients.
Chief among these customer-focused achievements is the nationwide launch of Records Production, now available to all Subsentio clients.
Records Production was a major factor in our decision to acquire Neustar’s legal compliance business, and is a very exciting – and timely – service. With the spike in LEA demand for customer records, communications service providers (CSPs) today are overwhelmed trying to manage records production on their own. Now they can kiss that headache goodbye.
Any CSP can outsource the time-consuming and resource-intensive burden of records production to Subsentio, for any records request, any time. Subsentio Records Production operates 365 X 24 X 7, including for exigent/emergency circumstances. Backed by an advanced automated system and expert team, the service indemnifies clients from risks associated with records production, and delivers accurate, reliable results at a significant cost savings.
The good word on expanding our operational base: Completed right on schedule. On July 1st, we established our East Coast data center in Reston, VA and as of the 1st of August, we were operational in our new office facility in Chantilly, VA, all the while continuing to conduct routine business and support of our customers.
Based on these successes, we feel very positive about the future. Exciting new things happen every day. As I write, we have acquired the latest Verint technical platform to provide additional features for Harbor Intercept customers. We have fully integrated the Pine Digital platform used by some new clients, and given it a new name – “Harbor Light.” Finally, never satisfied – even with the term “great” — Subsentio is deploying a new workflow processing platform for Records Production to make service even better.
The job of providing a superior experience to our clients is never “done.” As they say, it’s a road, not a destination. Watch us grow in the quest to serve you better.
U.S. Department of Justice Clamps Down on IMSI Catchers
Makers of IMSI (International Mobile Subscriber Identity) catchers, devices that emulate cell towers to determine mobile location and intercept call traffic, got a rude shock earlier this month: new rules from the U.S. Department of Justice (DoJ) that strictly limit how such “off the air” interception tools may be used. While the DoJ’s new mandate has zero impact on Subsentio clients, it’s possible you’ve heard about the change and wondered what’s going on. Here we’ll explain all.
Before we dive into a discussion of the rules, a brief tutorial on “IMSI Catcher 101” is in order.
In mobile networks, devices and radio towers routinely ping one another to handle calls and identify the customer’s location in the event of an emergency. Essentially the IMSI catcher is a “fake” mobile tower that intercedes between the target’s mobile phone(s) and the service provider’s real towers. It works by emitting a stronger radio signal that lures mobile devices to a “fake” tower operated by a law enforcement agency (LEA). When a suspect is in range, the technology identifies his mobile device’s unique International Mobile Subscriber Identity (IMSI) number, and also has the ability to intercept other data. All the action happens “off the air,” that is, straight from the radio airwaves without the assistance or knowledge of the mobile operator.
With that degree of latitude possible, some argue that IMSI catching users may have at times stretched the limits of the law, for example, by working without a warrant.
Effective Sept. 3, the Justice Department has reined in the IMSI catcher. The FBI and other agencies that fall under the domain of the DoJ now must obtain a warrant showing “probable cause” in order to use such devices. Intercepting content is now off limits. So is data retention. In the latter case, federal agents using an IMSI catcher must delete any captured data, preferably immediately but no later than the same day.
The DoJ’s actions do not affect Subsentio clients or any aspect of the CALEA compliance services that we offer. Under CALEA, the use of IMSI catchers for real-time data collection on wireless networks has always been off-limits. Any gathering of “mobile location” data under the auspices of CALEA is confined to call detail records (CDRs) that show a suspect’s general location in the network at a given day and time to see possible connections between his whereabouts and crime patterns. Under CALEA, such mobile location requests are always confined to the suspect, handled by court order and with strict observance of the CSP customers’ privacy.
Up until this month, the use of IMSI catchers was more open-ended, which led to complaints.
Privacy activists claimed that LEAs were using IMSI catchers without supervision by a court of law, and violating 4th Amendment privacy rights. They claimed that police were intercepting and retaining call data, call content including voice and texts, and even peering into mobile devices’ files. They also complained that IMSI catchers were being used indiscriminately, intercepting not just mobile location of suspects, but of everyone in range of an IMSI catcher.
The Justice Department felt it was time for rules that established a firm policy and set privacy advocates’ minds at rest. Federal lawmen, it was said, would feel negligible impact from the change. According to the DoJ, IMSI catchers have been used in only a “fraction” of federal investigations.
All fine and well. And from the standpoint of Subsentio and our clients, nothing changes.
However, there is one important “catch” that affects another vital Subsentio audience: local LEAs. Whenever a DoJ agency such as the FBI becomes involved in a joint investigation with state or local law enforcement — and use of an IMSI catcher comes into play — all the new rules apply. Warrant required. No data retention. No content collection allowed.
Of the three, the restriction on data retention is arguably the most worrisome. In essence, this rule is an order to destroy evidence – the whole point of an investigation. On announcement day, nobody seemed to pick up on that point.
In announcing its new mandate, the DoJ was mindful of crediting IMSI catchers for their role in apprehending kidnappers, drug traffickers, murderers and other dangerous elements. Applying the rules to DoJ agencies first may serve as a test, not only of their effect on improving privacy protections, but of the flip side — the cost to public safety when LEAs lose full use of a surveillance tool proven highly effective in the war on crime.
Down with “Just-in-Time,” Up with Subsentio Cloud
Most business persons are familiar with the term “Just-in-Time.” When used by large retailers, Just-in-Time is a proven method of controlling product shipments and inventory management so that retail outlets have only the merchandise they need to sell, when they need it – and products don’t gather dust on the shelf and contribute to storage costs.
But did you know that Just-in-Time enjoyed brief popularity in the lawful intercept (LI) arena? It did – though almost from Day 1 JiT gave both providers and clients a case of the jitters.
Here’s the story of how JiT for LI came into being, where it went wrong – and how Subsentio is replacing JiT with a far better alternative for all concerned, in “the cloud.”
Ten years after the 1994 passage of the Communications Assistance for Law Enforcement Act (CALEA), federal law enforcement officials recognized that the law had become outdated. New services including VoIP and broadband were by then rising in popularity – including with criminals and terrorists – but were outside the scope of CALEA.
On March 10, 2004, the U.S. Department of Justice (DoJ) and Drug Enforcement Administration (DEA) filed a “joint petition for expedited rulemaking” with the Federal Communications Commission (FCC). Their goal: bringing broadband and Internet traffic under CALEA for purposes of lawful intercept.
The FCC responded with a “First Report and Order” applying CALEA to facilities-based broadband Internet access providers and providers of VoIP services that interconnect with the public switched telephone network. A second “Report and Order” issued in May 2006 clarified the requirements:
- The new rules applied to facilities-based ISPs and providers of VoIP that interconnect with the PSTN.
- The deadline for compliance was confirmed as May 27, 2007.
- CSPs themselves would be accountable for the cost of CALEA compliance.
- All CSPs could meet their CALEA compliance requirements by using “Trusted Third Parties” (TTPs), private companies that met the technical requirements set forth in the law.
Reaction from the new “participants” under CALEA: shock and awe. Shock: They had just 12 months to take action. Awe: The road to CALEA compliance had some mind-bending, Olympic high jump-sized cost hurdles. No off-ramps, either. They were now under CALEA, and could face serious penalties for non-compliance.
The commercial technology options offered scant solace. At the time, the lawful intercept market was dominated by vendors that catered primarily to large Tier 1 operators. Companies such as SS8 and Verint sold high-end mediation devices, “active” solutions that directly interconnected with the carrier’s network hardware and required significant investment in software. As a result, active lawful intercept solutions were expensive – upwards of six figures and beyond.
The big carriers could afford the big iron, but for Tier III and Tier IV, CALEA compliance carried a considerable new financial burden. And it was not an isolated problem. In all, the count of broadband and VoIP providers suddenly subject to CALEA totaled some 2,500 operators. Who could they turn to for help?
One bright spot: the new “next generation” TTPs. These innovative vendors already marketed “passive” devices called probes that provided an economical alternative for CALEA compliance. Probes did nearly everything the big ticket active systems could do, in a price range of just $10,000 to $15,000 per probe. Unfortunately, though, even that amount was a bit much for some smaller operators.
Then the TTPs had what seemed like an inspired idea. Why not bring the price down even further by overnighting probes to clients upon receipt of a court order for lawful intercept? Small CSPs could “buy in” for a low monthly recurring charge.
The TTPs called it “Just-in-Time Lawful Intercept.”
Great idea, and it worked for a while – sort of. Smaller carriers paid their monthly charge, and the TTP really did (usually) have a probe waiting for shipment. But the concept often fell apart.
Among the problems: (1) Many CSPs didn’t know what to do when they received a court order; (2) they didn’t have rack space for the probe; (3) they lacked a trained technician to support the device; and (4) as a result of the foregoing and other issues, carriers often ended up not being CALEA compliant at all.
Subsentio picked up on the problems quickly. While we still support clients that use JiT, we no longer sell it. But we have never quit on the idea of providing exactly the service a client needs, whatever their size and budget.
At the beginning of 2015, we found a far superior approach: an intelligent router/controller that with some minor programming can be made CALEA compliant and “talk to” network probes in our Network Operations Center (NOC).
We call it “Subsentio Cloud.” The basic idea: provide an inexpensive piece of hardware that is easy for clients’ technicians and Subsentio to administer and maintain.
“Subsentio Cloud” is coming soon, at no increase in customers’ current MRR rate. Look for a major announcement in the October or November timeframe.
Do We Have Your Number?
As parents will tell you, nothing good happens after midnight. “Normal” business hours are just that – normal, from 8:00 AM to 5:00 PM. And fortunately, even in the surveillance business, probably 60% to 70% of court orders and even FISA orders or exigent circumstance situations happen during those “normal” business hours. But there is a whole other world that starts after 5:00 PM and especially Friday nights and through the weekend.
Frankly, it doesn’t make any difference whether it is a FISA court order or an exigent circumstance, an intercept needs to be implemented regardless of day of week or time of day. We facially validate the court order or the agent calling and immediately call you, our client, to alert you of the required intercept, and ask for technical assistance. And therein lies the proverbial wrench in the intercept surveillance works. Far too often the people we call don’t pick up the phone!
You ask why? And so do we! There seem to be several common reasons. First, the person listed in our customer profile for your company may no longer be with the company and a replacement hasn’t been assigned. Second, people change jobs, contact numbers, locations, etc. and Subsentio isn’t alerted to the change. Then there is the “no answer” phone call with a voice mail left and a subsequently issued email, but the situation is the same. The intercept is not being implemented and Subsentio personnel are now frantically calling all the numbers that are in the customer profile contact section desperately trying to find someone in your company who can help. The good news is that we usually do. The bad news is that sometimes we don’t and we’re not able to respond to an emergency situation as quickly as standards dictate.
What to do? Two things: Every quarter we’re going to be emailing the primary contact listed in your customer profile, asking you to take a moment to update the information. That will include updating the network diagram. Secondly, in the short term, we’re going to be calling each of you to make sure that we have correct information for between now and the end of the year. Then we’ll know that we really do have your number.
Products & Services: Records Production
Tackling the Hidden Costs of Records Production
By Michael Alison & John Gregory, Legal Compliance Analysts
A large variety of subpoenas are produced in order to obtain historical call records from a service provider. Beyond the glaring surface costs and time spent reviewing and processing legal demands, a communication service provider must also invest significant resources towards legal process oversight, monitoring state and federal legislation while updating policies accordingly, processing customer requests, and operating an after-hours exigent support center. To do so requires facilities as well as trained people.
Subsentio can alleviate these costs and the burden of money, time, and man-hours lost by employees not dedicated to legal compliance services. Subsentio not only offers a successful compliance rate of 98% on over 425,000 legal demands processed, but boasts a processing time significantly quicker than the industry average. Our dedicated and professional team of analysts will manage processing and responding to legal demands served by law enforcement and civil litigants and, just as importantly, will protect you from potentially costly fines and lawsuits that can result from non-compliance. As your Trusted Third Party, Subsentio ensures all legal process will be processed timely, efficiently, and above all, accurately.
Client Profile at a Glance
Customer: A leading VOIP service provider
Challenge: Jeff is an engineer who has been tasked with handling the legal compliance aspect of a CSP’s ever-expanding VOIP business. Jeff is a technical person with no legal background. He also has his normal technical tasks and duties to perform, allotting him little time to address the legal inquiries being forwarded to his inbox. Jeff had a decision to make: continue making considerable in-house capital and talent investments to keep up with increasing lawful records production requests or turn to Subsentio Legal Compliance Services for support.
Solution: Jeff selected Subsentio as the CSP’s Trusted Third Party agent to receive and process law enforcement, civil and Public Safety Answering Point (PSAP) requests on behalf of the service provider.
Results: Subsentio now handles all records production as well as emergency call support for the service provider. Non-urgent law requests are processed in three to five days on average (versus the industry average of 2-3 weeks). Emergency calls are routed to and handled by Subsentio 24x7x365. The service provider’s public profile has been updated to direct records request inquiries to Subsentio. Anything Jeff receives in his inbox that appears legal compliance-related is simply forwarded to Subsentio for handling. Jeff can now focus on evolving services and technologies, and not on managing and processing lawful records requests.
Rules & Regulations
At ISS World: Subsentio General Counsel Joel Margolis on “Internet Giants Battle With LEAs Over User Privacy Rights”
Joel Margolis, General Counsel
In recent years we’ve seen more frequent litigation between U.S. law enforcement and the Internet giants. A U.S. law enforcement agency serves what it regards as a routine court order, warrant or subpoena on a service provider such as Google, Facebook or Microsoft. The global Internet provider files a motion to vacate the order on the grounds that it violates a right of privacy. Then the dispute erupts into a legal war involving high attorney fees, multiple levels of judicial review, and years of delay.
One segment of the global communications industry keeps getting into legal fights with one segment of the global law enforcement community. What’s going on here? Has U.S. law enforcement become more aggressive when investigating suspects on the networks of the major Internet players? Have the high-tech leaders developed an antipathy towards U.S. law enforcement?
I’ll explore this mystery at the upcoming ISS World Americas conference, Wednesday, September 30th from 3:00 to 4:00 pm, summarizing the relevant court cases, highlighting the commonalities, and examining the prospects for judicial war and peace.
ISS World Americas runs September 29th through October 1st in Bethesda, Maryland.