International Lawful Surveillance
For nearly 15 years Subsentio, the CALEA Compliance Company®, has operated as a trusted third-party service bureau providing its U.S. customers with three types of law enforcement agency (LEA) assistance service in support of the Communications Assistance for Law Enforcement Act (CALEA). Through technical interfaces with its communications service provider (CSP) customers, Subsentio provides real-time lawful intercept service (LI Service), records production service (RP Service), and data retention service (DR Service). These services are offered in a principal-agent relationship through Subsentio’s compliance bureau model. Subsentio’s compliance bureau acts as a limited agent supporting its customers when they receive the various types of lawful surveillance orders.
A natural evolution in legal compliance has emerged as both VoIP and broadband technology have grown in popularity and assumed the traditional functions of the old telephone networks. Both VoIP and broadband traffic now transit the Internet, allowing domestic CSPs to offer international calling services with affordable network augmentation. Technically, the expansion of these capabilities to foreign countries follows a familiar model that is easy for CSPs to implement. Far more complex, and all too often overlooked, is that other nations’ governments have their own laws and regulations governing telecommunications and their own legal compliance requirements.
As communication technologies evolve, it becomes harder to determine the legal requirements for LEA technical assistance on diverse types of networks, and how these requirements vary country to country. Some CSPs are subject to greater assistance obligations than others. Further complicating matters, as service providers extend their networks internationally, they find that different nations have adopted different LEA assistance laws. However, the different foreign legal systems have one thing in common: non-compliance with LEA assistance mandates is against the law and can lead to serious monetary penalties.
A non-compliant service provider may incur liability from either of two sources: (1) an inadvertent over-disclosure of its customers’ communications, call records and IP data records that provokes privacy-abuse complaints and lawsuits; and (2) an under-disclosure of legally mandated surveillance that triggers government enforcement action.
In EU countries and other nations, CSPs must install solutions to perform real-time surveillance. Each nation’s unique version of lawful intercept specifies the technical capabilities to be delivered to LEAs in the given jurisdiction. Unlike the US, the EU, for example, does not exempt information services such as social media or “electronic messaging services” from its surveillance capability requirements.
As stated, surveillance technical standards also vary from one country to the next. Australian telecom regulations are similar but not identical to those of the UK. While Canada’s regulations compare with those of the U.S., there are some significant differences. Consequently, a technical standard designed to comply with CALEA in the U.S. cannot be expected to match the surveillance solution blueprints of the EU or any other country. Employing the wrong standard is no minor flaw. If a CSP uses the U.S.-based ATIS standard to transmit a suspect’s data to an LEA in the EU, where the ETSI standard prevails, the LEA may receive all the packets associated with the suspect’s communications but would be unable to reconstruct the packets to make them intelligible.
Subsentio’s legal experts specialize in understanding the differences between surveillance technical standards in a wide array of nations. We can furnish a CSP with an intercept solution that follows a given country’s legal and technical demands.
Subsentio’s intercept solutions also keep pace with the trend of virtualization as networks migrate to the Cloud. Thanks to these efforts, it is now possible for a CSP to deploy a virtual service internationally and still comply with individual countries’ surveillance mandates. But they need to understand just what those mandates are.
Just as U.S. LEAs may serve subpoenas on CSPs to collect the subscriber records of criminal suspects, so may a foreign-based LEA serve a “production order” on a CSP doing business in the jurisdiction to get the same kind of records. When it operates in or provides services to another country, an American CSP must be ready to perform the same kind of validation and processing work it carries out in the U.S.
In many EU member states, service providers are also subject to “data retention” mandates. These regulations require a CSP to save its subscriber records for a minimum number of months or years in case the items are later needed for a criminal investigation. Special privacy and security safeguards are required to protect the retained data from unauthorized access.
Notice one key difference between U.S. records production and EU data retention. In the U.S., if an LEA requests a type of record that the CSP has not stored, or a record so old that it is no longer in storage, the CSP may validly reject the request. But in most EU states, as well as any other nation with a data retention mandate, if an LEA requests a record, and the record falls within the specified retention period, the CSP must comply or risk an enforcement action.
Subsentio’s compliance bureau can handle both U.S. records production and EU and other countries’ data retention requirements while meeting the attendant privacy and security standards. Still, close coordination between the CSP and Subsentio is needed to establish protocols that are lawful, reliable, rapid, and efficient.
When Foreign CSPs Enter the U.S.
International service providers that seek to do business in the U.S. are typically subject to CALEA. If a foreign-owned CSP applies for a Federal Communications Commission license to serve the U.S. public, the FCC will likely require the applicant to jump through an additional regulatory hoop known as a Team Telecom review.
Team Telecom is an inter-agency task force authorized to ensure that foreign CSPs enter the U.S. market only after demonstrating their commitment to meet the needs of U.S. law enforcement and national security. At a minimum, Team Telecom will expect the CSP to install a valid CALEA solution. Beyond that, the task force may extract other concessions. For example, the applicant may be compelled to name a U.S. citizen or a trusted third party on American soil who is prepared to receive court surveillance orders on the CSP’s behalf. The applicant may even have to equip its network with technical capabilities not expressly mandated by CALEA.
If you are thinking about bringing the lawful intercept process in-house and performing all the processing yourself, here are some functions and costs that you need to consider. An equipment supplier provides the technical solution. You pay for it. You maintain it. You operate it. And that’s just the start. Your network also needs to be able to establish a connection to the requesting law enforcement agency for transmission of court-ordered communications and the call or IP data of individuals under investigation. You will need to install the equipment, write a security policy, hire personnel with appropriate security clearance credentials and ensure the privacy of your customers.
Now let’s talk about personnel. When you receive a court order, it needs to be reviewed for authenticity and correctness by an attorney. The court order needs to be managed by personnel with security experience and preferably with security clearances. Specific information needs to be maintained for each lawful intercept. There must be personnel available 24×7 for both receipt and management of a court order. These personnel must hand off the order to specified technicians who can test the technical equipment, then initiate, intercept and transmit the requested information to the appropriate agency. Do-it-yourself self-compliance requires technical, legal, regulatory and law enforcement expertise that most carriers simply don’t have and can’t afford.
Finally, there is the whole issue of legal and technical competence. Each CSP’s network is different. Thus, the intercept solution must be tailor-made to fit that individual network. Different networks require different legal compliance solutions, requiring very experienced installation and test engineers. Then, there is the whole issue of court documents. In the U.S. alone there are three primary types of court orders and 13 different types of subpoenas. What CSP has the specialized legal regulatory staff to validate court orders in each of the countries it wants to serve? Enter Subsentio’s International Lawful Surveillance service.