March 2017 Newsletter
By Steve Bock, President & CEO
For several years Subsentio has contemplated expanding internationally. This year we decided to make the move. The reason for the delay had nothing to do with technology. We’ve proven ourselves year after year as the company that fixes technical problems where others have failed. It had nothing to do with interfacing with different law enforcement agencies. Our staff has decades of connections with the thin blue line and the intelligence community around the world.
The delay on our part has been deliberate: to ensure we have established the framework to provide legal resources not just in the U.S., but worldwide.
As our customers know, one of the great values that we add is our ability to provide regulatory and “law related services” to our clients. This is critical for service providers who don’t have the expertise that Subsentio has in reviewing thousands of legal documents related to electronic surveillance and records production.
However, the international market presents unique challenges – multiplied by the number of nations where our clients require international support. Some countries require all of the collected intelligence to stay within their country so our equipment needs to be physically located in the same country as the subscriber or in a cloud that serves that country. Many countries have strict data retention laws. Unlike the United States, this means that it is incumbent on the service provider to store call records in a secured manner; in many cases for several years. This could mean terabits of information and in some cases the records must be stored within the country of origin as well.
Then there are fluid legal issues such as the impact of Brexit on the European Union surveillance laws or the recent court decision on US companies storing call records overseas. (See the legal blog on UK surveillance law from our General Counsel, Joel Margolis: http://www.subsentio.com/calea-affairs/government-affairs-blog/)
In the international arena, Subsentio’s mission remains the same. We are the honest broker that keeps our service provider clients compliant and law enforcement happy with the intelligence we provide based on legal authority. To expand our US model, we made the decision to have legal representation in every country or region where we provide our services. This means that U.S. companies can be confident that as they expand overseas, Subsentio will provide the same level of regulatory services that they rely on in the U.S.
The reception to our expansion plans has been overwhelmingly positive. We are not only aggressively filling a vacuum with our Trusted Third Party model for service providers, but law enforcement is welcoming us, as well, because we still share the same mission, to catch the bad guys so that the world is a safer place. Unfortunately, in our business, the bad guys are everywhere.
The Race Toward Virtualization
Virtualization is a technology which makes applications independent of underlying infrastructure. The “Cloud” is a service, powered by virtualization, that provides resources on demand…Marcus Thomas, CTO, Subsentio
Virtualization is getting everyone’s attention. Network functions virtualization, or NFV, replaces dedicated network devices with software running on general-purpose CPUs or virtual machines, operating on standard servers. Throw out the firewalls, load-balancers, or routers from specific vendors. Virtualization draws on the successful integration of IT virtualization with new advancements in server hardware.
What that means for our clients: The racks and racks of equipment in your equipment rooms or data centers are going to migrate to a network of your own design or to facilities run by companies such as AWS, IBM or Oracle that will house your network.
The question many communications service providers face: Why go through this virtual migration headache when you just got your physical network the way you like it?
Key drivers include faster time to market and revenue. By going virtual, network operators can rapidly deploy new features, upgrade network functionalities and quickly install new network functionalities wherever they are most effective. This means lower expenses with commercial off-the-shelf server elements providing both improved economics and simplified operations.
Virtualization is not some far-flung science fiction. It is real and happening now. Already, work is underway to create a standardized framework for the new architecture and related technologies.
This effort is led by the NFV Industry Specification Group (ISG) within ETSI, the European Telecommunications Standards Institute. In October 2013, the NFV ISG published its first technical framework to support interoperable NFV solutions. As a result, today almost all telecom manufacturers have adopted product migration schedules for the virtualization of their networks. There are estimates that the market for NFV solutions will reach $5 billion by 2018, covering associated software, servers, and storage.
Virtualization will transform all aspects of the telecommunications industry, including CALEA compliance. Subsentio, as usual, is out in front. We have just announced our first virtualization service with Sonus, integrating our Safe Harbor Intercept Mediator with Sonus’s new virtual SBC capability. This software-based lawful intercept solution combined with Sonus’s SBC SWe is well-suited to function in any VoIP network. CSPs that are eager to transition from hardware to virtual networking now have a cost-effective alternative for meeting international lawful surveillance needs.
DMCA: Don’t Even Think About It (not complying)
Under DMCA, communications service providers may be held liable when their customers use copyrighted material online without permission. CSPs are required to follow strict procedures for notifying customers of violations. A CSP’s failure to issue “takedown notices” to offenders can result in stiff financial penalties. In December 2015, a major ISP was fined $25 million “because the company did not ‘reasonably implement’ a policy to terminate repeat infringers.” They appealed and lost. That judgement sent a message to the entire industry: Obey the mandate.
If the DMCA was instituted in 1998, why did it take so long for someone to file a lawsuit? Simple answer: content providers reached an unsustainable pain threshold from loss of revenue due to copyright violations.
The abuse finally reached a level where the Apple Musics, the Netflixes or, in this case, music publisher BMG were losing so much money to subscribers who downloaded their material without paying that they had to take legal action to stop the abuse. And they had friends. Several copyright industry groups such as RIAA, MPAA and the Copyright Alliance rallied behind BMG during the appeal process.
Large Internet service providers receive hundreds of thousands of claims per month. Even small ISPs receive thousands per month. Up to this point, these claims have generally either been ignored or handled on an informal basis, with most companies lacking even a formal claim procedure.
Subsentio DMCA Records Production establishes a process that helps put CSPs in “Safe Harbor” from legal action under the DMCA. Reacting to customer requests, Subsentio has expanded its Records Production services to now include the validation and subscriber notification of “takedown notices” received from individuals claiming copyright infringement of specific material posted on their websites. Subsentio has historically provided Records Production services designed to mitigate the costs and risks associated with legal compliance.
Subsentio offers a very viable and cost-effective way of managing an ever-increasing number of DMCA claims for our customers. Call us or sign up for one of our monthly webinars for DMCA or Records Production.
HOW SHOULD COMMUNICATION SERVICE PROVIDERS HANDLE LAW ENFORCEMENT REQUESTS FOR EMAILS STORED ABROAD?
A recent disagreement between two federal courts has sent mixed signals to communication service providers (CSPs) about the processing of requests from US law enforcement agencies (LEAs). The legal quandary arises when an LEA requests a criminal suspect’s emails stored on CSP servers located outside the U.S.
Ever since the American public began exchanging emails, LEAs have served American CSPs with court-issued search warrants to collect the emails of individuals suspected of crime or terrorism. CSPs have routinely complied.
In October 2016 the Second Circuit Court of Appeals ruled that a US warrant lacks “extraterritorial jurisdiction” to obtain communications content stored abroad. Then, in January of this year, the Second Circuit denied a request by the Department of Justice (DOJ) to rehear the case.
On February 3, 2017, just ten days after the Second Circuit declined to rehear the Microsoft case, its ruling was expressly contradicted by a decision in the Eastern District Court of Pennsylvania. The Eastern District Court stated that regardless of whether the targeted emails happened to be stored domestically or abroad, the warrant validly ordered a “search” (i.e. disclosure) of the data in the US, where Google’s security staff would access the material and forward it to the LEA.
To communication subscribers, the Microsoft decision may seem arbitrary. Most email users do not control or monitor the CSP server locations where their emails are stored. They just want their messages kept private and secure. So the location factor does not appear relevant to a user’s expectation of privacy.
If an American citizen’s emails are maintained in a foreign server they may actually receive less privacy protection than emails kept in the US because the criminal procedures of many foreign countries, including those in the European Union, lack the high due process standard of probable cause. That means European LEAs may gain access to an American’s EU-stored emails more readily than American LEAs.
The Microsoft ruling is a win for persons residing outside the US. Many foreigners distrust the combined power of American law enforcement and American CSPs, especially after 2013, when National Security Agency contractor Ed Snowden exposed the global surveillance operations of that intelligence agency. In their view, the FBI has no business accessing a European user’s emails in Ireland, regardless of whether the agents demonstrate probable cause to an American judge. Hence, these consumers are likely glad to hear that American investigators acting in the Second Circuit are obstructed from collecting emails deposited in non-US servers.
LEAs oppose the Microsoft decision because it blocks them from using a warrant to obtain foreign-stored emails, even if the warrant is valid, the suspect is American, the victim is American, the crime takes place in America, and the email communications are sent and received in America. US law enforcement considers this ironic outcome a threat to public safety that was not contemplated by the SCA.
Another topsy-turvy result of the Second Circuit decision creates a disparity between American LEAs and foreign LEAs. An American LEA may be excluded from the foreign-stored emails of American suspects, even though the same emails may be readily viewed by foreign LEAs who lack any interest in the American crime.
The Second Circuit believes its decision will not harm public safety because LEAs have a work-around. Specifically, the US and many nations have signed mutual legal assistance treaties (MLATs) that provide LEAs a government-to-government channel to obtain stored communications such as emails. However, LEAs complain that MLATs are slow and unreliable. In some cases, an LEA may have to wait several months or more to receive the needed evidence. By that time a criminal could literally get away with murder.
The DOJ could appeal the Second Circuit ruling to the Supreme Court or seek a congressional amendment of the SCA.
Governments worldwide recognize the need for global standards to balance the interests of privacy, public safety, and business. If international regulators would devote more attention to the cross-border email issue, they could establish better ground rules that take all the above interests into account. Then we could stop the madness of trying to solve the global problem through ad hoc courtroom fights.
Gotta Git ‘er Done
And you have to let us know. We’re referring to many of our customers expanding the capability of their networks from 1Gb to 10Gb. If you think that there is a rush towards virtualization, which is true, it shouldn’t surprise you that your networks need more capacity. Think about it. Two years ago there were about 750,000 apps available for downloading. More and more video was showing up on websites. Netflix was making a move towards streaming movies. Today, there are more than 1,000,000 apps. Now, ponder that for a moment. Then, realize that Netflix is an internet fixture and even ads are now using video. So, more applications and faster speeds need networks with more capacity.
Realizing this, Subsentio recently sent out a one-question survey: “Have you already or are you now planning to upgrade your network from 1Gb to 10Gb in the foreseeable future?” We have close to 300 customers. We sent the survey to our contact list on the customer profiles our customer care managers are constantly sending to you. Fewer than half of our customers responded. (More on that in a minute.) But of those that did, only a very few were not expanding their networks. About one third of those responding had already expanded their capability, with the rest planning on doing so this year or early next.
So far so good, for you, that is. When were you going to tell us? Let’s take our base solution, the Safe Harbor Probe. Historically, it has the ability to connect up to four 1Gb inputs. Subsentio introduced its 10Gb probe in the middle of last year. Very few of our customers have the 10Gb probe. Most of you have our 1Gb probe which cannot accept 10Gb inputs. Should you get a court order for an intercept, we can’t implement it. You will not be compliant.
Remember that we continually update our customer profile by asking you to provide not only the names of the individuals we need to contact upon receipt of a court order but also up-to-date network diagrams. About one third of the emails we sent bounced back. Obviously, those individuals are no longer with the company, but we didn’t know.
So, two problems. Solutions that won’t work on networks with expanded capacity and outdated customer contact information. Now, we really need your help to continue meeting your CALEA compliance needs. We “Gotta Git ‘er Done”.