
RE: [Raven] Should Tin Cans and String Comply With CALEA?



> -----Original Message-----
> From: Melinda.Shore@nokia.com [mailto:Melinda.Shore@nokia.com]
> Sent: Tuesday, October 12, 1999 11:09 AM
> To: raven@ietf.org
> Subject: RE: [Raven] Should Tin Cans and String Comply With CALEA?
> 
> 
> > Does it make sense for standards-setters (here, IETF) to 
> > worry about CALEA compliance merely because the thing they 
> > are setting the standard for *could be* used for telephony 
> > and because *some of* the folks who use it for that
> > purpose have CALEA obligations?  
> 
> First, this is not strictly a CALEA issue (the EU has arguably
> more stringent regulatory requirements), and second, it's not
> strictly a telephony issue, either.

Agreed.  My general point is, *IF* there is some clear legal obligation on
equipment vendors and service providers in this space to assist law
enforcement in surveillance (analogous to CALEA in the US for
"telecommunications carriers"), then IMHO it makes sense for IETF to be
involved in helping vendors and service providers do what they need to do.

OTOH if there is *not* any such obligation, I don't see much of a rationale
for IETF to jump in.

> For example, some wiretap laws require the ability to eavesdrop on data
> traffic, to differentiate between different types of data (mail vs. file
> transfer, for example), and to differentiate between control
> information and data (which is an issue for protocols like
> SMTP, which effectively use in-band signaling).

True.  The issue (as I see it) is not whether LEAs can get a warrant or
other official process directing a service provider to do something.
Presumably if they could convince a judge that they needed authority to put
some specially engineered gizmos at all the MAEs in the US, and then showed
up with the devices, that could be "legal."  (One can easily imagine many
objections to the warrant that authorized the placement of such gizmos, but
that is a separate issue.)  The issue is, in effect, should vendors and
service providers take extra steps to make the surveillance easier, so that
either the LEAs don't need special gizmos at all, or the gizmos they need
are simple and cheap?

In the US, for telecom carriers, CALEA tells us that the answer is "yes."
But that does not apply with any great clarity to the Internet in general,
or most Internet entities, in the US.  I confess ignorance of other
countries' "thou shalt aid law enforcement by purchasing and installing
equipment with particular capabilities" laws.

My references to CALEA are not intended to imply that CALEA applies to the
Internet, or that CALEA or any other US law applies outside the US.  I'm
drawing an analogy here: there is a clear obligation on certain entities in
the US to purchase and install equipment that has been designed to
facilitate surveillance.  That clear obligation created a situation where it
makes sense for industry to sit down and figure out how to meet it via a
standards process.  (CALEA also gives a bonus of "safe harbor" treatment for
those complying with such standards, but that, too, is another issue.)

Is there any such clear obligation on "the Internet" as a whole?  Not that I
am aware of.  The point of my references to CALEA is not to imply that it is
global, but, to the contrary, to suggest that it is local (to the US and to
telecom carriers) and unusual.

Christopher W. Savage
Cole, Raywid & Braverman, L.L.P.
1919 Penn. Ave. N.W., Suite 200, Washington, D.C. 20006
voice: 202-828-9811	fax: 202-452-0067	

_______________________________________________
raven mailing list
raven@ietf.org
http://www.ietf.org/mailman/listinfo/raven