This story appeared on Network World at

http://www.networkworld.com/columnists/2006/061906bradner.html

Do you have to be ready to be tapped?

'Net Insider

By Scott Bradner, Network World, 06/19/06

The U.S. Court of Appeals for the District of Columbia Circuit on June 9 decided 2-to-1 the FCC acted within its statutory authority when it said much of the Internet had to be designed to be open to being wiretapped. I'm sure this decision will be appealed, and Judge Harry Edwards' dissenting opinion may prevail in the end. Even if this does happen, however, Congress is sure to support the idea the Internet should not be safe from wiretapping - so any FCC defeat would just delay the inevitable.

A less-predictable part of the FCC order applies to enterprise networks. Just what will your corporate network need to be ready to do? So far, the FCC has not made it clear that enterprise network managers will need to do anything in response to its order extending the Communications Assistance for Law Enforcement Act (CALEA) to the Internet and VoIP. There is an ominous hint, however, in footnote 100 on page 19 of the original FCC order. The footnote ostensibly deals with educational networks, but there is nothing in the order or in the FCC's filing with the Appeals Court - quoted in a statement by FCC Commissioner Deborah Taylor Tate - that limits the impact to networks in educational institutions.

CALEA defines what a telecom provider must be able to do in response to a proper request from law enforcement. CALEA covers information about communications and the communications themselves. Note CALEA does not limit what information law enforcement can ask you to provide; it just says what information you must be able to provide and that you can be fined as much as $10,000 per day if you cannot. Just as in other situations, law enforcement can ask for anything a court agrees is relevant to a case, and you have to produce any information you are able to. The CALEA law has a specific exemption for private networks. If a private network is connected to the Internet, however, footnote 100 and the FCC court filing say "the connection point between the private and public network is subject to CALEA." This applies whether the connection point is provided by an ISP or by the operator of the private network.

The implication of this is fuzzy at best. It may mean the router connecting an enterprise network manager to the Internet is subject to CALEA. It could mean the ISP router is the CALEA point, but it's hard to see how an ISP could map your boss to an IP address to be able to tap his or her Internet usage. Such mapping becomes all that much harder if the enterprise is using a network address translation (NAT) system or NAT functionality in a firewall. The ISP will have to give all your corporate communications to the cops if it reliably cannot select just your boss's. For the geeks: Enterprise multihoming makes ISP-based tapping even more questionable.

Given history, do not expect any useful clarification from the FCC until close to or after the May 14, 2007, effective date of the law.

Meanwhile, you might ask your corporate lawyer to look into the long list of things the final rules (see pages 45-50) say you will have to do if you are subject to CALEA. Or better yet, get your lawyer to contact your lobbying group and get them to find out how much this is going to hurt.

Disclaimer: Dealing with pain the way Harvard Med School suggests - good drugs - has other complications in this type of case. Anyway, the above is my opinion, not the university's.