The following text is copyright 2006 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Do you have to be ready to tap your boss?
By Scott Bradner
The U.S. Court of Appeals for the District of Columbia Circuit decided 2-1 (http://pacer.cadc.uscourts.gov/docs/common/opinions/200606/05-1404a.pdf) on June 9th that the FCC was acting within its statutory authority when it said that much of the Internet had to be designed to be wiretappable. I'm sure that this decision will be appealed, and Judge Edwards' dissenting opinion on this decision may prevail in the end. But even if it does, Congress is sure to support the idea that the Internet should not be safe from wiretapping, so any FCC defeat would just delay the inevitable. A less predictable part of the FCC order applies to enterprise networks. Just what will your corporate network need to be ready to do?
So far the FCC has not made it clear whether enterprise network managers will need to do anything in response to its order extending the Communications Assistance for Law Enforcement Act (CALEA) to the Internet and voice over IP (VoIP), but there is an ominous hint in a footnote of the original FCC order (http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-05-153A1.pdf). Footnote 100 on page 19 ostensibly deals with educational networks, but there is nothing in the order or in the FCC's court filing with the Appeals Court (quoted in a statement by FCC Commissioner Deborah Taylor Tate, http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-06-56A5.pdf) that limits the impact to networks in educational institutions.
CALEA (http://www.epic.org/privacy/wiretap/calea/calea_law.html) defines what a telecommunications provider must be able to do in response to a proper request from law enforcement. CALEA covers both information about communications and the communications themselves. Note that CALEA does not limit what information law enforcement can ask you to provide; it just says what information you must be able to provide, or you can get fined up to $10,000 per day that you cannot provide the information. Just as in other situations, law enforcement can ask for anything that a court agrees is relevant to a case, and you have to produce any of that information that you are able to produce.
The CALEA law has a specific exemption for "private networks," but if a private network is connected to the Internet, footnote 100 and the FCC court filing say that "the connection point between the private and public network is subject to CALEA." This applies whether the "connection point" is provided by an ISP or by the operator of the private network. The implication of this is, at best, fuzzy. It may mean that the router connecting an enterprise network to the Internet is subject to CALEA. It could mean that the ISP router is the CALEA point, but it's hard to see how the ISP could be able to map your boss to an IP address in order to be able to tap his or her Internet usage. Such a mapping becomes all the harder if the enterprise is using a NAT or NAT functionality in its firewall. The ISP will have to give all of your corporate communications to the cops if they cannot reliably select just your boss's. For the geeks: enterprise multihoming makes ISP-based tapping even more questionable.
Given history, do not expect any useful clarification from the FCC until close to or after the May 14, 2007 effective date of the law. Meanwhile you might ask your corporate lawyer to look into the long list of things that the final rules (pages 45-50 of http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-06-56A1.pdf) say that you will have to do if you are subject to CALEA. Or better yet, get your lawyer to contact your lobbying group and get them to find out how much this is going to hurt.
disclaimer: Dealing with pain the way the Harvard Med School suggests (good drugs) has other complications in this type of case and, anyway, the above is my, not the university's, opinion.