To: IMCC Members
I have written to you before about the Communications Assistance for Law Enforcement Act (CALEA). Please see a copy of my memo dated November 6, 2006, attached. It describes the basics of CALEA and what the FCC is requiring communications companies to do to comply with the Act. I told you this was quite a complex set of laws and regulations and that even the FCC was not certain about how and when compliance could be achieved. In fact, this is as complex as any issue we have confronted in numerous years. I told you another memo would be sent when more information was available.
I also have retained Carl Kandutsch, the attorney that many of you know, to assist us in analyzing IMCC Member responsibilities and helping you comply with FCC regulations.
Below is the supplemental memo:
The FCC’s recent Second Report and Order (ET Docket No. 04-295 (rel. May 12, 2006)) extends CALEA’s scope beyond traditional telecommunications providers to include “facilities-based broadband Internet access providers,” as well as “interconnected VoIP providers.” Thus, virtually all ISPs and VoIP providers are required to comply with CALEA.
The next question is whether PCOs, MDUs and REITs that do not own, but lease or otherwise utilize the facilities of specialized Internet Service Providers (ISPs) and/or contract with specialized VoIP providers, are “facilities based” providers within the meaning of CALEA.
The answer is: Yes; it should be presumed that any PCO, MDU or REIT that owns any equipment used in the transmission of voice or data signals to consumers is required to comply with CALEA, unless and until the FCC clarifies the meaning of “facilities-based” to exclude entities that subcontract with other entities to provide Internet access and/or VoIP.
This answer is based on the following:
The Commission has explained that “facilities-based” means entities that “provide transmission or switching over their own facilities between the end user and the Internet Service Provider.” “Switching” includes “routers, softswitches, and other equipment that may provide addressing and intelligence functions for packet-based communications to manage and direct the communications along to their intended destinations.” This implies that a broadband Internet access service is “facilities-based” if the provider of the service owns any portion of the transmission or switching facilities used in providing the service to end users.
A strict application of these definitions implies that most PCOs, MDUs and REITs that offer broadband Internet access are “facilities-based,” to the extent that these companies own any equipment that is used in the “transmission” of digital signals to and from MDU residents, such as in-ground or in-building wiring infrastructure.
Thus, the fact that a PCO, MDU or REIT does not own but rather utilizes the facilities and services of an independent broadband ISP or VoIP provider does not exempt that PCO, MDU or REIT from CALEA’s coverage. As long as the PCO, MDU or REIT owns any of the facilities used in data transmission or switching, it must comply with CALEA’s surveillance requirements, as described in section (2) of this memorandum.
This interpretation has been confirmed by an FCC official, who stated that the Commission may at some future time clarify the meaning of “facilities-based” in order to lessen the burden on small companies and eliminate redundancy in CALEA compliance requirements. In the meantime, however, it must be presumed that all entities meeting the criteria described above are subject to CALEA.
As indicated in our November 6 email, compliance with CALEA does not imply any substantive obligations at this time. Rather, the Second Report and Order explains that the FCC will defer in the first instance to industry standard-setting bodies, working in conjunction with Law Enforcement Agencies (LEAs) and the FCC, to develop “safe harbor” standards for CALEA compliance. Because there is as yet no agreement on the technical standards, no substantive changes to broadband networks are required. At some point in the future, however, companies will be required to implement a surveillance system allowing the transmission of call-identification information to LEAs upon request.
However, covered entities are subject to several administrative obligations in the immediate future. Specifically, covered entities are required to file two reports with the FCC, at an undetermined date in early 2007:
A. First, at a date to be determined, covered entities must submit a Monitoring Report to ensure compliance. The Monitoring Report is known as FCC Form 445, and essentially requires companies to provide the FCC with contact information and assurance that compliance will be achieved by May 14, 2007. The FCC’s draft Form 445 is attached to this email, and the FCC’s instructions for completing the form are available through the link provided at the conclusion of this memo.
(Note: As described above, until the FCC adopts technical standards for compliance with CALEA’s surveillance capability requirements, covered companies are not required to take any substantive steps.)
B. Second, within 90 days of the effective date of the Second Report and Order, covered entities must file with the FCC a Systems Security and Integrity Plan, describing policies and procedures designed to ensure compliance with the system security requirements set forth in CALEA Sections 105 and 229(b). Those sections require that each covered entity establish and maintain an organizational plan to ensure that procedures are in place to respond to LEA requests for surveillance information, such as call-identification data. The specific information required in the Systems Security and Integrity Plan are set forth in 47 C.F.R. §§ 64.2103 – 64.2105, and address issues of employee supervision and control, as well as the maintenance of secure and accurate records relating to requests for electronic surveillance. A link to the text of pertinent C.F.R. (code of Federal Regulations) sections is provided at the conclusion of this memo.
There is as of this date (December 20, 2006), no deadline for filing either of these reports. It is expected, however, that deadlines for each report will be announced on the FCC’s CALEA website (linked below) in January or February 2007.
Public Notices relating to CALEA compliance, including the deadline for filing the two reports, are posted on the FCC’s CALEA webpage at http://www.fcc.gov/wcb/iatd/calea.html#6.
Instructions for completing Form 445, the Monitoring Report, may be found at http://www.fcc.gov/omd/pra/docs/3060-0809/3060-0809-06.doc.
Information that must be provided in the Systems Security and Integrity Plan identified in 47 C.F.R. §§ 64.2103 – 64.2105, accessed here: http://www.access.gpo.gov/nara/cfr/waisidx_03/47cfr64_03.html.
You are welcome to call me or Carl Kandutsch to help you understand and keep up with all that is going on in this area. He will give a special discount to IMCC Members and can be reached at 207 659 6247 or firstname.lastname@example.org
Do not hesitate to call or write.
William J. Burhop
202 362 0882