Enterprise Lawful Intercept Could Be Just Around the Corner: Are You Ready, Telepresence Providers and End-Users?

So you finally made it happen. With your help the company has invested in a next-generation global telepresence solution. You've got over 150 desktop users and 14 rooms around the world deployed and usage is through the roof. The CIO was commended by the CFO at a recent staff meeting for cutting travel costs, and the CEO has experienced the productivity gains for himself and was very impressed. Everything was going great until someone from Legal called regarding a subpoena that you've now been sworn to secrecy about.
As your raise, promotion, and move from the cube-farm into an office all flash before your eyes, the lawyer on the other end of the phone is spewing legalese at 1000 words a minute. You hear her say about a dozen new acronyms and phrases like CALEA, Lawful Intercept, Title III, and more. She asks you to come to her office at once so she can review the subpoena with you, as the FBI agent working the case will be there in about fifteen minutes.
When you get to the lawyer's office she's flanked by the chief security officer, the director of IT, and the director of risk management among others. For starters everyone wants to know why they were not involved in the telepresence project in the first place. They especially all want to know how the telepresence platform will permit the lawful interception of "calls" for a specific user. The problem is, you really have no idea what they're talking about and no clue how to make them happy. The solution vendor never mentioned anything about such capabilities and you admittedly never even thought to ask.
All you were out to do was replace the aging talking-heads-talking VTC system with something that would actually get used. Your requirements for telepresence were simple: real collaboration capabilities, seamless interoperability between conference rooms and the desktop, standards-based technology, solid vendor support, and larger-than-life sound and video to wow the suits. You never considered socializing your project with the IT and security folks, and now you not only have the issue of how to support the subpoena, but they're asking about other aspects of the project too. The CSO would like to speak with you about digital rights management and content security, and the IT director wants to know how you calculated storage costs and would like you to explain your information lifecycle management strategy as well. If you could just go back and do it all over again, you'd ask better questions, involve all the right people, and consider future requirements too.
OK - Back to reality. While CALEA does not technically apply to enterprise networks today, it's anticipated that it may very soon. The FCC has stated that by May 14, 2007 VoIP service providers for the first time will have to comply with CALEA. In addition there's really nothing to stop law enforcement today from securing a subpoena to request telepresence session information for one of your users if deemed appropriate as part of an ongoing investigation. So the prudent course of action for solution architects today is to get smart on lawful intercept requirements and be prepared to challenge vendors during the RFI/RFP process.
Here are the essential terms you need to be familiar with and should be prepared to discuss with your telepresence vendor.
CALEA: Communications Assistance to Law Enforcement Act - A Federal Law aimed at commercial service providers that the FCC proposed in September of 2005 be more broadly applied to entities like universities and perhaps at some point public and private companies. The objective is to preserve law enforcement's ability to conduct lawfully authorized electronic surveillance of private communications.
Handover Interface: A physical and logical interface across which the results of interception are delivered to Law Enforcement.
Intercept Related Information: A collection of information or data associated with services involving the target, specifically call associated information or data, service associated information or data and location information.
Interception Interface: The physical and/or logical locations within your network where access to the content of communication and intercept related information is provided. The interception interface is not necessarily a single, fixed point.
Lawful Interception (LI): The legally sanctioned official access to private communications, such as telephone calls or e-mail messages. LI is a process in which a network operator or service provider gives law enforcement officials access to the communications of private individuals or organizations. The key elements of the LI process are as follows: the intercept must not be detectable by the targeted party; unauthorized personnel must not know about specific interceptions or be able to perform the LI processes themselves; separate agencies targeting a subject must not be able to detect each other; and service providers must decrypt encrypted information for officials if they have access to the keys.
Mediation Device: A mechanism that passes information between your network and a handover interface.
Pen Register and Trap and Trace: Allows a law enforcement agency to acquire dialing and signaling information for incoming and outgoing calls (essentially call-identifying information). For data sessions (i.e. email), this means the identity and routing information. The objective here is to provide information describing the session (who, when, by what means) without the actual content of the session, that is, not what was said or what information was passed between parties.
Title III: Commonly referred to as a "wiretap". In this lawful intercept scenario full collection of all communications content is provided (voice, data, video, stored data - email, voicemail, SMS).
Questions to discuss with your telepresence vendor:
- How do they plan to support the ability for enterprise customers to provide law enforcement with lawful intercept capabilities in the future?
- When will their LI solution for enterprise customers be available?
- Will all parts of the session (voice, data/collaboration, and video) be available to law enforcement in their solution?
- Will both hardware and software investments be required by your company, and what about additional training and support costs?
- Does the vendor intend to support all the key elements mentioned in the LI definition above?
HSL's Thoughts
While the Lab unequivocally supports the right of individuals and businesses to the privacy protections guaranteed under the 4th Amendment, the Lab is also realistic with respect to the regulatory realities of doing business in America in 2006. As telepresence begins to grow in popularity, there is no reason to doubt that telepresence solutions will not face the same regulatory burdens that telephony faces, and Brent is the only expert that seems to be addressing the very real security and regulatory requirements that vendors and end-users will ultimately face. I, personally, look forward to a world of strong privacy and cyber anonymity (if desired), which will mean strong encryption. Those interested in strong encryption and privacy might enjoy this talk by economist David Friedman, entitled "Will Strong Encryption Protect Privacy and Make Government Obsolete?", given at the Independent Institute in 2001. A transcript can be found here and a Real Player streaming download can be found here. (Streaming Audio Recommended)
About the author:
Brent Houlahan, CISSP is a freelance writer and independent consultant who most recently was the CTO and VP of Operations at NetSec, an MSP acquired by MCI in February of 2005. To contact Brent email him at:
brent.houlahan (at) humanproductivitylab (dot) com





