There's one cellular provider which has the obligation under CALEA to do wiretaps. They comply with the law strictly, which annoys the FBI.
First, CALEA requires that the company provide a "senior official" as a point of access for law enforcement, and a backup 24/7 contact. Their senior official is their general counsel, and the backup is another lawyer. It's not their network operations center. Their general counsel wants to see a warrant, and checks back with the court to make sure it's valid. This is the way to do it; bring in Legal.
There's a procedure for "emergency requests" in advance of a warrant under CALEA. This telco immediately faxes the law enforcement requester a brief form to fill in for those. It requires name, police department, office address, badge number, and a brief explanation of why there's no warrant yet. The form to be signed by the law enforcement official contains a statement that the official will provide a warrant within 48 hours, and in the event that they fail to do so, their department will take full responsibility for their actions, including indemnifying the telco against any costs and damages. That's followed by a statement that in the event the law enforcement organization fails to authorize the actions of their official, the official will be personally responsible for said costs. The telco also reserves the right to disclose requests for which a court order does not follow.
This discourages fake "emergency" requests. Get your legal people to draft something like that. The key to this is that law enforcement's interface to your company should go through your legal department.
(I used to have a link for this, including their forms, but can't find it now. Can anyone else find it?)
Here's Comcast's form for emergencies.[1] It ends with
"If Comcast makes an emergency disclosure to your law enforcement agency or governmental entity pursuant to 18 U.S.C. § 2702(b) or § 2702(c), you agree to provide Comcast with a formal order to provide your agency with the information provided pursuant to this request within 72 hours. I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct."
The law enforcement rep has to sign that. This discourages bogus requests.
Each carrier has their own form. Collect those up and show them to your legal people.
More info: an ACLU copy of some guidance for law enforcement on CALEA. [2] Note that DOJ says different carriers have different requirements; some require a court order, and some don't.
More info: Sprint's form.[3] Another "under penalty of perjury" requirement, plus "Pursuant to Title 18 United States Code §2518, §2701, and §3125 all electronic surveillance assistance will terminate if the appropriate legal demand or customer consent is not received within 48 hours."
More info: MetroPCS's policy.[4] "At a minimum, requests for interceptions citing Exigent Circumstances must include: ... a statement that no warrant or court order is required by law. ... a statement that all statutory requirements have been met. ... the signature of EITHER (i) the Attorney General of the United States, OR (ii) a law enforcement officer specially designated by the Attorney General, the Deputy Attorney General, the Associate Attorney General, or by the principal prosecuting attorney of any state or subdivision thereof."
It looks like industry practice other than for AT&T is to impose reasonably strict standards on confirming such requests.
I think you are conflating law enforcement/evidence-gathering surveillance (which the NSA does not give a rat's ass about) with national security/intelligence community spying. On all accounts the story is less dire for the former.
It is way more likely that your data is protected from the local police than from NSA/CIA.
I am very interested in these forms and would be grateful if someone could provide a link to them. If they're watertight, we could probably reduce some overhead with them. Although I dislike the idea of using an employee as a "responsibility-shield" for failing government agencies.
It helps that carriers now have immunity so they can do whatever the NSA asks of them without fear of any repercussions (other than stories like this one, but meh, everyone is going to think "it's not going to happen to us" at the time of doing the deed).
If it's a giant telecom they are already paying in-house lawyers. If it's a smallish ISP then this costs them big bucks to keep outside counsel on retainer. Maybe they can work with their law firm and cut a deal?
This stuff is pretty much boilerplate, so maybe a paralegal can do most of the work and then get it blessed by a J.D.?