On Fri, 11 May 2007, Steven M. Bellovin wrote:
As Bill Simpson has quite correctly pointed out, you're also not required to roll over and play dead when someone from the government asks you for some data. There are laws they're obligated to follow, too. Even if you want to look at it from a purely selfish position, you and/or your company may be liable if you co-operate with an improper or illegal request. Have a look at http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002520----000-... which provides for civil liability for illegal wiretaps. You're clear, under that statute, if you have good reason to believe the request is legal under certain very specific sections of the wiretap law, but not otherwise.
An important thing to remember in this discussion is CALEA does not expand, contract or otherwise change other laws concerning electronic survellance. The government can not intercept anything under CALEA. All interception orders must be authorized by some other statute or some other lawful authority (e.g. claims of Executive Power). You might never, ever receive an lawful interception order, but still be in violation of CALEA. Likewise you might be 100% CALEA compliant, and still decline or be unable to perform some intercept orders. CALEA does enhance some monetary penalties for not being able to perform a lawful intercept authorized by some other statute or authority; but CALEA doesn't authorize the interception itself. Despite attempts by some folks, CALEA compliance != Wiretap authority.