ISP CALEA compliance

Steven M. Bellovin smb at
Fri May 11 21:05:20 UTC 2007

On Fri, 11 May 2007 12:47:56 -0700 (GMT-07:00)
Todd Glassey <tglassey at> wrote:

> Gee Steven, that's what everyone thought prior to a Federal Judge
> ordering Microsoft to produce seven years of Email...

We're getting off-topic here, but I'll respond.

First -- the context of the conversation is wiretap law, including the
stored communications and customer records provisions.  This covers
what communications providers do for their customers, not internal


	(a) The judge's order was for a civil lawsuit, under
	discovery procedures;

	(b) The order was for records that they apparently had.
	If Microsoft had had and enforced a policy, prior to that
	lawsuit, of not retaining internal email older than 30
	days, they'd have been in the clear.  Microsoft got in
	trouble because the judge believed they were not complying
	with his order to turn over data he believed they had,
	either deliberately or by not exerting sufficient effort;

	(c) you may have business reasons to retain certain records
	for longer, including the requirements of external auditors.
	For example, if you do usage-sensitive billing, you may
	need to retain certain records for a while so that your
	accounting firm can verify that your financial records
	accurately reflect actual customer behavior.

	(d) What doesn't exist can't be subpoenaed; what does exist,
	in general, can be, subject to other specialized exceptions
	(i.e., attorney work product)

Third -- that isn't what I'm talking about.  Please see, among others,

Note especially that last one, since it's only 3 months old and provides
for jail time for "employees of any Internet provider who fail to store
that information", and not just fines for the company.

I've tried hard to keep this discussion factual, with copious
references. But I think I've run out of things to say that are even
vaguely on-topic, so I'll shut up.

		--Steve Bellovin,

More information about the NANOG mailing list