ISP CALEA compliance
Steven M. Bellovin
smb at cs.columbia.edu
Fri May 11 21:05:20 UTC 2007
On Fri, 11 May 2007 12:47:56 -0700 (GMT-07:00)
Todd Glassey <tglassey at earthlink.net> wrote:
> Gee Steven, that's what everyone thought prior to a Federal Judge
> ordering Microsoft to produce seven years of Email...
We're getting off-topic here, but I'll respond.
First -- the context of the conversation is wiretap law, including the
stored communications and customer records provisions. This covers
what communications providers do for their customers, not internal
(a) The judge's order was for a civil lawsuit, under
(b) The order was for records that they apparently had.
If Microsoft had had and enforced a policy, prior to that
lawsuit, of not retaining internal email older than 30
days, they'd have been in the clear. Microsoft got in
trouble because the judge believed they were not complying
with his order to turn over data he believed they had,
either deliberately or by not exerting sufficient effort;
(c) you may have business reasons to retain certain records
for longer, including the requirements of external auditors.
For example, if you do usage-sensitive billing, you may
need to retain certain records for a while so that your
accounting firm can verify that your financial records
accurately reflect actual customer behavior.
(d) What doesn't exist can't be subpoenaed; what does exist,
in general, can be, subject to other specialized exceptions
(i.e., attorney work product)
Third -- that isn't what I'm talking about. Please see, among others,
Note especially that last one, since it's only 3 months old and provides
for jail time for "employees of any Internet provider who fail to store
that information", and not just fines for the company.
I've tried hard to keep this discussion factual, with copious
references. But I think I've run out of things to say that are even
vaguely on-topic, so I'll shut up.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG