Complying with the Communications Assistance for Law Enforcement Act (CALEA) isn't easy, and like so many government mandates (digital TV transition, for example) it falls hardest on the smallest companies in the industry.

Luckily, there's WISPA. The Wireless ISP Association formed a group to define a standard. As we explained around this time last year, at ISPCON Spring 2007 (see ISPCON Policy Update: Communications Assistance for Law Enforcement Act (CALEA) of 1994), the FBI does not ratify any particular standard as compliant or not.

Instead, the FBI issues guidelines and is asking the industry to create standards. Any standard becomes a safe harbor, meaning that if an ISP complies with it, the FBI cannot sue the ISP, it must fight the standard in court.

The best known standard (ANSI)/TIA J-STD-025- B-2006 -- Lawfully Authorized Electronic Surveillance) is from the Alliance for Telecommunications Industry Standards (ATIS). As you'd expect from a telco-dominated group, the standard is big and clunky. And you have to pay money just to see it.

WISPA's CALEA Standards (versions 1 and 2) are freely available at the WCS website.

WISPA is working on an implementation guide that will be free to members and not free to non-members.

I've got much work to do to cover this story completely, but I started during a talk with J.C. Utter, president of Imagestream, the router vendor.

He said that the ATIS standard has two flaws from the point of view of law enforcement:

1) It allows up to 1 percent packet loss.

2) It provides only streaming data.

Utter is pleased to point out that the WISPA standard solves both problems by storing the data at the ISP in Packet Capture (PCap) format. Thus, no packet loss, and no streaming. Instead, a simple data format that law enforcement can actually handle.

The hairpin problem
But there's a problem, and the problem explains why there are two versions of the standard. The problem, as explained in last year's article, linked above, is called "hairpinning."

If you're an ISP and you're recording the communications of a suspected terrorist, you'd like to do it at the core of your network. That's where you've got the rest of your monitoring tools. And capturing the data there works in most cases but not all cases.

It can be possible to communicate with another person without going through the center of the network if both the target and the other person are connected to the same edge device and that device is not CALEA compliant. In such a case, the device might route traffic directly between the two people without going through the core.

Version 1 of the WISPA standard accepts that you, the ISP, cannot do anything about this issue.

Version 2 of the WISPA standard says that you've had enough time to deal with the issue.

Dealing with the problem is not simple. CALEA also says that the target must not be able to detect the monitoring. Shipping in a probe to attach to the wireless access point, and doing maintenance on that access point, might be disqualified if the target knew the maintenance was being performed.

CALEA's complicated, and I've just started learning about the WISPA standard, so this is just my initial report. I will keep learning about it and will tell you more as I learn.

Uodate: This morning, at the conclusion of his ISPCON session, CLEC lawyer Kris Twomey said, "this is one of the coolest things any ISP association has ever done for its members."