[tonyb]

CALEA is not only for voice. Broadband providers are required to be CALEA compliant. Basically they have to be able to delivery data in a specific format to an LEA.

These devices are not (normally?) under LEA control. The service provider would receive a warrant/court order that says "send data for customer XYZ to this CALEA capture IP". Even if the LEA had direct control of the CALEA device it would need the assistance of the SP to know what data is coming from what customer.

[cromwellian]

Is it possible that the NSA is in cahoots with the CALEA device manufacturers? Once a CALEA device has been integrated with the SP's system, might it be the case that it can act as a trojan horse?

On the one hand, they could wall off the device, and have packets routed to it after reviewing the request. On the other hand, the device could be unfirewalled from the rest of the network.