2018 12 14 USDOJ Pet

PETITION submitted by USDOJ

USDOJ Petition to Adopt w Att LOA

2018-12-14

This document pretains to ITC-T/C-20180504-00082 for Transfer of Control on a International Telecommunications filing.

IBFS_ITCTC2018050400082_1590919

                                     Before the
                       FEDERAL COMMUNICATIONS COMMISSION
                                Washington, D.C. 20554


    In the Matter of the Joint Application of    )
                                                 )
    Tofane Global SAS                            )
            Transferee,                          )
                                                 )       IB File No. ITC-T/C-20180504-00082
    KPN B.V.                                     )
            Transferor,                          )       WC Docket No. 18-136
                                                 )
    and                                          )
                                                 )
    iBasis, Inc.                                 )
            Licensee                             )
                                                 )
    For Grant of Authority Pursuant to Section   )
    214 of the Communications Act of 1934, as    )
    amended, and Sections 63.04 and 63.24 of the )
    Commission’s Rules to Transfer Control of a )
    Company Holding Domestic and International )
    Section 214 Authorizations                   )


                            PETITION TO ADOPT CONDITIONS TO

                               AUTHORIZATIONS AND LICENSES



         The U.S. Department of Justice (“USDOJ”), to include its components, the National

Security Division (“NSD”) and the Federal Bureau of Investigation (“FBI”), with the

concurrence of the U.S. Department of Homeland Security (“DHS”) (collectively, the

“Agencies”) submits this Petition to Adopt Conditions to Authorizations and Licenses

(“Petition”) pursuant to Section 1.41 of the Federal Communications Commission

(“Commission”) rules.1 Through this Petition, the USDOJ advises the Commission that the



1
    47 C.F.R. § 1.41 (2017).
                                                1


Agencies have no objection to the Commission approving the authority sought in the above-

referenced proceeding, provided that the Commission conditions its approval on the assurances

of Tofane Global SAS (“Tofane”) and iBasis, Inc. (“iBasis”) to abide by the commitments and

undertakings set forth in the December 14, 2018 Letter of Agreement (“LOA”), a copy of which

is attached hereto.

          The Commission has long recognized that law enforcement, national security, and public

safety concerns are part of its public interest analysis and has accorded deference to the views of

other U.S. government agencies with expertise in those areas. See In the Matter of Comsat

Corporation d/b/a Comsat Mobile Communications, etc., 16 FCC Rcd. 21661, 21707 ¶ 94

(2001).

          After discussions with representatives of Tofane and iBasis in connection with the above-

referenced proceeding, the Agencies have concluded that the additional commitments set forth in

the LOA will help ensure that those agencies with responsibility for enforcing the law, protecting

the national security, and preserving public safety can proceed appropriately to satisfy those

responsibilities.

          Accordingly, the USDOJ with the concurrence of DHS advises the Commission that it

has no objection to the Commission granting the application in the above-referenced proceeding,

provided that the Commission conditions its consent on compliance with the December 14, 2018

LOA.




                                                  2


December 14, 2018   Respectfully submitted,

                    LOYAAN A. EGAL
                    Deputy Chief
                    Foreign Investment Review Staff
                    National Security Division
                    United States Department of Justice


                    /s/ Siobhan E. Dupuy
                    SIOBHAN E. DUPUY
                    Attorney Advisor
                    Foreign Investment Review Staff
                    National Security Division
                    United States Department of Justice
                    Washington, DC 20530




                      3


                                                                      10 Maguire Road
                                                                      Lexington, MA 02421
                                                                      Phone +1 781.430.7500
                                                                      Fax +1 781.430.7300
                                                                      iBasis.com


December 14, 2018

Assistant Attorney General for National Security
United States Department of Justice
National Security Division
950 Pennsylvania Avenue, N.W.
Washington, DC 20530

Subject:       FCC IB File No. ITC-T/C-20180504-00082, WC Docket No. 18-136
               Application by Tofane Global SAS, KPN B.V., and iBasis, Inc., for authority
               pursuant to Section 214 of the Communications Act of 1934, as amended, to
               transfer control of international Section 214 authorizations.

Dear Sir/Madam:

        This Letter of Agreement (“LOA” or “Agreement”) sets forth the commitments made by
iBasis, Inc. (“iBasis”) and Tofane Global SAS (“Tofane”) to the U.S. Department of Justice
(“USDOJ”) in order to address national security, law enforcement, and public safety concerns
arising from the joint application filed by Tofane, KPN B.V. (“KPN”) and iBasis with the
Federal Communications Commission (“FCC”) requesting approval to transfer control of iBasis
and its Section 214 authorizations to Tofane pursuant to Section 214 of the Communications Act,
as amended (the “Act”), and the implementing regulations in Part 63 of Title 47 of the Code of
Federal Regulations.

        This LOA supersedes and replaces a previous letter dated August 22, 2006 from iBasis
and KPN to DOJ, including the Federal Bureau of Investigation (“FBI”), and to the U.S.
Department of Homeland Security, which included a number of commitments and served as a
condition to the transfer of control of iBasis and its international Section 214 authorization, FCC
IB File No. ITC-214-19971126-00741, to KPN (FCC IB File No. ITC-T/C-200607070-00337).

       iBasis and Tofane (together, the “Parties”) adopt as true and correct any and all
representations made by each party to USDOJ through the Team Telecom review process,
whether such representations were made directly by Tofane or iBasis, or through each party’s
counsel.

       1.      For purposes of this LOA, the following definitions apply:

               a.      “Tofane” means Tofane Global SAS or its successors-in-interest.


Assistant Attorney General for National Security
December 14, 2018
Page 2

               b.     “Access” or “Accessible” means the ability to physically or logically
       undertake any of the following actions: (i) to read, copy, divert, or otherwise obtain non-
       public information or technology from or about software, hardware, a database or other
       system, or a network; (ii) to add, edit, delete, reconfigure, provision, or alter information
       or technology stored on or by software, hardware, a system or network; or (iii) to alter the
       physical or logical state of software, hardware, a system or network.

               c.      “Call Detail Record” (“CDR”) means the data records or call log records
       that contain information about each call made by a user and processed by switch, call
       manager, or call server.

              d.      “Customer Proprietary Network Information” (“CPNI”) shall mean as
       defined in 47 U.S.C. § 222(h)(1).

               e.    “Date of this LOA” shall mean the date on which the LOA is executed by
       iBasis and Tofane.

               f.     “Domestic Communications” or “DC” means: (i) Wire Communications
       or Electronic Communications (whether stored or not) from one U.S. location to another
       U.S. location; or (ii) the U.S. portion of a Wire Communication or Electronic
       Communication (whether stored or not) that originates or terminates in the United States:
       (A) “Electronic Communication” has the meaning given it in 18 U.S.C. § 2510(12);
       (B) “Wire Communication” has the meaning given it in 18 U.S.C. § 2510(1).

                g.      “Domestic Communications Infrastructure” or “DCI” means: (i) the
       transmission and switching equipment (including hardware, software, and upgrades),
       routers, servers, security appliances, and fiber and copper cable and associated facilities
       owned (to include leased) and controlled by or on behalf of iBasis to provide, process,
       direct, control, supervise or manage Domestic Communications; (ii) facilities and
       equipment leased or owned by or on behalf of iBasis that are physically located in the
       United States; or (iii) the property, facilities and equipment leased or owned by or on
       behalf of iBasis to control the equipment or facilities described in (i) and (ii) above. The
       phrase “on behalf of,” as used in this paragraph, does not include entities with which
       iBasis has contracted for peering, interconnection, roaming, long distance, or other
       similar arrangements.

                h.      “Electronic Surveillance” means: (i) the interception of wire, oral, or
       electronic communications as defined in 18 U.S.C. § 2510(1), (2), (4) and (12),
       respectively, and electronic surveillance as defined in 50 U.S.C. § 1801(f); (ii) Access to
       stored wire or electronic communications, as referred to in 18 U.S.C. § 2701 et seq.;
       (iii) acquisition of dialing, routing, addressing, or signaling information through pen
       register or trap and trace devices or other devices or features capable of acquiring such
       information pursuant to law as defined in 18 U.S.C. § 3121 et seq. and 50 U.S.C. § 1841
       et seq.; (iv) acquisition of location-related information concerning a subscriber or facility;
       (v) preservation of any of the above information pursuant to 18 U.S.C. § 2703(f); and


Assistant Attorney General for National Security
December 14, 2018
Page 3

       (vi) Access to or acquisition, interception, or preservation of, wire, oral, or electronic
       communications or information as described in (i) through (v) above and comparable
       state laws.

              i.      “Foreign” means non-United States.

             j.      “Geolocation Data” means any information collected by iBasis from its
       customers regarding a customer or the customer’s device location.

               k.      “Government” means any government, or governmental, administrative,
       or regulatory entity, authority, commission, board, agency, instrumentality, bureau or
       political subdivision, and any court, tribunal, judicial or arbitral body.

              l.      “Internet Protocol Detail Record” (“IPDR”) means a streaming data
       protocol used by Operations Support Systems (“OSS”) and Business Support Systems
       (“BSS”) to collect and record a user’s data traffic statistics on a network.

               m.      “Internet Search Information” includes any data collected by iBasis about
       its customer’s internet browsing or online purchasing activities through any mechanism
       permitted by the services offered by iBasis.

               n.      “Lawful U.S. Process” means U.S. federal, state, or local court orders,
       subpoenas, warrants, processes, directives, certificates or authorizations, and other orders,
       legal process, statutory authorizations and certifications for Electronic Surveillance,
       physical search and seizure, production of tangible things or Access to or disclosure of
       Domestic Communications, call-associated data, Transactional Data, Subscriber
       Information, or associated records.

               o.      “Managed Network Service Provider” or (“MNSP”) means any third party
       that provides services to iBasis and its subsidiaries in support of its (a) telecom and/or
       Internet infrastructure, business, services, or operation including but not limited to:
       network operation; provisioning of Internet and telecom services; routine, corrective, and
       preventative maintenance, including switching, routing and testing; network and service
       monitoring; network performance, optimization, and reporting; network audits,
       provisioning, development, and the implementation of changes and upgrades; or (b)
       provision of DC or operation of DCI, including: customer support; OSS; BSS; NOCs;
       information technology; cloud operations/services; next generation, including 5G (SDN,
       NFV, Applications); and datacenter services/operations.

              p.     “Mercury Affiliates” means SFR ICS (formerly known as Mercury
       France), Meo ICS (formerly known as Mercury Portugal), and Altice Dominicana ICS
       (formerly known as Mercury Dominican Republic).

              q.      “Network Elements” means a facility, equipment, software, hardware or
       applications used in the provision of telecommunications services, including features,


Assistant Attorney General for National Security
December 14, 2018
Page 4

       functions and capabilities that are provided by means of such facility or equipment,
       including subscriber numbers, databases, signaling systems, and information sufficient
       for billing, receiving and/or aggregating customer data, and collection or used in the
       transmission, routing, or other provision of telecommunications services.

              r.     “Network Management Capabilities” means software or applications used
       to manage or monitor network operations.

                s.      “Network Operations Center” or “NOC” means any locations and
       facilities performing network management, monitoring, accumulation of accounting and
       usage data, maintenance, user support, or other operational functions for Domestic
       Communications.

               t.      “Non-U.S. Government” means any government, including an identified
       representative, agent, component or subdivision thereof, that is not a local, state, or
       federal government in the United States.

               u.      “Offshoring” means performing obligations of this Agreement through the
       use of entities and personnel outside of the territorial limits of the United States, whether
       those entities or personnel are employees of iBasis or its subsidiaries, or third parties.

             v.     “Outsource” or “Outsourcing” means, with respect to Domestic
       Communications, supporting the services and operational needs of iBasis at issue in this
       LOA through the use of contractors or third parties.

               w.      “Personal Identifiable Information” (“PII”) means the name and aliases,
       social security number, date of birth, place of birth, citizenship status, contact
       information, and current address of an individual.

               x.     “Principal Equipment” means all primary telecommunications and
       information network (e.g., wireline, wireless , subsea, satellite, LAN, WAN, WLAN,
       SAN, MAN, IP, MPLS, FR, Wi-Fi, 3G/4G/LTE, 5G, etc.), equipment (e.g., hardware,
       software, platforms, OS, applications, protocols), that supports core
       telecommunication/information services (e.g., voice, data, text, MMS, FAX, video,
       Internet, OTT, Apps), functions (e.g., network/element management, maintenance,
       provisioning, NOC, etc.), operations (e.g., OSS/BSS, customer support, billing, backups,
       cloud services, etc.) including but not limited to routers, servers, circuit
       switches/softswitches, PBXs, call processors, databases, storage devices, load balancers,
       radios, smart antennas, transmission equipment (RF/Microwave/Wi-Fi/Fiber Optic),
       RAN, SDR, equalizers/amplifiers, MDF, digital/optical cross-connects, PFE,
       multiplexers, HLR/VLR, gateway routers, signaling, Network Function Virtualizations,
       hypervisors, EPC, BSC, BT, eNodeB, etc.

              y.    “Security Incident” means (i) any known breach or suspected breach of
       the Agreement, including a violation of any Network and Systems Security Plan


Assistant Attorney General for National Security
December 14, 2018
Page 5

       (“NSSP”) or use of Outsourced or Offshore service providers or network equipment
       except in compliance with the terms of this Agreement; (ii) any known exploitation or
       suspected exploitation of a security vulnerability; (iii) any unauthorized Access to, or
       disclosure of PII; (iv) any unauthorized Access to, or disclosure of, information obtained
       from or relating to U.S. federal, state or local government entities; or (v) any one or more
       of the following that affect the company’s computer network(s) or associated information
       systems: (A) unplanned disruptions to a service or denial of a service; (B) unauthorized
       processing or storage of data; (C) unauthorized changes to system hardware, firmware, or
       software; or (D) attempts from unauthorized sources to Access systems or data if these
       attempts to Access systems or data may materially affect company’s ability to comply
       with the terms of this Agreement.

              z.      “Sensitive Information” means information regarding:

                      i.      the persons or facilities that are the subjects of Lawful U.S.
                              Process;
                      ii.     the identity of the government agency or agencies serving such
                              Lawful U.S. Process;
                      iii.    the location or identity of the line, circuit, transmission path, or
                              other facilities or equipment used to conduct Electronic
                              Surveillance;
                      iv.     the means of carrying out Electronic Surveillance;
                      v.      the type(s) of service, telephone number(s), records,
                              communications, or facilities subjected to Lawful U.S. Process; or
                      vi.     other information designated in writing by an authorized official of
                              a federal, state or local law enforcement agency or a U.S.
                              intelligence agency as “Sensitive Information.”

              aa.     “Subscriber Information” means information of the type referred to and
       accessible subject to the procedures specified in 18 U.S.C. § 2703(c)(2) or 18 U.S.C.
       § 2709, as amended or superseded.

              bb.     “Transactional Data” means:

                      i.      any “call-identifying information,” as defined in 47 U.S.C.
                              § 1001(2), as amended or superseded, including, without
                              limitation, the telephone number or similar identifying designator
                              associated with a communication;
                      ii.     Internet address or similar identifying designator associated with a
                              communication;
                      iii.    the time, date, size, and duration of a communication;
                      iv.     any information relating specifically to the identity and
                              physical/logical address of a subscriber, user, or account payer of
                              iBasis;


Assistant Attorney General for National Security
December 14, 2018
Page 6

                        v.      to the extent associated with a subscriber, user, or account payer of
                                iBasis, any information relating to telephone numbers, Internet
                                addresses, e-mail accounts, text messages, Instant Messages
                                (“IMs”) or similar identifying designators, to include the physical
                                location of equipment, if known and if different from the location
                                information otherwise provided and the types of service, length of
                                service, fees, and usage, including CDRs, CPNI, and any other
                                billing records; and
                        vi.     any information indicating, as closely as possible, the physical
                                location to or from which a communication is transmitted.

               cc.     “U.S. Records” means iBasis’ customer billing records, Subscriber
        Information, text, Internet Search Information, online purchasing information, or
        Geolocation Data, CPNI, and any other related information used, processed, or
        maintained in the ordinary course of business relating to the services offered by iBasis in
        the United States, including information subject to disclosure to a U.S. federal or state
        governmental entity under the procedures specified in 18 U.S.C. § 2703(c) and (d) and 18
        U.S.C. § 2709.

        2.      iBasis confirms that it will comply with all applicable lawful interception statutes,
regulations, and requirements, including the Communications Assistance for Law Enforcement
Act (“CALEA”), 47 U.S.C. 1001 et seq., and its implementing regulations, as well as comply
with all court orders and other Lawful U.S. Process for lawfully authorized Electronic
Surveillance.

        3.      Upon receipt of any Lawful U.S. Process, iBasis shall place within the territorial
boundaries of the United States any and all information requested by the Lawful U.S. Process
within the period of time for response specified in the Lawful U.S. Process, or as required by
law, and shall thereafter comply with the Lawful U.S. Process.

       4.       iBasis agrees to notify USDOJ, at least 30 calendar days in advance, of any
change to (a) its current services portfolio or (b) any peering relationships or joint ventures with
Foreign companies providing data aggregation or reselling services.

        5.      iBasis agrees that it will not, directly or indirectly, disclose or permit disclosure of
or Access to U.S. Records or Domestic Communications or any information (including call
content and call data) pertaining to a wiretap order, pen/trap and trace order, subpoena, or any
other Lawful U.S. Process demand if the purpose of such disclosure or access is to respond to the
legal process or request on behalf of a non-U.S. Government entity without first satisfying all
pertinent requirements of U.S. law and obtaining the express written consent of USDOJ, or the
authorization of a court of competent jurisdiction in the United States. Any such requests for
legal process submitted by a non-U.S. Government entity to iBasis shall be referred to USDOJ as
soon as possible, but in no event later than five (5) business days after such request or legal
process is received by or made known to iBasis, unless disclosure of the request or legal process


Assistant Attorney General for National Security
December 14, 2018
Page 7

would be in violation of U.S. law or an order of a court of competent jurisdiction in the United
States.

        6.      Measures to Prevent Improper Use or Access: iBasis shall take all practicable
measures to (a) prevent the use of or Access to the equipment or facilities supporting those
portions of iBasis’ DCI’s necessary for conducting Electronic Surveillance where such use or
Access would violate any U.S. law or the terms of this Agreement or any implementation plans;
(b) prevent sharing of any captured data packets with any Mercury Affiliate; and (c) prevent any
Mercury Affiliates from having operational Access to iBasis’ infrastructure, DCI, customer
records, or electronic interfaces that allow control and monitoring of the iBasis infrastructure or
data content. These measures shall include technical, organizational, personnel-related policies
and written procedures, as well as necessary implementation plans and physical security
measures.

       7.      With regard to Foreign production of virtual mobile profiles of mobile network
operators, iBasis agrees that:

               i)      the Foreign production of such profiles used in devices in the United
                       States shall be limited solely to the initial profile, to include initial profiles
                       produced by Giesecke+Devrient (“G&D). Unless specifically approved in
                       writing by the USDOJ, no follow on remote access to phone/eSIM
                       cards, such as customization, updating or other provisioning of that
                       profile, is permitted from Foreign locations; and
               ii.     eSIM cards with virtual mobile profiles produced outside the United States
                       will be subject to statistically relevant integrity tests (e.g., Byte counts) to
                       ensure the integrity of the initial eSIM profile.

        8.     iBasis agrees to draft and submit: (a) a NIST-Compliant Cyber Security Plan; and
(b) a NSSP, which will be forwarded to USDOJ within 60 calendar days of the Date of this LOA
for objection or non-objection. The NSSP shall address, but not be limited to, information
security, remote access, physical security, cyber-security, third party contractors, Outsourcing
and Offshoring, system logs, protection of Lawful U.S. Process and protection of U.S. Records
obtained by iBasis from its customers or through the provision of services.

        9.      iBasis agrees to require any MNSP to disclose any data breach of any U.S.
Records, or any loss of U.S. Records, whether from a data breach or other cause, within 48 hours
of the third party discovering the breach or loss. To the extent that iBasis has current agreements
with any third party providers of services with Access to U.S. Records, iBasis agrees to amend
those agreements to require those third parties to make disclosure of breaches or loss of U.S.
Records consistent with this paragraph, and shall forward copies of those amended agreements to
USDOJ points of contacts listed herein within five (5) business days of executing those
amendments.

       10.    iBasis agrees to notify the FBI and U.S. Secret Service within seven (7) business
days upon having knowledge that a person or entity without authorization, or in exceeding their


Assistant Attorney General for National Security
December 14, 2018
Page 8

or its authorization, has intentionally gained Access to, used, or disclosed any of its customer’s
CPNI or that of a third party used by iBasis, and shall report the matter to the central reporting
facility through the following portal:

         https://www.cpnireporting.gov/cpni/content/disclaimer.seam

        11.     iBasis agrees to designate a Security Officer within 30 calendar days from the
Date of this LOA. The Security Officer will have appropriate senior-level corporate authority
within iBasis, and the necessary resources and skills, to maintain iBasis’ security policies and
procedures and oversee iBasis’ compliance with this LOA. The Security Officer will be a U.S.
citizen residing in the United States, and, if not already in possession of a U.S. security
clearance, shall be eligible to hold such security clearance immediately upon appointment. The
Security Officer will be subject to USDOJ’s review and non-objection and may be subject to a
background check at the sole discretion of USDOJ. If USDOJ objects to the Security Officer
nominee, such objection must be made within 30 calendar days of receiving notice of the
nominee. The Security Officer will serve as the primary point of contact for USDOJ regarding
any national security, law enforcement, or public safety concerns that USDOJ may raise. The
Security Officer shall be responsible for receiving and promptly effectuating any requests for
information pursuant to this LOA and for otherwise ensuring compliance with obligations set
forth in this LOA. iBasis shall notify USDOJ of any proposed change to the Security Officer at
least 10 calendar days in advance of such change, (except in the case of the unexpected firing,
resignation or death of the Security Officer in which case such written notice must be provided
within five (5) calendar days of such event). Any subsequently proposed Security Officer shall
be subject to USDOJ’s review and non-objection and may be subject to a background check at
the sole discretion of USDOJ. As applicable, the Security Officer will instruct and train iBasis
officers, employees, contractors and agents on the requirements of this LOA.

        12.     iBasis agrees to maintain a U.S. law enforcement point of contact (“LEPOC”) in
the United States. The LEPOC shall be a U.S. citizen residing in the United States unless
USDOJ agrees in writing otherwise, and the LEPOC must be approved by the FBI to receive
service Lawful U.S. Process for U.S. Records and, where possible, to assist and support lawful
requests for surveillance or production of U.S. Records by U.S. federal, state, and local law
enforcement agencies. This LEPOC and his/her contact information will be provided to USDOJ
within 15 business days from the date iBasis receives the FCC’s approval of the transfer. In
addition, iBasis will give USDOJ, including the FBI, at least 30 calendar days’ prior written
notice of any change to its LEPOC (except in the case of the unexpected firing, resignation or
death of the LEPOC in which case such written notice must be provided within five (5) calendar
days of such event), and iBasis’ nominated replacement shall be subject to USDOJ, including the
FBI, review and approval. iBasis also agrees that the LEPOC will have Access to all U.S.
Records, and, in response to Lawful U.S. Process, will make such records available promptly
and, in any event, no later than five (5) calendar days after receiving such Lawful U.S. Process
unless granted an extension by USDOJ.

      13.    iBasis agrees to provide USDOJ within 30 calendar days from the date that the
FCC approves the transfer of control:


Assistant Attorney General for National Security
December 14, 2018
Page 9


               a.      A complete and current list of all Principal Equipment, including: (i) a
                       description of each item and the functions supported, (ii) each item’s
                       manufacturer, and (iii) the model and/or version number of any hardware
                       or software; and

               b.      Any vendors, contractors, or subcontractors involved in providing,
                       installing, operating, managing, or maintaining the Principal Equipment.

      14.    iBasis agrees to meet and confer with USDOJ and to consider any concerns
USDOJ may raise about the Principal Equipment List submitted pursuant to this LOA and will
work with USDOJ if there are any concerns related to such Principal Equipment List.

        15.     iBasis agrees to provide USDOJ notice at least 10 business days in advance to
performing any maintenance, repair, or replacement that would result in any material
modification to existing Principal Equipment or systems or software used with or supporting the
Principal Equipment, including the names of providers, suppliers, and entities that will perform
any maintenance, repair, or replacement. USDOJ shall object or non-object to such new
Principal Equipment or change/modification to the Principal Equipment within 30 calendar days
of receipt of notice. iBasis need not comply with the advance notice requirement for any
maintenance, repair, or replacement that is undertaken in response to an unforeseen or
uncontrollable event and that is necessary to ensure the continued operability of the iBasis’
network. However, in such circumstances, iBasis shall provide advance notice to USDOJ of the
material modification, if practicable, and, if impracticable, iBasis shall provide notice within 10
business days after the material modification of the Principal Equipment commences. iBasis
agrees to meet and confer with USDOJ and to consider any concerns USDOJ may raise about
materials submitted pursuant to this provision.

         16.    iBasis agrees to provide notice at least 30 calendar days in advance to making any
modifications to the list of vendors, contractors, or subcontractors involved in providing,
installing, operating, managing, or maintaining the Principal Equipment. In addition, iBasis shall
provide notice at least 30 calendar days in advance to changing the service offerings or support
from a previously-listed vendor, contractor, subcontractor (i.e., where a previously-listed
provider will be offering support in a previously unidentified way). iBasis agrees to negotiate in
good-faith to resolve any national security, law enforcement, or public safety concerns USDOJ
may raise with respect to materials submitted pursuant to this provision.

        17.     iBasis agrees to take all reasonable measures to prevent unauthorized Access to
the DCI and to prevent any unlawful use or disclosure of information carried on the same. Such
measures shall include a NIST-compliant cyber-security plan, security procedures for any remote
virtual private network (“VPN”) access to the DCI, contractual safeguards and screening
procedures for personnel with administrative Access to the DCI; and procedures for applying
security patches to systems and applications. iBasis will submit policies regarding logical
(access) security measures for the DCI to USDOJ within 60 calendar days from the Date of this


Assistant Attorney General for National Security
December 14, 2018
Page 10

LOA. iBasis agrees to meet and confer with USDOJ, including the FBI, regarding such policies
upon request.

     18.      iBasis agrees to provide USDOJ within 30 calendar days from the Date of this
LOA with a list of:

              a.      All persons who have Access to Sensitive Information;

              b.      All persons who have Access to Domestic Communications Infrastructure
                      to monitor the content of Domestic Communications;

              c.      All persons who have the ability to monitor personnel with Access to
                      Domestic Communications under this subsection;

              d.      All persons who have Access to Transactional Data, Subscriber
                      Information, CPNI, CDRs, IPDRs, or PII for customers and network users
                      of iBasis;

              e.      All persons who have limited access to Domestic Communications
                      Infrastructure;

              f.      All persons who provision Network Elements either onsite or remotely;

              g.      All vendors, contractors, or subcontractors, including billing vendors and
                      managed service providers, involved in Accessing, managing, or
                      maintaining CDR, Classified Information, CPNI, IPDR, PII, Sensitive
                      Information, Subscriber Information or Transactional Data; and

              h.      All vendors, contractors, or subcontractors, including managed service
                      providers, involved in providing network or software services, to include
                      network security and cloud solutions.

       19.      USDOJ shall approve or disapprove any person included on the list required
pursuant to Paragraph 18 within 30 calendar days of receipt unless extended or otherwise
delayed by awaiting responses to inquiries for further information from iBasis, in which event
USDOJ shall be afforded additional time to approve or disapprove the listed person. USDOJ’s
additional time to approve or disapprove shall be the original 30-day window extended by the
number of days USDOJ awaited a response from iBasis. Failure by USDOJ to respond within
the required timeframe shall not be deemed to constitute a non-objection to the listed person.

        20.     iBasis shall provide USDOJ notice at least 30 calendar days in advance to making
any modifications or additions to the list of vendors, contractors, or subcontractors provided
pursuant to Paragraph 18. In addition, iBasis shall provide notice at least 30 calendar days in
advance to changing in any material respects the service offerings or support from a previously
listed vendor, contractor, subcontractor provided pursuant to Paragraph 18 (i.e., where a
previously listed provider will be offering support in a previously unidentified way). USDOJ


Assistant Attorney General for National Security
December 14, 2018
Page 11

shall approve or disapprove any additions, modification or change proposed pursuant to this
Paragraph within 30 calendar days of receipt unless extended or otherwise delayed by awaiting
responses to inquiries for further information from iBasis. Notwithstanding the foregoing, in the
event of exigent circumstances, USDOJ may extend the time for its approval or disapproval of
any notice provided by iBasis under this Paragraph by a maximum of 30 additional calendar days
by giving written notice of such extension to iBasis within 30 calendar days of the initial receipt
of the notice. USDOJ agrees that it will make good-faith efforts to respond to each notice within
the initial 30-day period (subject to any automatic extensions provided for above) and will not
routinely request extensions under this Paragraph.

        21.     iBasis agrees to promptly notify USDOJ, including the points of contact (“POCs”)
listed herein, of any breaches of this agreement, as well as any other Security Incidents such as,
but not limited to cyber-security incidents, intrusions or breaches of the DCI or Network
Elements. The notification shall take place no later than 15 calendar days after iBasis or any
third party providing Outsource or Offshore services to iBasis discovers the incident, intrusion or
breach takes place, or sooner when required by statute or regulations.

        22.     iBasis agrees to instruct and train appropriate officials, employees, contractors,
and agents as to iBasis’ obligations under this LOA, including the individuals’ duty to report any
violation, and shall issue periodic reminders of such obligations. iBasis shall issue these
instructions in writing within 60 calendar days of the Date of this LOA. iBasis will submit a
copy to USDOJ at the same time. Upon request, iBasis agrees to provide USDOJ a list of
individuals who have completed LOA training.

        23.     iBasis agrees not to monitor, collect, market, or sell data from any U.S.
Government customers in any way, including for any commercial purpose. This is not intended
to conflict with any law enforcement provision of this LOA or other legal requirements.

      24.      iBasis agrees to permit USDOJ requests for site visits and approve all requests to
conduct on-site interviews of iBasis employees.

       25.     iBasis further agrees that it will provide USDOJ notice at least 30 calendar days in
advance of all Outsourced or Offshore service providers, including but not limited to services
provided in relation to:
              Network Operation Center(s);
              Network maintenance services;
              Customer support services;
              Any operation/service that could potentially expose U.S. DCI and U.S. Records,
               including but not limited to customer data and records, CDR, or CPNI; and
              Any Network Management Capabilities that are provided by a person or entity
               owned, managed, manufactured or controlled by one or more foreign
               governmental or non-public entities.


Assistant Attorney General for National Security
December 14, 2018
Page 12

USDOJ shall object or non-object to Outsourced or Offshore service providers, within 30
calendar days of receipt of notice.

       26.     iBasis agrees to provide USDOJ with notice of any material changes to its
business, including but not limited to corporate structure changes, ownership changes, corporate
name changes, business model changes, corporate headquarter location changes, or business
operation location changes within 30 calendar days in advance of such change.

       27.    The Parties agree to provide an annual report to USDOJ regarding iBasis’
compliance with this Agreement, to include:
              a.      Certifications that there were no changes (where no changes were reported
                      to USDOJ/FBI during the preceding year);

              b.      Certification that iBasis has been in CALEA compliance;

              c.      Notice(s) regarding iBasis’ handling of U.S. Records, Domestic
                      Communications, and Lawful U.S. Process (i.e., whether handled properly
                      and in accordance with the assurances contained herein) including list of
                      individuals with access to U.S. CDRs of iBasis;

              d.      Recertification on any changes in the services that iBasis provides or
                      confirmation that no additional services are being offered;

              e.      Notification(s) of any relationships with foreign-owned
                      telecommunications partners, including any peer relationships;

              f.      Updated list of iBasis’s Principal Equipment, vendors and suppliers;

              g.      Updated NSSPs and Procedures;

              h.      Updated NIST-Compliant Cyber Security Plan;

              i.      Notification(s) of the installation and/or purchase or lease of any foreign-
                      manufactured telecommunication equipment (including, but not limited to,
                      switches, routers, software, and hardware);

              j.      Report(s) of any occurrences of cyber-security incidences, network and
                      enterprise breaches, and unauthorized Access to customer data and
                      information;

              k.      A re-identification of the name of and contact information of the Security
                      Officer and the LEPOC; and

              l.      Notifications regarding any other matter of interest to this LOA.


Assistant Attorney General for National Security
December 14, 2018
Page 13

       The annual report will be due every 31st day of January of each calendar year, beginning
on January 31, 2020, and will be addressed to:

                       Assistant Attorney General for National Security
                       U.S. Department of Justice
                       National Security Division
                       Three Constitution Square, 175 N Street NE,
                       Washington, DC 20002

                       Attention: FIRS/Team Telecom Staff

       Courtesy electronic copies of all notices and communications will also be sent to the
       following or individuals identified in the future to the Parties by USDOJ: Bermel Paz,
       USDOJ (at Bermel.Paz@usdoj.gov); Siobhan Dupuy, USDOJ (at
       Siobhan.Dupuy@usdoj.gov); David Jividen, USDOJ (at David.Jividen@usdoj.gov);
       Loyaan Egal, USDOJ (at Loyaan.Egal@usdoj.gov) and FIRS Team (at FIRS-
       TT@usdoj.gov).

       28.     Tofane agrees to ensure that iBasis complies with the obligations of iBasis under
this LOA.

        29.     The Parties agree that in the event that the commitments set forth in this letter are
breached, USDOJ may request that the FCC modify, condition, revoke, cancel, or render null
and void any relevant license, permit, or other authorization granted by the FCC to iBasis or its
successors-in-interest, in addition to any other remedy available by law or equity. Nothing
herein shall be construed to be a waiver by the Parties of, or limitation on, their right to oppose
or comment on any such request.

        31.    The Parties understand that, upon execution of this LOA by an authorized
representative or attorney, or shortly thereafter, USDOJ shall notify the FCC that it has no
objection to the FCC’s consent to the applications.

        32.   This LOA may be executed in one or more counterparts, including by facsimile and
portable document format, each of which shall together constitute one and the same instrument.

                                 [SIGNATURE PAGES FOLLOW]


Assistant Attorney General for National Security
December 14, 2018
Page 14



                                            Sincerely,




                                            A Iexandrc]Pebereau
                                            President /
                                            Tofane Global    §KS
                                            December 14, 2018




                                            Name:
                                            Title:
                                            iBasis, Inc.
                                            December 14, 2018


Assistant Attorney General for National Security
December 14, 2018
Page 14


                                            Sincerely,




                                            Alexandre Pébereau
                                            President
                                            Tofane Global SAS
                                            December 14, 2018



                                                    _    //__‘____»—-——-——5




                                         ///\l\ ‘    &


                                     €C___ Name: Feddo —Feare—w: —o!+—>
                                            Title: CE c
                                            iBasis, Inc.
                                            December 14, 2018



Document Created: 2018-12-14 15:41:01
Document Modified: 2018-12-14 15:41:01

© 2024 FCC.report
This site is not affiliated with or endorsed by the FCC