Petition to Adopt at

PETITION submitted by US Department of Justice

Petition to Adopt Conditions

2018-11-23

This document pretains to ITC-T/C-20180517-00094 for Transfer of Control on a International Telecommunications filing.

IBFS_ITCTC2018051700094_1578780

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C. 20554 In the Matter of ) ) Mitel Networks Corporation, Mitel Cloud ) Services, Inc., and MLN TopCo Ltd. ) ITC-T/C-20180517-00094 Joint Applications for Transfer and Control ) WC Docket No. 18-162 Of Mitel Cloud Services, Inc. to MLN ) TopCo Ltd. pursuant to Section 214 of the ) Communications Act of 1934, as amended ) PETITION TO ADOPT CONDITIONS TO AUTHORIZATIONS AND LICENSES The U.S. Department of Justice (“USDOJ”), to include its components, the National Security Division (“NSD”) and the Federal Bureau of Investigation (“FBI”), submits this Petition to Adopt Conditions to Authorizations and Licenses (“Petition”), pursuant to Section 1.41 of the Federal Communications Commission (“Commission”) rules.1 Through this Petition, the USDOJ advises the Commission that it has no objection to the Commission approving the authority sought in the above-referenced proceeding, provided that the Commission conditions its approval on the assurance of MLN Topco Ltd. (“TopCo”), and to abide by the commitments and undertakings set forth in the November 23, 2018 Letter of Agreement (“LOA”), a copy of which is attached hereto. The Commission has long recognized that law enforcement, national security, and public safety concerns are part of its public interest analysis, and has accorded deference to the views of other U.S. government agencies with expertise in those areas. See In the Matter of Comsat Corporation d/b/a Comsat Mobile Communications, etc., 16 FCC Rcd. 21,661, 21707 ¶ 94 (2001). 1 47 C.F.R. § 1.41.

After discussions with representatives of TopCo in connection with the above-referenced proceeding, the USDOJ, NSD and FBI have concluded that the additional commitments set forth in the LOA will help ensure that the FBI, which has the responsibility of enforcing the law, protecting the national security, and preserving public safety, can proceed appropriately to satisfy those responsibilities. Accordingly, the USDOJ advises the Commission that it has no objection to the Commission granting the application in the above-referenced proceeding, provided that the Commission conditions its consent on compliance with the LOA. Respectfully submitted, SANCHITHA JAYARAM Chief, Foreign Investment Review Staff National Security Division United States Department of Justice BERMEL R. PAZ National Security Division United States Department of Justice 3 Constitution Square 175 N St NE, Suite 12-1805 Washington, D.C. 20002 November 23, 2018

MLN TopCo Ltd. c/o Searchlight Capital Partners, L.P. 745 Fifth Avenue, 27th Floor New York, NY 10151 November 23, 2018 Assistant Attorney General for National Security United States Department of Justice National Security Division 950 Pennsylvania Avenue NW, Washington, DC 20530 Subject: FCC# ITC-T/C-20180517-00094/WC Docket No. 18-162 Joint Application by Mitel Networks Corporation (“Mitel”), Mitel Cloud Services, Inc. (“MCSI”), and MLN TopCo Ltd. (“Topco”) to transfer domestic and international section 214 authorizations from MCSI to Topco pursuant to section 214 of the Communications Act of 1934, as amended. Dear Sir/Madam: This Letter of Agreement (“LOA” or “Agreement”) outlines the commitments being made by Topco to the U.S. Department of Justice (“USDOJ”) in order to address national security, law enforcement, and public safety concerns arising from Mitel’s, MCSI’s, and Topco’s joint application to the Federal Communications Commission (“FCC”) to transfer domestic and international section 214 authorizations from MCSI to Topco. Topco adopts as true and correct all statements Topco, Mitel, and MCSI or their representatives have made to USDOJ or other Team Telecom member agencies and the FCC in the course of the review of the above-referenced application, and hereby adopts those statements as the basis for this LOA. 1. For purposes of this LOA, the following definitions apply: a. “Topco” means MLN TopCo Ltd. or its successors-in-interest. b. “Access” or “Accessible” means the ability to physically or logically undertake any of the following actions: (i) to read, copy, divert, or otherwise obtain non- public information or technology from or about software, hardware, a database or other system, or a network; (ii) to add, edit, delete, reconfigure, provision, or alter information or technology stored on or by software, hardware, a system or network; or (iii) to alter the physical or logical state of software, hardware, a system or network. c. “Customer Proprietary Network Information” (CPNI) shall mean as defined in 47 U.S.C. § 222(h)(1). d. “Date of this LOA” shall mean the date on which the LOA is executed by Topco.

e. “Domestic Communications,” as used herein, means: (i) Wire Communications or Electronic Communications (whether stored or not) from one U.S. location to another U.S. location; and (ii) the U.S. portion of a Wire Communication or Electronic Communication (whether stored or not) that originates or terminates in the United States. f. “Electronic Communication” has the meaning provided in 18 U.S.C. § 2510(12). g. “Electronic Surveillance” means: (i) the interception of wire, oral, or electronic communications as defined in 18 U.S.C. § 2510(1), (2), (4) and (12), respectively, and electronic surveillance as defined in 50 U.S.C. § 1801(f); (ii) Access to stored wire or electronic communications, as referred to in 18 U.S.C. § 2701 et seq.; (iii) acquisition of dialing, routing, addressing, or signaling information through pen register or trap and trace devices or other devices or features capable of acquiring such information pursuant to law as defined in 18 U.S.C. § 3121 et seq. and 50 U.S.C. § 1841 et seq.; (iv) acquisition of location-related information concerning a subscriber or facility; (v) preservation of any of the above information pursuant to 18 U.S.C. § 2703(f); and (vi) Access to or acquisition, interception, or preservation of, wire, oral, or Electronic Communication or information as described in (i) through (v) above and comparable state laws. h. “Foreign” means non-United States. i. “Geolocation Data” means any information collected by Topco from its customers regarding a customer or the customer’s device location. j. “Government” means any government, or governmental, administrative, or regulatory entity, authority, commission, board, agency, instrumentality, bureau or political subdivision, and any court, tribunal, judicial or arbitral body. k. “Internet Protocol Detail Record” means a streaming data protocol used by operations support systems and business support systems to collect and record a user’s data traffic statistics on a network. l. “Internet Search Information” includes any data collected by Topco about its customer’s internet browsing or online purchasing activities through any mechanism permitted by the services offered by Topco. m. “Lawful U.S. Process” means U.S. federal, state, or local court orders, subpoenas, warrants, processes, directives, certificates or authorizations, and other orders, legal process, statutory authorizations and certifications for electronic surveillance, physical search and seizure, production of tangible things or Access to or disclosure of Domestic Communications, call-associated data, transactional data, subscriber information, or associated records. 2

n. “Managed Network Service Provider” (“MNSP”) means any third party that provides services to Topco and its subsidiaries in support of its telecom and/or Internet infrastructure/business/operation including, but not limited to, network operation; provisioning of Internet and telecom services; routine, corrective, and preventative maintenance, including intrusive testing; network and service monitoring; network performance, optimization, and reporting; network audits, provisioning, and development, and the implementation of changes and upgrades; Domestic Communications (DC); Domestic Communications Infrastructure (DCI); customer support; Operations Support Systems (OSS); Business Support Systems (BSS); Network Operations Center (NOC); network optimization; information technology; cloud operations/services; 5G (SDN, NFV, Applications); and datacenter services/operations. o. “Network Elements” means a facility, equipment, software, hardware or applications used in the provision of telecommunications services, including features, functions and capabilities that are provided by means of such facility or equipment, including subscriber numbers, databases, signaling systems, and information sufficient for billing, receiving and/or aggregating customer data, and collection or used in the transmission, routing, or other provision of telecommunications services. p. “Network Operations Center” means any locations and facilities performing network management, monitoring, accumulation of accounting and usage data, maintenance, user support, or other operational functions for Domestic Communications. q. “Non-US Government” means any government, including an identified representative, agent, component or subdivision thereof, that is not a local, state, or federal government in the United States. r. “Offshoring” means performing obligations of this Agreement through the use of entities and personnel outside of the territorial limits of the United States, whether those entities or personnel are employees of Topco or its subsidiaries, or third parties. s. “Outsource” or “Outsourcing” means, with respect to Domestic Communications, supporting the services and operational needs of Topco at issue in this LOA through the use of contractors or third parties. t. “Principal Equipment” means any equipment, hardware, software, or applications capable of controlling Domestic Communications, as well as device controllers, signal routing and transfer routers, devices that perform network or element management, fiber optic line termination and multiplexing, core and edge routing, network protection, radio network control, mobility management, or lawful intercept functions, and non-embedded software necessary for the proper monitoring, administration and provisioning of any such equipment. This definition may be modified from time to time by USDOJ as may be necessary due to changes in technology, business model, management, structure of services offered, or governance of the Domestic Communications. 3

u. “Security Incident” means (i) any known or suspected breach of this agreement, including a violation of any approved policy or procedure under this Agreement; (ii) any unauthorized access to, or disclosure of, Personally Identifiable Information; (iii) any unauthorized access to, or disclosure of, information obtained from or relating to Government Entities; (iv) any one or more of the following which affect the company’s computer network(s) or associated information systems: (A) unplanned disruptions to a service or denial of a service; (B) unauthorized processing or storage of data; (C) unauthorized changes to system hardware, firmware, or software; or (D) attempts from unauthorized sources to Access systems or data if these attempts to Access systems or data may materially affect company’s ability to comply with the terms of this Agreement. v. “U.S. Records” means Topco’s customer billing records, subscriber information, text, Internet Protocol Detail Record, Internet Search Information, Geolocation Data, CPNI, and any other related information used, processed, or maintained in the ordinary course of business relating to the services offered by Topco in the United States, including information subject to disclosure to a U.S. federal or state governmental entity under the procedures specified in 18 U.S.C. § 2703(c) and (d) and 18 U.S.C. § 2709. w. “Wire Communication” has the meaning provided in 18 U.S.C. § 2510(1). 2. Topco confirms that it will comply with all applicable lawful interception statutes, regulations, and requirements, including the Communications Assistance for Law Enforcement Act (“CALEA”), 47 U.S.C. 1001 et seq., and its implementing regulations, as well as comply with all court orders and other Lawful U.S. Process for lawfully authorized Electronic Surveillance. 3. Upon receipt of any Lawful U.S. Process, Topco shall place within the territorial boundaries of the United States any and all information requested by the Lawful U.S. Process within the period of time for response specified in the Lawful U.S. Process, or as required by law, and shall thereafter comply with the Lawful U.S. Process. 4. Topco agrees to notify USDOJ, at least 30 days in advance, of any change to its current services portfolio or any peering relationships or joint ventures with foreign companies providing data aggregation or reselling services. Topco also agrees to notify USDOJ, at least 30 days in advance, of plans or activities to offer any 5G-based equipment or services in the U.S. for its objection or non-objection. 5. Topco agrees that it will not, directly or indirectly, disclose or permit disclosure of or Access to U.S. Records or Domestic Communications or any information (including call content and call data) pertaining to a wiretap order, pen/trap and trace order, subpoena, or any other Lawful U.S. Process demand if the purpose of such disclosure or access is to respond to the legal process or request on behalf of a non-U.S. Government entity without first satisfying all pertinent requirements of U.S. law and obtaining the express written consent of USDOJ, or the 4

authorization of a court of competent jurisdiction in the United States. Any such requests for legal process submitted by a non-U.S. Government entity to Topco shall be referred to USDOJ as soon as possible, but in no event later than five (5) business days after such request or legal process is received by or made known to Topco, unless disclosure of the request or legal process would be in violation of U.S. law or an order of a court of competent jurisdiction in the United States. 6. Topco agrees to draft: (a) a NIST-Compliant Cyber Security Plan; and (b) Network Systems Security Plan (“NSSP”), which will be forwarded to USDOJ within 60 days of the Date of this LOA for objection or non-objection. The NSSP shall address, but not be limited to, information security, remote Access, physical security, cyber-security, third-party contractors, Outsourcing and Offshoring, maintenance and retention of system logs, protection of Lawful U.S. Process, protection of U.S. Records obtained by Topco from their customers or through the provision of services, and Topco’s specific plan regarding new contracts or any amendments to existing contracts with third-party providers of services to require those third parties to notify Topco in the event of a breach or loss of U.S. Records within a specified time period after discovery, not to exceed five (5) business days from the date of discovery. 7. Topco agrees to require any third-party provider of services, including MNSPs, to disclose any data breach of any U.S. Records, or any loss of U.S. Records, whether from a data breach or other cause, within 48 hours of the third party discovering the breach or loss. To the extent that Topco has current agreements with any third-party providers of services with Access to U.S. Records, Topco agrees to amend those agreements to require those third parties to make disclosure of breaches or loss of U.S. Records consistent with this paragraph, and shall forward copies of those amended agreements to USDOJ points of contacts listed in paragraph 16 within five (5) business days of executing those amendments. 8. Topco agrees to report to USDOJ and the Federal Bureau of Investigation (“FBI”) within five (5) days upon discovery of any Security Incident. It also agrees to notify the FBI and the U.S. Secret Service within seven (7) business days upon learning that a person or entity without authorization, or in exceeding their or its authorization, has intentionally gained access to, used, or disclosed any of its customer’s CPNI or that of a third party used by Topco, and shall report the matter to the central reporting facility through the following portal: https://www.cpnireporting.gov/cpni/content/disclaimer.seam 9. Topco agrees to maintain a U.S. law enforcement point of contact (“LEPOC”) in the United States. The LEPOC shall be a U.S. citizen residing in the United States unless USDOJ agrees in writing otherwise, and the LEPOC must be approved by the FBI to receive service Lawful U.S. Process for U.S. Records and, where possible, to assist and support lawful requests for surveillance or production of U.S. Records by U.S. federal, state, and local law enforcement agencies. This LEPOC and his/her contact information will be provided to USDOJ within 15 days from the date Topco receives the FCC’s approval of the transfer. Topco also agrees to provide USDOJ at least 30 days’ prior written notice of any change in its LEPOC, with all such changes subject to the approval of USDOJ, including the FBI. In addition, Topco will give USDOJ, including the FBI, at least 30 days’ prior written notice of any change to its 5

LEPOC, and Topco’s nominated replacement shall be subject to USDOJ, including the FBI, review and approval. Topco also agrees that the LEPOC will have access to all U.S. Records, and, in response to Lawful U.S. Process, will make such records available promptly and, in any event, no later than five (5) business days after receiving such Lawful U.S. Process unless granted an extension by USDOJ. 10. Topco agrees to provide USDOJ within 60 days from the date Topco receives the approval of transfer with a list of all Principal Equipment. Topco further agrees to notify USDOJ, including the FBI, at least 30 days in advance, of any introduction of new Principal Equipment or changes/modification to any of its Principal Equipment, including the names of providers, suppliers, and entities that will perform any maintenance, repair, or replacement that may result in any material modification to its Principal Equipment or systems or software used with or supporting the Principal Equipment. USDOJ shall object or non-object to such new Principal Equipment or change/modification to the Principal Equipment within 30 days of receipt of notice. 11. Topco agrees to notify USDOJ of any plans to operate a Network Operation Center outside of the United States for objection or non-objection by USDOJ. Topco further agrees to obtain pre-approval from USDOJ prior to using its remote Access capabilities. 12. Topco agrees to permit USDOJ requests for site visits and approve all requests to conduct on-site interviews of Topco employees. 13. Topco agrees that it will provide USDOJ notice at least 30 days in advance of all Outsourced or Offshore service providers, including but not limited to services provided in relation to: Network Operation Center(s); Network maintenance services; Customer support services; Any operation/service that could potentially expose Domestic Communications Infrastructure, U.S. Records to include CPNI such as call detail records (“CDRs”); and Deployment of any Network Elements, hardware, software, core network equipment, and Network Management Capabilities that are owned, managed, manufactured or controlled by a foreign government or non-public entities. USDOJ shall object or non-object to Outsourced or Offshore service providers, within 30 days of receipt of notice. 14. Topco agrees to provide USDOJ with 30 days’ advance notice of any changes to its business, including but not limited to corporate structure changes, ownership changes, corporate name changes, business model changes, corporate headquarter location changes, or business operation location. 6

15. Topco agrees not to allow any person, entity, or subsidiary to sell or collect information such as web activities, contact list, location, etc. ofits subscriber or customer for third party‘s use or purpose without the consent ofthe customer. 16. Topco agrees to provide an annual report to USDOJ regarding its compliance with this Agreement, to include: Certifications that there were no changes (where no changes were reported to USDOT,including the FBI), during the preceding year; Certification that Topco has been in CALEA compliance; Notice(s) regarding the company‘s handling ofU.S. Records, Domestic Communications, and Lawful U.S. Process(.e., whether handled properly and in accordance with the assurances contained herein) including list of individuals with access to U.S. CDRs; Recertification on any changes in theservices that Topco provides or confirmation that no additional services are being offered; Notification(s) of any relationships with foreign—owned telecommunications partners, including any peerrelationships; Updated list of Topco‘s Principal Equipment, vendors and suppliers; Updated NSSP; Updated NIST—Compliant Cyber Security Plan: Summary of eyber security and cloud incidents reported to USDOT as well as the actions and resolutions undertaken by Topco; Notification(s) of theinstallation and/or purchase orlease of any foreign— manufactured telecommunication equipment(including, but not limited to, switches, routers, software, hardware); Report(s) of any occurrences of Security Incidents including eyber—security incidences, network and enterprise breaches, and unauthorized Access to customer data and information; A re—identification of the name of and contact information of the LEPOC; and Notifications regarding any other matter of interest to this LOA. The annual report will be due on the 31" day of January of each calendar year, beginning on January 31, 2020, and will be addressed to: Assistant Attorney General for National Security U.S. Department of Justice 7

National Security Division Three Constitution Square, 175 N Street NE, Washington, DC 20002 Attention: FIRS/Team Telecom Staff Courtesy electronic copies of all notices and communications will also be sent to the following or individuals identified in the future to Topco by USDOJ: Bermel Paz, USDOJ (at Bermel.Paz@usdoj.gov); Loyaan Egal, USDOJ (at Loyaan.Egal@usdoj.gov) and FIRS Team (at FIRS-TT@usdoj.gov). 17. Topco agrees that in the event that the commitments set forth in this letter are breached, USDOJ may request the FCC to modify, condition, revoke, cancel, terminate or render null and void any relevant license, permit, or other authorization granted by the FCC to Topco or its successors-in-interest, in addition to any other remedy available at law or equity. 18. Topco understands that, upon execution of this LOA by an authorized representative or attorney, or shortly thereafter, USDOJ shall notify the FCC that it has no objection to the FCC’s consent to Topco’s petition. Sincerely, ________________________________ Andrew Frey: Authorized Person ___________________________________ MLN TopCo Ltd. 8


Document Created: 2018-11-23 09:41:16
Document Modified: 2018-11-23 09:41:16
© 2024 FCC.report
This site is not affiliated with or endorsed by the FCC