Back in the day calea compliance meant you had to provide network connectivity and a signaling mechanism to specify what you wanted to be replicated to you. That meant voice calls and in some cases defining a network acl for packets (I knew folks who had to implement at router manufacturers - it was a hack that reused some of their multicast code base). The key part was an operator couldn't login to a device to see a calea intercept in progress or who was targeted. However due to the nature of how the replication/intercept was implemented you could see the results of it. High cpu, traffic leaving the box that didn't make sense, etc. I know one vendor who actually provided the trigger to the govt in the form of a snmpv3 query (and the communtiy string was hard coded in the os/binary...).