The whole point of the law was to add the ability to tap in, which is what this is. You still need someone to log into the router and setup the account which can do the tap, it can't be remotely activated by spooks.

Though if there are other remote access vulnerabilities, someone may be able to use the feature maliciously once they're in.