FAQ on the CALEA Expansion by the FCC
- What is CALEA?
- What are the different kinds of communications surveillance methods, and how are they relevant to the current debate regarding CALEA?
- Are communications services providers legally obligated to assist law enforcement in carrying out communications surveillance?
- What problem did Congress intend CALEA to solve?
- What is a Notice of Proposed Rulemaking (NPRM)?
- How does the NPRM address the definition of call-identifying information?
- What is the new application of CALEA in the NPRM?
- Does the FCC propose to apply CALEA to all types of online communication, including instant messaging and visits to websites?
- How do the proposed rules endanger technical innovation?
- What surveillance capabilities does CALEA require from telecommunications carriers?
- Does CALEA require carriers to follow certain standards?
- What did law enforcement request in its recent joint petition to the FCC?
- Who will bear the costs of implementing CALEA?
- Why does the NPRM ignore CALEA's "information services" exemption?
- In CALEA, what is the legal difference between "telecommunications carrier" and "information services"?
- Is the FBI trying to dictate how the Internet should be engineered to permit whatever level of surveillance the FBI deems necessary?
- Why can't CALEA be applied to the Internet in the same way it applied to the phone system?
- How are VoIP applications different from telecommunications services?
- What's the likely global impact if the FCC approves the tentative rules set forth in the NPRM?
- What is the administrative timeline for CALEA?
- What happens next?
- How does the EFF want the FCC to proceed?
- How does one comment on the NPRM?
- Who is the contact at the FCC for questions about the process?
- What are some of the key issues on which the FCC seeks comment?
- Are "Trusted Third Party" Models Appropriate?
- What about the Brand X decision?
- Where can I find more information?
What is CALEA?
The U.S. Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994 to aid law enforcement in its effort to conduct surveillance of digital telephone networks. CALEA forced telephone companies to redesign their network architectures to make such surveillance easier. It expressly excluded the regulation of data traveling over the Internet.
What are the different kinds of communications surveillance methods, and how are they relevant to the current debate regarding CALEA?
There are several different kinds of communications surveillance methods. In this FAQ we only discuss "live" or "real-time" communications surveillance, which allows law enforcement to capture information while it's being transmitted. Law enforcement also relies heavily on its power to gather or compel the disclosure of stored communications (like email) and transactional records (like ISP-created logs). CALEA does not directly affect the treatment of stored information.
Some kinds of communications surveillance discern the where, who, and when of a communication, revealing things like telephone numbers called, when they were called, and who was initiating the call — so-called "traffic" or "transactional" information. Other kinds capture the content of a communication session, revealing what exactly was said in a given phone conversation. Under federal law, to use a device to capture the content of a communication is to intercept that communication.
One example of content interception is a "wiretap"—an intercept of a telephone conversation. Originally, wiretaps were accomplished by "tapping" a particular target's telephone wire. Today, the term has a broader meaning, and can include the monitoring of communications occurring via radio link or fax. Congress has noted that "wiretaps . . . are potentially more penetrating, less discriminating, and less visible than ordinary searches." This makes wiretaps an extremely powerful investigative tool for law enforcement, but also highly invasive of individuals' privacy. Wiretaps, and intercepts generally, are far more tightly controlled than types of surveillance that acquire only traffic or transactional data.
Examples of the kind of surveillance methods that discover the "where, who, and when" of a communication are "trap and trace" (capturing the phone numbers on incoming calls) and "pen registers" (which capture numbers dialed out). Both are easily retrievable pieces of information given the current state of telephone technology and service providers' billing practices. Today, both methods also register the duration of a call, as well as whether the call was completed.
Moreover, the FCC has previously permitted the FBI to obtain:
- "Post-cut-through dialed digit extraction": Carriers use tone-detection equipment to generate a list of all digits dialed after a call has been connected. Such digits include not only the telephone numbers dialed after connecting to a dial-up long distance carrier (e.g., 1-800-CALL-ATT), but also, for example, credit card or bank account numbers dialed in order to check balances or transact business using automated telephone services;
- "Party hold/join/drop information": This includes telephone numbers of all parties to a conference call as well as signals indicating when parties are joined to the call, put on hold, or disconnected;
- "Subject-initiated dialing and signaling information": This includes signals generated by activating features such as call forwarding and call waiting; and
- "In-band and out-of-band signaling": This includes information about signals sent from the carrier's network to a subject's telephone, such as message-waiting indicators, special dial tones, and busy signals.
The D.C. Circuit Court in United States Telecom Ass'n v. FCC, 227 F.3d 450 (D.C. Cir. 2000) noted that some post-cut-through dialed digits are "content," but the bulk of the information listed above is not, and is thus all potentially accessible without intercept authorization.
All of these terms are important to keep in mind because CALEA was drafted with an understanding of this history and with the traditional telephony field as its focus.
CALEA requires communications carriers to be capable of providing both "call-identifying information" (CII) and call content to law enforcement. In the circuit-switched world of traditional telephony, the meaning of CII was clear: telephone numbers are CII, and the conversations are content. But in the packet-mode world of the Internet, communications are encapsulated (see the discussion of encapsulation below), and each protocol layer is associated with different "signaling information." Whether a component is "signaling information" or "content" depends on which layer is reading it. Thus CII on the Internet is not a clearly defined concept, although it is in traditional telephony. Compliance with CALEA in the packet-mode world of the Internet will therefore result in significant legal, technical, and economic problems.
The Administrative Office of the United States Courts has provided a "report to Congress regarding the number and nature of federal and state applications for orders authorizing or approving the interception of wire, oral, or electronic communications." This report does not include PEN trap wiretaps.
Are communications services providers legally obligated to assist law enforcement in carrying out communications surveillance?
Yes. Even before CALEA, federal law required communication service providers to assist law enforcement in carrying out the interception of communications (whether via telephone or computer network) by providing "all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively."
Indeed, there has been a long history of telecommunications carriers and service providers assisting law enforcement with surveillance. If law enforcement can meet the strict standards of Title III of the Omnibus Safe Streets and Crime Control Act of 1968, court orders permit them to intercept the content of communications (although under the PATRIOT Act, some wiretaps may be done with documentation less stringent than a court order), and communications service providers must comply with law enforcement in facilitating that interception of content.
Law enforcement is now attempting to broaden CALEA by requiring communications service providers to design their networks to make it easy and fast for law enforcement to perform wiretaps, pen-register, and trap-and-trace surveillance on a large number of people. In other words, the FBI wants service providers and equipment manufacturers to design their networks to be surveillance-friendly from the ground-up and starting at the product design phase. CALEA would then serve as a technology mandate, imposing design or architecture duties upon communications technology itself to "guarantee" that surveillance will always be fruitful. This is a far cry from simply requiring communications service providers to assist law enforcement in retrieving information or content that is reasonably available given the current state of technology.
What problem did Congress intend CALEA to solve?
Congress passed CALEA to force telecommunications carriers to design their networks so as not to impede authorized law enforcement surveillance requests. At the same time, CALEA's legislative history shows that Congress recognized the need to protect the privacy of communications "in the face of increasingly powerful and personally revealing technologies" (H.R. Rep. No. 103-827, 1994 U.S.C.C.A.N. 3489, 3493 (1994) (House Report)) by mandating that carriers protect "the privacy and security of communications and call-identifying information not authorized to be intercepted" (47 U.S.C. § 1002(a)(4)(A)). And Congress explicitly recognized the need to accomplish both of these goals without impeding innovation in the marketplace for new technologies, products, and services (see House Report).
The ability of law enforcement to conduct surveillance is not at issue in the current debate regarding CALEA. Rather, the dispute regarding CALEA centers on two issues: (1) what constitutes "content" on the Internet, and (2) the extent to which the government can mandate technical innovation.
What is a Notice of Proposed Rulemaking (NPRM)?
CALEA, like most complex laws, provides for a regulatory agency (in this case, the Federal Communications Commission) to institute regulations to further define the law's application. Both the FBI and the FCC have published CALEA regulations.
To institute a new regulation, the FCC generally publishes a Notice of Proposed Rulemaking in the Federal Register, providing a period of time for organizations, industry and members of the public to submit comments to the FCC. After receiving comment on the proposed rules, and sometimes holding a public hearing, the FCC issues a Final Rule, which then enters the Code of Federal Regulations. The FCC's interpretation is still subject to overview by the courts.
Initially, law enforcement sought an "expedited rulemaking" from the FCC, which would have curtailed the commission's usual lengthy review process. While the NPRM process is better than the expedited rulemaking, the tentative conclusions in the NPRM are still so sweeping that Congress, rather than the FCC, is the appropriate law-making body to evaluate and determine if CALEA should be amended.
How does the NPRM address the definition of call-identifying information?
The concept of call-identifying information ("CII") in packet-switched technology has no agreed-upon definition or scope at present. But law enforcement proposes to treat the fine-grained "transactional" information you can get by surveilling the Internet as being comparable to that available in the traditional phone network arena. As the FCC concedes, broadband access providers may not be able to easily isolate call-identifying information without examining the packets in detail, which would necessarily require examining the packet content. The NPRM seeks further comment on how to define call-identifying information in packet technologies, and how much information is "reasonably available" to broadband access and VoIP providers.
In the Internet context, one could interpret CII to mean that at most only the network layer transactions, along with source and destination IP addresses, should be treated as the functional equivalent of telephone numbers. And this would be only to the extent that those IP addresses do not map directly to a particular web page. The FBI's petition seeks rules far beyond Congress's intent when enacting the statute. They pose serious constitutional questions regarding the extent to which individuals' privacy may be invaded by government for investigative purposes.
What is the new application of CALEA in the NPRM?
The NPRM tentatively imposes CALEA obligations upon both broadband Internet access services and certain voice over Internet protocol (VoIP) services.
Broadband Internet access providers are all "facilities-based providers of any type of broadband Internet access service," including "wireline, cable modem, satellite, wireless and broadband access by powerline." Broadband is defined as any connectivity providing more than 200 kbs downstream.
By "facilities-based," the FCC refers to "entities that provide transmission or switching over their own facilities between the end user and the Internet Service Provider." The FCC interprets "switching" to "include routers, softswitches, and other equipment that may provide addressing and intelligence functions." This significantly broadens the understanding of "switches" in a telecommunications environment, as the term was previously thought to mean circuit-based switches.
The NPRM holds that "providers of managed VoIP services, which are offered to the general public as a means of communicating with any telephone subscriber, including parties reachable only through the PSTN, are subject to CALEA." However, "managed" is not directly defined, with the FCC adopting the Law Enforcement description of "those services that offer voice communications calling capability whereby the VoIP provider acts as a mediator to manage the communication between end points and to provide" call management information.
In addition, the FCC issued a Declaratory Ruling that commercial wireless "push-to-talk" services are subject to CALEA.
Does the FCC propose to apply CALEA to all types of online communication, including instant messaging and visits to websites?
Not yet. The NPRM proposes CALEA coverage of "only" broadband Internet access services and managed VoIP services, and excludes instant messaging and email. However, the FCC's broad understanding of the substantial replacement clause will create a stifling regulatory environment in which law enforcement will undoubtedly contend that other emerging communications technologies fall under CALEA. And industry could add surveillance-ready equipment, services, and network capability as an attempt to appease law enforcement given the current national focus on homeland security (and indeed some already have — see Cisco's CALEA architecture, which is expected to become a more formal RFC at some point). Given product-development cycles that can take two years or more, industry may hedge its bets by building in surveillance-friendly features now rather than waiting for government mandates. Inevitably, law enforcement will seek over time to bring more and more communications services under the CALEA umbrella.
How do the proposed rules endanger technical innovation?
In recent years, the FCC has been committed to lowering government barriers to innovation and the deployment of new services. However, the broad understanding of what it means to be a substantial replacement of the local telephone exchange — and therefore subject to CALEA — means that industry would be constantly under the threat of CALEA compliance costs. VoIP and broadband Internet access may be under the gun now, but a host of technologies — online gaming, instant messaging services, video conferencing systems and others — face the threat that law enforcement will look to them in the next petition.
Thus, rather than industry driving innovation, government would be dictating functionality. U.S. leadership in technological innovation would slip because time to market for new U.S. products would lengthen to accommodate surveillance technologies. Moreover, U.S. products would be less attractive outside the country because international customers won't want technology designed to facilitate U.S. surveillance. America's global competitiveness will be further eroded by overseas companies who will surely develop technology to circumvent CALEA surveillance capability.
What surveillance capabilities does CALEA require from telecommunications carriers?
If a carrier receives a court order or other lawful authorization, it must be able to: (1) quickly isolate all wire and electronic communications to and from a targeted person; (2) quickly isolate call-identifying information (numbers they've called and calls they've received) of a targeted person; (3) provide intercepted communications and call-identifying information to law enforcement; and (4) carry out intercepts unobtrusively, so targets are not made aware of the electronic surveillance, and in a manner that does not compromise the privacy and security of other people using the carrier.
Does CALEA require carriers to follow certain standards?
Yes. But CALEA relies on industry to set standards — not law enforcement. CALEA states that if a communications carrier complies with "publicly available technical requirements or standards adopted by an industry association or standard-setting organization," the government will consider it to be CALEA-compliant (Section 107(a)(2) of CALEA).
Subcommittee TR-45.2 of the Telecommunications Industry Association (TIA), along with Committee T1 of the Alliance for Telecommunications Industry Solutions, developed interim standard J-STD-025 to serve as a CALEA standard for wireline, cellular, and broadband PCS carriers and manufacturers. It defines how these carriers can assist with lawfully authorized electronic surveillance, and specifies interfaces necessary to deliver intercepted communications and call-identifying information. However, this standard has been under revision for some time and law enforcement has made numerous efforts to significantly modify this industry-led, standard-setting effort. The recent CALEA petition is simply their latest effort to do this.
What did law enforcement request in its recent joint petition to the FCC?
On March 10, 2004, the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Drug Enforcement Administration (DEA) filed a joint petition for expedited rulemaking with the Federal Communications Commission (FCC). The petition asks the FCC to issue a declaratory rulemaking that accomplishes the following:
- significantly broaden CALEA's scope by issuing a Declaratory Ruling or other formal FCC statement (rather than the usual rulemaking procedures), and ultimately adopt final rules, bringing broadband access services and broadband telephony services under CALEA;
- adopt rules that provide for the easy and rapid identification of future CALEA-covered services and entities as a way for CALEA to swallow emerging technologies that might not have been originally contemplated as within CALEA's scope;
- establish deadlines for CALEA packet-mode compliance to force communications providers to build in surveillance-ready networks;
- adopt rules that provide for the establishment of deadlines for CALEA compliance with future CALEA-covered technologies so that the federal government becomes a gatekeeper to future product and service development in the Internet sphere;
- establish rules to permit it to request information regarding CALEA compliance generally although the FBI has given no specifics on this vague request;
- establish procedures for forcing carriers to comply with their CALEA obligations; and
Who will bear the costs of implementing CALEA?
Consumers. The NPRM's proposed expansion of CALEA concluded that carriers should be forced to spend millions of dollars on CALEA compliance. The FCC explores a mechanism by which these costs will pass to their customers, including a Commission-mandated flat monthly charge. Quite literally, then, consumers would be subsidizing the surveillance state.
Why does the NPRM ignore CALEA's "information services" exemption?
Otherwise CALEA's "information services" exemption would have prohibited the unprecedented expansion of CALEA's scope. The NPRM proposes that providers of broadband Internet access services, which previously have been classified as "information services," be defined for CALEA purposes as "telecommunications carriers" though they would still be "information services" under the Communications Act. The FCC interpreted CALEA to have a different meaning for "telecommunications carriers," such that where a service provider is determined to be a "telecommunications carrier" under the CALEA substantial replacement clause, it can no longer qualify for the "information services" exemption.
To reach this conclusion, the NPRM ignores the plain language of the law, as well as legislative intent. Congress clearly excluded "information services" from CALEA's requirements. The legislative history states that "all information services . . . [are] excluded from coverage," and that "the bill does not require reengineering of the Internet . . . [or] impose prospectively functional requirements on the Internet." As the D.C. Circuit has explained, "CALEA does not cover 'information services' such as e-mail and internet access."
In CALEA, what is the legal difference between "telecommunications carrier" and "information services"?
Under CALEA's definitions, if one is "engaged in providing information services," then one is absolutely not a "telecommunications carrier." A telecommunications carrier is defined as "a person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire," and specifically excludes "persons or entities insofar as they are engaged in providing information services."
However, if the FCC determines that it is in the public interest to deem "a person or entity" a "replacement for a substantial portion of the local telephone exchange service," then it may do so. While Law Enforcement was unable to provide any examples of broadband or VoIP actually replacing the local exchange service, the NPRM reads "substantial" out of the clause, finding it means any portion, and suggesting that broadband replaces the "portion" where home computer users used to dial-up (via POTS) to their ISP.
Furthermore, the proposed rule ignores the "information services" exemption, finding that it does not apply to entities under the substantial replacement clause, and ignores Congress' stated "intention not to limit the definition of 'information services' to such current services, but rather to anticipate the rapid development of advanced software."
Is the FBI trying to dictate how the Internet should be engineered to permit whatever level of surveillance the FBI deems necessary?
Yes. What the FBI is really asking for is a massive overhaul of how the Internet works to make it easier for federal agents to listen in on people's digital conversations. EFF believes that law enforcement should not be allowed to have veto power over proposed innovations to the Internet in order to make spying easier. In addition, federal agencies should not force the broadband industry—and by extension, its consumers—to bear the considerable costs of purchasing and implementing surveillance-ready network technologies simply because it suits the government's needs.
Why can't CALEA be applied to the Internet in the same way it applied to the phone system?
The FBI would like all call-identifying information that is available in phone-network technology to be available in computer-network technology, even if it is not "reasonably available." However, packet-mode (i.e., computer) technologies can transmit a huge variety of services, and the information that law enforcement seeks may be buried in several layers of encapsulated packets. The issue is the scope of call-identifying information, and the question is whether that data is reasonably available and achievable in packet-mode technology as it is in circuit-mode (i.e., phone) technology. The NPRM tentatively concludes that CII may not be "reasonably available" if the information is only accessible by significantly modifying a network, but seeks comment on what information would be available.
CALEA never contemplated that the information available in circuit-mode telephone systems would be the measuring stick for all future technologies. If law enforcement gets its way, it would obtain considerably more information about individuals merely by certifying that it is relevant to an investigation.
For purposes of CALEA, what distinguishes the Internet from the traditional phone system is something called "encapsulation." Encapsulation is the process of adding protocol-control information to a service data unit ("SDU," the information passed down from the layer above), thus forming a protocol data unit (at the current layer) to be passed as an SDU to the layer below.
On the Internet, traffic is defined and routed via "stacked" protocol layers that allow different Internet hosts to focus only on the addressing information that they need to move packets from one point to another. The protocol layers are, from top to bottom:
- Applications and Programs
- L7 Applications layer
- L6 Presentation layer
- L5 Session layer
- L4 Transport layer
- L3 Network layer
- L2 Link layer
- L1 Physical layer
Packet activity reporting as requested by law enforcement requires the network to report on data that it does not manage. The network manages the connection, not the data. To require otherwise would significantly impact the development and deployment of network equipment. In the circuit-switched world of traditional telephony, the meaning of "call-identifying information" ("CII") was clear: telephone numbers are CII, and the conversations are content. But in the packet-mode world of the Internet, communications are encapsulated as described above, and each protocol layer is associated with different "signaling information." Whether a component is "signaling information" or "content" depends on which layer is reading it. As the NPRM recognizes, it may not be easy to isolate call-identifying information without examining packet content. Thus CII on the Internet is not a clearly defined concept as it is in the traditional telephony environment.
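The layer-dependence described above, as an added example that is not part of the original FAQ: a constructed VoIP signaling packet is split at the network, transport and application layers to show which identifiers each layer's own header exposes and what it carries as opaque payload. SIP is assumed here as a representative VoIP signaling protocol; the addresses, SIP URIs and function names are made up for illustration.

```python
import socket
import struct

# Constructed sample data (documentation address ranges, made-up SIP URIs).
SDP_BODY = b"v=0\r\nm=audio 49170 RTP/AVP 0\r\n"
SIP_MESSAGE = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"From: <sip:alice@example.org>\r\n"
    b"To: <sip:bob@example.net>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: " + str(len(SDP_BODY)).encode() + b"\r\n"
    b"\r\n" + SDP_BODY
)


def build_udp(src_port, dst_port, payload):
    """Encapsulate payload in a UDP header (checksum left at 0 for the example)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src, dst, payload, proto=17):
    """Encapsulate payload in a 20-byte IPv4 header (checksum left at 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload


def split_ipv4(packet):
    """Layer 3 view: addresses are signaling, the rest is payload."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    signaling = {
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "protocol": packet[9],
    }
    return signaling, packet[ihl:total_len]


def split_udp(segment):
    """Layer 4 view: ports are signaling, the rest is payload."""
    src_port, dst_port, length, _ = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src_port, "dst_port": dst_port}, segment[8:length]


def split_sip(message):
    """Layer 7 view: SIP headers are signaling, the message body is payload."""
    head, _, body = message.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    signaling = {"request_line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        signaling[name.strip().lower()] = value.strip()
    return signaling, body


def layer_views(packet):
    """Return (layer, signaling seen at that layer, payload opaque to that layer)."""
    l3_sig, l3_payload = split_ipv4(packet)
    l4_sig, l4_payload = split_udp(l3_payload)
    l7_sig, l7_payload = split_sip(l4_payload)
    return [
        ("L3 network", l3_sig, l3_payload),
        ("L4 transport", l4_sig, l4_payload),
        ("L7 application", l7_sig, l7_payload),
    ]


def layers_exposing(packet, needle):
    """Names of layers whose own header fields (not payload) contain needle."""
    return [
        name
        for name, signaling, _ in layer_views(packet)
        if any(needle in str(value) for value in signaling.values())
    ]


PACKET = build_ipv4("192.0.2.10", "198.51.100.20",
                    build_udp(5060, 5060, SIP_MESSAGE))

if __name__ == "__main__":
    for name, signaling, payload in layer_views(PACKET):
        print(f"{name}: signaling={signaling} payload_bytes={len(payload)}")
    # The calling party's identity is payload to the network layer.
    print("IP address visible at:", layers_exposing(PACKET, "192.0.2.10"))
    print("Caller URI visible at:", layers_exposing(PACKET, "sip:alice@example.org"))
```

The caller's SIP URI appears only in the application-layer headers, which the network layer carries as payload, so a device that reads only IP headers cannot report it without inspecting what it would otherwise treat as content.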
How are VoIP applications different from telecommunications services?
VoIP refers to a vast array of technologies that transmit voice over the Internet. A traditional telecommunications service generally relies upon one kind of protocol that is treated in the same way throughout the telephone network. VoIP, however, can refer to any number of applications. Skype manufactures a VoIP application that uses cryptography and a peer-to-peer architecture. Vonage, on the other hand, makes a VoIP application that links phones from the traditional telephone network to the Internet via special servers. These applications, while both routing phone calls through the Internet, do it in dramatically different ways using extremely different software.
The NPRM proposes to place "managed" VoIP under the purview of CALEA. However, "managed" is not directly defined, adopting the Law Enforcement description of "those services that offer voice communications calling capability whereby the VoIP provider acts as a mediator to manage the communication between end points and to provide" call management information.
There is a real danger when the government tries to regulate software applications as if they were telecommunications services. While a traditional telecommunications service like the telephone network is easily defined, VoIP software applications aren't. Inevitably, confusion will result, with possibly disastrous results for the software industry.
What's the likely global impact if the FCC approves the tentative rules set forth in the NPRM?
Building in "back doors" for law enforcement is likely to increase the market demand for foreign competitor offerings to U.S. software and hardware products. If the FCC enacts the tentative rules, it will impair innovation and drive Internet development offshore. Another possible problem would be U.S.-based criminals or terrorists importing gray-market equipment that is "CALEA-free." CALEA-driven mandates will cause technologies to be developed overseas to circumvent U.S. surveillance capability.
What is the administrative timeline for CALEA?
| Date | Event |
|---|---|
| 1994 | Congress passes CALEA. |
| 15 August 2000 | In the case of United States Telecom Association, et al., Petitioners v. Federal Communications Commission and United States of America, respondents and AirTouch Communications, Inc., Interveners. (D.C. Circuit, August 15, 2000) the United States Court of Appeals for the District of Columbia Circuit partially vacates and remands to the FCC the Third Report and Order. The court refuses to vacate the FCC's Order with respect to packet-mode communications and location information, so these two capabilities are not altered by the court's decision. |
| 21 September 2001 | FCC releases Order FCC 01-265, in which it denies CTIA's request for a blanket extension of the September 30, 2001 compliance deadline for these carriers to implement a packet-mode communications capability. However, due to the imminence of the packet-mode compliance deadline, the FCC grants these carriers until November 19, 2001, either to come into compliance or seek individual relief. |
| 19 November 2003 | FCC releases Public Notice DA-03-3722, in which the Wireline Competition Bureau and Wireless Telecommunications Bureau extends, until January 30, 2004, unless superseded by a final determination on the merits of individual petitions, the current November 19, 2003, preliminary extension granted to wireline and wireless carriers who filed for extensions of packet-mode surveillance capability requirements. |
| 12 March 2004 | FCC releases Public Notice DA 04-700 to request comments as a result of rulemaking proceeding RM-10865 opened at FBI's request. |
| 17 March 2004 | DOJ, FBI, and DEA issue press release regarding joint petition. |
| 9 August 2004 | FCC issues Notice of Proposed Rulemaking. |
| ??? | FCC publishes Notice of Proposed Rulemaking in Federal Register. |
What happens next?
The NPRM was formally published in the Federal Register on September 23, 2004. Comments are due November 8, 2004, and reply comments are due December 7, 2004. After receiving comment on the proposed rules, and potentially holding a public hearing, the FCC can issue a Final Rule, which then enters the Code of Federal Regulations.
How does the EFF want the FCC to proceed?
The EFF believes that the FCC's interpretation of the "substantial replacement" clause is fundamentally flawed, and does not support the expansion of CALEA proposed in the NPRM. Therefore, we would like the FCC to abandon the proposed rule, and allow Internet technologies to continue to flourish without government-mandated limitations.
How does one comment on the NPRM?
You may file comments on or before November 8, 2004, and reply comments on or before December 7, 2004. Comments may be filed using the FCC Electronic Comment Filing System, by email or by filing paper copies. For short comments, you can use ECFS Express.
To get filing instructions for e-mail comments, send an email to email@example.com and include "get form <your e-mail address>" in the body of the message. If you choose to file by paper, you must file an original and four copies of each filing. Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9300 East Hampton Drive, Capitol Heights, MD 20743. U.S. Postal Service mail should be addressed to 445 12th Street, SW, Washington, D.C. 20554. All filings must be addressed to the FCC Secretary, Office of the Secretary, Federal Communications Commission.
Who is the contact at the FCC for questions about the process?
For further information concerning this proceeding, you can contact Rodney Small of the FCC's Office of Engineering and Technology at (202) 418-2452 (Rodney.Small@fcc.gov) or Geraldine Matise at (202) 418-2322 (Geraldine.Matise@fcc.gov). Contact the FCC only for questions about procedure; comments about the proposed rule should be offered as described above.
What are some of the key issues on which the FCC seeks comment?
- FCC's interpretation of the substantial replacement clause and underlying definition of telecommunications carrier.
- The meaning of "public interest" in the FCC's consideration of the substantial replacement clause.
- What call-identifying information is "reasonably available" without modifying the network.
- Whether to identify future services and entities subject to CALEA.
- Feasibility of "trusted third parties" to provide CALEA compliance services.
- Appropriateness of available industry standards and specifications to serve as safe harbors for CALEA compliance.
Are "Trusted Third Party" Models Appropriate?
The FCC proposes to allow third parties to manage government surveillance requests: a private company would analyze all the data from a telecommunications carrier, extract information relevant to the court order, and send it to law enforcement.
Privatizing this traditionally government function is inappropriate. There's no assurance that private entities will safeguard the privacy and security of information not authorized to be collected. Where covert surveillance is at issue, we must ask, "who will watch the watchers?"
Several large corporations already offer CALEA services that might result in a loss of privacy for consumers. For example, VeriSign offers a legal intercept service to ISPs, which requires the providers to pipe all their data to VeriSign. The company's employees then analyze the data, extract information relevant to the court order, and send it to law enforcement. This transaction leaves personal data potentially vulnerable when it travels from the service provider's network to VeriSign's. It also places the personal data of innocent people in the hands of a third party without customer consent. It's unclear how these "trusted third parties" can be overseen effectively to protect your communications. If too much information is collected, will you know about it?
More generally, services like these support and expand what the ACLU has called the Surveillance-Industrial Complex. Since compliance with surveillance requests is a significant cost for carriers, telecommunications companies have acted as a check on government power, lobbying against excessive proposals. Now, private entities that profit from surveillance will have an incentive to lobby for more government surveillance powers.
What about the Brand X decision?
In the FCC v. Brand X case, the Ninth Circuit ruled against FCC regulation of broadband cable services as an "information service" under the Communications Act, concluding that "cable broadband service was not a 'cable service' but instead was part 'telecommunications service' and part 'information service.'" The FCC has sought certiorari from the Supreme Court.
The NPRM essentially ignores the Brand X case, adopting the position that the definitions in the Communications Act are different from CALEA, and thus do not require consistent interpretations. However, some of the FCC Commissioners expressed reservations about the tension between the Brand X holding and the NPRM. Comm. Jonathan Adelstein wrote in a separate statement that the NPRM's "failure to seek comment on a legal analysis that would comport with the Circuit's holding is an unnecessary failing." Comm. Michael Copps opined that "ignoring the Ninth Circuit's decision in Brand X... is not the way to proceed here." As Comm. Kathleen Abernathy acknowledges, "at the end of the day, the federal courts — rather than this Commission — will be the arbiter of whether we are authorized to take the actions proposed in this rulemaking..."
Where can I find more information?
- "Introduction to the Internet" by Cisco Systems
- Law Enforcement's CALEA site
- Federal Communications Commission's CALEA site
- U.S. Department of Justice's CALEA site
- Administrative Office of the United States Courts' Wiretap Report