by Seth Schoen

1993: Government proposes Clipper Chip (government-designed voice & data encryption with a government backdoor, meant to take up demand for privacy tools). The proposal fails.

  • Clipper Chip proposal would not have banned other encryption tools, but would have tried to establish Clipper as the leading standard in the marketplace.

1994: Communications Assistance for Law Enforcement Act (CALEA) creates capability mandate for telephone carriers to be able to wiretap, including capacity requirements and obligation to support government-approved tech standards for categories of data to intercept and how to turn it over.

  • Previously, carriers had to make best efforts to comply with court orders but could not be punished if technically unable to comply. Under CALEA, they must acquire the ability to comply beforehand.
  • Internet and data services are excluded from CALEA, which applies only to phone companies.
  • CALEA does not ban or regulate use of privacy tools to protect communications (even if the tools are supplied to users by the carriers themselves!). Carriers must help decrypt if they possess decryption keys, but are not punished for carrying encrypted data they can't understand.
  • CALEA does not include a telecommunications data retention mandate.

2005: Government re-interprets CALEA to apply to “facilities-based” Internet service providers (that provide physical net connections to users) and “interconnected” voice over IP providers (that allow phone calls to or from the telephone network). After courts agree with this interpretation, such ISPs and VoIP providers must also acquire wiretapping capabilities and can be punished for not doing so.

  • CALEA still does not apply to intermediaries who do not own physical telecommunication infrastructure. (For example, it doesn't apply to chat services, social networks, or webmail providers.)
  • CALEA still does not ban or regulate use of privacy tools to protect communications.

2006: Government re-introduces proposals for telecommunications data retention mandate.

2011: Government re-introduces proposals for extending CALEA to all communications intermediaries, and for restricting functionality of privacy tools to require a backdoor.

These legal rules have never existed in the United States:

  • Data retention (obligation for ISPs or Internet service operators to retain any logs as a general business practice)[1].
  • Restrictions on domestic development or use of cryptography or privacy software.
  • Restrictions on crypto features of devices or software distributed domestically by carriers.
  • Obligations to create backdoors or vulnerabilities in any privacy or security system.

U.S. privacy advocates continue to oppose proposals to change any of this!

Note the distinction between end-to-end encryption (like PGP or OTR) and link encryption (like HTTPS or GSM voice encryption). End-to-end encryption protects communications with the person at the other end. Link encryption protects communications with an intermediary (like the mobile phone carrier or Gmail), who still has access to all communications content!
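The distinction above, as an added example that is not part of the original handout: the same message is relayed through an intermediary, first with link encryption only and then with an end-to-end layer underneath. The toy cipher and the names `relay`, `link_only` and `end_to_end` are constructed for illustration and stand in for real protocols such as HTTPS and PGP/OTR.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher (SHA-256 keystream + HMAC tag), a constructed
# stand-in for TLS or PGP/OTR so the example runs offline. Not for real use.
def _stream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return out[:n]

def seal(key, msg):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def relay(payload, k_sender_link, k_recipient_link):
    """Intermediary: terminates one encrypted link, re-encrypts on the next.
    Returns (what the intermediary could read, bytes sent to the recipient)."""
    on_the_wire = seal(k_sender_link, payload)        # sender -> intermediary
    visible = unseal(k_sender_link, on_the_wire)      # intermediary holds this key
    return visible, seal(k_recipient_link, visible)   # intermediary -> recipient

def link_only(msg, k1, k2):
    visible, hop2 = relay(msg, k1, k2)
    return visible, unseal(k2, hop2)

def end_to_end(msg, k_e2e, k1, k2):
    # Sender encrypts for the recipient first, then uses the same links.
    visible, hop2 = relay(seal(k_e2e, msg), k1, k2)
    return visible, unseal(k_e2e, unseal(k2, hop2))

if __name__ == "__main__":
    k1, k2, k_e2e = os.urandom(32), os.urandom(32), os.urandom(32)
    msg = b"meet at noon"  # constructed sample message
    print("link only, intermediary sees :", link_only(msg, k1, k2)[0])
    print("end-to-end, intermediary sees:", end_to_end(msg, k_e2e, k1, k2)[0].hex())
```

In both runs the links to and from the intermediary are encrypted; only in the second does the intermediary hold nothing but ciphertext, because it never has the end-to-end key.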

Some end-to-end encryption has a backdoor or another way for someone other than the parties to the communication to get access. Governments continue to try to require such backdoors or significantly discourage use of end-to-end cryptography.

[1] There are no categories of log or subscriber data that must be retained by any Internet provider, and there is no legally mandatory retention period. It remains legal to provide Internet services to anonymous subscribers and not log when or where they connect. Internet cafés do not need to collect any identifying information about users.