Extra Feeds & Services »

Home / Blogs

CALEA Roundup: 2005-2007

  • Aug 16, 2007 2:07 PM PDT
  • Comments: 0
  • Views: 3,798
Print Comment
By Susan Crawford
Susan Crawford

The wrangling around the Communications Assistance to Law Enforcement Act (CALEA) is one of those issues that creeps inexorably forward and is hard to follow unless you're really focusing. So here is a quick, if longish, overview:

CALEA is a 1994 statute that requires telephone companies to design their services so that they are easily tappable by law enforcement in need of "call-identifying information." Back in August 2005, following a request from the Dept. of Justice, the Commission moved swiftly to impose CALEA obligations on providers of broadband access services and "interconnected VoIP" services. Now the Dept. of Justice is asking for mandated design compliance for content (packets), location, and other issues—seemingly far away from the statute's focus on access.

Ever since CALEA was enacted, law enforcement, industry, and the FCC have been tussling over what needs to happen for compliance. The statute says that telecommunications common carriers are supposed to "expeditiously isolat[e] and enabl[e] the government, pursuant to a court order or other lawful authorization, to access call-identifying information that is reasonably available to the carrier...” and then deliver intercepted communications and call-identifying information to the government "in a format such that they may be transmitted… by the government to a location other than the premises of the carrier."

CALEA doesn't allow law enforcement to ask for designs that would enable access to "content" information beyond "call-identifying" information without proper legal process. The Commission has said that "privacy concerns could be implicated if carriers were to give to [law enforcement agencies] packets containing both call-identifying and call content information when only the former was authorized."

Much of the tussle has to do with cost-shifting: the original CALEA statute authorized $500 million to be allocated to paying the carriers back for their efforts in connection with compliance, but there's no money being offered to the internet players. But a lot of the recent tussle has to do with how to move CALEA's obligations into the internet era. The problem is that CALEA was specifically written not to cover online applications like email and other "information services." And saying what online "call-identifying" (non-content) information is presents a difficult task.

The CALEA Order released in August 2005 interprets CALEA to cover any services provided by non-telephone companies that are in some way (however minor) replacements for telephone services. Many people thought that was a very strange interpretation of the statute, which specifically exempts information services (online applications) from the definition of "telecommunications carrier."

Then, last summer (June 2006), the D.C. Circuit chose to defer [PDF] to the FCC's interpretation of CALEA. (Just as in BrandX—if Congress enacts a statute that can be categorized as "vague," and the FCC interprets it, the courts will often go along.) But the D.C. Circuit tried to make clear that CALEA could cover only the telecommunication-carrier aspects of broadband access and VoIP—the transport/access part/switching parts of these services that replace traditional phone service. CALEA pretty clearly does not apply to the other things these services could do, like storage of email or web hosting. CALEA, the court said, is about access.

So, if the FCC wanted to broaden the coverage of CALEA to take in other non-access functions, they'd have to go back to Congress.

Well, law enforcement didn't want to go back to Congress. Instead, in May 2007 the Dept. of Justice filed a "deficiency petition” [link goes to Part 1 of 3] with the Commission. DOJ is now asking for an "expedited rulemaking" that would require broadband access providers to provide "call-identifying information" in the form of packet activity reporting for all of those online applications - all information services. DOJ is also asking for location information that is more precise than just cell-tower level information, and they want wireless carriers to force consumers to always have the location function in their cellphones on - a CALEA location mandate.

This is a very big deal. In the past, CALEA required local phone companies to meet call-identifying obligations when it came to someone's phone call to reach his dial-up ISP. So the local phone company had to provide information about the start and end of that phone call. Even though "packets" were certainly traveling around this dial-up connection, no additional information had to be sent on to law enforcement, and the local phone company wasn't supposed to listen to the phone call.

Now, law enforcement wants wireless transmission service providers (say, Verizon) to be able to report to law enforcement about what packets are being carried by them, using which port numbers. (There's no real functional difference between wireless internet access and wired, so this same obligation would be applied to all highspeed internet access providers.) Driving things to the packet level is a big deal. It's way beyond what anyone understood "call identifying information" to mean in the days of the telephone. And port numbers would reveal information about what application was being used, which is "content."

This isn't about law enforcement's ability to get packet-level information from anyone. With lawful process (like a warrant), law enforcement could ask for content elements from any old VoIP provider within its jurisdiction. The key thing here is cost-shifting and design: can law enforcement ask in advance that information service providers design their systems to spew out exactly the information that law enforcement wants, in law enforcement's desired format? particularly when this information will necessarily include content?

The statute says (in my view) that law enforcement can't do this, and the FCC doesn't have the authority to rewrite the statute. The Commission can't just say that all packets and port numbers are part of "call identifying information," and can't extend CALEA's design obligations to information service functions (even information service functions of broadband access providers) that aren't part of transmission/access/switching. The location mandate would be hugely privacy-invasive, and would require handset providers to build their phones in a particular way.

VeriSign, predictably, has filed in this proceeding to remind the Commission that it's a provider of "CALEA Trusted Third Party Services," and urges the Commission to quickly grant law enforcement's petition. VeriSign takes the view that what law enforcement is asking for is "well-settled" and just needs"clarification" as being covered by CALEA.

Bottom line: the Dept. of Justice wants to require highspeed internet access providers to (1) design their systems so as to be able to provide detailed information about every packet that goes by, (2) to be able to provide fine-grained tracking information; and (3) to shift the cost of all of this to the carriers.

Implications: if you have to be able to do all of this to provide highspeed access, you won't go into business lightly. Only the largest incumbents will be able to handle these obligations if the FCC grants this petition. Open access doesn't fit with these requirements at all, because the whole point would be that the carrier wouldn't even know what applications were being used on its network. (So if you wanted to get rid of open access, you'd accept these changes to CALEA and then use CALEA as a reason never to allow competitive ISPs to connect to the wires and wireless systems of incumbents.) What about mesh, what about opportunistic community networks? And what about privacy? Should it be a condition of using a portable device that you permit your carrier to be able to easily report where you are at all times?

In late July 2007, several responses (CTIA, CDT et al.) were filed to the DOJ's May petition for expedited rulemaking. I can't tell from the docket when the Commission plans to rule on the petition, and I'm hoping they deny it. If law enforcement is going to suggest design mandates for all online applications, elected representatives should be aware- the statute they passed in 1994 clearly didn't cover this. It is not a good idea to rely on the Commission's discretion in these key areas.

By Susan Crawford, Professor, University of Michigan Law School. Visit the blog maintained by Susan Crawford here.

Related topics: Access Providers, Broadband, Law, Policy & Regulation, Privacy, Telecom, VoIP, Wireless

Get a weekly summary of postings to CircleID:

 Master Feed (more feeds)      Twitter      Mobile
Bookmark / Email This Post
Print Comment

Comments

To post comments, please login or create an account.

Related Blogs

Mobile Operators and the Broadband Boom

  • Mar 16, 2010
  • Comments: 0

What's Wrong With the FCC's Consumer Broadband Test?

  • Mar 15, 2010
  • Comments: 0

The Free Internet in Jeopardy

  • Mar 11, 2010
  • Comments: 0

American National Broadband Plan Good First Step

  • Mar 10, 2010
  • Comments: 9

OTT Threat to Telco's Middleware Opportunities

  • Mar 08, 2010
  • Comments: 0
View More

Related News

ICANN CEO Urges African Telcos to Shatter Monopolies

  • Mar 08, 2010
  • Comments: 1

German High Court Says No to Retaining Telecom, Email Data for Tracking Criminal Networks

  • Mar 02, 2010
  • Comments: 0

Comcast Announces Aggressive Plan to Deploy DNSSEC, Launches First Public Trial

  • Feb 23, 2010
  • Comments: 0

FCC Aiming for 100 Million Households at 100 Megabits Per Second

  • Feb 17, 2010
  • Comments: 0

How IT and Internet Saved Lives in Haiti

  • Feb 17, 2010
  • Comments: 0
View More

Other Topics

Access Providers Broadband Censorship Cloud Computing Cyberattack Cybercrime Cybersquatting Data Center DNS DNSSEC Domain Names Domain Registries Email Enum ICANN Internet Governance Internet Protocol IP Addressing IPTV IPv6 Law Malware Mobile Multilinguism Net Neutrality P2P Policy & Regulation Privacy Regional Registries Security Spam Telecom Top-Level Domains VoIP Web White Space Whois Wireless
View More



Industry Updates – Sponsored Posts

SPECIAL: Updates from the ICANN Meetings in Nairobi

ICANN and Cybersecurity: Hot Topics at The First Ever .ORG Forum

  • By PIR
  • Views: 1,658

Paid Search Ads Can Lead to Fake Goods

SPECIAL: Updates from the ICANN Meetings in Seoul

eComm 2009: Discussions on Restructuring Global Telecoms

eComm 2009 Signs Skype As Headline Sponsor Of European Conference & Awards Debut Event

Vertical Integration: A View from the Bottom Up

  • By PIR
  • Views: 2,440

Nominum CEO: Commercial vs. Open Source - Let Customers Choose

Ben Scott and Free Press in the Network Age

Supernova Interview: David Isenberg

Wendy Seltzer Interview: How Law Impacts the Network Age

Jon Peha, Chief Technologist, FCC, on the National Broadband Plan

Joi Ito Interview: Creative Commons and Intellectual Property

Supernova Interview: JP Rangaswami

Registry/Registrar Vertical Integration: The Registrant Pays the Check

  • By PIR
  • Views: 3,241

Enforcement Success Rates on Online Marketplaces

Growing Global Adoption of Nominum's Intelligent DNS Spells Obsolescence for Legacy DNS Systems

Nominum's Intelligent DNS Gives Service Providers Commanding Advantage Against Internet Threats

MarkMonitor to Host New Webinar Series with Noted Trademark Law Authority Anne Gilson LaLonde

Nominum Delivers Service Provider Compliance Solution For Blocking Child Exploitation Sites Online

View More