CALEA Roundup: 2005-2007

Susan Crawford

The wrangling around the Communications Assistance to Law Enforcement Act (CALEA) is one of those issues that creeps inexorably forward and is hard to follow unless you're really focusing. So here is a quick, if longish, overview:

CALEA is a 1994 statute that requires telephone companies to design their services so that they are easily tappable by law enforcement in need of "call-identifying information." Back in August 2005, following a request from the Dept. of Justice, the Commission moved swiftly to impose CALEA obligations on providers of broadband access services and "interconnected VoIP" services. Now the Dept. of Justice is asking for mandated design compliance for content (packets), location, and other issues — seemingly far away from the statute's focus on access.

Ever since CALEA was enacted, law enforcement, industry, and the FCC have been tussling over what needs to happen for compliance. The statute says that telecommunications common carriers are supposed to "expeditiously isolat[e] and enabl[e] the government, pursuant to a court order or other lawful authorization, to access call-identifying information that is reasonably available to the carrier..." and then deliver intercepted communications and call-identifying information to the government "in a format such that they may be transmitted… by the government to a location other than the premises of the carrier."

CALEA doesn't allow law enforcement to ask for designs that would enable access to "content" information beyond "call-identifying" information without proper legal process. The Commission has said that "privacy concerns could be implicated if carriers were to give to [law enforcement agencies] packets containing both call-identifying and call content information when only the former was authorized."

Much of the tussle has to do with cost-shifting: the original CALEA statute authorized $500 million to be allocated to paying the carriers back for their efforts in connection with compliance, but there's no money being offered to the internet players. But a lot of the recent tussle has to do with how to move CALEA's obligations into the internet era. The problem is that CALEA was specifically written not to cover online applications like email and other "information services." And saying what online "call-identifying" (non-content) information is presents a difficult task.

The CALEA Order released in August 2005 interprets CALEA to cover any services provided by non-telephone companies that are in some way (however minor) replacements for telephone services. Many people thought that was a very strange interpretation of the statute, which specifically exempts information services (online applications) from the definition of "telecommunications carrier."

Then, last summer (June 2006), the D.C. Circuit chose to defer [PDF] to the FCC's interpretation of CALEA. (Just as in BrandX — if Congress enacts a statute that can be categorized as "vague," and the FCC interprets it, the courts will often go along.) But the D.C. Circuit tried to make clear that CALEA could cover only the telecommunication-carrier aspects of broadband access and VoIP — the transport/access/switching parts of these services that replace traditional phone service. CALEA pretty clearly does not apply to the other things these services could do, like storage of email or web hosting. CALEA, the court said, is about access.

So, if the FCC wanted to broaden the coverage of CALEA to take in other non-access functions, they'd have to go back to Congress.

Well, law enforcement didn't want to go back to Congress. Instead, in May 2007 the Dept. of Justice filed a "deficiency petition" [link goes to Part 1 of 3] with the Commission. DOJ is now asking for an "expedited rulemaking" that would require broadband access providers to provide "call-identifying information" in the form of packet activity reporting for all of those online applications - all information services. DOJ is also asking for location information that is more precise than just cell-tower level information, and they want wireless carriers to force consumers to always have the location function in their cellphones on - a CALEA location mandate.

This is a very big deal. In the past, CALEA required local phone companies to meet call-identifying obligations when it came to someone's phone call to reach his dial-up ISP. So the local phone company had to provide information about the start and end of that phone call. Even though "packets" were certainly traveling around this dial-up connection, no additional information had to be sent on to law enforcement, and the local phone company wasn't supposed to listen to the phone call.

Now, law enforcement wants wireless transmission service providers (say, Verizon) to be able to report to law enforcement about what packets are being carried by them, using which port numbers. (There's no real functional difference between wireless internet access and wired, so this same obligation would be applied to all highspeed internet access providers.) Driving things to the packet level is a big deal. It's way beyond what anyone understood "call identifying information" to mean in the days of the telephone. And port numbers would reveal information about what application was being used, which is "content."

This isn't about law enforcement's ability to get packet-level information from anyone. With lawful process (like a warrant), law enforcement could ask for content elements from any old VoIP provider within its jurisdiction. The key thing here is cost-shifting and design: can law enforcement ask in advance that information service providers design their systems to spew out exactly the information that law enforcement wants, in law enforcement's desired format, particularly when this information will necessarily include content?

The statute says (in my view) that law enforcement can't do this, and the FCC doesn't have the authority to rewrite the statute. The Commission can't just say that all packets and port numbers are part of "call identifying information," and can't extend CALEA's design obligations to information service functions (even information service functions of broadband access providers) that aren't part of transmission/access/switching. The location mandate would be hugely privacy-invasive, and would require handset providers to build their phones in a particular way.

VeriSign, predictably, has filed in this proceeding to remind the Commission that it's a provider of "CALEA Trusted Third Party Services," and urges the Commission to quickly grant law enforcement's petition. VeriSign takes the view that what law enforcement is asking for is "well-settled" and just needs "clarification" as being covered by CALEA.

Bottom line: the Dept. of Justice wants to require highspeed internet access providers to (1) design their systems so as to be able to provide detailed information about every packet that goes by; (2) to be able to provide fine-grained tracking information; and (3) to shift the cost of all of this to the carriers.

Implications: if you have to be able to do all of this to provide highspeed access, you won't go into business lightly. Only the largest incumbents will be able to handle these obligations if the FCC grants this petition. Open access doesn't fit with these requirements at all, because the whole point would be that the carrier wouldn't even know what applications were being used on its network. (So if you wanted to get rid of open access, you'd accept these changes to CALEA and then use CALEA as a reason never to allow competitive ISPs to connect to the wires and wireless systems of incumbents.) What about mesh, what about opportunistic community networks? And what about privacy? Should it be a condition of using a portable device that you permit your carrier to be able to easily report where you are at all times?

In late July 2007, several responses (CTIA, CDT et al.) were filed to the DOJ's May petition for expedited rulemaking. I can't tell from the docket when the Commission plans to rule on the petition, and I'm hoping they deny it. If law enforcement is going to suggest design mandates for all online applications, elected representatives should be aware: the statute they passed in 1994 clearly didn't cover this. It is not a good idea to rely on the Commission's discretion in these key areas.

By Susan Crawford, Professor, Cardozo Law School in New York City