CALEA: Driving innovation offshore
Someone sent me a clandestine copy of the CALEA draft. I don't see how it could be worse.
The whole idea behind CALEA is to shift the cost of surveillance from law enforcement to industry. (The statute isn't about the legality of requests for information — the question is how much help industry should give law enforcement by making services easily tappable.) The 1994 statute recognized these cost issues by setting up a fund of $500 million to repay the telcos who were required to comply. It was also clearly limited to the large telecommunications carriers (traditional telephone companies) and to information identifying telephone calls, which was relatively limited and standardized from the outset. The internet was not covered.
In this new draft bill, the costs of making surveillance easy have been firmly shifted to the tech industry in the U.S. And innovators will have to satisfy law enforcement that their new applications and services are easily tappable and produce the data that government wants. “Communication-identifying information” is very broadly defined, and includes (but isn't limited to!) “source and destination Internet protocol and other protocol addresses, the port number, packet file size, and user authentication and logon information, including session time and duration.”
Here's what you need to know about the rewrite of CALEA now being proposed by law enforcement: It's limitless.
(1) It covers every possible communications service and application (voice and data), using every possible medium.
(2) To the extent any service is somehow not covered (because, say, it doesn't provide any routing or addressing attributes), the bill reserves unlimited discretion in the FCC to decide that it would be in the public interest to cover it.
(3) It says that communications-identifying information should be available in formats that law enforcement wants.
For example, the draft bill defines “communications carrier” to include any entity providing “replacement telephone service,” and then defines “replacement telephone service” to include any service using “transmission, routing, addressing, or switching services” that make it possible for a customer using any technology to “send and receive any communications involving the human voice.”
This would cover any gaming application that sets up its own namespace/voice system; any online conferencing service, any instant messenger client that is voice-enabled. Webmail services are covered to the extent their provider makes available “transmission, routing, addressing or switching equipment, facilities, or services.”
All network access providers are covered, of course (as long as their services are offered to the public).
All of the covered entities/people will have to get all communication-identifying information to the government on request in a “standard, commercially available, and reliable format.” The network access providers will have to isolate the stream of communications being created by the subscriber and store that stream for law enforcement (no limits on time).
There is much more here — the FCC is to take into account noncompliance with CALEA in considering anything having to do with the covered entity (whether CALEA-related or not); the FCC doesn't necessarily have to give covered entities any reasonable amount of time to comply; and covered entities will bear all the costs of any modifications needed for equipment/services created after 1995.
The requirement that all applications that include any routing component provide an easily-accessed back door to government and spit out standardized data is breathtaking. And I'm sure there's more here that I haven't understood.
This is the bill that sends innovation offshore.