CALEA: Five reasons why not
It's time to be actively concerned about a proposed DOJ draft amendment to CALEA — posted here by EFF. (Here's a post I did about this a short while ago.) Remember the outrage about the Hollings bill? Well, this is worse.
Quick review: back in 1994, the FBI had evidence that it had had trouble carrying out wiretap orders 183 times. So the FBI asked that telecommunications providers be required to design their equipment so as to be easily tappable — to make digital telephony as tappable as analog phones. At first, the FBI wanted all communications (including internet communications) to be subject to these design mandates — but that attempt was flatly rejected by Congress. We ended up with the current Communications Assistance to Law Enforcement Act of 1994.
CALEA requires telecommunications providers (not online services) to be able to get “call-identifying information” to law enforcement in a standard format. (Half a billion dollars was tagged to help these telecom providers redesign their systems to make this possible.) Call-identifying information doesn't include location information — it's pieces of information that could have been obtained in the old trap and trace/pen register days of traditional telephony, like the numbers dialed and the length of the call.
Although there is zero evidence that law enforcement has had problems carrying out wiretap orders since 1994, and indeed DOJ has only carried out a dozen or so interceptions of computer communications a year since 2003, DOJ has never liked the deal it got from Congress back in 1994. They want the internet. And so they've written a telephony-style bill and are trying to slap it on top of all online applications.
The draft bill is astounding. Here are five reasons why:
1. It covers all online communications services you can think of — instant messaging, gaming, peer to peer service providers, calendars, VoIP, search, and anything the FCC decides should be covered. In some narrow instances email may be excluded. But if the FCC decides email should be included, it'll be included. As I've said before, this would have enormous impacts on innovation if passed. Every single service would have to be redesigned to meet the compliance requirements of CALEA.
2. It forces all of these services to have a point of presence (servers) in the U.S. This is a very big deal. This means that any entity that allows people here in the U.S. to communicate has to have servers here. Remember ICQ? They started in Israel. They didn't have servers here. This means that no startup in any other country can help us communicate without being subject to the design desires of U.S. law enforcement. What?
This point of presence requirement is now found in China — they, too, want to make it easy for law enforcement to listen in and then arrest people.
3. It broadens the definition of “call identifying information” to include items that are content, and that will require deep packet inspection by ISPs. Example: “user authentication and logon information.” That's content — it's like the moment when you're on the phone and you tell someone your mother's last name. In order to get that information, you'd have to open up the communication and look inside. Example: ”post cut through digits.” That's content — it's like the moment when you're on the phone and you press number commands to make your voicemail system do something. (And, boy, what a telephony-style concept in the internet age.)
4. It says that law enforcement's interception needs trump every other interest, including (implicitly) getting communications to their destinations in a timely way. Think about it — if law enforcement wants real-time interception of VoIP calls and other online transactions, what do you think will happen to those communications? Right — they'll be slowed. And privacy concerns will go out the window.
5. It puts the cost of all of this squarely on the shoulders of online services. Sure, the big guys will be able to comply. But no garage startup is going to be able to handle these demands. Every tiny business needs 24/7 responsiveness to law enforcement (required in the bill)? Every tiny business copes with ever-changing law enforcement or FCC requirements? Every tiny application developer that helps its customers communicate in any way (every mesh network) has to comply with CALEA? Every dial-up system? Every private network that FCC decides should be covered?
Those are just the five big screaming headlines of what's wrong with this draft bill. I'm sure others can list more.
Comments
5 Responses to “CALEA: Five reasons why not”
Got something to say?
Dear Susan,
The draft bill is not astounding. With only one exception (POPs), it provides nothing more than is generally required in almost every other venue worldwide, and demonstrates its value many times a day in criminal and terrorist investigatory incidents.
To answer specific points:
1. All publicly provided services have long been covered worldwide and there is no effect on innovation. The equipment (actually generally the software) has been designed to support these capabilities. Where is has not, a simple passive probe can be readily employed. The rest of the world has now moved on to retained data requirements.
2. The point of presence requirement is a matter of some concern, but can be easily effected if virtual point of presence capabilities are used.
3. Call Identifying Information - also knon as IRI internationally or real time traffic data in the Cybercrime Convention - poses no special problem. It's long been required in almost every country, and new Direct Signal Reporting techniques make it a “no brainer.”
4. There is no apparent adverse effect on performance, and indeed, many of the requirements already are being provided on a far greater scale to enable operators to effectively manage their networks. Privacy concerns are actually enhanced under CALEA because it mandates a set of process and authentication requirements that must be filed with the FCC.
5. The compliance costs are trivial - an estimated one cent per subscriber per month when outsourced to a service bureau. The triviality is underscored by comparing these costs to other public infrastructure mandates such as USF, 911, priority access, etc, etc.
Tony Rutkowski, Distinguished Senior Research Fellow
Center for International Strategy, Technology and Policy
Sam Nunn School
Georgia Institute of Technology
By denying carriers the right to recoup their costs for making their networks CALEA compliant, the Department of Justice is effectively trying to fund their surveillance activities “off the books”. Recall the Iran-Contra Affair of the Reagan Administration where the CIA funded its operations in Nicaragua by selling arms to Iran, bypassing the federal budget process and privatizing national security. Now the Department of Justice is bypassing the federal budget and getting the telecommunications industry to fund its wiretap efforts.
The federal budget is a one of the ways that the citizenry curbs the power of government. If government is able to go off the books and fund its objectives, then there are no limits to government.
Hi, Tony,
I think it's only appropriate to let people know that in addition to your fellowship appointment at Georgia Tech you work for VeriSign. I know you are not speaking for VeriSign and that this is an individual comment of yours, but it's relevant that you and VeriSign have actively been pushing for broadened CALEA compliance obligations. VeriSign would like to provide services to companies that are covered by CALEA.
Susan
Tony:
You should really have a conversation with some engineers at XS4ALL about the impact of the Dutch requirements.
There is no apparent adverse effect on performance, and indeed, many of the requirements already are being provided on a far greater scale to enable operators to effectively manage their networks. Privacy concerns are actually enhanced under CALEA because it mandates a set of process and authentication requirements that must be filed with the FCC.
Yes there is an adverse impact on performance with deeper packet inspection. Check any literature for configuring packet inspection for any router or switch, and this fact is pointed out repeatedly.
Or, if you like, think of it this way: in order to perform any kind of inspection on the contents of a packet, the process of forwarding packets will in almost all cases have to be in a store-and-forward mode. Routers and switches go much faster when they just move a packet directly from one interface to another, without the need for the packet to be moved into main memory for handling. Once packets are forwarded using any kind of store-and-forward method (or any like it), performance is degraded down from direct memory transfers.