Comments on CALEA
Several strong reactions to the D.C. Circuit ruling on CALEA coverage the other day.
First, the Information Technology Association of America (ITAA) has put out a major study [pdf] saying that “government attempts to impose a poorly conceived wiretap surveillance regime on domestic Voice over the Internet Protocol (VoIP) phone traffic could destroy American leadership in telecommunications. Such a move could stall Internet innovation, introduce new cyber security concerns, and expose hundreds of thousands of unsuspecting Americans to law enforcement surveillance.”
The study has distinguished parentage - Susan Landau, Vint Cerf, Whit Diffie, Steve Bellovin, Matt Blaze, and others.
Second, the Center for Democracy & Technology (CDT) (of which I am a proud Policy Fellow) says that the CALEA decision is a “major setback for civil liberties.” Their full analysis is here. CDT notes that, quite apart from its many legal weaknesses, the ruling leaves unanswered how exactly we're supposed to define “call-identifying information” on the internet.
For Tony Rutkowski's reaction, see his comment.
Comments
One Response to “Comments on CALEA”

Dear Susan,
The ITAA release was not a study, but rather a lobbying public relations document that was developed well before the Court of Appeals decision was released. Starting with the title - which doesn't quite get the name of the CALEA Statute correct, it resurfaces a set of hand-waving objections recited over the years that have little nexus to the statutory requirements, the FBI Electronic Surveillance Needs documents, the FCC rules, or the substantial industry standards and implementation work that has occurred over the past several years - none of which are ever treated in the document.
At the risk of being a bit long, I'm including a list of CALEA Urban legend statements and explanations that the industry experts who actually support the requirements have recently put together.
CALEA is a uniquely U.S. requirement. In fact, CALEA-like provisions exist in almost every country and region in the world and are generally far more extensive, detailed, and vigorously enforced than in the U.S. Unlike the U.S. which has an “information services” exception, every other country requires full compliance for all publicly available services. These CALEA equivalent capabilities are coordinated and treated by many different intergovernmental and industry forums.
The principal interested party is the FBI. The majority of lawful interceptions in the U.S. are done by the more than 10,000 state and local law enforcement offices under local law. Under CALEA, the Attorney General is responsible for coordinating and representing all law enforcement and delegates certain responsibilities to the FBI. This model is similar to most “Ministries of Justice” in countries worldwide. Because CALEA concerns the production of evidence to prosecute crimes (especially those which occur on-line), as well as the protection of network infrastructure and the domestic pursuit of terrorism and espionage, it is the network service providers and the American public who are the ultimate interested parties.
CALEA makes the infrastructure wiretap ready. CALEA, in fact, has a very limited and focused objective – enabling the hand over of basic real-time forensic data and content by a service provider when a court has determined a customer may be engaging in criminal conduct, and that data or content is reasonably available on the provider’s facilities. In actuality, the passive probes typically used for Internet intercepts have no effect whatsoever on network or application design. CALEA itself states this objective in very generic terms – quickly isolating and enabling the interception of call signalling and communications of a specific subscriber which is available to the provider by virtue of providing the equipment and service. There is no “infrastructure wiretap ready” requirement. Indeed, given the reality that criminal conduct rapidly occurs on and is directed against communication networks, it is not clear how evidence could be gathered by any other means than CALEA requirements.
CALEA changes the “design process.” CALEA, in fact, expressly does not change the design process. The forensic capability requirements of law enforcement are stated in generic terms, and each provider is free to support those requirements in any reasonable manner. There are a substantial number of options available to providers – ranging from changes to specific equipment or systems to “overlay” solutions that are minimally intrusive. Numerous industry collaborative forums also exist to help sort through these options and develop common “safe harbor” solutions. Trusted Third Party service bureaus provide turnkey solutions tailored to a provider’s infrastructure design. Ultimately it is the service provider’s choice as to the means employed.
CALEA requires standards. Under CALEA in the U.S., no standards are specified to implement a compliance solution – only generic requirements. This approach was chosen by Congress and underscored in FCC decisions to allow providers the flexibility to pursue their own solutions. This policy approach is covered at some length in the FCC Second Order released on 12 May. In most other countries, specific lawful interception standards are mandated and enforced through both regulatory and regular administrative testing practices. This is not the case in the U.S. where the CALEA approach provides greater flexibility and minimizes effects on infrastructure design and evolution.
CALEA adversely affects innovation. Because the CALEA approach does not rely on any specific compliance standards, providers are actually required to “innovate” CALEA solutions as they develop new platforms and services. In the FCC Second Order, it was also made clear that no “pre-approval” requirement would be established under CALEA. No credible argument exists for an assertion that CALEA affects innovation.
CALEA will force service providers to move abroad. Perhaps the most preposterous CALEA urban legend is the “service providers will move abroad” assertion. Most significant nations have requirements that are at least as extensive as CALEA. While some very remote jurisdictions may indeed exist that do not have lawful interception requirements, it is unlikely that this will compel any serious business to move to avoid the obligations, and in any case, the providers interconnecting with such a provider would still be subject to the requirements.
CALEA is expensive. The expense of meeting CALEA requirements for all but the very smallest providers lies largely in obtaining the necessary mediation equipment and maintaining a security office. Fortunately, these expenses are minuscule in a large provider organization, and for smaller companies can be shared in a Trusted Third Party arrangement. The costs are always going to be significantly reduced using such arrangements. In the FCC’s CALEA proceeding, a consultant calculated the TTP costs for significant size providers at less than a penny per subscriber per month – which have been confirmed in practice.
Roving wiretaps make CALEA worthless. Some argue that nomadic usage patterns using combinations of wireless and IP-based network technologies make CALEA worthless. In fact, it is such nomadic usage and the resulting roving wiretaps that have been facilitated under the Patriot Act that have made CALEA so essential.