The New Regulatory Capture II
Within the last ten days or so, the key vendor of CALEA compliance services (VeriSign) has taken a very stern tone [pdf] with the FCC, saying that the Commission has read CALEA far too narrowly. VeriSign wants any SIP-using service to be part of the program, and suggests that interconnection with the traditional telephone network shouldn't necessarily be the standard for compliance. Translation: any possible multimedia application (whether connected to the phone network or not) and all connections to the internet should be designed in advance so as to be easily tappable by law enforcement.
(What's a SIP-based service? It's any service using the Session Initiation Protocol, an IETF signaling protocol that can be used in connection with any multimedia or voice or gaming application. GoogleTalk will use SIP; MSN Messenger already does; a host of VoIP applications already do. It's a very broadly used peer-to-peer protocol.)
VeriSign is also arguing that the rest of the world is moving smoothly along the vendor-assisted interception path, and that “the only impediment to implementation domestically principally lies in the Commission's actions” in the CALEA proceeding. We are ready, sayeth VeriSign (describing itself as a member of the “entrepreneurial and innovative global lawful interception industry”) to provide these compliance services at minimal cost, but the Commission is getting in the way. Really, how could you, Commission?
Similarly, the DOJ has also taken a very stern tone [pdf] with the FCC, saying that the Commission has read CALEA far too narrowly. They'd like CALEA to cover any application that is capable of connecting to the traditional telephone service, whether for receiving or making calls, and they want all services (not just broadband services) to be covered, no matter what equipment they use.
What's extraordinary about all this firmness on the part of the sole listener (DOJ) and the key vendor (VeriSign) is that the FCC has reached very far indeed to do their bidding already. By virtue of a less-than-weak reading of CALEA (which doesn't apply to “information services”), the Commission has gotten up the nerve to act like Congress and proclaim that a huge range of actors have to be CALEA compliant within 18 months, without saying what compliance means. Non-compliant firms will be subject to fines of $10,000 a day. So entities have to start complying without knowing what to do, and they won't even know whether they're covered — because the FCC is sometimes flip about whether they are. Enormous, arbitrary, capricious, and aggressive confusion is in the air.
It's all pretty astonishing and pretty abusive, and the DC Circuit will have its say soon. The CDT coalition just filed a very strong request for a stay of the CALEA order with the FCC, and will file a similar request in court on December 7 if the Commission doesn't respond. The stay request points out that the FCC has effectively delegated its authority to decide how CALEA will be complied with to the DOJ. A key line:
With the looming deadline, the FBI can say in its “discussions” with industry representatives, “Define call-identifying information our way and you’ll be fine, define it a different way and we may bring a civil action against you for non-compliance in 18 months.”
But if you listen to VeriSign, we're all being silly, the world has moved on, and we should just shape up and get with the program. I feel sorry for the well-meaning professional staff at the Commission. They're under tremendous pressure.
