CALEA roundup: 2005-2007
The wrangling around the Communications Assistance to Law Enforcement Act (CALEA) is one of those issues that creeps inexorably forward and is hard to follow unless you're really focusing. So here is a quick, if longish, overview:
CALEA is a 1994 statute that requires telephone companies to design their services so that they are easily tappable by law enforcement in need of “call-identifying information.” Back in August 2005, following a request from the Dept. of Justice, the Commission moved swiftly to impose CALEA obligations on providers of broadband access services and “interconnected VoIP” services. Now the Dept. of Justice is asking for mandated design compliance for content (packets), location, and other issues — seemingly far away from the statute's focus on access.
Ever since CALEA was enacted, law enforcement, industry, and the FCC have been tussling over what needs to happen for compliance. The statute says that telecommunications common carriers are supposed to “expeditiously isolat[e] and enabl[e] the government, pursuant to a court order or other lawful authorization, to access call-identifying information that is reasonably available to the carrier. . ” and then deliver intercepted communications and call-identifying information to the government “in a format such that they may be transmitted . . . by the government to a location other than the premises of the carrier.”
CALEA doesn't allow law enforcement to ask for designs that would enable access to “content” information beyond “call-identifying” information without proper legal process. The Commission has said that “privacy concerns could be implicated if carriers were to give to [law enforcement agencies] packets containing both call-identifying and call content information when only the former was authorized.”
Much of the tussle has to do with cost-shifting: the original CALEA statute authorized $500 million to be allocated to paying the carriers back for their efforts in connection with compliance, but there's no money being offered to the internet players. But a lot of the recent tussle has to do with how to move CALEA's obligations into the internet era. The problem is that CALEA was specifically written not to cover online applications like email and other “information services.” And saying what online “call-identifying” (non-content) information is presents a difficult task.
The CALEA Order released in August 2005 interprets CALEA to cover any services provided by non-telephone companies that are in some way (however minor) replacements for telephone services. Many people thought that was a very strange interpretation of the statute, which specifically exempts information services (online applications) from the definition of “telecommunications carrier.”
Then, last summer (June 2006), the D.C. Circuit chose to defer to the FCC's interpretation of CALEA. (Just as in BrandX — if Congress enacts a statute that can be categorized as “vague,” and the FCC interprets it, the courts will often go along.) But the D.C. Circuit tried to make clear that CALEA could cover only the telecommunication-carrier aspects of broadband access and VoIP — the transport/access part/switching parts of these services that replace traditional phone service. CALEA pretty clearly does not apply to the other things these services could do, like storage of email or web hosting. CALEA, the court said, is about access.
So, if the FCC wanted to broaden the coverage of CALEA to take in other non-access functions, they'd have to go back to Congress.
Well, law enforcement didn't want to go back to Congress. Instead, in May 2007 the Dept. of Justice filed a “deficiency petition” [link goes to Part 1 of 3] with the Commission. DOJ is now asking for an “expedited rulemaking” that would require broadband access providers to provide “call-identifying information” in the form of packet activity reporting for all of those online applications - all information services. DOJ is also asking for location information that is more precise than just cell-tower level information, and they want wireless carriers to force consumers to always have the location function in their cellphones on - a CALEA location mandate.
This is a very big deal. In the past, CALEA required local phone companies to meet call-identifying obligations when it came to someone's phone call to reach his dial-up ISP. So the local phone company had to provide information about the start and end of that phone call. Even though “packets” were certainly traveling around this dial-up connection, no additional information had to be sent on to law enforcement, and the local phone company wasn't supposed to listen to the phone call.
Now, law enforcement wants wireless transmission service providers (say, Verizon) to be able to report to law enforcement about what packets are being carried by them, using which port numbers. (There's no real functional difference between wireless internet access and wired, so this same obligation would be applied to all highspeed internet access providers.) Driving things to the packet level is a big deal. It's way beyond what anyone understood “call identifying information” to mean in the days of the telephone. And port numbers would reveal information about what application was being used, which is “content.”
This isn't about law enforcement's ability to get packet-level information from anyone. With lawful process (like a warrant), law enforcement could ask for content elements from any old VoIP provider within its jurisdiction. The key thing here is cost-shifting and design: can law enforcement ask in advance that information service providers design their systems to spew out exactly the information that law enforcement wants, in law enforcement's desired format? particularly when this information will necessarily include content?
The statute says (in my view) that law enforcement can't do this, and the FCC doesn't have the authority to rewrite the statute. The Commission can't just say that all packets and port numbers are part of “call identifying information,” and can't extend CALEA's design obligations to information service functions (even information service functions of broadband access providers) that aren't part of transmission/access/switching. The location mandate would be hugely privacy-invasive, and would require handset providers to build their phones in a particular way.
VeriSign, predictably, has filed in this proceeding to remind the Commission that it's a provider of “CALEA Trusted Third Party Services,” and urges the Commission to quickly grant law enforcement's petition. VeriSign takes the view that what law enforcement is asking for is “well-settled” and just needs”clarification” as being covered by CALEA.
Bottom line: the Dept. of Justice wants to require highspeed internet access providers to (1) design their systems so as to be able to provide detailed information about every packet that goes by, (2) to be able to provide fine-grained tracking information; and (3) to shift the cost of all of this to the carriers.
Implications: if you have to be able to do all of this to provide highspeed access, you won't go into business lightly. Only the largest incumbents will be able to handle these obligations if the FCC grants this petition. Open access doesn't fit with these requirements at all, because the whole point would be that the carrier wouldn't even know what applications were being used on its network. (So if you wanted to get rid of open access, you'd accept these changes to CALEA and then use CALEA as a reason never to allow competitive ISPs to connect to the wires and wireless systems of incumbents.) What about mesh, what about opportunistic community networks? And what about privacy? Should it be a condition of using a portable device that you permit your carrier to be able to easily report where you are at all times?
In late July 2007, several responses (CTIA, CDT et al.) were filed to the DOJ's May petition for expedited rulemaking. I can't tell from the docket when the Commission plans to rule on the petition, and I'm hoping they deny it. If law enforcement is going to suggest design mandates for all online applications, elected representatives should be aware- the statute they passed in 1994 clearly didn't cover this. It is not a good idea to rely on the Commission's discretion in these key areas.
Even If It's Broken, Don't Fix It: This Week in the White Spaces
If you go over and look at the docket for this week's filings in the FCC's “white spaces” proceeding, you'll find this:
1. Microsoft says the Commission tested a broken device, and never even tried the (functioning) backup device or called up Microsoft to find out why the heck the thing wasn't working:
In the presence of FCC engineers, Microsoft engineers tested the Prototype A device used by [FCC's Office of Engineering and Technology] for the DTV signal testing. This test revealed that the scanner in the device had been damaged and operated at a severely degraded level….
• Microsoft testing conducted in the presence of FCC engineers also revealed that the spare Prototype A device previously provided to the FCC Laboratory (which was in the FCC’s possession throughout the testing process) reliably detected occupied television channels at -114 dBm.
• OET staff acknowledged that they did not attempt to contact Microsoft after observing the performance of the damaged Prototype A device tested by OET, nor did OET use the spare/backup Prototype A device provided to it for any portion of its DTV signal testing.
2. Philips Electronics North America reminds the Commission that its prototype device was very good at sensing DTV signals and wireless microphones:
In analyzing the test results, it is essential to bear in mind the purpose of this prototype testing. It is not for equipment authorization. We are not yet at that stage in the process. The sole purpose is to test the feasibility of operating unlicensed [White Spaces Devices] without causing harmful interference, of which consistent and robust detection is a significant part. Viewed from that perspective, all parties should view the testing of [the Philips device] as a success.
3. Meanwhile, the cable industry's trade association group bravely tells the FCC that even though the Commission tested a broken device, the results of the tests “validate the concerns expressed by the cable industry and other parties regarding the substantial risks of wide-scale interference from unlicensed devices and the inadequacy of the signal sensing detection mechanism incorporated in prototype devices.”
Watch for both cable and broadcasters to get very up-in-arms about protecting wireless microphones. If we get this wrong, planes will fall from the sky!
Low-powered wireless microphones are essential to television journalists covering breaking news events, particularly on-the-scene coverage of emergency situations. And they are ubiquitous tools for the distribution of audio in all major sports and entertainment events in large venues.
4. A technical director for a church in Reno has this to say:
I would ask that your discussions and decisions keep in mind the thousands of churches across the country who rely on wireless technology to communicate messages of hope, encouragement, and love to millions of people every week.
5. Motorola chimes in, saying personal/portable devices could use geolocation information to avoid interference, and encourages the FCC to do more testing.
6. And the Community Broadcasters Association says that it
believes that the [FCC] report validates its position that any White Space operations must be limited to operations at fixed locations that are held accountable through licensing; and if any personal portable devices are allowed, their frequency selection must be controlled by a licensed centralized beacon that relies on not only sensitive spectrum sensing but also a database that requires exclusion of all broadcast signals expected to reach the user’s location.
That's just three days of filings. We've got a broken prototype being seriously tested by murmuring, clucking-with-concern engineers, immense security-plus-prayer concerns about wireless microphones, and a call for no unlicensed uses at all — much less the unlicensed, portable uses that would make a new opportunistic market for basic ubiquitous internet access possible. You can't make this stuff up.
[I couldn't resist this. I promise CALEA tomorrow.]