Scope of the CALEA order
Not long ago, Brett Glass posted a message to Farber's list saying:
“The FCC Report and Order on CALEA (see http://cryptome.org/fcc070506.htm) appears to drag all broadband providers - including small, rural ISPs such as myself — into a messy regulatory regime, merely because one of my customers might choose to use a VoIP service. Worse still, the requirements are vague and potentially extremely onerous.”
Someone sent me an email asking “Is he reading the Order right?” So I went off to look.
If you go to the August 2005 Order that asserted that CALEA covers “facilities-based” broadband internet access providers, you'll find that an entity can be covered if it:
1. is engaged in providing wire or electronic communication switching service OR
2. is engaged in providing wire or electronic communication transmission service AND
3. the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service AND
4. the Commission finds that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of CALEA.
That August 2005 Order states that the FCC had already found that “switching” is the same as (or includes) providing “routers, softswitches, and other equipment that may provide addressing and intelligence functions for packet-based communications to manage and direct the communications along to their intended destinations.” So, in other words, if you're providing routing services you fulfill condition #1. You're “facilities-based.”
The Commission found that broadband access services fulfill condition #3 because people used to use local telephone service to access the internet, and that such services fulfill condition #4 because deeming these entities covered by CALEA would “promote competition, encourage the development of new technologies, and protect public safety and national security.”
So — according to the Commission (whose interpretation has been deferred to by the D.C. Circuit), any entity providing access to the internet through a router (unless that entity is exempt for some other reason, for example because it is a private network operator) will need to assist law enforcement to tap its communications. At its own cost.
That means that every ISP falls under CALEA, because it operates routers.
So, yes, Brett Glass is arguably correct.
He continues:
“There is no rational reason to subject an ISP such as myself to the statute's expensive requirements. Yet, the FCC is trying to do so. What's more, to add insult to injury, it has stated that it does not intend to allow ISPs to be compensated for the expense of making their networks tappable. In short, the FCC seems eager to impose requirements upon us which would do nothing to enhance homeland security but could well drive us and other independent ISPs out of business. This would ensure a cable/telco duopoly and hamper the expansion of broadband service to rural areas like ours.”
Yup.
Comments
8 Responses to “Scope of the CALEA order”
Got something to say?
Are there requirements as to how the tapping is to be done? It doesn't need to involve expensive equipment.
As you note, it can be fairly simple at minimal cost. Commentors in the IP CALEA proceeding estimated 1 cent per subscriber per month for large subscribers - which seems borne out in practice.
The ETSI website contains both the requirements and the specifications that are used in most countries of the world outside the U.S. Go to http://portal.etsi.org/Portal_Common/home.asp and click on “LI.” You will find all the specifications. For Internet access providers, the most relevent new standard is TS 102234. In the U.S., go to the http://www.askcalea.org website and you'll find guidance to all the relevant requirements and standards.
Any assertion that it is not complex or expensive to tap the network demonstrates ignorance of how ISPs' networks operate.
Our network, like those of many wired and wireless ISPs, is decentralized. The traffic of the users on each wireless access point takes a different route to the Internet, and may not pass through any central location. Thus, tapping a particular user would require going close to the edges and tapping into the individual routers. And since we built these routers ourselves (their architecture is one of the things that gives us a competitive edge), the FBI would likely not know how to use them to monitor a user even if we gave them the keys to our network. To abandon those routers would be to incur huge costs, lose our advantage over the competition (should it be illegal to make a better mousetrap?), and compromise our network's security (which is the best in the industry; every user gets an individual, encrypted connection).
Also, as with many ISPs, the overwhelming majority of our users' traffic passes through routers which perform network address translation, or NAT. Hundreds of users' traffic appears to come from a single IP address, making filtering difficult.
What's more, like other providers such as AOL, we also use caching Web proxies, which likewise aggregate users' traffic. This is great for users' privacy; it's difficult to distinguish one user's browsing from another's. This is by design; it protects our users from snooping.
Unsurprisingly, the same features which protect users' privacy — one of the selling points of our small ISP — will make it difficult for the FBI to trace users' activities. If we're forced to abandon them to allow snooping, we'll lose one of our greatest edges over the big guys — in particular, the cable/telco duopoly.
Then there's the issue of bandwidth. Suppose we do capture specific users' traffic. Who pays for the extra Internet bandwidth that's required to transport it to the snoops?
The notion that making the network tappable would cost a penny per user is ludicrous. We estimate that the cost per user would only drop below a dollar per user per month if the network were huge — i.e. the size of a cable or telephone company network if all competitors such as ourselves were eliminated. Which, again, is what the CALEA regulations seem to be aimed at: eliminating innovative competitors such as our company.
I wouldn't have assumed it to be pennies per user, but would it not be feasable to capture traffic at or near an ISP's uplinks, such as a border network just prior to the trunk(s) to upstream providers as one example? Admittedly I haven't yet read the requirements, which if they stipulated capture right upstream of the target's site would incure a higher cost. Still if its possible to comply by capturing traffic based on an IP address that would make it easier. On the other hand, if an ISP changed IP addresses frequently, that's a different story. Capturing onsite would at least require installing taps or a readily tappable infrastructure, which could be quite expensive, depending on how an ISP has built itself out. I could see that cost easily spelling the end for a small ISP, if it had to re-vamp its buildout.
As for the added cost of the bandwidth for capturing, I would have assumed that any responsible law enforcement entity would much rather capture to storage rather than send it back over data lines. I would think there's a chance it could end up evidence, and sending it back over data lines would strike me as a bad idea in most situations.
Our network is multiply interconnected and has multiple connections to different upstream providers. Packets can be routed in different ways, depending on conditions, to balance the load. A single user's traffic may appear to originate from many different IP addresses, and many users' traffic will appear to originate from a single address. What's more, because much of our network is wireless, we encrypt users' traffic. We would literally have to replace our entire infrastructure with less capable and less secure equipment to allow tapping at will by the FBI (which is what CALEA mandates). Innovation and security would effectifvely be outlawed.
The instant, invisible tapping required by CALEA would require OUR equipment to do the tapping and OUR bandwidth to transmit the data back to the spooks, just as in the case of current taps of voice conversations. You may recall that the expense of this for phone comanies was so great that reimbursement was ordered. Well, due to the decentralized nature of our network, the difficulty is greater and the cost per user is even larger. Yet the FCC has mandated that ISPs NOT be reimbursed. This is an unprecedented regulatory taking that could shut us and others down.
CALEA mandates such things as “roving” taps, which in the case of a series of Wi-Fi hotspots or a metro network means that the tapping equipment could not be placed in just one location. Oh, and by the way, it appears that anyone who operates a hotspot is an ISP for the purposes of the FCC's CALEA order.
The silliest part of all of this is that any terrorist worth his salt will use encryption and/or steganography. And all decent VoIP systems encrypt as well, making it useless to tap the conversation in the middle (i.e. within our network). The CALEA dragnet will only sweep up the conversations of terrorists too stupid to be successful anyway, as well as those of people who are innocent or just happen to be political opponents of The Powers That Be.
Which is one of the real dangers in this. Remember the dossiers compiled by J. Edgar Hoover? They're nothing compared to what the FBI could get with these unlimited wiretaps. And broadband competition will likewise be caught in the crossfire. US citizens must know what's coming and have the political will to stop it.
Since I haven't read CALEA, I can't comment as intelligently as others who have, but it looks as though it was put together in the dark. Just from reading this discussion, something else struck me as having the potential to be relevant here, if perhaps only in a periphery way. Its a project called PERM http://swing.cs.uiuc.edu/projects/perm/, an addition to a computer's IP protocol stack which would essentially allow multiple computers to collaboratively share each others wireless bandwidth among multiple broadband carriers.
As I understand it, PERM analyzes your traffic and basically load balances it with neighbors who choose to participate in PERM. It doesn't need participation from ISPs in the sense that its the end hosts themselves that handle the sharing of bandwidth. Participating hosts collaborate amongst each other and re-route traffic amongst each other across multiple upstream carriers in a neighborhood. If a person were browsing the web, for example, on a computer running PERM and there were multiple neighbors with wireless access points connected to different carriers, then depending on the destination, traffic from a single computer could easily traverse multiple ISPs.
If PERM became widespread, and who knows - it seems like it could in the future, tracking people down in the CALEA sense (from what I gather from this discussion anyway) would become much harder even if ISPs could provide the kind of tapping abilities that it seems CALEA calls for.
Neither the requirements nor the standards for implementing those requirements were put together “in the dark.” Law enforcement and industry experts have been meeting for years to develop what are entirely reasonable and cost-effective solutions. These are also global requirements that have been implemented on a far more extensive scale in many countries. If you don't want to do the work yourself, outsource it to a Trusted Third Party.
That “Trusted Third Party” is sure to be incredibly expensive — surely enough to drive small or even medium-sized operators out of business.
Also, while there are standards for tapping ordinary phone calls, it is NOT true that there are “standards” for tapping people's Internet connections. And if there were, it would prevent innovative companies like ours from building our own equipment (which we do) which has features that no commercial product has and gives us a tremendous edge over the Big Guys.
What's more, the whole notion of tapping is contrary to the architecture of the Internet, which is decentralized and “end-to-end” rather than centralized like the telephone system. You cannot guarantee that the packets will go a particular way to their destination. You cannot easily FIND them in the middle of the network, much less decrypt them if they're encrypted. The whole notion of wiretapping in the middle is contrary to the architecture of the Internet. The only sensible thing to do is tap at the ends of the connection — which involves tapping the computer, not the ISP.