Law and Technology
disaggregation of telecommunications network compo-nents, and more entities than just the “corporate logo”on a customer’s phone bill were providing raw transmis-sion, signaling, and new applications.As for the communications industry, it’s fair to saythat no one considered law enforcement needs in de-sign criteria. Indeed, the notion of engineering a backdoor into a communications system for anything other than troubleshooting or maintenance was the equiva-lent of designing a security ﬂaw into the product. It’sone thing to tell the government which copper wireserves which customer so they can attach a pair of alli-gator clips to the line and listen; it’s quite another todedicate ports, rack space, and computer processing toenable wiretaps in the central ofﬁce, with serviceprovider personnel responsible for ﬂipping the prover-bial switch. Moreover, with increasingly intense com-petition for subscribers, some were concerned that theadded cost of developing surveillance solutions coulddelay or preclude the time to market or stiﬂe innova-tion altogether.Against this backdrop, and realizing that industrywould continue to deploy new communications serviceswithout surveillance capabilities, the US Congress de-cided to require that surveillance capabilities be includedin the deployment of all future telecommunicationsequipment. According to CALEA’s drafters, it embodiesthree key congressional policy goals:•preserve a narrowly focused capability for law en-forcement agencies to carry out properly authorizedintercepts;•protect privacy in the face of increasingly powerful andpersonally revealing technologies; and•avoid impeding the development of new communica-tions services and technologies.
In the end, the government passed CALEA to helppreserve law enforcement’s investigative capabilities inthe face of a changing telecommunications landscape.Some might argue that Congress actually set the stagefor industry to signiﬁcantly enhance surveillance capa-bilities through design improvements in the surveil-lance architecture, making it easier, faster, and cheaper to conduct wiretaps. This outcome could be good or bad, depending on your political viewpoint, but onething is certain—the current architecture provides for greater accountability and transparency, as wiretapsnow occur with the afﬁrmative intervention of serviceprovider personnel.
Requirements and consequences
Section 103 of CALEA requires telecommunicationscarriers to ensure that their systems have the technical ca-pability to•isolate expeditiously the content of targeted communi-cations transmitted within the carrier’s service area;•isolate expeditiously information identifying the tar-geted communications’ originating and destinationnumbers, but not targets’ physical locations;•provide intercepted communications and call-identifyinginformation to law enforcement in a format transmit-table over lines or facilities leased by law enforcement toa separate location; and•carry out intercepts unobtrusively, so electronic sur-veillance targets aren’t aware of the interception, and ina way that doesn’t compromise other communications’privacy and security.
CALEA doesn’t tell manufacturers or service providershow to meet these requirements, but lets individual en-tities decide how to comply, either ad hoc or throughstandards-setting organizations, which I discuss in thenext section.Telecommunications equipment installed or de-ployed before 1 January 1995 is grandfathered anddeemed compliant unless or until the government pays toupgrade it to meet CALEA or the service provider itself replaces or signiﬁcantly upgrades the grandfatheredequipment, installs new equipment, or launches new ser-vices.
Providers deploying equipment or services after this date receive no reimbursement for meetingCALEA’s assistance capability requirements.
Failure to meet these requirements could result inpenalties of up to US$10,000 per day.
Courts can alsoorder service providers to undertake network or equip-ment modiﬁcations to meet them.
However, before itcan impose any penalty, a court must ﬁnd that compli-ance is “reasonably achievable through the application of available technology to the equipment, facility, or serviceat issue or would have been reasonably achievable if timely action had been taken.”
This limitation on the court’s power is no loophole.CALEA requires a service provider to consult with itsmanufacturers in a timely fashion to ensure that currentand planned equipment, facilities, and services comply.
Additionally, manufacturers must make the necessaryCALEA-compliant features or modiﬁcations available toservice providers in a timely manner and at a reasonablecharge.
Signiﬁcantly, the absence of technical standardsis no defense to an enforcement action, but involvementin a standards effort might be important evidence of whether service providers took timely action to ensureavailable compliant equipment.
The role of standards
Although the absence of standards is no excuse for avoiding CALEA compliance, section 107 of the actdoes create a “safe harbor” for service providers or man-ufactures whose equipment, facilities, or services are in
IEEE SECURITY &PRIVACY