Law and Technology
A
LBERT
G
IDARI
Perkins Coie
PUBLISHED BY THE IEEE COMPUTER SOCIETY
■
1540-7993/06/$20.00 © 2006 IEEE
■
IEEE SECURITY & PRIVACY
29
“If you build it, they will come.” —
“Shoeless Joe” Jackson
in
Field of Dreams
T
he “field of dreams” today for communicationsservice providers and equipment manufacturersseems without limits. But these organizationsneed to understand that the much anticipated“they” also includes law enforcement agencies—withcourt orders in hand—demanding technical assistance inwiretapping the bad guys who find these new services sodelightful. So “if you build it”—for use in the US any-way—you had better “bake” a wiretap capability into theequipment, facilities, or service. The law requires this ca-pability for telecommunications providers, and the Fed-eral Communications Commission (FCC) has extendedthe law to cover interconnected voice over IP (VoIP) andall facilities-based, broadband Internet access providers.
1
Since 1995, the Communications Assistance for LawEnforcement Act (CALEA)
2
has required tele-communications carriers to install or deploy equipment,facilities, and services with surveillance capabilities at theready. (To reflect the fact that CALEA now applies tomore than just local incumbent carriers and traditionaltelephone companies, this article uses the term “serviceprovider” throughout). But who decides what capabili-ties the law requires? Is it a technical or legal decision?The short answer is that the communications industrysets the standards in the first instance; law enforcementand the FCC have significant influence on the process;and, ultimately, the courts are the final arbiters of whatCALEA requires. Thus, it’s both a technical and a legalquestion, joining lawyers and engineers at the proverbialhip to define and design CALEA’s assistance capabilityrequirements for tomorrow’s com-munications networks.
CALEA’s purpose
The US government passed CALEA in 1994 to preserveits “ability, pursuant to court order or other lawful au-thorization, to intercept communications involvingadvanced technologies such as digital or wireless trans-mission modes, or features and services such as call for-warding, speed dialing, and conference calling, whileprotecting the privacy of communications and withoutimpeding the introduction of new technologies, fea-tures, and services.”
3
This was landmark legislation— never before had service providers been required tobuild their systems with surveillance in mind.CALEA was necessary because by 1994, new tech-nologies were presenting enormous technical challengesfor law enforcement surveillance efforts. Indeed, by thetime CALEA passed, law enforcement had been over-whelmed by the digital revolution in communications.The movement from analog to digital communicationsand the introduction of new services and features left lawenforcement well behind the technological surveillancecurve. Aptly enough, CALEA was initially called theDigital Telephony Act.Moreover, a host of new entrants arrived in the mar-ketplace. With the Telecommunications Act of 1996 onthe horizon, competitive access providers and alterna-tives to the local exchange were appearing in all major markets, and the wireless industry had begun its rapid andsteady growth. No longer could law enforcement go toone service provider to capture all of a target’s communi-cations. At the same time, market forces were causing the
Designing theRight Wiretap Solution
Setting Standards under CALEA
The Communications Assistance for Law Enforcement Act(CALEA) requires telecommunications providers, including VoIP and broadband ISPs, to provide wiretappingcapabilities with their services. Law enforcement and thetelecommunications industry must work together to setCALEA-compliant standards.
Law and Technology
disaggregation of telecommunications network compo-nents, and more entities than just the “corporate logo”on a customer’s phone bill were providing raw transmis-sion, signaling, and new applications.As for the communications industry, it’s fair to saythat no one considered law enforcement needs in de-sign criteria. Indeed, the notion of engineering a backdoor into a communications system for anything other than troubleshooting or maintenance was the equiva-lent of designing a security flaw into the product. It’sone thing to tell the government which copper wireserves which customer so they can attach a pair of alli-gator clips to the line and listen; it’s quite another todedicate ports, rack space, and computer processing toenable wiretaps in the central office, with serviceprovider personnel responsible for flipping the prover-bial switch. Moreover, with increasingly intense com-petition for subscribers, some were concerned that theadded cost of developing surveillance solutions coulddelay or preclude the time to market or stifle innova-tion altogether.Against this backdrop, and realizing that industrywould continue to deploy new communications serviceswithout surveillance capabilities, the US Congress de-cided to require that surveillance capabilities be includedin the deployment of all future telecommunicationsequipment. According to CALEA’s drafters, it embodiesthree key congressional policy goals:•preserve a narrowly focused capability for law en-forcement agencies to carry out properly authorizedintercepts;•protect privacy in the face of increasingly powerful andpersonally revealing technologies; and•avoid impeding the development of new communica-tions services and technologies.
4
In the end, the government passed CALEA to helppreserve law enforcement’s investigative capabilities inthe face of a changing telecommunications landscape.Some might argue that Congress actually set the stagefor industry to significantly enhance surveillance capa-bilities through design improvements in the surveil-lance architecture, making it easier, faster, and cheaper to conduct wiretaps. This outcome could be good or bad, depending on your political viewpoint, but onething is certain—the current architecture provides for greater accountability and transparency, as wiretapsnow occur with the affirmative intervention of serviceprovider personnel.
Requirements and consequences
Section 103 of CALEA requires telecommunicationscarriers to ensure that their systems have the technical ca-pability to•isolate expeditiously the content of targeted communi-cations transmitted within the carrier’s service area;•isolate expeditiously information identifying the tar-geted communications’ originating and destinationnumbers, but not targets’ physical locations;•provide intercepted communications and call-identifyinginformation to law enforcement in a format transmit-table over lines or facilities leased by law enforcement toa separate location; and•carry out intercepts unobtrusively, so electronic sur-veillance targets aren’t aware of the interception, and ina way that doesn’t compromise other communications’privacy and security.
5
CALEA doesn’t tell manufacturers or service providershow to meet these requirements, but lets individual en-tities decide how to comply, either ad hoc or throughstandards-setting organizations, which I discuss in thenext section.Telecommunications equipment installed or de-ployed before 1 January 1995 is grandfathered anddeemed compliant unless or until the government pays toupgrade it to meet CALEA or the service provider itself replaces or significantly upgrades the grandfatheredequipment, installs new equipment, or launches new ser-vices.
6
Providers deploying equipment or services after this date receive no reimbursement for meetingCALEA’s assistance capability requirements.
6
Failure to meet these requirements could result inpenalties of up to US$10,000 per day.
7,8
Courts can alsoorder service providers to undertake network or equip-ment modifications to meet them.
8
However, before itcan impose any penalty, a court must find that compli-ance is “reasonably achievable through the application of available technology to the equipment, facility, or serviceat issue or would have been reasonably achievable if timely action had been taken.”
7
This limitation on the court’s power is no loophole.CALEA requires a service provider to consult with itsmanufacturers in a timely fashion to ensure that currentand planned equipment, facilities, and services comply.
9
Additionally, manufacturers must make the necessaryCALEA-compliant features or modifications available toservice providers in a timely manner and at a reasonablecharge.
9
Significantly, the absence of technical standardsis no defense to an enforcement action, but involvementin a standards effort might be important evidence of whether service providers took timely action to ensureavailable compliant equipment.
The role of standards
Although the absence of standards is no excuse for avoiding CALEA compliance, section 107 of the actdoes create a “safe harbor” for service providers or man-ufactures whose equipment, facilities, or services are in
30
IEEE SECURITY &PRIVACY
■
MAY/JUNE 2006
Law and Technology
compliance with publicly available technical require-ments or standards adopted by an industry association or standards-setting organization, or as set by the FCC, tomeet CALEA’s requirements.
10
(The FCC currently iscontemplating which bodies can promulgate standardsor requirements, including whether to recognize thosedeveloped by non-US standards organizations.) Con-gress determined that although the communications in-dustry should consult with law enforcement regardingsurveillance needs, industry itself would decide how tomeet those needs.
5
As Congress put it, “Those whosecompetitive future depends on innovation will have akey role in interpreting the legislated requirements andfinding ways to meet them without impeding the de-ployment of new services.”
11
Congress understood that disputes might arise over standards’ adequacy and, in response, provided a proce-dure for the FCC to review them. Section 107 providesthat any person who believes a published standard is defi-cient can petition the FCC to set the requisite technicalrequirements in a public rulemaking.
10
To be clear, a pri-vacy advocate can challenge a standard because it fails toprotect the privacy of communications not authorized tobe intercepted, just as a local law enforcement agency canbring a challenge because the standard fails to provide allthe required capabilities.If the FCC finds the standard deficient, it must settechnical requirements that•meet CALEA’s assistance capability requirements withcost-effective methods;•protect the privacy and security of communicationsnot authorized to be intercepted;•minimize the cost of such compliance on residentialratepayers;•serve the US’s policy of encouraging the provision of new technologies and services to the public; and•provide reasonable time and conditions for compliancewith and the transition to any new standard.
10
Any person who disagrees with the FCC’s findings canappeal the resulting order to an appropriate federal Cir-cuit Court of Appeals.
The standards process in practice
The efficacy of CALEA’s standards process was testedalmost immediately. Subcommittee TR45.2 of theTelecommunications Industry Association (TIA)worked for more than two years to develop Joint Stan-dard 025, Lawfully Authorized Electronic Surveillance,to serve as a “safe harbor” for wireline and wireless carri-ers under section 107(a) of CALEA (you can buy copiesof the standard and its subsequent iterations atwww.tiaonline.org). Law enforcement came into thestandards process with a long list of desired capabilities,whereas industry representatives took a minimalist ap-proach, addressing only those it understated the lawclearly required.The subcommittee’s meetings were often con-tentious, with law enforcement offering contributionsexplaining why certain capabilities were desirable or re-quired and industry participants rejecting many of thedemands as not clearly required by CALEA. For exam-ple, law enforcement desired, and industry refused to in-clude, a feature status message that would require aservice provider to notify law enforcement “when spe-cific subscription-based calling services are added to or deleted from the facilities under surveillance, includingwhen the subject modifies capabilities remotely throughanother phone or through an operator.”
12
Conversely, after many arguments, industry partici-pants finally included in the standard a capability to reporta cell phone’s location at the beginning and end of a call.This “compromise” (which excluded a law enforcementdesire to also receive messages whenever a call was passedbetween cell towers—that is, a tracking capability) disap-pointed privacy advocates, who believed that CALEAdidn’t include a requirement to report wireless call loca-tion information. (The FCC and ultimately the courtssustained the location requirement
.
)TIA and Committee T1 (sponsored by the Alliancefor Telecommunications Industry) published the finalstandard in December 1997. It defined the services andfeatures that must support surveillance (for example, callforwarding) and specified the permissible interfaces (suchas allocation of call content and data channels) for deliv-ery of intercepted communications and call-identifyinginformation to law enforcement.Privacy advocates challenged the standard almost im-mediately: on 27 March 1998, they petitioned the FCCfor review, claiming that the standard didn’t do enough toprotect privacy because it permitted delivery of locationinformation and packet-mode communications. Thenext day, the US Department of Justice (DoJ) likewisefiled its expected petition, claiming that the standardfailed to provide all the required capabilities. (For a list of the nine “essential” capabilities considered and rejectedduring the meeting, see the sidebar.)
www.computer.org/security/
■
IEEESECURITY &PRIVACY
31
The government passed CALEAto help preserve law enforcement’sinvestigative capabilities in the faceof a changing telecommunicationslandscape.
Search History:
Result 00 of 00
00 results for result for
p.
More From This User
Notes
Load more
