12 February 1998
Thanks to Declan McCullagh
Date: Wed, 11 Feb 1998 20:25:13 -0500
From: Declan McCullagh <declan@well.com>
To: politech@vorlon.mit.edu
Subject: FC: Privacy groups tell FCC to deep-six wiretap law
Seems as though even the folks (not the undersigned) who lauded the virtues
of the Digital Telephony wiretapping law and cut a deal to ensure its
passage are now claiming it's gone astray. Attached below are comments
filed (I believe today) with the FCC on the law.
Even if you don't care about wiretapping, consider this: the Digital
Telephony law requires technology firms to make communications readily
snoopable by law enforcement agents. Think of this as a precedent for
requiring technology firms to make encrypted communciations readily
snoopable by law enforcement agents.
Trust me, even if you haven't thought about that precedent and its value
when lobbying members of Congress, Louis Freeh has.
-Declan
******
Before the
Federal Communications Commission
Washington, D.C. 20554
In the Matter of )
) CC Docket No. 97-213
Communications Assistance for )
Law Enforcement Act )
Surreply Comments of
The American Civil Liberties Union
The Electronic Privacy Information Center
The Electronic Frontier Foundation
Computer Professionals for Social Responsibility
The American Civil Liberties Union (ACLU), Electronic Privacy
Information Center (EPIC), Electronic Frontier Foundation (EFF), and
Computer Professionals for Social Responsibility (CPSR) respectfully
submit these surreply comments in the above referenced proceeding. Our
organizations represent a broad perspective of public interest, privacy and
civil liberties interests.
ACLU, EPIC and EFF jointly filed comments with the Federal
Communications Commission in response to the Notice of Proposed
Rulemaking (NPRM) on implementation of the Communications Assistance
for Law Enforcement Act (CALEA) on December 12, 1997. In our
previous comments, we urged the Commission to exercise its statutorily
conferred authority to delay compliance with the Act until October, 2000.
However, after reviewing the comments filed by the Federal Bureau
of Investigation (FBI), public interest groups, and industry; and in light of
the FBI's four year delay in releasing to the public the statutorily required
Notice of Capacity; and the FBI's obstruction of the adoption of industry
compliance standards that are feasible and technically possible, we are
convinced that the Commission must indefinitely delay the implementation
of CALEA. We call on the Commission to report to Congress on the
serious legal, technical, and policy obstacles that have thwarted CALEA's
implementation. Our organizations also request that the Commission
require the FBI to provide comment-- on the public record-- explaining their
failure to meet the statutory Notice of Capacity Requirement imposed by
Congress nearly four years ago.
Our requests in this proceeding are based on several provisions for
government accountability and privacy protection incorporated in CALEA
and its legislative history, which has thus far been largely ignored.
Section 107 of CALEA provides that any person(s), including public interest
groups, concluding that any standard issued on the implementation of the
Act is deficient, may petition the Commission for review. This section
provides that one factor for judging the acceptability of standards is whether
they protect the privacy of communications that are not permitted to be
intercepted under the law.
Furthermore, the legislative history of CALEA makes clear that the
Commission's authority over this implementation process is designed to
ensure that the following goals are realized: (1) Costs to consumers are kept
low, so that 'gold-plating' by the industry is kept in check; (2) the
legitimate needs of law enforcement are met, but that law enforcement does not
engage in gold-plating of its demands; (3) privacy interests of all Americans are
protected; (4) the goal of encouraged competition in all forms of
telecommunications is not undermined, and the fact of wiretap compliance is
not used as either a sword or a shield in realization of that goal.
Because our organizations have concluded that these statutory goals
have not been satisfied, we believe it is incumbent on the Commission to
take action with regards to our requests. In these surreply comments we
will also address several issues raised in submissions of other interested
parties that call for an expansion of the CALEA's mandate and that run
counter to Congress' stated goals.
I. The FBI has Disregarded the Congressional Limitations and
Statutory Obligations Imposed on Law Enforcement by CALEA:
CALEA explicitly called on law enforcement to issue a technical
capacity notice by October 25, 1995, one year after the law's enactment.
Carriers were given three years after the notification to install capacity
meeting the notification requirements. Thus, under the statutory timetable,
industry's deadline for compliance was to have been October 1998.
Section 104(a)(2) requires that the technical capacity notice
provide a numerical estimate of law enforcement's anticipated use of electronic
surveillance for 1998. The notice is required to establish the maximum
interceptions that a particular switch or system must be capable of
implementing simultaneously.
By mandating the publication of numerical estimates of law
enforcement surveillance activity, Congress intended CALEA's notice
requirements to serve as accountability "mechanisms that will allow for
Congressional and public oversight. The bill requires the government to
estimate its capacity needs and publish them in the Federal Register."
In addition to the concerns of privacy advocates, the Public Notice
requirement was based on industry concerns that the cost of providing
intercepts was becoming an undue burden on companies and that the
number of intercepts was growing too rapidly for industry to respond. In
1994, AT&T testified that such law enforcement notice was necessary for
industry to accomplish the following:
-require law enforcement to focus on what it actually requires to
accomplish its legitimate needs thereby freeing resources they do not
actually require for other purposes;
-provide an essential mechanism for Congress to control both the costs
and level of law enforcement involvement in the development of new
services;
-ensure that the fewest taxpayer dollars are spent to address law
enforcement concerns.
As documented in detail in our prior comments, the FBI has yet to
provide the mandated Notice of Capacity. The Bureau has thus far released
two initial notices that were both withdrawn after sharp public criticism over
the FBI's failure to meet the statutory requirements.
The FBI comments also do not explain why the public and Congress
should ignore their failure to meet this statutory obligation. Instead, the
FBI asserts that public safety should override any technical problems industry
groups may face in complying with CALEA's statutory deadline. However, we
believe that this assertion has also not been justified by the FBI to date.
According to statistics released by the Administrative Office of the
U.S. Courts and the Department of Justice, the actual number of
interceptions has risen dramatically each year and in 1996 alone 2.2 million
conversations were captured by law enforcement. A total of 1.7 million of
these intercepted conversations were deemed not "incriminating" by
prosecutors. Our organizations believe that these numbers do little to
support the FBI contentions that CALEA should be given broad
interpretation.
Moreover, the FBI comments state that a blanket extension on the
compliance with CALEA should not be granted despite the impasse
between industry and law enforcement because of the potential threat to
public security. While we recognize the importance of protecting the
public, Congress required that there be a balancing of the interests of law
enforcement with the need to protect privacy and develop new technologies.
Specifically, Congress had the following objectives:
(1) to preserve a narrowly focused capability for law enforcement agencies
to carry out properly authorized intercepts;
(2) to protect privacy in the face of increasingly powerful and personally
revealing technologies; and
(3) to avoid impeding the development of new communications services and
technologies.
Hence, we are not persuaded by the FBI's conclusion that there
should not be a blanket extension for compliance with CALEA. Until it is
clear that each of the Congressional objectives is met and there is a public
release by the FBI of its statutorily mandated Notice on Capacity, the
technical compliance with the Act should be postponed.
II. The FBI Has Not Maintained Narrowly Focused Capability for
Law Enforcement Agencies to Carry Out Authorized Intercepts
The FBI's bad faith in the implementation process has prevented the
development of acceptable technical standards that are feasible by industry.
As our prior comments document and industry comments support, the FBI
has repeatedly endeavored to require that industry meet a FBI wish-list of
surveillance capability needs never contemplated by Congress. Indeed,
avoiding such an impasse was precisely why Congress explicitly redrafted
the statute in 1994 to eliminate law enforcement control over industry
standard-setting.
Instead of preserving a narrow focus on surveillance capability, the
FBI has sought an expanded capability by interpreting CALEA to apply to
entities and user services specifically exempt by Congress. The comments
submitted by the FBI underscore the validity of our concerns by presenting
a wish-list of items that go far beyond the authorized electronic surveillance
under the provisions of Title III of the Omnibus Crime Control and Safe
Streets Act of 1968, the Electronic Communications Privacy Act of 1986
and CALEA.. For example, the FBI comments call for CALEA compliance
by carriers providing access to information services, private communications
services, and paging services -- an expansion of surveillance capabilities
never contemplated by Congress.
(a) Information services
In paragraph 29 of its submission, the FBI states that it agrees that
providers of "exclusively information services are excluded from CALEA"
but that "any portion of a telecommunications service provided by a
common carrier that is used to provide transport access to information
services is subject to CALEA."
Such services are explicitly exempt under the statute. Section 103
(4)(b) provides limitations on what services are required to meet assistance
capability requirements under CALEA. It states:
(b) Limitations:
(2)Information services; private networks and interconnection services
and facilities. The requirements of subsection (a) do not apply to--
(A) information services; or
(B) equipment, facilities, or services that support transport or
switching of communications for private networks or for the sole
purpose of interconnecting telecommunications carriers.
Congress explicitly rejected any application of CALEA to
information services including electronic mail and on-line services
recognizing that interception of those communications is the equivalent of
"call content" and is therefore, subject to a much higher degree of protection
under the Constitution. The FBI, and the Commission NPRM, incorrectly
assume there is a distinction between carriers that exclusively provide
information services and common carriers that provide access for
information services. The FBI is simply attempting to gain back-door
access to information services contrary to Congress' intent.
(b) Carriers Providing Private Services:
Paragraph 22 of the FBI comment states that "there may exist
telecommunications companies that do not hold themselves out to serve the
public indiscriminately that should also be treated as 'telecommunications
carriers' by the Commission. Otherwise, companies that hold themselves
out to serve particular groups may, intentionally or inadvertently, undermine
CALEA."
Thus, the FBI's conclusion that private services that do not
indiscriminately provide services to the public fall within CALEA's ambit is
unwarranted. Indeed as the legislative history states:
"...telecommunications services that support or transport switching of
communications for private networks or for the sole purpose of
interconnecting telecommunications carriers...need not meet any wiretap
standards...Earlier digital telephony proposals covered all providers of
electronic communications services, which meant every business and
institution in the country. That broad approach was not practical. Nor was
it justified to meet any law enforcement need."
Indeed the explicit exclusion of private networks was also based on
the potential threats to personal privacy that such could be incurred by
requiring private networks to meet the CALEA configuration requirements.
CALEA's legislative history states that private networks are not the usual
focus of court authorized electronic surveillance and that these networks,
although excluded by CALEA's requirements, may be required to provide
law enforcement with access to information after receiving a court order.
(c) Paging services:
Paragraph 25 of the FBI comments state: "Law enforcement
contends that paging systems should be included in the definition of
"telecommunications carrier" for the purposes of interpreting CALEA
because paging systems generally fall within the definition of common
carrier or, at minimum, rely on common carriers to be activated."
Paging service's reliance on common carriers for activation does not
automatically compel their compliance with CALEA.
III. The FBI Has Ignored Privacy Protection Requirements
The Congress specifically required privacy safeguards to assure that
communications not be made vulnerable to hackers and rogue wiretaps as a
result of CALEA. Section 105 of CALEA, Systems Security and Integrity,
mandates that "telecommunications carriers shall ensure that any
interception of communications or access to call-identifying information
effected within its switching premises can activated only in accordance with
a court order or other lawful authorization...". However, the FBI comments
and FCC NPRM merely reduce privacy concerns to questions of
telecommunication carrier recordkeeping and employee screening measures.
Furthermore, Section V of the FBI comments, which addresses the
carrier security procedures, attempts to undermine the protections against
unlawful government surveillance guaranteed in the Electronic
Communications Privacy Act of 1986. 18 U.S.C. 2510, et. seq. This section
asserts that there is "anecdotal evidence" that carriers have refused to
comply with law enforcement requests for wiretapping where there is
confusion as to the validity of court orders. As a result, the FBI has called
on the Commission to limit the ability of carriers to question the lawfulness
of requests for interception by various law enforcement entities. Similarly,
paragraph 47 states that "[c]arriers are the implementers, not the enforcers,
of lawful intercept orders or certifications under the electronic surveillance
laws."
We strongly disagree with that conclusion. Carriers have an
affirmative obligation under ECPA to ensure that they are not wrongfully
disclosing information to the government or third parties. The failure of
carriers to exercise good faith judgment and carefully scrutinize such
requests for information may expose them to criminal and civil liability
under ECPA. 18 U.S.C. 2520 (d). We believe that a Commission ruling
providing that carrier's lack the ability to scrutinize the validity of
warrants would require them to abrogate their statutory good faith
obligations. In addition, the Commission lacks authority to limit the
rights of carriers to review such orders and such a requirement would not
comport with other federal and state requirements.
Paragraph 46 of the FBI comments broadly states that carriers may
not question law enforcement authority to conduct wiretapping
investigations where one party has consented to interception. The FBI
broadly states that "[i]n such cases, the electronic surveillance statutes
clearly indicate that no court order is required."
We similarly disagree with this conclusion. Currently, at least 12
states do not permit "one party consent" to interceptions of communications.
Thus, we believe that a Commission rule limiting carrier discretion would
certainly create pre-emption questions where there is no Congressional basis
and where the request comes from state law enforcement.
Conclusion
Congress envisioned CALEA's implementation as an open process
that would ensure accountability and prevent the development of
unprecedented surveillance capabilities. The expanded capabilities sought by
the FBI, along with their non-compliance with CALEA's Public Notice of
Capacity Requirements warrant serious Commission and Congressional
response.
Our organizations believe that given the FBI's failure to meet public
accountability provisions, the Commission must indefinitely delay the
implementation of CALEA and report to the Congress on the serious
obstacles that have thwarted its implementation to date. We also ask that the
Commission require the FBI provide comment on the public record
explaining its failure to meet it unambiguous statutory obligations under
CALEA.
Respectfully Submitted,
_____________________________________
Laura W. Murphy, Director
Greg Nojeim, Legislative Counsel
A. Cassidy Sehgal, William J. Brennan Fellow
American Civil Liberties Union
Washington National Office
122 Maryland Ave, NE
Washington, D.C. 20002
(202) 544-1681
Marc Rotenberg, Director Barry Steinhardt, President
David L. Sobel, Legal Counsel Electronic Frontier Foundation
David Banisar, Staff Counsel 1550 Bryant Street, Suite 725
Electronic Privacy Information Center San Francisco CA 94103
666 Pennsylvania Ave., SE, Suite 301 (415) 436-9333
Washington, D.C. 20003
(202) 544-9240
Computer Professionals for
Social Responsibility
CPSR, P.O. Box 717,
Palo Alto, CA 94302
(650) 322-3778
cc:
Rep. Bob Barr
Sen. Orrin Hatch
Sen. Patrick Leahy
Rep. Henry Hyde
Sen. Ashcroft
Sen. Edward McCain
Sen. Arlen Spector
Rep. Billy Tauzin
Rep. McCollum
Rep. Charles Schumer
The Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414,
108 Stat. 4279 (1994) (codified as amended in sections of 18 U.S.C. and 47 U.S.C.)
Statement of the AT&T Corporation Before the House Subcommittee on Civil
and Constitutional Rights and Senate Subcommittee on Technology and Law,
reprinted, in Schneier and Banisar: The Electronic Privacy Papers, Wiley
and Sons, 1997.
See generally, EPIC letter to The Telecommunications Industry Liaison
Unit, November 13, 1995, reprinted in 1996 Electronic Privacy and
Information Center, Cryptography and Privacy Sourcebook, 1996, discussing
the failure of the Initial FBI Notification of Law Enforcement Capacity
Requirements to meet CALEA's obligations.
--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo@vorlon.mit.edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------