gidari-ieee
Transcript of gidari-ieee
-
8/8/2019 gidari-ieee
1/8
Law and Technology
ALBERT GIDARIPerkins Coie
PUBLISHED BY THE IEEE COMPUTER SOCIETY 1540-7993/06/$20.00 2006 IEEE IEEE SECURITY & PRIVACY 29
If you build it, they will come.
Shoeless Joe Jackson in Field of Dreams
The field of dreams today for communications
service providers and equipment manufacturers
seems without limits. But these organizations
need to understand that the much anticipatedthey also includes law enforcement agencieswith
court orders in handdemanding technical assistance in
wiretapping the bad guys who find these new services so
delightful. So if you build itfor use in the US any-
wayyou had better bake a wiretap capability into the
equipment, facilities, or service. The law requires this ca-
pability for telecommunications providers, and the Fed-
eral Communications Commission (FCC) has extended
the law to cover interconnected voice over IP (VoIP) and
all facilities-based, broadband Internet access providers.1
Since 1995, the Communications Assistance for Law
Enforcement Act (CALEA)2 has required tele-
communications carriers to install or deploy equipment,
facilities, and services with surveillance capabilities at the
ready. (To reflect the fact that CALEA now applies to
more than just local incumbent carriers and traditional
telephone companies, this article uses the term service
provider throughout). But who decides what capabili-
ties the law requires? Is it a technical or legal decision?
The short answer is that the communications industry
sets the standards in the first instance; law enforcement
and the FCC have significant influence on the process;
and, ultimately, the courts are the final arbiters of what
CALEA requires. Thus, its both a technical and a legal
question, joining lawyers and engineers at the proverbial
hip to define and design CALEAs assistance capability
requirements for tomorrows com-
munications networks.
CALEAs purposeThe US government passed CALEA in 1994 to preserve
its ability, pursuant to court order or other lawful au-
thorization, to intercept communications involvingadvanced technologies such as digital or wireless trans-
mission modes, or features and services such as call for-
warding, speed dialing, and conference calling, while
protecting the privacy of communications and without
impeding the introduction of new technologies, fea-
tures, and services.3 This was landmark legislation
never before had service providers been required to
build their systems with surveillance in mind.
CALEA was necessary because by 1994, new tech-
nologies were presenting enormous technical challenges
for law enforcement surveillance efforts. Indeed, by the
time CALEA passed, law enforcement had been over-
whelmed by the digital revolution in communications.
The movement from analog to digital communications
and the introduction of new services and features left law
enforcement well behind the technological surveillance
curve. Aptly enough, CALEA was initially called the
Digital Telephony Act.
Moreover, a host of new entrants arrived in the mar-
ketplace. With the Telecommunications Act of 1996 on
the horizon, competitive access providers and alterna-
tives to the local exchange were appearing in all major
markets, and the wireless industry had begun its rapid and
steady growth. No longer could law enforcement go to
one service provider to capture all of a targets communi-
cations. At the same time, market forces were causing the
Designing theRight Wiretap SolutionSetting Standards under CALEA
The Communications Assistance for Law Enforcement Act
(CALEA) requires telecommunications providers, including
VoIP and broadband ISPs, to provide wiretapping
capabilities with their services. Law enforcement and the
telecommunications industry must work together to set
CALEA-compliant standards.
-
8/8/2019 gidari-ieee
2/8
Law and Technology
disaggregation of telecommunications network compo-
nents, and more entities than just the corporate logo
on a customers phone bill were providing raw transmis-
sion, signaling, and new applications.
As for the communications industry, its fair to saythat no one considered law enforcement needs in de-
sign criteria. Indeed, the notion of engineering a back
door into a communications system for anything other
than troubleshooting or maintenance was the equiva-
lent of designing a security flaw into the product. Its
one thing to tell the government which copper wire
serves which customer so they can attach a pair of alli-
gator clips to the line and listen; its quite another to
dedicate ports, rack space, and computer processing to
enable wiretaps in the central office, with service
provider personnel responsible for flipping the prover-
bial switch. Moreover, with increasingly intense com-petition for subscribers, some were concerned that the
added cost of developing surveillance solutions could
delay or preclude the time to market or stifle innova-
tion altogether.
Against this backdrop, and realizing that industry
would continue to deploy new communications services
without surveillance capabilities, the US Congress de-
cided to require that surveillance capabilities be included
in the deployment of all future telecommunications
equipment. According to CALEAs drafters, it embodies
three key congressional policy goals:
preserve a narrowly focused capability for law en-
forcement agencies to carry out properly authorized
intercepts;
protect privacy in the face of increasingly powerful and
personally revealing technologies; and
avoid impeding the development of new communica-
tions services and technologies.4
In the end, the government passed CALEA to help
preserve law enforcements investigative capabilities in
the face of a changing telecommunications landscape.
Some might argue that Congress actually set the stage
for industry to significantly enhance surveillance capa-
bilities through design improvements in the surveil-
lance architecture, making it easier, faster, and cheaper
to conduct wiretaps. This outcome could be good or
bad, depending on your political viewpoint, but one
thing is certainthe current architecture provides for
greater accountability and transparency, as wiretaps
now occur with the affirmative intervention of service
provider personnel.
Requirements and consequencesSection 103 of CALEA requires telecommunications
carriers to ensure that their systems have the technical ca-
pability to
isolate expeditiously the content of targeted communi-
cations transmitted within the carriers service area;
isolate expeditiously information identifying the tar-
geted communications originating and destination
numbers, but not targets physical locations; provide intercepted communications and call-identifying
information to law enforcement in a format transmit-
table over lines or facilities leased by law enforcement to
a separate location; and
carry out intercepts unobtrusively, so electronic sur-
veillance targets arent aware of the interception, and in
a way that doesnt compromise other communications
privacy and security.5
CALEA doesnt tell manufacturers or service providers
how to meet these requirements, but lets individual en-
tities decide how to comply, either ad hoc or throughstandards-setting organizations, which I discuss in the
next section.
Telecommunications equipment installed or de-
ployed before 1 January 1995 is grandfathered and
deemed compliant unless or until the government pays to
upgrade it to meet CALEA or the service provider itself
replaces or significantly upgrades the grandfathered
equipment, installs new equipment, or launches new ser-
vices.6 Providers deploying equipment or services after
this date receive no reimbursement for meeting
CALEAs assistance capability requirements.6
Failure to meet these requirements could result inpenalties of up to US$10,000 per day.7,8 Courts can also
order service providers to undertake network or equip-
ment modifications to meet them.8 However, before it
can impose any penalty, a court must find that compli-
ance is reasonably achievable through the application of
available technology to the equipment, facility, or service
at issue or would have been reasonably achievable if
timely action had been taken.7
This limitation on the courts power is no loophole.
CALEA requires a service provider to consult with its
manufacturers in a timely fashion to ensure that current
and planned equipment, facilities, and services comply.9
Additionally, manufacturers must make the necessary
CALEA-compliant features or modifications available to
service providers in a timely manner and at a reasonable
charge.9 Significantly, the absence of technical standards
is no defense to an enforcement action, but involvement
in a standards effort might be important evidence of
whether service providers took timely action to ensure
available compliant equipment.
The role of standardsAlthough the absence of standards is no excuse for
avoiding CALEA compliance, section 107 of the act
does create a safe harbor for service providers or man-
ufactures whose equipment, facilities, or services are in
30 IEEE SECURITY & PRIVACY MAY/JUNE 2006
-
8/8/2019 gidari-ieee
3/8
Law and Technology
compliance with publicly available technical require-
ments or standards adopted by an industry association or
standards-setting organization, or as set by the FCC, to
meet CALEAs requirements.10 (The FCC currently is
contemplating which bodies can promulgate standardsor requirements, including whether to recognize those
developed by non-US standards organizations.) Con-
gress determined that although the communications in-
dustry should consult with law enforcement regarding
surveillance needs, industry itself would decide how to
meet those needs.5 As Congress put it, Those whose
competitive future depends on innovation will have a
key role in interpreting the legislated requirements and
finding ways to meet them without impeding the de-
ployment of new services.11
Congress understood that disputes might arise over
standards adequacy and, in response, provided a proce-dure for the FCC to review them. Section 107 provides
that any person who believes a published standard is defi-
cient can petition the FCC to set the requisite technical
requirements in a public rulemaking.10 To be clear, a pri-
vacy advocate can challenge a standard because it fails to
protect the privacy of communications not authorized to
be intercepted, just as a local law enforcement agency can
bring a challenge because the standard fails to provide all
the required capabilities.
If the FCC finds the standard deficient, it must set
technical requirements that
meet CALEAs assistance capability requirements with
cost-effective methods;
protect the privacy and security of communications
not authorized to be intercepted;
minimize the cost of such compliance on residential
ratepayers;
serve the USs policy of encouraging the provision of
new technologies and services to the public; and
provide reasonable time and conditions for compliance
with and the transition to any new standard.10
Any person who disagrees with the FCCs findings can
appeal the resulting order to an appropriate federal Cir-
cuit Court of Appeals.
The standards process in practiceThe efficacy of CALEAs standards process was tested
almost immediately. Subcommittee TR45.2 of the
Telecommunications Industry Association (TIA)
worked for more than two years to develop Joint Stan-
dard 025, Lawfully Authorized Electronic Surveillance,
to serve as a safe harbor for wireline and wireless carri-
ers under section 107(a) of CALEA (you can buy copies
of the standard and its subsequent iterations at
www.tiaonline.org). Law enforcement came into the
standards process with a long list of desired capabilities,
whereas industry representatives took a minimalist ap-
proach, addressing only those it understated the law
clearly required.
The subcommittees meetings were often con-
tentious, with law enforcement offering contributionsexplaining why certain capabilities were desirable or re-
quired and industry participants rejecting many of the
demands as not clearly required by CALEA. For exam-
ple, law enforcement desired, and industry refused to in-
clude, a feature status message that would require a
service provider to notify law enforcement when spe-
cific subscription-based calling services are added to or
deleted from the facilities under surveillance, including
when the subject modifies capabilities remotely through
another phone or through an operator.12
Conversely, after many arguments, industry partici-
pants finally included in the standard a capability to reporta cell phones location at the beginning and end of a call.
This compromise (which excluded a law enforcement
desire to also receive messages whenever a call was passed
between cell towersthat is, a tracking capability) disap-
pointed privacy advocates, who believed that CALEA
didnt include a requirement to report wireless call loca-
tion information. (The FCC and ultimately the courts
sustained the location requirement.)
TIA and Committee T1 (sponsored by the Alliance
for Telecommunications Industry) published the final
standard in December 1997. It defined the services and
features that must support surveillance (for example, callforwarding) and specified the permissible interfaces (such
as allocation of call content and data channels) for deliv-
ery of intercepted communications and call-identifying
information to law enforcement.
Privacy advocates challenged the standard almost im-
mediately: on 27 March 1998, they petitioned the FCC
for review, claiming that the standard didnt do enough to
protect privacy because it permitted delivery of location
information and packet-mode communications. The
next day, the US Department of Justice (DoJ) likewise
filed its expected petition, claiming that the standard
failed to provide all the required capabilities. (For a list of
the nine essential capabilities considered and rejected
during the meeting, see the sidebar.)
www.computer.org/security/ IEEE SECURITY & PRIVACY 31
The government passed CALEAto help preserve law enforcements
investigative capabilities in the face
of a changing telecommunications
landscape.
-
8/8/2019 gidari-ieee
4/8
Law and Technology
The FCC put the petitions out for public comment in
April 1998,13 but didnt resolve the challenges until Au-
gust 1999, when it published an order generally support-
ing most but not all of law enforcements requests.12 The
telecommunications industry challenged this order be-
fore the US Court of Appeals for the District of Colum-
bia, and in August 2000, the court concluded that theFCC had adequately considered privacy concerns, but
hadnt engaged in reasoned decision-making in regard
to law enforcements requests.14 Essentially, the court
concluded that the FCC didnt adequately explain the
basis of its decision.
The court sent the case back to the FCC for further
consideration. Unsurprisingly, the FCC engaged in
reasoned decision-making on remand, and in April
2002, upheld its initial determination that CALEA re-
quired law enforcements requested enhancements.15
The FCC gave the telecommunications industry 90
days to comply with the requirements, and no one ap-
pealed this decision.
While these legal maneuvers were progressing, the
telecommunications industry also moved to standardize
law enforcements so-called punch list items and pub-
lished an amendment to JSTD025 in May 2000.
JSTD-025A contains only those capabilities the FCC
identified as required by CALEA in its order after re-
mand by the court (see the sidebar). It didnt include law
enforcements other desired capabilities, and they arent
available today.
Standards for Internet access and VoIPAs I noted previously, the FCC has extended CALEA
to cover all facilities-based broadband Internet access
and all interconnected VoIP service providers. How-
ever, JSTD-025 actually included a surveillance capa-
bility for packet-mode communications, including
those delivered using IP. The solution calls for a service
provider to deliver each packet to law enforcement re-
gardless of the form of legal process received. On apen-
register order, which records a users dialing and signalingactivity associated with a call, law enforcement would
extract the communications identifying information
(that is, the packet header) itself. This capability was
part of the challenge to the standard I just described.14
The court upheld the capability on the grounds that any
acquisition of identifying information had to be law-
fully authorized, implying at least that a wiretap order
based on probable causewhich is much more difficult
than a pen-register order for law enforcement to get
was necessary.
The FCC itself was uneasy with how the standard calls
for responding to packet communication pen-register
requests. As part of its 1999 order, it requested that the
communications industry report on how to better ad-
dress privacy concerns raised by lawfully authorized
surveillance of packet-mode communications.16 In re-
sponse, industry convened a series of Joint Experts Meet-
ings (JEMs) to determine the feasibility of separating
packet content from the information identifying its ori-
gin, destination, termination, and direction.
The industry submitted its final JEM report to the
FCC on 29 September 2000, but the FCC took no ac-
tion on it or its recommendations. At the time, law
enforcement wasnt opposed to the JEM report recom-
mendationsit didnt like the JSTD-025 approach of
delivering a packets entire content on a pen-register
32 IEEE SECURITY & PRIVACY MAY/JUNE 2006
Law enforcement punch list items
Law enforcement claimed the industrys first standard was
deficient because it didnt have these nine capabilities:
Content of subject-initiated conference calls. This capability would let
law enforcement access the content of conference calls supported by
the subjects service (including the call content of parties on hold).
Party hold, join, drop. Law enforcement would receive messages that
identify a calls active parties. Specifically, on a conference call, these
messages would indicate whether a party is on hold, has joined, or
has been dropped from a call.
Subject-initiated dialing and signaling information. This capability
would give a law enforcement agent (LEA) access to all dialing and
signaling information available from the subject and would inform
the agent of a subjects use of features (such as flash-hook and otherfeature keys).
In-band and out-of-band signaling (notification message). A LEA
would receive a message whenever a subjects service sends a tone
or other network message to the subject or associate (such as a noti-
fication that a line is ringing or busy). Timing information. A LEA would receive information necessary to
correlate call-identifying information with the call content of a com-
munications interception.
Surveillance status. A LEA would receive a message verifying that an
interception is still functioning on the appropriate subject.
Continuity check tone(c-tone). An electronic signal would alert a LEA
if the facility used for delivering a call-content interception has failed
or lost continuity.
Feature status. A message would affirmatively notify a LEA of any
changes in features to which a subject subscribes.
Dialed digit extraction. Information a LEA receives would include
those digits a subject dialed after the initial call setup was completed.
A federal court ultimately agreed that six were required, excluding
feature and surveillance status, as well as continuity check capabilities.
-
8/8/2019 gidari-ieee
5/8
Law and Technology
order, and it viewed a separated delivery capability for
packet headers to be more desirable from an evidentiary
viewpoint. Essentially, law enforcement only wanted to
receive that which the law authorized, and it preferred to
have service providers take the necessary steps to ensurethat no more than this was delivered. (For more informa-
tion, see the Packet Surveillance Fundamental Needs
Document, available on request via www.askcalea.net.)
In an effort to develop a new standard that would sep-
arate call-identifying information from packet content,
the communications industry conducted a new round of
standards meetings in 2003 under the same auspices of
TIA. TIA approved JSTD-025B for trial use in January
2004. This standard incorporates all broadband access
surveillance standards under one umbrella, including
CDMA2000, Internet access and voice-over packets
using UMTS wireless technology, and wireline voice-over packet services.
Unfortunately, industry and law enforcement rep-
resentatives were again at odds over CALEA require-
ments, and law enforcement actually withdrew from
participating in the process. Law enforcement today
claims that the standards are deficient and dont provide
the same type of information and capabilities as do cir-
cuit-mode communications. (You can find its updated
packet requirements in Electronic Surveillance Needs for
Carrier Grade Voice over Packet Serviceand Electronic Sur-
veillance Needs for Public IP Network Access Services, both
available via www.askcalea.net.) Industry representa-tives who developed the standard counter that, assum-
ing CALEA extends to certain packet-based services
(which is in dispute and currently on appeal by privacy
groups and others), the FCC should examine the re-
quirements with respect to a particular technology
platform rather than on a service-focused basis.17 This
view is based on the belief that a platform approach
could define a set of network events common to all ser-
vices and specify call-identifying information that law
enforcement could extract without analyzing more of
the packet than necessary.17
The real fight, however, is over how to define call-
identifying information in packet-based technologies
when you can find relevant information within several
encapsulated layers of the protocol stack. The FCC rec-
ognized the issue, which is as yet unresolved:
The data link layer (supported by switches or
bridges) contains hardware source and destination
address information; the network layer (supported
by routers) contains the source and destination IP
address; and the transport/session/presentation/
applications layers (supported by host devices and
gateways) contain source and destination port ad-
dresses, session sources and destinations, and ses-
sion start and stop times. [These providers] may
not be able to easily isolate call-identifying infor-
mation without examining the packet in detail,
or in other words, examining the packet content.18
It seems that history is about to repeat itself in terms ofthe standards process now that the FCC has deemed facil-
ities-based broadband ISPs and interconnected VoIP
providers to be subject to CALEAalthough the FCC
has said whos covered, it has yet to say whats required.
Several areas of contention exist. One of the punch-
list capabilities for circuit-mode communications, for
example, involved the extraction of post-cut-through
dialed digits (that is, numbers dialed after a call has been
connected or cut through, such as bank account num-
bers or voicemail passwords). Under packet standards,
such extraction isnt required for VoIP calls, but law en-
forcement claims it should be. Another example in-volves law enforcements request for information about
each packet an Internet Service Provider (ISP) carries
that includes information at a protocol layer that the ISP
doesnt manage.17
Its unclear when the saga of the packet-mode com-
munications standard will be resolved, or if doing so will
even be necessary once the courts resolve the challenges to
the FCCs extension of CALEA. Regardless of whether
CALEA applies to these Internet services, however, law
enforcement might still seek an order for technical assis-
tance in wiretapping packet-mode communications.19
ISPs will likely still implement some capability require-ments, if not those identified in JSTD-025B.
In addition, the TIA effort with JSTD-025B isnt the
only ongoing standard setting activity. CableLabs, for ex-
ample, has produced a standard that law enforcement has
found suitable.20 In fairness, law enforcement participa-
tion in other venues has been less contentious. The
question remains, however, whether any uniform under-
standing of CALEA requirements exists, and how each of
these standards compares with others in terms of defining
call-identifying information.
Lessons learnedCALEA created a natural conflict: industry trying to
minimize the cost of compliance through efficient stan-
www.computer.org/security/ IEEE SECURITY & PRIVACY 33
Enforcement today claims that thestandards are deficient and dont
provide the same type of information
and capabilities as do circuit-mode
communications.
-
8/8/2019 gidari-ieee
6/8
Law and Technology
dards development and minimalist design requirements
set against law enforcement needs and the desire to want
all the bells and whistles, especially because someone else
is paying for it. Add to this mix the fact that the law
doesnt clearly articulate the legal requirements, and pro-
tracted conflict is inevitable, leading to protracted de-
ployment dates for any solution, leading to greatfrustration for law enforcement, which sees the process as
aiding and abetting the bad guy. In the end, the goal is to
arm law enforcement with the tools it needs to do its job
while protecting privacy and shareholder value. To
achieve that goal, a public-private partnership is needed
with adequate public funding of the process. After all, a
nations security is the quintessential public good, and we
all have a stake in it.
Lack of definition breeds disputeTen years of surveillance standards development has re-
vealed a gulf between law enforcement needs and ser-vice-provider requirements. To law enforcement, any
and all information about subscribers use of services is of
interest and could yield intelligence. To a service
provider, information unrelated to communications
processing (such as users receiving voicemail alerts) isnt
call-identifying and doesnt fall under CALEAs require-
ments. A further corollary is that information not relied
on by the subscribers provider to route a call shouldnt be
required (post-cut-through signaling acted on by another
carrier, for example).
Law enforcement and service providers cant bridge
this gulf because the difference relates to cost and who
bears it. Extracting signals that have no call-processing
function and delivering them to law enforcement creates
a vastly different surveillance architecture than merely
delivering user input when a call begins. Whether
CALEA requires one or the other remains to be seen, but
until its clear, the two sides will always dispute how much
is enough, with standards organizations acting as the
battlefield but not the court of last resort. (To be clear,
there is no law against providing more capabilities, as long
as the resulting output is lawfully authorized.)
Standards are always lateAlthough we might view the CALEA framework as pro-
viding a thoughtful and deliberate process to ensure that
its goals are met in a balanced way, lawyers who have
practiced before the FCC and engineers who have sat
through standards meetings know that the process is any-
thing but efficient and prompt. Its also a myth, albeit one
now enshrined in law, that standards ever really precedeservice or capability development and deployment. Usu-
ally, standards follow innovation and market acceptance
as service providers and manufacturers compete to be the
first to introduce a service or feature.
In short, there is no real industry standard until a
critical mass of industry participants is willing to share in-
formation to create one. The myth finally crumbles be-
cause surveillance standards development is divorced
from service standardization itself. The surveillance solu-
tion will never arrive when an organization is ready to
deploy a service.
Thus, both law enforcement and the communica-tions industry are in an endless cycle of CALEA catch-
up and catch-22. Catch-up for the reasons I just
outlined, and catch-22 because no safe harbor exists if
services are deployed without CALEA capabilities. True
enough, Congress made it unequivocally clear that
CALEA wasnt to hinder new service deployment, stat-
ing that if a service or technology couldnt reasonably be
brought into compliance with interception require-
ments, then it could still be deployed. Of course, this is no
real alternative because service providers wont want to
risk an enforcement action.
Nor will they want to design some rudimentary, oreven reasonably sophisticated, ad hoc solution. CALEA
doesnt mandate using a standards-based solution, but a
service provider that goes it alone runs the risk of law
enforcement deeming its solution unacceptable. Worse
yet, subsequent standards could render it obsolete or in-
adequate by comparison.
Such one-off solutions dont help law enforcement
either, which must buy up-to-date collection equipment.
Vendors rely on standards to make collection equipment
extensible so that law enforcement can buy one box to re-
ceive data from multiple service providers regardless of the
underlying technology. Standardization saves law enforce-
ment a fortune.
Nevertheless, extending the compliance obligation
pending standards development or commercialization
isnt authorized under CALEA, although the act does
permit the FCC, upon petition from a service provider
or manufacturer, to extend the date if compliance is
not reasonably achievable through application of tech-
nology available within the compliance period.10
However, the FCC has determined that this provision
doesnt let it grant any extensions beyond the original
CALEA compliance date of 1998. Although the courts
will debate this issue in the future, industry cant fill the
deployment gap if the FCC wont grant extensions in
the meantime.
34 IEEE SECURITY & PRIVACY MAY/JUNE 2006
The two sides will always dispute
how much is enough, with standards
organizations acting as the battlefield
but not the court of last resort.
-
8/8/2019 gidari-ieee
7/8
Law and Technology
So, although standards should theoretically drive
CALEA compliance in a timely and effective manner, in
reality, the framework is unlikely to serve any one well.
Engineers playing lawyers is a bad idea;lawyers playing engineers is worseThe law should define the necessary capabilitiesit
doesnt. Leaving it to engineers to guess is both unfair and
unlikely to yield a standard that actually meets either the
law or law enforcement needs. CALEA round 1 re-
sulted in an exhausting eight-year process to implement a
standard for circuit-switched communications that were
already losing ground to new IP-based communications
services. Industry didnt develop those services with sur-
veillance in mind because it believed them to be exempt
from CALEA as information services. The FCC has de-
veloped a theory to extend CALEA to these servicestoday, years after their marketplace deployment and
adoption by customers.
But how well did industry do with the first standard
with regard to noncontroversial capabilities? It still made
some fundamental mistakes despite law enforcements
active involvement. JSTD-025, for example, requires
that law enforcement receive a message showing the
numbers a subject dials on each origination or the in-
coming numbers of each call to the subject. One is a pen
register, whereas the other is a trap and trace; both re-
quire separate authorization, but law enforcement gets
them combined regardless.Another example is location information. Location
reporting is a parameter in each origination and termina-
tion message. In other words, to get location, you must
also get the number dialed or the incoming one. The
problem is that a separate legal standard (which is neither
a pen register nor a trap and trace) must authorize loca-
tion. Not all manufacturers implemented the standard
with location parameters as conditional; law enforce-
ment routinely received location information on pen
registers despite CALEAs express prohibition of doing so
pursuant to pen-register authorization.
Yet another example is the failure to differentiate be-
tween electronic and wire communications. Thus, law
enforcement would receive a voice call on a content
channel and short-message-service traffic or other elec-
tronic communications on the data channel. Again, the
two require separate legal authorizations, but the standard
provided law enforcement with both regardless of the au-
thorizations nature or CALEAs admonition to protect
the confidentiality of communications not authorized to
be intercepted.
Eventually, vendors, service providers, and collec-
tion-equipment manufacturers built solutions to rectify
these problems, but the standards remain unchanged in
addressing these infirmities, despite subsequent revisions.
The point is that surveillance law is arcane enough for
prosecutors and lawyers advising service providers with-
out making engineers put these legal requirements into
software code.
Whats more, an old axiom says that lawyers can find
ambiguity in a no smoking sign. How is it, then, thatCongress expected engineers to find clarity enough in
CALEA to set quasi-legal standards? Because the courts
are the final arbiters, the circle is complete as lawyers play
engineers in explaining standards to courts, who then de-
cide whether technical requirements meet the law. (Dur-
ing the oral argument in the court of appeals on the initial
standard, one judge asked Ted Olsen, who represented
the telecommunications industry and who ultimately
became the US solicitor general, what JSTD stood for.
The courtroom full of lawyers looked blankly on, until
one offered that it meant joint standardnot that this
was illuminating in any way.)
Its broken; fix itDespite everyones best intentions, the standards-setting
process for surveillance under CALEA is permanently
broken. The post-9/11 environment has given new
urgency to law enforcements demands for robust capa-
bilities in all new communications technologies. The
slowness of the standards-developing process has led law
enforcement to seek mandatory compliance deadlines
from the FCC.
Of equal concern, industry views some law enforce-
ment requests as gold-plating on an already expensive de-velopment process. Because service providers exclusively
bear the development and implementation costs, they
have every incentive to develop fewer capabilities and less
complex solutions.
And what of privacy concerns? They arent present at
the standards table, and the more complex standards be-
come as they extend to packet communications, the less
transparent or understandable the privacy impact could be.
In the end, all would be better served by a publicly
funded, joint industrygovernment development pro-
cess. CALEAs purpose was goodkeep law enforce-
ment current, dont impede innovation, and protect
privacybut could be better achieved with this collabo-
rative approach. The time has come to replace CALEAs
standards-setting provisions with a new, rapid, and fair
system of capability development.
AcknowledgmentsThe views expressed in this article are my own and should not be attrib-
uted to any of my clients.
References
1. In the Matter of Communications Assistance for Law Enforce-
ment Act and Broadband Access and Services, First Report
www.computer.org/security/ IEEE SECURITY & PRIVACY 35
-
8/8/2019 gidari-ieee
8/8
Law and Technology
and Order and Further Notice of Proposed Rulemak-
ing, ET Docket No. 04-295, RM-10865, 23 Sept. 2005;
www.askcalea.net/docs/20050923-fcc-05-153.pdf.
2. Communications Assistance for Law Enforcement Act, Public
Law No. 103414, Statutes at Large, vol. 108, 1994, p.4279 (codified as US Code, Title 47, sections 10011010
and US Code, Title 47, section 229).
3. House Report No. 103827, section 1; reprinted in US
Code Congressional and Administrative News, vol. 3489,
1994.
4. House Report No. 103827, section 1; reprinted in US
Code Congressional and Administrative News, vol. 3489,
1994, p. 3493.
5. US Code, Title 47, section 1002, 1994.
6. US Code, Title 47, section 1008, 1994.
7. US Code, Title 47, section 1007, 1994.
8. US Code, Title 18, section 2522, 2000.9. US Code, Title 47, section 1005, 1994.
10. US Code, Title 47, section 1006, 1994.
11. House Report No. 103827, section 1; reprinted in US
Code Congressional and Administrative News, vol. 3489,
1994, p. 3499.
12. In the Matter of Communications Assistance for Law Enforce-
ment Act, Third Report and Order, CC Docket No.
97213, 14 FCC Rcd 16794, paragraph 107, 31 Aug.
1999; www.askcalea.net/docs/fcc99230.pdf.
13. Federal Comm. Commission, Public Notice DA-98-762,
20 Apr. 1998; www.askcalea.net/docs/da980762.pdf.
14. United States Telecom. Assoc. v. FCC, Federal Reporter, 3rdSeries, vol. 227, 2000, p. 450 (US Court of Appeals for
the District of Columbia Circuit); www.fcc.gov/ogc/
documents/opinions/2000/99-1442.html.
15. In the Matter of Communications Assistance for Law Enforce-
ment Act, Order on Remand, CC Docket No. 97213,
17 FCC Rcd 6896, 11 Apr. 2002; www.askcalea.net/docs/fcc02108.pdf.
16. In the Matter of Communications Assistance for Law Enforce-
ment Act, Third Report and Order, CC Docket No.
97213, 14 FCC Rcd 16794, paragraph 55, 31 Aug.
1999; www.askcalea.net/docs/fcc99230.pdf.
17. Notice of Proposed Rule Making, ET Docket No. 04-295,
paragraphs 7785, 9 Aug. 2004; www.askcalea.net/
docs/20040809.fcc.04-187.pdf.
18. Notice of Proposed Rule Making, ET Docket No. 04-295,
paragraph 65, 9 Aug. 2004; www.askcalea.net/docs/2004
0809.fcc.04-187.pdf.
19. US Code, Title 18, section 2518(4), 2000.20. PacketCable Electronic Surveillance Specification, PKT-SP-
ESP-I03-040113, specification by CableLabs, 13 Jan.
2004; www.cablelabs.com/specifications/archives/PKT
-SP-ESP-I03-040113.pdf.
Albert Gidariis a partner with Perkins Coie, where he leads thefirms privacy and security practice. He represents serviceproviders in the implementation of CALEA and participated indevelopment of JSTD-025, the first electronic surveillance stan-dard developed to meet CALEAs requirements under the aus-pices of the Telecommunications Industry Association, andsubsequent standardization and implementation efforts. Gidarihas a law degree from George Mason University Law School
and a masters of law degree from the University of Washing-ton. Contact him at [email protected].
36 IEEE SECURITY & PRIVACY MAY/JUNE 2006
Learn how others are achieving systems and networks design and
development that are dependable and secure to the desired
degree, without compromising performance.
This new journal provides original results in research, design, and
development of dependable, secure computing methodologies,
strategies, and systems including:
Architecture for secure systems
Intrusion detection and error tolerance
Firewall and network technologies
Modeling and prediction
Emerging technologies
Publishing quarterly
Member rate: $31
Institutional rate: $285
Learn more about this new
publication and become a
subscriber today.
www.computer.org/tdsc
IEEE TRANSACTIONS ON DEPENDABLE
AND SECURE COMPUTING