A Statement of Concern about Expansion of CALEA (embedded below) has been issued with the support of a wide range of industry groups and public-interest advocates. (CALEA stands for the Communications Assistance for Law Enforcement Act.)
As the Joint Statement points out, the Administration apparently wants Congress to extend CALEA to communications technologies that are not now required to be designed in a way that facilitates governmental surveillance of their users. The Administration has failed to tell the public exactly what it is seeking and why, so it is not possible at this point to describe the Administration’s wish list or respond to it with specificity. Nonetheless, the Joint Statement urges policy makers not to impose new mandates without first confirming the necessity for those requirements, and without balancing their possible benefits against the corresponding impact on trust in the confidentiality of Internet communications, security, innovation, competitiveness, availability of encryption, and privacy.
In order to understand the debate that will take place if the Administration persists in its effort to expand CALEA, it will be helpful to know a little about the statute’s terms and its complex history.
As enacted in 1994, CALEA required telecommunications carriers to ensure that their equipment, facilities or services that provide a customer the ability to originate, terminate or direct communications were capable of expeditiously isolating and enabling the government, pursuant to a court order or other authorization, to intercept communications and access call-identifying information. CALEA expressly provided that these requirements did not apply to information services and did not require carriers to be responsible for decrypting information carried over their networks unless the carrier had provided the encryption capability and possessed the information necessary to decrypt that information.
CALEA defined “information services” in terms roughly similar to the Federal Communications Commission’s definition of “enhanced services” and the definition of “information services” later adopted in the Telecommunications Act of 1996. The FCC had used its basic/enhanced services distinction to avoid common carrier regulation of computer-based communications services. By adopting a similar distinction in CALEA, Congress signaled its intention to impose CALEA requirements only on traditional, circuit-switched landline and wireline telephone services and to avoid imposing burdensome CALEA requirements on more advanced services.
CALEA also defined “telecommunications carrier” as including any person “engaged in providing wire or electronic switching or transmission service to the extent the [Federal Communications] Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of this title.” Even here, CALEA expressly stated that an entity so classified may not include such “persons or entities insofar as they are engaged in providing information services.”
In 2004, the FCC considered a petition from Department of Justice, the Federal Bureau of Investigation and the Drug Enforcement Administration to expand CALEA obligations to broadband Internet access services and “managed” Voice over Internet Protocol services. (Managed or interconnected VoIP services offer the general public the ability to reach any number on the public switched telephone network).
In order to grant the petition, the FCC had to get around CALEA’s information services exception and its own, repeated findings that broadband Internet access, at least, is an information service and therefore not subject to common carrier regulation. (The classification of managed VoIP was less settled.)
The FCC nonetheless decided that CALEA obligations should be extended to broadband Internet access and managed VoIP, on the ground that the “substantial replacement” provision of CALEA shows Congress’s intent to create an information-telecommunications dichotomy in CALEA that is different from the FCC’s similar distinction between basic and enhanced services and the information-telecommunications distinction later made in the Telecommunications Act of 1996. The Court of Appeals upheld this decision.
The FCC’s decision on the government petition expressly declined, however, to identify “future services” subject to CALEA or to specify precise rules under which those services could be identified. This left the status of non-interconnected VoIP, smartphones, social networking and other media to be decided if and when the government petitioned to include them.
Now, with its apparent intention to seek new legislation, DoJ seems ready to bypass the FCC process. Rather than ask the Commission, once again, to erode CALEA’s information services exemption on a piecemeal basis, DoJ appears to want to amend CALEA so that the exemption is effectively eliminated.
Although DoJ’s precise proposal has not been disclosed, it certainly will require Congress to revisit the policy line it drew in 1994, when it declined to impose CALEA burdens on emerging information services. As the Joint Statement points out, extension of CALEA to new technologies that have evolved with a view to privacy, security and innovation raises issues of trust, cybersecurity, product innovation and competitiveness. Such an initiative, coming from the United States, also could spur other countries to impose mandates that are equivalent or worse.
If this historical discussion of CALEA has any value in the coming debate, it might show how DoJ’s apparent proposals will result, not just in an incremental extension of CALEA to newer technologies that are largely substitutes for the old, but to a qualitative change in the CALEA regime.
Consider the circuit-switched technologies to which Congress originally applied CALEA. Most of the implementation debates, post-CALEA, had to do with such questions as whether telecom companies should be required to provide government with access to advanced signaling information, such as “post-cut through digits” and the signals showing that participants in a conference call had left or entered the conversation. There never was a question that the telephone companies controlled and had ready access to that information, and in fact had generated those signals as a means of managing their services. Extension of CALEA to those signals did not require a redesign of the telephone companies’ networks to make them more centralized or to retrieve consumer-generated information that the carriers did not ordinarily monitor or collect. In a sense, CALEA compliance built upon, rather than transformed or undermined, the technological model on which the carriers’ networks were designed. This is very different, as I understand it, from the challenge CALEA compliance will present to peer-to-peer service providers that do not set up, take down or provide signaling for their customers’ communications on signaling, routing and transmission networks controlled by the service providers. The extension of CALEA to these “edge” technologies might transform them fundamentally, reducing drastically their value to users and the openness and innovation they represent. Before they run that risk, Congress and the Administration should make sure they have exhausted all of the less restrictive alternatives.