| CENTER FOR DEMOCRACY AND TECHNOLOGY 1634 Eye Street, N.W. Suite 1100 Washington, D.C. 20006 (202) 637-9800 | CENTER FOR NATIONAL SECURITY STUDIES Gelman Library, Suite 701 2137 H Street, N.W. Washington, D.C. 20037 (202) 994-7060 |
February 18, 1997
Mr. David F. Worthley
Unit Chief
Telecommunications Industry Liaison Unit
Federal Bureau of Investigation
14800 Conference Center Drive
Suite 300
Chantilly, VA 22021
Dear Mr. Worthley:
The Center for Democracy and Technology (CDT) and the Center for National Security Studies (CNSS) submit these comments in response to the referenced notice.
These comments are not intended to cover all the issues raised by the notice; other important concerns will be raised in the comments of other parties. We focus primarily on those aspects of the notice that affect accountability and privacy.
Summary -- The Second Notice Must Be Clarified to Unambiguously Rule Out Interpretations That Would Impose Unjustifiably Large Capacity Requirements
Read narrowly, the second capacity notice requires carriers to install surveillance capacity that is based on historical peaks of law enforcement surveillance activity. However, as we discuss below, even the historical baseline of "simultaneous" activity appears to have been overstated by the FBI's aggregation of actual switch-by-switch peaks over a 26 month period into a one-day hypothetical county-wide peak. This should be corrected.
Moreover, the notice is subject to an interpretation that yields capacity requirements totally inconsistent with historic patterns of surveillance activity, requirements exceeding even the levels in the FBI's earlier, widely criticized capacity notice of October 1995. Under such a broad reading of the notice, carriers would have to install in each switch a capacity sufficient to meet the requirements projected for an entire county or multi-county service area even when a county may have dozens of switches. To take the most extreme example, this broad reading of the notice would require just one of the wireline carriers in Los Angeles to install by 1998 the capacity to perform 136,000 simultaneous intercepts.* This is an absurd outcome that is contrary to the spirit and letter of the Communications Assistance for Law Enforcement Act ("CALEA").
Informally, the FBI has issued conflicting interpretations of the notice. In meetings with industry representatives as recently as February 11, FBI officials reportedly indicated that the capacity requirements must be met by every carrier, at every switching facility. However, in comments quoted in the New York Times on February 15, FBI officials claimed that was not their intent.
Given the lack of any official written interpretation of the notice that is subject to public review, we have concluded that the problems created by the conflicting interpretations of the notice are at this point so profound that we must urge the FBI to issue another notice for further public comment, making it clear that the more reasonable capacity levels were intended.
While the FBI is eager to move forward with CALEA implementation,
issuing for further public comment an unambiguous notice with
reasonable requirements is important for several reasons:
In order to limit surveillance capacity to reasonable levels, in a revised notice the FBI should make it clear that county-wide surveillance requirements are not to be applied to every switch in a county, but rather are to be distributed among the switches in the county, taking into account (1) the market share of each carrier within the county; (2) historic patterns of surveillance within the county, including the actual distribution of peak activity over time; and (3) any advances in technology that reduce the burden of carrying out electronic surveillance. Whether these criteria are susceptible of precise quantification requires further consideration, but they would provide an objective basis for the FBI to use in applying the capacity numbers set out in the notice and should be explicitly enumerated in the final notice.
These comments respond to the notice primarily from a wireline
perspective. While many of the concerns identified here also apply
to wireless services, there may be some unique considerations
in the wireless environment that would support a different approach.
Specific Ways in Which the Notice Should Be Clarified
While the second notice has some positive elements, most notably the Bureau's disclosure for the first time of historic data detailing past levels of law enforcement surveillance activity and its use of actual numbers instead of ambiguous percentages, the new notice is subject to various interpretations. Read narrowly, the notice imposes on companies (at taxpayer expense) surveillance capacity requirements in line with those traditionally experienced. Read a certain way, however, the notice proposes huge capacity requirements, far in excess of those justified by the FBI's own data, raising serious constitutional and statutory problems.
FBI officials have stated informally that any departures from
the more expansive reading of the notice will have to be separately
negotiated on a carrier-by-carrier, location-by-location basis.
These informal statements, although intended as assurances of
the FBI's desire to be reasonable, have given credence to the
broader interpretation of the notice. Rather than relying on negotiations
(sometimes referred to as "cooperative agreements"),
the ambiguity should be resolved on the record, providing the
type of public accountability that CALEA requires.
1. It should be made clear that the county-by-county requirements are to be distributed among carriers and among switching facilities based on historic patterns of activity.
The major source of ambiguity in the second notice arises from the FBI's statement of its requirements for wireline carriers on a county-by-county rather than a switch-by-switch basis.
To establish the requirements, the Bureau compiled historic baseline data, consisting of combined federal, state and local law enforcement surveillance activity on a county-by-county basis, nationwide between 1993 and 1995. This approach has the advantage of being grounded in past reality. However, all contact with reality would be lost if the Bureau were to insist that every switch in a county must meet the county-wide surveillance requirements.
Consider the following: The FBI found an aggregate peak of 1080 interceptions in Los Angeles county between 1993 and 1995. These intercepts were spread unevenly across the entire county. The FBI then estimated that, given past trends, the peak number of "simultaneous" intercepts would increase to 1360 by 1998. Assume that Los Angeles is served by only one local exchange carrier (in fact, there is more than one) and that the carrier has 100 central office switches for the county (we understand that one carrier in Los Angeles does have approximately 100 switches). The purpose of CALEA is to ensure that the carrier has notice of future law enforcement needs, so that it can install added surveillance capacity to accommodate multiple simultaneous intercept requests from law enforcement. Under this interpretation, therefore, the carrier would have to ensure that its system in Los Angeles has the capacity in 1998 to accommodate 1360 intercepts simultaneously, spread over all of Los Angeles, along the lines of past activity but with some margin of error for shifts in criminality.
Under the broad reading of the notice, however, the carrier would have to install surveillance capacity to serve 1360 intercepts on each switch in the county. That would increase the simultaneous capacity in Los Angeles by a factor of 100, to 136,000. *
To use the FBI's fire hydrant analogy, the baseline data shows the aggregate peak number of fires that ever broke out before throughout the entire Los Angeles county, but the notice can be read to require the installation of enough fire hydrants to fight the same number of fires simultaneously on each block in the county.
It seems unlikely that there was ever a time in the past or will ever be a time in the future when all the surveillance activity in Los Angeles was focused on one switch. It seems equally unlikely that the surveillance activity was or will be evenly spread over all the switches, so a company would not be justified in having the capacity to perform no more than 13.6 intercepts on each of its 100 switches serving Los Angeles. There must be some reasonable interpretation of the FBI proposal that falls between 1360 intercepts per switch and no more than 13.6 per switch.
The need to account for the distribution of surveillance activity
across a county or service area is brought home by the fact that
there are high activity counties in the FBI's survey where some
switches had zero surveillance activity. Information we have received
from the United States Telephone Association illustrates the problem:
In one county, there are approximately 100 switches. During the
FBI's survey period, a little over half of them had some surveillance
activity, but 47% of them had no surveillance activity at all.
A mechanical application of the notice would require the carrier
to install in those switches that never had an intercept the same
amount of surveillance capacity that it will install in the switches
that showed the most surveillance activity in the past. This result
must be disavowed conclusively.
The ambiguity in the notice is compounded when local phone service
competition is brought into the picture. What if two or three
carriers serve Los Angeles? Does each of them have to have capacity
to accommodate 1360 simultaneous intercepts? What if one of them
only serves 10% of the subscribers in the county? Does the company
serving 10% of the county have to install the capacity to carry
out the same number of intercepts as the carrier serving 90% of
the county? What if a new entrant leases its capacity from the
established carrier? The established carrier had the capacity
to meet 1360 orders. Does the new entrant, which is leasing only
a small sector of the original carrier's infrastructure, now have
to upgrade that sector to accommodate the full county-wide requirement
of 1360 intercepts? Again, the FBI reportedly has said informally
that each carrier in a region is responsible for meeting the county-wide
requirements. This effectively multiplies the requirements by
the number of carriers, with no law enforcement justification.
Finally, the FBI has not consistently applied the concept of "simultaneous"
intercepts. First, it determined the 24-hour peak of surveillance
activity for each switch, over the course of the 26 month survey
period. From switch to switch, these peaks did not occur on the
same day, let alone "simultaneously," but the FBI added
them together to obtain a county-wide "peak" which the
notice requires companies to meet as if occurred all on the same
day.
The final notice should address these concerns -- distribution
within a county, distribution among carriers, and distribution
over time -- and make it clear that the broad interpretations
are not what the Bureau intended. Equally important, the final
notice must make it clear that the FBI will not require separate
negotiations with each service provider to avoid the broad interpretations.
Separate negotiations would violate the fundamental goal of public
accountability in CALEA.
2. Recognition should be given to the differences between call content interceptions and access to dialed number information.
Another source of possible ambiguity in the notice is the fact that it draws no distinction between the capacity required to intercept call content and the capacity required to access dialed number information. The FBI indicates that 90% of all surveillances involve access only to dialed number information, not call content. Advanced telephone technology carries call content and signaling (dialing) information on separate channels. Given this development, accessing dialed number information may require less capacity or a less expensive kind of capacity than call content interceptions. If so, the difference should be taken into account in evaluating compliance with the capacity notice.
The distinction is important for privacy because access to only
the signaling channel is less intrusive than an interception that
captures call content as well. In traditional switching systems,
a law enforcement agency conducting a pen register intercepted
the entire subscriber line. That is, the telephone company delivered
to law enforcement at its monitoring facility access to the entire
line, consisting of both dialing information and call content.
In those 90% of interceptions where law enforcement was authorized
to collect only the dialed number information, law enforcement
agencies were expected not to listen to the call content. There
have long been concerns that some individual officers would listen
to call content when they only had authority for a pen register.
Now technology holds the promise of removing the temptation. Given
this development, the capacity requirements should reflect the
difference between call content interceptions and dialed number
interceptions, reinforcing the principle that carriers should
provide only the signaling channel to law enforcement in response
to a pen register or trap and trace order.
FBI Responses to Original CDT/CNSS Comments
In joint comments on the FBI's original, October 1995 capacity notice, CDT and the Center for National Security Studies (CNSS) made five points: (1) The notice did not disclose the historical baseline data that provided a crucial predicate to the proposal. (2) The notice did not describe the methodology by which the proposed capacity levels were extrapolated from the historical surveillance activity, with the result that there was no way to determine whether the projections were reasonable. (3) The notice did not specify the "actual number "of expected future intercepts, as required by CALEA. (4) The notice did not designate the geographic areas to which the capacity requirements apply, again in contravention of CALEA's requirements. (5) The notice did not define a key term, "engineered capacity." For these reasons, we contended, the proposed notice did not conform to the statutory requirements of CALEA. We recommended that the FBI issue a revised notice, subject to a new comment period.
We are pleased that the FBI, in the second notice, has responded to all of CDT's and CNSS's initial comments, by disclosing the historic baseline data, by describing its methodology for projecting future surveillance needs, by using actual numbers to define the requirements, by designating geographic areas, and by dropping the term "engineered capacity."
The improvements in the second notice are all for naught unless
the FBI explicitly adopts reasonable criteria for application
of the requirements. If the surveillance capacity required for
Los Angeles might be 1360 or 136,000 or something in between to
be determined in later negotiations, then the FBI has not provided
the "actual numbers" required by CALEA.
About CDT and CNSS
CDT is an independent, non-profit public interest policy organization working to develop and implement public policies to protect and advance individual liberty and democratic values in the new digital media. CNSS is a non-profit, non-governmental organization that works to prevent violations of civil liberties in the name of national security.
CDT coordinates the Digital Privacy and Security Working Group,
a diverse coalition of over 50 computer, communications, and public
interest organizations working to develop and implement policies
that protect personal privacy and network security on the expanding
and rapidly changing global information infrastructure. DPSWG
members played a critical role in the debate over CALEA, working
to ensure that the legislation was narrowly tailored to preserve
law enforcement access to communications while providing for public
accountability and strengthening privacy protections.
Conclusions
Some aspects of the FBI's second capacity notice are improvements over the first notice: (1) The FBI has disclosed the historic baseline data that formed the basis for its projections of future surveillance activity. The public has a right to this information, and carriers can examine this data to determine if it corresponds with their records of past activity. (2) As required by CALEA, the FBI has used actual numbers to describe future capacity requirements, instead of the confusing percentage of "engineered capacity" that was used in the first notice.
However, serious concerns remain. The capacity notice is subject to conflicting interpretations, interpretations that produce such widely divergent results as to vitiate the notice unless clarified. The FBI has suggested that it will answer questions about the application of the notice in one-on-one neg