CALEA: A Precedent for Domestic Encryption Controls? FBI argues domestic key recovery is comparable to the 1994 Communications Assistance for Law Enforcement Act "CALEA", which ordered telecommunications carriers to accommodate law enforcement wiretaps.

FBI officials argue that the mandatory imposition of domestic key recovery is comparable to the mandate that Congress imposed on the telephone system in 1994 with the adoption of the Communications Assistance for Law Enforcement Act ("CALEA" or the digital telephony law). CALEA ordered telecommunications carriers to ensure that their systems can continue to accommodate law enforcement wiretaps notwithstanding the introduction of new technologies and services.

CALEA Is Not Working

First of all, it is not clear that CALEA is a good precedent for anything, for in many respects, over three years after enactment, CALEA is not working: The FBI was over two years late in issuing a required capacity notice, and has now issued a notice that still seems to impose on carriers exaggerated capacity requirements. The FBI, contrary to the letter and spirit of the law, has tried to require the industry to adopt specific surveillance features. When industry did not agree to every item on the FBI's wish list of surveillance capabilities, the FBI blocked adoption of an industry standard for compliance. The FBI and industry are still locked in dispute on the meaning of fundamental provisions. The cost of CALEA compliance is still not known. The FBI has admitted that industry will be unable to meet the October 1998 deadline for compliance. Either Congress will extend the CALEA compliance dates, or the Attorney General will have to do so. The FCC may have to intervene to resolve the standards dispute and protect privacy.

Having supported a compromise bill in 1994, the FBI has worked ever since to write reasonableness out of the statute, acting as if it had the comprehensive authorities it originally sought rather than the balanced ones Congress enacted. If the FBI could not mange a smooth implementation of CALEA, where technical experts believed at the outset that compliance was feasible, it is hard to see how the FBI could mange implementation of a global key recovery infrastructure, when the technical experts agree that the solution is not available.

The primary substantive difference between CALEA and the encryption issue has to do with user control. Telecommunications customers have never had control over the paths taken by their electronic communications; encryption users do control their cryptographic keys (that is the essence of modern cryptography). CALEA requires telephone common carriers to design their systems to preserve what has always been in the carriers' control: the isolation and routing of calls so that they can be intercepted by law enforcement. The FBI proposals for encryption require manufacturers to do something they have never done before, to take back something that was intentionally given to users, namely, the control over their keys. Under the mandatory key recovery proposals, industry would be creating a form of vulnerability that the technology was specifically designed to avoid -- the creation of a means of access to plaintext outside the control of the user.

There are also many specific differences between CALEA and the mandatory key recovery/access proposal supported by the FBI:

During the CALEA debate, industry technical experts agreed that the FBI's demands could be met. In the encryption debate, experts have concluded that the FBI's demands for key recovery are not within the competence of the field, and would impose high degrees of risk of computer security. See Risks of Key Recovery report. CALEA is limited throughout by a reasonableness standard: carriers are required only to make reasonable adjustments to comply. In the crypto arena, the FBI would require companies to change the fundamental nature of their product. In CALEA, Congress said that if a technology or service could not be tapped, it could still be manufactured and deployed. The FBI crypto proposal would reverse this, making it a crime to manufacture or sell any product that does not allow immediate access to plaintext. In the wiretap area, Congress came up with the legal standards for access first (in 1968's Title III), and then 26 years later in CALEA imposed technical requirements. The mandatory key recovery proposals reverse this process: they would impose technical requirements without stringent legal standards. CALEA gave industry the authority to set standards for implementing the requirements, while the government-mandated key recovery proposals give effective regulatory authority to the Attorney General. CALEA authorized $500 million to reimburse carriers for the cost of retrofitting, while the pending encryption proposals put the entire cost on industry. Unlike the largely unregulated computer industry, the telephone industry covered by CALEA had been subject to extensive state and federal regulation since its birth and had been carrying out wiretaps for 70 years as part of along-standing relationship with law enforcement.

Other Digital Telephony issues