Status of CALEA Implementation

FBI Seeks to Impose Surveillance Mandates on Telephone System; Balanced Objectives of 1994 Law Frustrated

March 4, 1999

Status Report on the

Communications Assistance for Law Enforcement Act (CALEA):

FBI Seeks to Impose Surveillance Mandates on Telephone System;

Balanced Objectives of 1994 Law Frustrated

I. Overview

Congress’s 1994 effort to ensure that advanced digital technology did not prevent law enforcement agencies from conducting wiretaps has become snarled in FBI efforts to impose expensive and intrusive surveillance mandates on the nation’s telecommunications networks.

When Congress enacted the Communications Assistance for Law Enforcement Act (CALEA or the "digital telephony" law) in 1994, it intended to balance law enforcement, privacy and industry interests. The purpose of the law was to preserve but not enhance government power. The cost of upgrading equipment was supposed to be no more than $500 million.

Ever since the law was enacted, the FBI has tried to rewrite the statute in ways that would obliterate the balance Congress intended. The FBI has sought to use CALEA to require new surveillance features in the nation’s telecommunications systems. It wants all wireless phones to have a location tracking capability controlled by the government. It has opposed privacy improvements, even technologically trivial ones that do not harm law enforcement. It has issued a rule requiring carriers to install the capacity for far more numerous surveillances than ever before. The FBI wishlist would drive the initial cost of compliance up to an estimated $3 to 5 billion, and the FBI has sought to shift these costs onto carriers, thereby evading the budgetary constraints that Congress thought would force the FBI to moderate its surveillance demands.

CALEA is not working. The FBI’s efforts have delayed fulfillment of the specific law enforcement needs that prompted Congress to enact the law. The dispute over CALEA has been taken to the Federal Communications Commission and to federal court, and Congress this year will have to consider whether added expense must be borne by taxpayers or telephone ratepayers (basically the same group of average citizens) to meet the FBI’s demands.

Surveillance enhancements sought by FBI

Contrary to the intent of Congress, which wanted to preserve a basic minimum surveillance capability and left it to the telephone industry to decide the details, the FBI has tried to dominate the CALEA implementation process, insisting that telephone companies include in their systems many specific features that would give the government new and more comprehensive surveillance capabilities:

Under pressure from the FBI, the wireless phone industry has agreed to provide law enforcement with the capability to track the location of cellular phone users.

Industry has also agreed that carriers using increasingly common "packet switching" protocols may provide to the government the full content of customer communications when the government is only authorized to intercept the less sensitive addressing data that indicates who is communicating with whom.

Despite these concessions, the FBI was still unsatisfied with the industry’s proposed compliance plan (known as a "standard"). The FBI has continued its push for additional surveillance features, including the ability to --

continue monitoring parties on a conference call after the subject of the wiretap order has dropped off the call;

collect more detailed information identifying each party on a call, including parties not the subject of investigation;

collect under a minimal legal standard all numbers dialed by a customer on a touchtone pad after a call is connected, which will include content such as credit card and bank account numbers that the government is not authorized to intercept; and

receive instant notification when a customer has a voice mail waiting or makes any changes in service.

Capacity Requirements

In March 1998, the FBI issued a vague and confusing notice setting forth the number of simultaneous interceptions that wireline, cellular and PCS service providers must be prepared to conduct under CALEA. The deadline for compliance with these capacity requirements is 2001. The FBI’s confusing methodology overstated historical needs and resulted in excessive requirements. CALEA requires the government to pay for capacity, but the FBI is trying to avoid out-year costs. The various associations representing wireline and wireless carriers and equipment manufacturers have filed suit in federal district court challenging the FBI’s capacity notice. CDT filed an amicus brief arguing that the capacity notice violates CALEA by failing to inform the public of what is required of carriers.

Last December, the FBI issued a notice of inquiry concerning surveillance capacity for the next generation of technology, including specialized mobile radio, satellite services, and packet protocols. Comments were due on February 16, 1999. CDT's comments are at http://www.cdt.org/digi_tele/calea.noi.shtml.

FCC Proceedings

The Federal Communications Commission (FCC) oversees the process of implementing CALEA. In September 1998, the FCC extended the CALEA compliance deadline to June 2000.

In an ongoing proceeding, the FCC is considering the privacy issues posed by CALEA. The FBI has asked the FCC to impose on carriers the added surveillance features that the FBI wants. In March 1998, CDT filed a petition at the FCC, asking it to deny the FBI’s request for enhancements, and to strike from the industry standard the location tracking capability and the treatment of surveillance in packet-switched environments. In October 1998, the FCC tentatively rejected the privacy concerns and indicated that it was likely to impose most of the added features sought by the FBI. Among other things, the FCC ruled tentatively that wireless phone location was a CALEA mandate.

In a separate proceeding, the FCC is considering an FBI proposal to require telephone company employees to undergo background investigations and to sign nondisclosure agreements. The FBI is also urging the Commission to limit the ability of telephone companies to verify the validity of purported wiretap orders. CDT and other privacy groups have urged the Commission to reject these FBI rules and to focus instead on the security vulnerabilities inherent in the type of computerized surveillance administration systems that companies are expected to install.

II.Upcoming milestones

Congress must confront funding issues:

In coming months, Congress will have to address the question of how much to appropriate for CALEA and whether to use the purse-strings to limit the FBI’s demands (and thus moderate the cost impact of compliance). In 1994, Congress authorized $500 million to reimburse carriers for the expense of retrofitting equipment to bring it into compliance with CALEA. So far, only $101 million has been appropriated.

This year, the appropriations process has two steps: (1) appropriating 4th Quarter 1999 funds for the Justice Department and FBI, which were withheld as a result of the controversy over the census, and (2) appropriating FY 2000 funds. One or the other bill may serve as the vehicle for resolving pending CALEA disputes.

Congress may also revisit the so-called "grandfather clause," which determines whether the government or the carriers pay for the cost of bringing existing equipment into compliance. Last Congress, Rep. Bob Barr (R-GA) introduced legislation to protect carriers from bearing the huge (and growing) cost of abruptly retrofitting their existing equipment.

FCC:

Sometime this spring, the FCC will rule on the cellular phone tracking and other privacy issues. In October 1998, the FCC tentatively sided with the FBI on most issues. The FCC solicited further comments on its proposed decision. The comment period closed on January 27, 1999 and the FCC has indicated that it is eager to issue a final ruling. CDT’s comments are at http://www.cdt.org/digi_tele/proceedings.html.

An order on the security issues is being drafted for circulation within the Commission. The FCC in October 1997 issued a Notice of Proposed Rulemaking proposing new recordkeeping and personnel security measures for carriers. CDT filed comments arguing that the FCC overlooked the privacy and security risks posed by the installation of surveillance features in computerized switching facilities.

Lawsuit challenging FBI capacity and reimbursement rules:

In the industry lawsuit challenging the FBI's capacity and cost recovery regulations, cross-motions for summary judgement have been filed and briefed. In January 1999, CDT filed an amicus brief supporting the companies on the capacity issue. The court is expected to respond in late spring or early summer. CDT's brief is at http://www.cdt.org/digi_tele/capacitybrief.shtml. The industry suit also challenges the FBI’s efforts to shift the cost of CALEA compliance to the carriers.

III.Privacy Recommendations

Several steps should be taken to restore CALEA to the reasonableness that characterized its drafting, to serve immediately the goals of preserving a basic surveillance capability for law enforcement (without the enhancements sought by the FBI), to protect privacy in the face of the increasing surveillance potential of the new technology, and to avoid imposing unreasonable costs on industry. The FCC, Congress, and the courts have overlapping authority to resolve the pending issues:

A. Restoring CALEA to its original narrow focus

1.FCC

The interim industry standard should be approved, minus the two provisions that intrude on privacy: the requirement for wireless phone tracking and the provision on packet switching, which does not require the separation of call content from addressing information to protect privacy. The FBI’s "punchlist" of enhancements should be rejected.

The FCC should require industry to develop a more specific standard for surveillance in packet switching environments, requiring carriers to withhold the content of communications that law enforcement is not authorized to intercept.

The FCC should use its NPRM on security to assure itself of the security of the networked surveillance administration systems that carriers will be installing to comply with CALEA, consulting if necessary with computer security experts.

The FCC should reject the FBI’s proposals for intrusive background investigations of carrier personnel.

2.US District Court

The district court should remand the FBI’s capacity notice, on the ground that what the FBI issued is too ambiguous to serve the public accountability objectives of the Act.

3.Congress

Congress should make it clear that the FBI’s proposals for enhanced surveillance capability are beyond the mandate of CALEA. Through the appropriations process, Congress should direct the FBI to begin promptly to reimburse carriers and switch manufacturers to implement the interim industry standard minus location tracking and the packet switching option and minus the other additional items still sought by the FBI.

Congress has authority to address the capacity issue under its general oversight power and through the appropriations process. The appropriations committees should deny the FBI the ability to impose redundant capacity requirements on carriers, by limiting expenditure of the capacity reimbursement funds.

Congress should make it clear that the government is responsible for reimbursing industry to retrofit existing equipment, including equipment installed after January 1, 1995. This will force the FBI to prioritize its requests and will keep the funding issue in the public light, rather than shifting the costs to the companies, where they may be hidden in the phone bills of consumers. To do so, the January 1, 1995 grandfather date should be extended. However, extension of the grandfather date should not be traded for the enhanced capability in the punchlist.

B.Congress must update the surveillance laws to protect privacy

Separate from CALEA, and without any government impetus, continuing technological developments are increasing government surveillance capabilities, and legal standards are not keeping pace. For example, even without CALEA, many wireless phone systems will be able to track users with increasing precision, and computerized switching systems will generate more detailed information on calling patterns. Under current law, government has access to this information under minimal privacy standards. Other amendments are needed to keep pace with the global, networked nature of communications and information storage.

Nonconsensual government monitoring of location through a wireless phone implicates privacy interests. Wireless telephones are generally associated with an individual and are regularly carried into places where a person has a reasonable expectation of privacy. Since developments in technology and improvements in 911 are already making wireless phone tracking information available in some systems, Congress should clarify the law by requiring a warrant based on a showing of probable cause for nonconsensual governmental access to real-time wireless telephone location information.

The standard for governmental access to other transactional information (through pen registers and trap and trace devices) should be increased to require an affirmative finding by a judge that the information sought is relevant and material to an on-going investigation. (The current standard reduces the role of the judge to a mere rubber-stamp.)

The rule requiring the government to "minimize" the interception of innocent conversations should be tightened.

Standards should be adopted to protect the privacy of records held by third parties or in networked environments and communications intercepted by the US overseas for law enforcement purposes.

If CDT is wrong, and the technology does not allow carriers to withhold packet call content from the government when the government is not authorized to receive it, Congress should make it clear that the government can access packet data information only in response to a "probable cause" order, not in response to a pen register order issued under a mere "relevance" standard.

IV.CALEA Background

A.CALEA sought a balanced approach to surveillance

"CALEA" is the Communications Assistance for Law Enforcement Act. It was enacted in October 1994. It was intended "to balance three key policies: (1) to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts: (2) to protect privacy in the face of increasingly powerful and personally revealing technologies: and (3) to avoid impeding the development of new communications services and technologies." H. Rpt. 103-827, p. 13.

The essential features of the balance that Congress struck in CALEA were:

(1) Law enforcement’s ability to wiretap was to be preserved but not expanded.

(2)Telephone companies were required to ensure that their systems could satisfy four basic capability assistance requirements, to (1) expeditiously isolate and intercept call content; (2) expeditiously isolate and intercept call-identifying information; (3) deliver intercepted communications and call-identifying information to the government in a format that allows them to be transmitted to a law enforcement monitoring facility; and (4) do so in a manner that protects "the privacy and security of communications ... not authorized to be intercepted" and the confidentiality of the interception. CALEA Section 103.

(3) Law enforcement could not dictate how to fulfill those requirements; rather industry would develop the technical specifications for implementation, with an appeal to the FCC by any party if the standards process failed.

(4)Carriers must install sufficient surveillance capacity to conduct multiple simultaneous intercepts, up to a level to be specified by the FBI in published notices.

(5)Privacy protections were strengthened, especially to give added protection to transactional data associated with e-mail.

(6) Carriers would be reimbursed for expenses in retrofitting existing equipment and adding additional capacity for law enforcement.

(7)Carriers would be responsible for compliance only to the extent "reasonably achievable."

(8)The implementation process was to be open to the public, and the Congress, the FCC and the courts were given authority to oversee the process.

B.What did Congress intend?

1.Preserving the status quo, not enhancing government monitoring capabilities

In light of concerns that features associated with new digital transmission modes could render wiretapping obsolete, Congress intended in CALEA to preserve the surveillance powers of the FBI and other law enforcement agencies. Congress did not require companies to maximize the surveillance potential of the new technology. FBI Director Louis Freeh testified repeatedly and consistently that the legislation was intended to preserve, not expand, the capability as it had existed since 1968. See, e.g., Joint Hearings (1994), p. 113. The House and Senate Judiciary Committee reports state that CALEA was intended "to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts" (emphasis added). H. Rpt. 103-827, p. 13.

In part, the current debate concerns whether CALEA will be used merely to preserve a minimum law enforcement capability, or whether the government will be able to mandate development of the full surveillance capabilities of the new technology.

2. FBI assertions in 1994 as to why CALEA was needed are at odds with its push now for enhanced capabilities

In determining how far the FBI approach to CALEA implementation has departed from Congress’ intent, it is useful to look at the actual problems that were cited to Congress by the FBI as justification for the Act. Of the problems identified in 1994 by the FBI, the most common was lack of adequate capacity in cellular systems to accommodate multiple surveillances at the same time. This accounted for 30% of all problems law enforcement could identify in a series of surveys between 1992 and 1994. The second most common problem was the inability of certain cellular systems to provide law enforcement with call-identifying information on a real-time or contemporaneous basis. (The cellular systems collected dialing information, but there was a delay before the information could be accessed.) The third most common set of problems related to special dialing features. When a person uses speed dialing, voice dialing or automatic redial or call-back, the pen register on the customer line only picks up the coded command, not the full number that it represents. The fourth most common problem was call forwarding: law enforcement could not capture incoming calls to the target’s line that were forwarded at the central office using a service provided by the telephone company. See H. Rpt. 103-827, p. 15.

Based on this survey and statements of telephone company representatives, Congress concluded that there were problems meriting legislation. And, of course, Congress was concerned to ensure that the future evolution of technology did not create new problems. But Congress did not intend to require a comprehensive redesign of the nation’s telecommunications system. After all, of the tens of thousands of wiretaps, pen registers and traps and traces conducted in the 1992-94 timeframe, there had been only 183 documented problems. Congress never said it wanted wiretaps to be perfect; Congress merely said it didn’t want wiretaps eliminated.

Since 1994, even though CALEA implementation has been stalled and industry has continued to deploy digital equipment not designed with law enforcement’s requirements in mind, electronic surveillance continues to be carried out. In the years since CALEA was enacted, the numbers of wiretaps, pen registers and trap and trace devices have remained at all-time highs, while the number of persons intercepted and the number of conversations monitored have gone up. This shows that there is no need for a comprehensive redesign of the telecommunications networks.

The urgency expressed by the FBI when it sought enactment of CALEA is considerably belied by the tardiness of the FBI in addressing the capacity issue. While 30% of the problems identified by the FBI in 1994 involved lack of adequate capacity in cellular systems to accommodate multiple surveillances at the same time, the FBI delayed for more than three years the issuance of a capacity notice that would be the first step in solving this problem. Compliance with the capacity notice is not required until 2001.

C.How did CALEA get so off track? The FBI’s 100% solution

Rather than seeking to address the major problems that prompted enactment of CALEA, the FBI has sought a 100% solution -- a comprehensive examination of the nation’s evolving telephone systems that would address all potential law enforcement concerns in a single "standard" for use by switch manufacturers. The FBI has tried to identify all the permutations an interception could take, all the contingencies that might occur, all the bits of electronic information that it would be useful to have, and has tried to convince industry to address each and every one of them. The FBI’s goal has not been merely to prevent the loss of the wiretap capability, but to prevent the loss of any bit of potential electronic evidence.

Industry originally acceded to this approach, and devoted extensive resources to addressing each and every issue raised by the FBI. As a result, implementation of CALEA is in a state of paralysis. The FBI’s pursuit of a 100% solution has resulted in a substantial delay in meeting the specific and substantial needs identified by the FBI in the 1994 hearings on CALEA.

D.The FBI attempted to dominate the CALEA standards process, in contravention of Congress’s clear intent

Early versions of digital telephony legislation would have given the Department of Justice design control over the nation’s telecommunications system. Congress rejected that approach. It instead enacted the broad functional criteria of section 103 and deferred to the industry standards process to develop solutions, with an appeal to the FCC if that process failed. FBI Director Louis Freeh testified in 1994 that Congress’ version of CALEA was "a vast improvement" over the earlier FBI proposal. Freeh testified that the revised bill was a "remarkable compromise," that it achieved "a delicate, critical balance." He emphasized that the legislation "reflects reasonableness in every provision." 1994 Digital Telephony Hearings, pp. 112-113.

Since Congress finished its work, the FBI has rejected reasonableness. It sought to dominate the industry standards process and sought to assume for itself the type of very specific feature design control over the nation’s telecommunications system that Congress expressly denied it.

In 1997, the telecommunications industry adopted a standard to implement CALEA. The FBI and other law enforcement agencies had extensive involvement in this process -- involvement that went well beyond the "consultation" contemplated by CALEA and amounted to an attempt to dominate the process. Industry rewrote its standard in many respects to accommodate the FBI’s positions.

However, the FBI was not satisfied with the many concessions by industry. The FBI objected to industry’s proposed standard, because it did not include the enhanced capabilities, sometimes referred to as the "punch-list." Therefore, the FBI encouraged other law enforcement agencies to use the voting rights given all interested parties under the rules of the American National Standards Institute, and they blocked adoption of the industry standard. Industry instead adopted its proposal as an interim standard in November 1997.

On March 26, 1998, CDT filed a petition at the FCC challenging the industry interim standard for going too far in mandating location tracking capability and in failing to require carriers to separate addressing information from content in packet-switched environments, when law enforcement is authorized to intercept only the addressing information. The very next day, the FBI filed, seeking the enhanced capabilities that the carriers had rejected. The carriers, for their part, filed asking for a two year extension of the compliance date.

V. Privacy Issues Raised by FBI Demands

Despite the limited nature of the problems identified by the FBI and presented to Congress in 1994, and despite evidence that the nation’s telecommunications system continues to support law enforcement wiretaps, the FBI has pushed for a comprehensive redesign of communications infrastructures. Under pressure from the FBI, industry yielded to some of the FBI’s demands and adopted an interim standard that expands surveillance capabilities and fails to protect the privacy and security of communications not authorized to be intercepted.

Two provisions of the industry interim standard are of major concern:

A.Location Tracking

The FBI has claimed that CALEA requires wireless carriers to provide law enforcement agencies with location information on any cellular and PCS communication, thereby turning the nation’s wireless phones -- now used by millions of ordinary citizens -- into real-time tracking devices. It was the express intent of Congress, supported by the Director of the FBI on the record in public testimony, that CALEA not include any location or tracking requirement.

At the first joint House and Senate hearing leading to enactment of CALEA, FBI Director Freeh expressly testified that CALEA would not require carriers to make location information uniformly available. Director Freeh was very clear in disavowing any intent to cover such information:

"[Call setup information] does not include any information which might disclose the general location of a mobile facility or service, beyond that associated with the area code or exchange of the facility or service. There is no intent whatsoever, with reference to this term, to acquire anything that could properly be called ‘tracking’ information." 1994 Digital Telephony Hearings, p. 6.

Yet as soon as the law was signed, the FBI began claiming that tracking is a CALEA mandate. The wireless industry, while never agreeing that location information was a CALEA mandate, put it in the standard in an effort to reach a compromise.

Location information on wireless phones is fundamentally different from the type of location information that can be associated with a wireline phone. Wireless phones are normally directly associated with the physical presence of the individual user, even more than an automobile. Wireless phones are carried by their users into places where there is a reasonable expectation of privacy. Tracking of cellular phones implicates the movements of a person going about his or her business and personal life.

B.Packet Switched Content Delivery

Telecommunications companies are beginning to incorporate in their systems "packet switching" protocols similar to those used on the Internet. In a packet switching system, communications are broken up into individual packets, each of which contains addressing information that gets the packets to their intended destination, where they are reassembled.

This development has potentially profound implications for government surveillance. It has always been assumed that there is a distinction between call content, which is entitled to full Fourth Amendment protection requiring a judicial warrant based on probable cause, and signaling information, which is protected under a much lower "relevance" standard. In CALEA, Congress required companies to use technology that kept these two separate. But in the standards process, industry and the FBI assumed that it is not feasible to provide signaling information separate from the communications content in a packet switching environment. Therefore, the FBI and industry have proposed allowing companies to deliver the entire packet data stream -- including call communications -- when law enforcement is entitled to receive only dialing or signaling information under a pen register order. This approach relies on law enforcement to sort out the addressing information from the content, keeping the former but ignoring the latter.

This approach, were it followed, would obliterate the distinction between call content and signaling information that was a core assumption of the Electronic Communications Privacy Act of 1986. It also violates section 103(a)(4)(A) of CALEA, which requires carriers to ensure that their systems "protect[] the privacy and security of communications and call-identifying data not authorized to be intercepted."

The FCC has solicited comments on whether call-identifying information can reasonably be separated from the full data packet. CDT’s comments are at http://www.cdt.org/digi_tele/filing121498.html and http://www.cdt.org/digi_tele/cdtreply012799.shtml.

C.Additional surveillance enhancements sought by the FBI

In the foregoing respects, the interim standard adopted by industry under FBI pressure already exceeds the outer limits of what Congress intended to mandate through CALEA. The FBI, however, is asking the FCC to require functionality that goes even further beyond anything Congress contemplated, and the FCC is poised to rule in the FBI’s favor. The FBI’s "punch-list" of enhancements includes:

Multi-party monitoring - The FBI wants phone companies to design their systems so the government can monitor all parties to a multi-party call even after the subject of the intercept order is no longer participating in the call. The purpose of CALEA was to follow the target, but the FBI wants to continue monitoring those left behind after the subject of the court order is no longer on the call. Not only is this not mandated by CALEA, but providing it would violate section 103(a)(4)(A) of CALEA and the particularity requirement of Title III and the Fourth Amendment, since law enforcement is not authorized to intercept the calls of people not named in the order, when they are talking to the target or using the target’s phone.

The matter arises as follows: A is the intercept subject. A sets up a conference call with B and C using the conference call capability provided by A's service provider. Then A puts B and C on hold (or hangs up entirely) and calls D. The FBI is seeking the delivery of both A's conversation with D and the continuing conversation between B and C. Title III, embodying the Fourth Amendment standard of particularity, requires the specification in the order of the telephone facility to be tapped and the particular conversations to be seized. The Supreme Court has held that conversations between unknown individuals using a specified telephone line could be lawfully intercepted under Title III. United States v. Kahn, 415 U.S. 143 (1973). And lower courts have upheld the roving tap authority so long as it is limited to the interception only of conversations of named subjects. Intercepting the communications of unknown persons using telephones other than the target’s goes beyond these parameters.

Expanded definition of call-identifying information -Much of the controversy under CALEA relates to the distinction between interception of call content and the interception of call-identifying information. Call-identifying information is collected with pen registers or trap and trace devices, authorized without probable cause and without the discretionary review accorded to full call content interceptions. Because Congress was concerned with a blurring of the distinction between call-identifying data and call content, it included in CALEA an amendment to the pen register statute to require law enforcement when executing a pen register to use equipment "that restricts the recording or decoding of electronic or other impulses to the dialing and signaling information utilized in call processing." CALEA section 207(b). Contrary to this intent, the FBI is seeking an expanded definition of "call-identifying information" in order to increase the amount of information that it obtains under the minimal standard applicable to pen registers. FBI wants to use pen registers to collect --

digits that the subject dials after a call is connected -- these digits, which include credit card numbers and bank by phone information, do not identify a call in any sense but rather are content-related;

on-line notifications of customer changes in service;

messages indicating when a party puts a call on hold; and

messages indicating when the subject has a voice mail waiting.

D.Capacity

One of the major issues that prompted Congress to adopt CALEA was concern that telephone switches would not have the capacity to conduct multiple simultaneous intercepts. This had already been a problem in cellular systems, especially in New York City, where a number of law enforcement agencies operate and were competing for a limited number of surveillance ports on cellular switches.

Since law enforcement surveillance activity obviously varies from region to region, CALEA requires the FBI to issue notice of its capacity requirements for each geographic area, so that carriers know how much capacity to install. In October, 1995, the FBI issued its first proposed capacity notice. It seemed to require companies in major cities to install a surveillance capacity that would allow simultaneous monitoring of up to 1% of customer lines in service. This proposal was roundly criticized by industry and privacy groups, and the FBI withdrew it.

In March 1998, rejecting industry and privacy concerns, the FBI issued a final capacity notice, requiring carriers to install capacity far in excess of historical law enforcement surveillance needs, costing taxpayers many millions of dollars in unnecessary reimbursement.

In the final notice, the FBI exaggerated law enforcement’s past surveillance requirements by aggregating activity that had occurred over many months into a single, one-day peak.

The final notice implies that each and every carrier serving a particular area would have to install capacity sufficient to meet the total surveillance needs for that region, even if the carrier only served a portion of the customers in the area.

In other comments, the FBI has given an even broader interpretation of the notice, stating that carriers will have to install in each switch a capacity sufficient to meet the requirements projected for the entire county or multi-county service area. To take the most extreme example, this interpretation of the notice would require just one of the wireline carriers in Los Angeles to install the capacity to perform 46,100 simultaneous intercepts.

CDT’s detailed comments criticizing the second capacity notice are at http://www.cdt.org/digi_tele/970218_comments.html. CDT’s brief to the district court on the carrier’s challenge to the notice is at http://www.cdt.org/digi_tele/capacitybrief.shtml.

E.Security of new surveillance measures is not assured

Computers increasingly control telecommunications switching. Much of the telephone company efforts to comply with CALEA involve changes to the software controlling switching within telephone company central offices. Carriers will be establishing computerized surveillance administration functions. These functions may be networked with other systems administration functions. They are likely to be linked to functions and locations outside the particular switching office. While law enforcement will not have remote access to these administrative functions, it is likely that carrier employees will. This networking, like any other computer networking, creates a vulnerability to hackers and others.

CDT has urged the FCC to examine the security of the networked surveillance administration systems that carriers will be installing to comply with CALEA. Among the factors that should be considered:

System integrity. The surveillance administration systems (hardware and software) must be tamperproof.

Nontrivial individual authentication. Fixed passwords for user authentication are inherently insecure.

System-to-system authentication. It is likely that the surveillance administration function will be networked with other telephone company systems.

Audits trails that allow review of surveillance activity.

Intrusion detection programs that can help identify improper uses.

To date, little attention has been given to this issue. Instead, in September 1997, the FCC issued a "Notice of Proposed Rulemaking" (NPRM) in which the Commission tentatively adopted FBI suggestions that carriers be required to conduct background investigations on employees and keep paper records on surveillances activated in response to court orders. CDT and other privacy groups have explained that these personnel security and paper recordkeeping proposals are unresponsive to the technological problem of automated surveillance, and are not what Congress had intended. Our FCC filing is at http://www.cdt.org/digi_tele/971212_nprm_comments.htm .

VI.Conclusion

CALEA is not working as Congress intended. It is being used by the FBI to impose enhanced surveillance capabilities on the nation’s telecommunications system. Congress and the FCC should protect the communications privacy of Americans, making it clear that CALEA does not allow the FBI to use the industry standards process, the reimbursement process, or negotiations outside CALEA to write its own demands into the network design.

For further information, contact James X. Dempsey, senior staff counsel.