Public Accountability, Privacy, and Cost Reimbursement in Digital Telephony Implementation

Index to this document

I. Overview
II. Current Status of Appropriations Process
III Outline of Compliance Process
IV. Reporting Requirements
V. New Privacy Provisions
VI. Conclusion

M E M O R A N D U M

To: Interested Persons
From: The Center For Democracy And Technology
Date: May 1995
Subject: Public Accountability, Privacy, and Cost Reimbursement in Digital Telephony Implementation

I. Overview

In October of 1994 Congress enacted the Communications Assistance for Law Enforcement Act (CALEA) (PL 103-414), also known as the "Digital Telephony" legislation. The statute requires telecommunications carriers to ensure that their systems contain sufficient capability and capacity to permit law enforcement to conduct electronic surveillance. Although law enforcement officials must still obtain a search warrant in order to conduct a wiretap, the statute granted law enforcement new authority to influence the design of telecommunications networks. This authority must be closely monitored to ensure that law enforcement does not abuse the powers granted to it under the statute.

The statute also contains specific new statutory privacy protections for transactional records generated by online electronic communications services, prohibitions on pen register authority to gather location information, and greater protection for cordless telephones. Furthermore, the statute contains provisions which require public accountability and oversight over government design authority, telecommunications carrier liability, standards setting, and cost reimbursement.

The expanded law enforcement authority granted by this statute requires diligent use of the provisions designed to protect privacy and ensure public accountability. The Center for Democracy and Technology both on its own and with the Digital Privacy and Security Working Group (a coalition of public interest organizations, representatives from the telecommunications, computer, online services, and software industries and associations, coordinated by CDT) will vigorously monitor the implementation of the Digital Telephony statute. CDT stands ready to intervene before the Federal Communications Commission, the telecommunications industry standards bodies charged with setting technical standards for implementing the requirements, and at other points as necessary to ensure that privacy is protected and public accountability is enforced.

This document will describe the provisions of the statute that specify obligations on government and telecommunications carriers. Among the these points, perhaps the most critical is that the statute is specifically not self implementing. No tax-payer funds can be spent under the statute until the government completes specific procedures (detailed below), each of which provides an opportunity for public oversight and intervention.

In addition, the statute contains other important public oversight and accountability provisions. Among these:

Requirements for notice and public comment before and after law enforcement requests surveillance capacity from telecommunications carriers,
Technical standards for meeting the requirements of the statute must be set by industry standards setting-bodies, not the government,
Technical standards developed under the statute can be challenged by the public for any reason in a proceeding before the FCC,
Detailed reports by the Attorney General and Comptroller General of the costs and scope of compliance,

Finally, the statute requires the government to reimburse telecommunications carriers for capacity upgrades, as well as capability upgrades where compliance is not "reasonably achievable." The legislation authorized, but did not appropriate, $500 million for this purpose. If Congress fails to appropriate funds to cover reimbursement, telecommunications carriers will not be required to comply with all the requirements of the statute.

These procedures must be closely monitored to ensure that the privacy is protected and that law enforcement does not abuse the powers granted to it under the statute.

II. Current Status of Appropriations Process

The specific method of financing CALEA implementation, as well as the total 1996 outlay, have not yet been determined. However, regardless of Congressional Appropriations decisions or the sum of appropriated funds, no funds can be spent under the legislation until the Attorney General determines which telecommunications carrier's networks require upgrades or changes in order to comply with the statute.

In determining how appropriated funds will be spent under the statute, the Attorney General must complete a series of studies and consultations, and provide notice to telecommunications carriers and to the public. These provisions of the statue are outlined below.

The statute separates compliance into two categories: capacity (i.e., the ability of a system to accommodate a specified number of intercepts, pen register and trap and trace devices), and capability (i.e., the ability to meet the capability requirements of the statute (sec. 103, see below)).

The process for telecommunications carrier compliance with the capability requirements, and the obligations on law enforcement will be discussed first.

A. Capability Requirements

Section 103 of the statute requires telecommunications carriers to meet four functional requirements to enable law enforcement to conduct electronic surveillance. These requirements are to:

expeditiously isolate and enable the government to intercept all wire and electronic communications within a carrier's network;
expeditiously isolate and enable the government to access call-identifying information;
deliver intercepted communications and call-identifying information to a location specified by the government (but only with the affirmative intervention of the telecommunications carrier). Remote monitoring is explicitly prohibited;
to meet these requirements in a way that protects the privacy and security of communications and call-identifying information not authorized to be intercepted.

Compliance with Capability Requirements

Telecommunications carriers have four years to comply with the capability requirements. However, before a carrier is responsible for making any changes to its network, the government must first determine what specific capabilities it needs, and consult with the telecommunications industry. The telecommunications industry, through standards bodies, must develop technical standards to meet the capability requirements, and these standards can be challenged before the FCC if any person believes they do not adequately protect privacy or fail to meet other requirements.

Below is an outline of the capacity compliance process, including a detailed accounting of the obligations on the government and telecommunications carriers.

Government Prohibited from Requiring Specific Design of Features or Services: The statute specifically prohibits the government from requiring a telecommunications carrier to adopt specific design features or systems configurations, or to prohibit a carrier from deploying any feature or service that does not meet the requirements (section 103 (d)). Technical standards developed to meet the requirements outlined above must be created by telecommunications trade associations or standards setting bodies, in consultation with the Attorney General (sec 107 (a)(1)).
Consultation Required before Standards Setting Process: The consultation process required under section 107 (a) must occur before any standards are developed. The beginning stages of the consultation have begun through the TILU process described above. Telecommunications carriers have 4 years to comply with the capability requirements, and then only subject to reimbursement for modifications which are not "reasonably achievable" under section 109 (a).

Public Accountability and Privacy Protecting Provisions With Respect to Standards Setting

The statute provides several opportunities for public intervention with respect to standards setting, including a requirement that standards be publicly available and an opportunity for any person to challenge a standard before the FCC.

Public Oversight of Standards Setting Process: A telecommunications carrier is in compliance with the statute if it is in compliance with publicly available standards set by trade associations or standards-bodies (section 107 (a)(2)). Because these standards must be publicly available in order for a carrier to be in compliance (section 107 (a)(2)), the public will have the opportunity to examine these standards.
Public Intervention before FCC: If the standards are deficient, particularly in terms of privacy protection, network security, cost to ratepayers, or for any other reason, any person can petition the Federal Communications Commission (FCC) to hold a rulemaking to establish standards. In setting standards under this provision, the FCC must ensure that the standards:
- Protect the privacy and security of communications not authorized to be intercepted, and
- Minimize the cost of such compliance on residential ratepayers.

This provision provides a lever of public accountability for the assistance requirements of the statute (sec 103), and, if properly utilized, will help to ensure that technical standards for meeting these requirements to not unnecessarily diminish privacy or increase costs to consumers.

Privacy Protections Must be Considered at Design Stage: Technical standards set under the assistance capability requirements (section 103) must "protect the privacy and security of communications not authorized to be intercepted" (sec 103 (a)(4)(A)). This provision requires telecommunications carriers, and telecommunications industry standards bodies, to consider privacy protection at the design stage and enshrine those protections into technical standards. Before this legislation was enacted, telecommunications carriers were not required to consider privacy protection when designing their networks.

Because carriers and standards bodies are required to consider privacy protection during the standard setting process, and because standards set through this process can be challenged before the FCC for any reason, these provisions (if properly implemented) will enable the public to:

ensure that privacy is not compromised by technical standards developed to meet the requirements of the statute
know what law enforcement's surveillance capability is, and
have the opportunity to challenge law enforcement's capacity requests before they are implemented by telecommunications carriers.

Funding for Capability Requirements

The government is required to reimburse telecommunications carriers for all costs associated with meeting the capability requirements for upgrades of equipment deployed before January 1, 1995, and for costs where modifications are not "reasonably achievable" (based on a determination by the FCC), for features and services deployed after January first 1995.

Features and services deployed before January 1, 1995 -- Government Reimbursement for all compliance costs: The statute requires the government to reimburse carriers for reasonable costs directly associated with modifications necessary to meet the requirements (section 109 (a)). However, these modifications will not be made, and no funds will be spent, until the government consults with telecommunications carriers to facilitate the development of technical standards as specified under section 107.
Features and services deployed after January 1, 1995 -- Government Reimbursement for modifications not 'Reasonably Achievable': The statute requires the government, subject to a request from a telecommunications carrier or other interested person, to reimburse a carrier for the costs of modifications which are not "reasonably achievable" (section 109 (b)). The FCC will determine whether compliance is reasonably achievable based on an analysis of whether compliance would impose a significant difficulty or expense on the carrier or the users of its network, and shall consider:
- the effect on public safety and national security
- the effect on rates for basic residential telephone service
- the need to protect the privacy and security of communications not
- authorized to be intercepted
- the need to achieve the capability assistance requirements of section 103 by cost-effective methods

and other factors. Interested parties, including privacy and consumer advocates, will have an opportunity to intervene in these proceedings. Furthermore, these proceedings will be public record, providing an important level of public accountability to law enforcement's surveillance requests. This will ensure that law enforcement is not making unreasonable demands for unnecessary capability, or force the public to incur the costs of compliance as a hidden surcharge on their monthly bill. Instead, the entire process, both the requests for capability and the cost of compliance will be available to the public with an opportunity to intervene.

B. Capacity Requirements

The statute also requires telecommunications carriers to ensure that their system possesses sufficient capacity to accommodate a specified number of simultaneous intercepts, pen register, and trap and trace devices. The statute requires the Attorney General to consult with telecommunications carriers, then publish specific capacity requirements in the federal register for notice and comment by the public. The Government is required to reimburse telecommunications carriers for all reasonable costs associated with capacity upgrades.

Determination of Capacity Needs: Before making any requests to telecommunications carriers under this provision, the government must determine what its capacity needs will be. This process, headed by the FBI's Telecommunications Industry Liaison Unit (TILU), has begun soliciting information from telecommunications carriers as well as state and local law enforcement agencies. The statute requires that this process be completed, and notice provided to telecommunications carriers and to the public, on or before October 25, 1996 (sec 104 (a)(1)).
Consultation with State and local law enforcement agencies and telecommunications carriers and general public required: Section 104 of the statute requires the Attorney General to consult with state and local law enforcement agencies, telecommunications carriers, manufacturers of telecommunications equipment in order to determine where capacity upgrades will be required and what those upgrades will be. After an opportunity for public comment (required in section 104 (a)(1)), the Attorney General must publish in the federal register and provide to telecommunications carriers:
1. Notice of Actual Capacity: The actual number of intercepts, pen registers, and trap and trace devices that will be necessary 4 years from the date of enactment (sec 104 (a)(1)(A)); and
2. Notice of Maximum Capacity: The maximum capacity required to accommodate all intercepts, pen registers and trap and trace devices that the Attorney General estimates that government agencies will be authorized to conduct simultaneously after the date 4 years after enactment (sec 104 (a)(1)(B)).
Publication of Capacity Requirements: Based on the results of the TILU survey, the Attorney general will then publish capacity notices as described above (and as required under section 104 of the statute). Telecommunications carriers will then have 3 years to comply with capacity notices, subject to government reimbursement (sec 104 (b) and (e)).

Public Accountability Provisions

There are two separate opportunities for public oversight of the Capacity compliance process.

Notice and Comment Required: Section 104 (a)(1) of the statute requires notice and comment before the Attorney general publishes the final capacity notices. Thus, the law request that the results of the TILU survey of telecommunications carrier capacity and the recommendations for capacity upgrades must be made available to the public for comment. If the FBI is believed to be making unreasonable demands for surveillance capacity based on the TILU recommendations the public will know and will have an opportunity to challenge the recommendations.
Publication in Federal Register: The notices of capacity needs, as required under section 104 (a), must be published in the Federal Register, providing the public with a second opportunity to ensure that law enforcement is not making unreasonable capacity demands.

Funding for Capacity Upgrades

The entire process outlined above, including the public accountability opportunities, must occur before the government can spend any tax-payer funds to reimburse telecommunications carriers.

Government Reimbursement for Capacity Upgrades: Section 104 (e) requires the government to reimburse telecommunications carriers for all reasonable (*as defined in Section 109 (a), described below) costs associated with capacity upgrades required by the statute. If the government fails to reimburse a carrier, that carrier will not have to modify any feature or serv ice. This provision is intended to ensure that the government prioritizes capacity requests and does not demand unnecessary surveillance capability financed by hidden charges to subscribers.

V. Reporting Requirements

Finally, section 112 of the statute requires the government to issue several reports on the costs of meeting the capability and capacity requirements of the statute. These reports will provide the public with a detailed accounting of law enforcement surveillance expenditures, as well as an accounting of law enforcement surveillance capability and capacity, including capability and capacity for which law enforcement did not reimburse telecommunications carriers.

Starting on November 30, 1995 and for every year after, the Attorney General will report:

Government Costs: a detailed accounting of the amounts paid to each carrier and the equipment, facility, or service for which the amounts were paid;
Future Cost: projections of the amounts expected to be paid in the current fiscal year, the carriers to which payment is expected to be made, and the equipment, facilities, or services for which payment is expected to be made.

In addition to reports by the Attorney General, the Comptroller General, after consulting with the Attorney General and the telecommunications industry, will issue a report every 2 years describing:

Extent of Network Design Changes Made as a Result of CALEA: the type of equipment, facilities, and services that have been brought into compliance under the statute;
Cost-Effectiveness of Government Reimbursement: an analysis of the reasonableness and cost-effectiveness of the payments made by the Attorney General to telecommunications carriers for modifications necessary to ensure compliance under the statute.

This report will also include a description of the costs to be incurred by telecommunications carriers to comply with the capability requirements after the effective date, including projections of the cost and a description of the equipment and services for which cots will be incurred.

VI. New Privacy Protections

The statute adds several new statutory privacy protections. In addition to monitoring the implementation of the capability and capacity requirements and cost reimbursement provisions, these new privacy protections must be vigorously enforced.

Increased Protection for Online Transactional Information: Section 207 (a) amended 18 USC 2703 to increase the standard for law enforcement access to transactional data generated by electronic communications services from a mere subpoena to a court order based on "specific and articulable facts" that such records are "relevant and material to an ongoing criminal investigation" (sec 207 (a)(2)).

By enacting this provision, Congress recognized that transactional information generated by electronic communications networks such as the Internet, electronic bulletin boards and commercial online services (such as America Online and Compuserve) reveal a great deal more about the content of a specific communication than do telephone toll records. Because online transactional records are personally identifiable, this provision raised the standard for law enforcement access to require the affirmative intervention of a Judge, a standard similar to (although not as strong as) that required for law enforcement access to the content of a communication.

Limitation on Pen Register Authority to Preclude Location and other Transactional Information: Section 207 (b) amended 18 USC 2516 to limit the design of pen register devices (devices which identifies numbers dialed) to prevent the use of pen registers to track individuals throughout the network or to reveal information beyond numbers dialed.

This section prohibits the authority for pen register devices to be used to obtain tracking or location information, other than that which can be determined from the telephone number. This provision is particularly important in wireless networks, where transactional data that can be obtained through a pen register device can reveal location information. The section further creates a "technical minimization requirement", requiring law enforcement to use reasonably available technology to minimize the ability of pen register devices to generate any information beyond numbers dialed.

Expanded Protection for Cordless Telephones: Section 202 extends the privacy protections of the Electronic Communications Privacy Act (ECPA) to cover cordless telephones. Specifically, sec. 202 brings the radio portion of a cordless telephone communication (the transmission between the handset and the base unit) under section 2510 of ECPA.
No Prohibition on the Use of Encryption: Section 103 (b)(3) explicitly affirms the right of subscribers to use encryption, and places no obligation on a telecommunications carrier to have the ability (or to ensure the government's ability) to decrypt a communication, unless the encryption product is provided by the carrier or the carrier has the information necessary to decrypt it.

VII. Conclusion

If properly adhered to, these statutory privacy protections, combined with the public accountability provisions outlined earlier provide the public with a significant degree of oversight over law enforcement surveillance capabilities.

However, in order to ensure that the privacy protections are properly implemented and adhered to, the compliance process must be closely monitored and, when necessary, the provisions allowing intervention and public oversight must be utilized.

For More Information, Contact:

+1.202.637.9800

Return to the Digital Telephony Issues Page