A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology
(1) Court Upholds Imposition of Technical Design Mandates on the Internet
(2) Background on CALEA and FCC's Extension of CALEA to the Internet
(3) There is No Legal or Factual Basis for Applying CALEA to the Internet
(4) Major Questions Still Unanswered
In a major setback for civil liberties, on June 9, 2006, a federal court, in a split 2-1 decision, ruled that telephone regulators and the FBI can control the design of Internet services and applications in order to make government wiretapping easier.
The decision, by the U.S. court of appeals in Washington, DC, came in a case where CDT and a coalition of universities, libraries, civil liberties organizations and Internet companies had challenged an August 2005 ruling of the Federal Communications Commission (“FCC”) expanding the reach of the 1994 Communications Assistance for Law Enforcement Act (“CALEA”). CDT and others had argued that Congress intended to exclude the Internet from the wiretap design mandates, especially in light of the ways in which the Internet is fundamentally different from the telephone network.
The FCC, expressing concern about terrorism, decided that it has jurisdiction to extend CALEA, and two of the three federal appeals court judges agreed. CDT had argued to the court that the FCC had wanted to reach a certain result, and the agency twisted or ignored the words of the statute to reach that result. The dissenting judge in the case, senior judge Harry T. Edwards, called the government's logic "utter gobbledygook."
The Communications Assistance for Law Enforcement Act (CALEA) was adopted in 1994 in response to law enforcement concerns that wiretaps would be more difficult in digital telephone networks than they had been in the analog phone system. CALEA required "telecommunications carriers," meaning telephone companies, to design basic wiretap capabilities into their networks. As it was implemented, CALEA gave the FBI very precise design control over telephone switches. The FBI was able to convince the FCC to mandate specific features, including -- at substantial cost to carriers -- features that gave the government capabilities going beyond those that had been available in older phone systems. Thus CALEA was used to enhance rather than merely preserve government surveillance capabilities.
On its face, the CALEA statute applies only to telecommunications common carriers, and it specifically does not apply to "information services," meaning Internet applications. Congress realized in 1994 that the Internet was fundamentally different from the telephone system, and Congress chose not to apply CALEA to the Internet and "information services" carried over it. E-mail, instant messaging, VoIP, and other forms of Internet communications are information services and thus are not supposed to be covered by CALEA. Although ISPs and Internet application providers must (and do) comply with interception orders under the wiretap laws, they have not had to design their networks and services to meet FBI specifications.
In March 2004, the FBI filed a petition with the FCC asking that the agency extend CALEA to the Internet and to VoIP services over the Internet. The FBI also asked the FCC to create a pre-review process under which all new Internet applications and services would be screened by the FBI prior to deployment to ensure that they satisfy FBI criteria. CDT and many others vigorously opposed the FBI's petition to the FCC. CDT filed comments and reply comments opposing the petition.
The FCC rejected the concerns of CDT and others and decided to extend CALEA to the broadband Internet and to certain VoIP services. The FCC asserted that Internet access was a "substantial replacement" for local telephone service and that the CALEA statute therefore gave the FCC the power to extend CALEA to the Internet. Although the FCC rejected the FBI's request for a pre-approval process for new Internet services, the ambiguous manner in which the FCC extended CALEA will have a similar harmful impact on innovation and the deployment of new technology on the Internet.
CDT and other petitioners challenging the FCC believe that both the agency and now the court ignored clear Congressional intent to exclude the Internet from the CALEA statute. CALEA expressly excludes "information services," which has been legal shorthand for Internet services. The FCC has consistently ruled under other laws that "information services" includes broadband Internet access.
CDT and others had argued that normal rules of statutory interpretation required a consistent application of the term across all statutes under the FCC's purview. The appeals court majority held that the Commission could give different interpretations to the same words, even if the inconsistency is not the best or most logical interpretation, so long as there is some reasonable basis for the distinction. In this case, the Commission hung its decision on small differences between CALEA and the main communications law. While there are some minor differences between the statutes as a general matter, Congress used the same words in each statute to define "information services," and clearly intended that that language to prevent the Internet from falling under the law.
The court ruling, like the FCC's decision, leaves many questions unanswered.
Neither the Commission nor the court addressed how to apply to the Internet CALEA's distinction between the content of a communication and the routing or signaling information about that communication. In applying CALEA to traditional telephone service, a major debate arose over how to define "call-identifying information." The FBI ultimately prevailed upon the FCC to define call-identifying information to include a long list of specific elements. CDT believes that Internet access providers and application provider should take a narrow view of call-identifying information. For example, in the context of broadband access, the access provider should be responsible only for identifying the IP address of origin and destination for each packet. The transport layer provider should have no responsibility to sniff into and decode any Internet applications used by a particular customer.