Earlier this week, the Electronic Frontier Foundation (EFF) filed comments with the Federal Communications Commission (FCC) objecting to the agency's plan to expand the reach of a law that forces communications service providers to build surveillance backdoors into their networks.

The Communications Assistance to Law Enforcement Act (CALEA), passed in 1994, forced telephone companies to redesign their network architectures to make wiretapping easier. It expressly did not regulate data traveling over the Internet. But earlier this year, law enforcement agencies petitioned the FCC to expand CALEA's reach to cover broadband providers so that it would be easier for law enforcement to tap Internet "phone calls" via Voice over Internet Protocol (VoIP) applications such as Vonage, as well as online "conversations" using various kinds of instant messaging (IM) programs like AOL Instant Messenger (AIM). The FCC responded with a "notice of proposed rulemaking" (NPRM), which proposes to introduce surveillance technology mandates to broadband Internet access and "managed" VoIP.

In its comments, EFF argues that this transformation in CALEA goes against the letter and the spirit of the law as it was originally written, which expressly ruled out information services like broadband.

"The NPRM relegates Congress' exclusion of information services to so much spilt ink," read the comments. Moreover, EFF argues, the rationale that law enforcement uses to justify its request -- that broadband has "significantly replaced" the telephone network -- is a misrepresentation that opens the door for CALEA to cover just about anything. "Any service that arguably replaces any portion of the prior telephony regime must look down the barrel of CALEA compliance."

In addition, the technological changes required by an expanded CALEA would undermine Internet security and subject new technologies to government review before they can be adopted for use with current Internet devices.

"Law enforcement already has the legal and technological means to access communications on the Internet," said EFF Staff Attorney Kurt Opsahl. "Expanding CALEA to cover broadband communication is not only unnecessary, it will retard innovation while depriving people of their privacy and security on the Internet."

Reply comments are due December 7.


COMMUNICATIONS ASSISTANCE FOR LAW ENFORCEMENT ACT (CALEA): EFF Comments

The Perils of Wiretapping the Internet
Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994 to make it easier for law enforcement to wiretap digital telephone networks. CALEA forced telephone companies to redesign their network architectures to make wiretapping easier. It expressly did not regulate data traveling over the Internet.

Dig deeper:

» EFF's CALEA FAQ
» EFF's CALEA summary
» EFF's CALEA archive
» EFF's Rough Guide to CALEA

But now federal law enforcement agencies want to change that. On March 10, 2004, the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Drug Enforcement Administration (DEA) filed a joint petition with the Federal Communications Commission (FCC). The petition requested that CALEA's reach be expanded to cover communications that travel over the Internet. Thus, Broadband providers would be required to rebuild their networks to make it easier for law enforcement to tap Internet "phone calls" that use Voice Over Internet Protocol (VoIP) applications such as Vonage, as well as online "conversations" using various kinds of instant messaging (IM) programs like AOL Instant Messenger (AIM).

EFF objected to a number of the requests in the joint petition, in conjunction with numerous other organizations.

On August 9, 2004, the Federal Communications Commission (FCC) released its Notice of Proposed Rulemaking (NPRM) in response to the Law Enforcement joint petition. Applying dubious legal reasoning, it greatly expands the reach of CALEA by redefining what constitutes a "substantial replacement" of the telephone service, tentatively concluding that broadband Internet access providers and managed VoIP systems substantially replace local exchanges, and therefore are subject to the requirements of CALEA. (See CALEA Summary.)

The NPRM was formally published in the Federal Register on September 23, 2004 (TEXT; PDF).
CALEA Legal and Policy Framework: TEXT; PDF

EFF filed comments [PDF 214k] November 8, 2004. Reply comments are due December 7, 2004.

Wiretapping Is Already Easy Enough

Law enforcement agencies convinced the FCC that CALEA needed to be expanded in order to maintain the status quo. Because wiretapping has gotten so much more complex in the Internet age, they argued, it's just too hard for them to intercept all the communications that they need. Without structural changes to the Internet, they won't be able to conduct the same quality of investigations that they did ten years ago.

It is crucial to remember that the issue here is not whether law enforcement can tap new technologies like VoIP, but whether they can tap it easily. Existing laws already permit law enforcement to place Internet users under surveillance, regardless of what programs or protocols they are using to communicate. Industry already cooperates with law enforcement to give it all the information requested, and this will continue to happen with or without a new FCC rule interpreting CALEA.

Ironically, most kinds of surveillance have gotten much easier in the digital age. Agents can tap mobile phones, gain access to reams of electronic communications such as email, conduct DNA identification tests, and track people's locations using cell phone signals. Surely the greater ease of surveillance in these arenas and others more than makes up for the negligible difficulty of capturing a few VoIP calls and IM conversations. We would be maintaining the status quo without expanding CALEA.

Just Because It Can Be Tapped Doesn't Mean It Should

The FBI used the "tappability principle" to justify the demands in its petition. This principle holds that if something is legally searchable sometimes, it should be physically searchable all the time. But there is a vast difference between a computer network switch created precisely to be tappable and one that can be tapped with the right tools under the right circumstances. If we applied the FBI's logic to the phone system, it would state that every individual phone should be designed with built-in bugs. Consumers would simply have to trust law enforcement or the phone companies not to activate those bugs without just cause.

The Cost of CALEA Will Be Passed on to Consumers

The NPRM's proposed expansion of CALEA would also punish broadband providers and consumers, concluding that carriers should forced to spend millions of dollars on CALEA compliance. The FCC explores a mechanism by which these costs will pass to their customers, including a Commission mandated flat monthly charge. Quite literally, then, consumers would be subsidizing the surveillance state.

Furthermore, this proposal completely restructures market incentives in the technology industry. Privacy-friendly technologies, which protect the personal information of consumers, would be pushed out of the marketplace. Instead, companies would be forced to design and manufacture surveillance-friendly technologies. The needs of government, not consumers, would guide the marketplace.

Innovation Will Suffer

When special interests like law enforcement commandeer the marketplace, innovation suffers. The NPRM suggests that all devices that provide broadband connectivity will have to be CALEA-compliant, which would severely limit the scope of high-tech research and development. Today's VoIP systems - revolutionary software tools that allow people to make phone calls over the Internet - would likely never have been developed in an environment where all products had to go through a CALEA-compliance test before making it to market. While the NPRM does not extend CALEA to providers of peer-to-peer VoIP, email and Instant Messaging, it seeks comment on whether other laws might give the FCC power over a wider array of technologies.

If the FBI gets its way, the NPRM's tentative regulations will only be the tip of the iceberg. Soon, software companie, under threat of an expansive definition of CALEA's requirements, will face economic incentives to create email and IM programs that are surveillance-ready. Many computer game consoles that people can use to play over the Internet, such as the Xbox, allow gamers to chat with each other while they play. If any communication program running on the Internet has to be CALEA-compliant before being bought and sold, what would stop law enforcement from pushing for a tappable Xbox?

CALEA means that innovators will always be forced to think inside the box of surveillance. Their designs and ideas will be limited by a government mandate that requires them to build technology for the purpose of spying rather than playing games, talking to colleagues, or collaboratively making art over the Internet. This will stifle creativity and result in a non-competitive technology market. The only creativity will exist off-shore, where developers outside the U.S. will develop technologies to circumvent U.S. law enforcement capability.

The Internet Is Not Like the Phone System

The NPRM suggests that rules applied to the phone system should also be applied to the Internet. But crucial differences between the two systems mean that what is healthy for one in terms of marketplace incentives and technological development is unhealthy for the other. What makes the Internet powerful are its edges: computers and other innovative technologies are located at the ends of the network wires. The phone system works the opposite way. Telephones are dumb, inflexible machines. Whereas the usefulness of the phone system comes from the telecommunications network itself, the Internet's usefulness comes from its endpoints.

In addition, the phone network is a closed, insulated system, while the Internet is open and ever-changing. End users cannot change the nature of the phone network on a whim. But on the Internet, people can deploy new services and new devices at will - they can invent new protocols for sending data, or connect a new kind of widget to the network. This is integral to making the Internet a vital source of technological and scientific innovation.

EFF believes that federal agencies should not force the broadband Internet access or voice over IP industries, and by extension, their consumers, to bear the considerable costs of purchasing and implementing surveillance-ready network technologies simply because it suits the government's needs.

CALEA Could Make the Internet Less Secure

While law enforcement's efforts to hijack the tech market are disturbing, EFF is also concerned that making the Internet CALEA-compliant might backfire: many of the technologies currently used to create wiretap-friendly computer networks make the people on those networks more pregnable to attackers who want to steal their data or personal information.

When broadband service providers are forced to make their networks or applications tappable, this introduces more points of vulnerability into the system. Users have to place blind trust in companies and services they may not realize they are signing up for.

The FCC's proposes to allow third parties to manage government surveillance requests: a private company would analyze all the data from a telecommunications carrier, extract information relevant to the court order, and send it to law enforcement.

Currently, several large corporations are already offering CALEA services that might result in a loss of privacy for consumers. For example, VeriSign offers a legal intercept service to ISPs, which requires the providers to pipe all their data to VeriSign. Then the company's employees analyze the data, extract information relevant to the court order, and send it to law enforcement. This transaction leaves personal data potentially vulnerable when it travels from the service provider's network to VeriSign's. It also places the personal data of innocent people in the hands of a third party without customer consent. If CALEA is applied to the Internet, it is likely that many more services like VeriSign's will spring up, introducing still more uncertainty into the system.

Services like these support and expand what the ACLU has called the Surveillance-Industrial Complex. Since compliance with surveillance requests is a significant cost for carriers, telecommunications companies have acted as a check on government power, lobbying against excessive proposals. Now, private entities that profit from surveillance will have an incentive to lobby for more government surveillance powers.

Ultimately, all of these problems can be traced back to a single root cause: CALEA was drafted specifically to regulate phone networks, which are designed to be closed systems. The Internet is an open, global system that handles countless forms of data-transfer and accommodates an ever-changing array of smart edge-devices. If CALEA is misapplied to the Internet, the results will be disastrous. The privacy of innocent people is likely to be violated, innovation will certainly be stifled, and the current and future functionality of the Internet will be crippled.