12 February 1998
Thanks to Declan McCullagh
Date: Wed, 11 Feb 1998 20:25:13 -0500 From: Declan McCullagh <declan@well.com> To: politech@vorlon.mit.edu Subject: FC: Privacy groups tell FCC to deep-six wiretap law Seems as though even the folks (not the undersigned) who lauded the virtues of the Digital Telephony wiretapping law and cut a deal to ensure its passage are now claiming it's gone astray. Attached below are comments filed (I believe today) with the FCC on the law. Even if you don't care about wiretapping, consider this: the Digital Telephony law requires technology firms to make communications readily snoopable by law enforcement agents. Think of this as a precedent for requiring technology firms to make encrypted communciations readily snoopable by law enforcement agents. Trust me, even if you haven't thought about that precedent and its value when lobbying members of Congress, Louis Freeh has. -Declan ****** Before the Federal Communications Commission Washington, D.C. 20554 In the Matter of ) ) CC Docket No. 97-213 Communications Assistance for ) Law Enforcement Act ) Surreply Comments of The American Civil Liberties Union The Electronic Privacy Information Center The Electronic Frontier Foundation Computer Professionals for Social Responsibility The American Civil Liberties Union (ACLU), Electronic Privacy Information Center (EPIC), Electronic Frontier Foundation (EFF), and Computer Professionals for Social Responsibility (CPSR) respectfully submit these surreply comments in the above referenced proceeding. Our organizations represent a broad perspective of public interest, privacy and civil liberties interests. ACLU, EPIC and EFF jointly filed comments with the Federal Communications Commission in response to the Notice of Proposed Rulemaking (NPRM) on implementation of the Communications Assistance for Law Enforcement Act (CALEA) on December 12, 1997. In our previous comments, we urged the Commission to exercise its statutorily conferred authority to delay compliance with the Act until October, 2000. However, after reviewing the comments filed by the Federal Bureau of Investigation (FBI), public interest groups, and industry; and in light of the FBI's four year delay in releasing to the public the statutorily required Notice of Capacity; and the FBI's obstruction of the adoption of industry compliance standards that are feasible and technically possible, we are convinced that the Commission must indefinitely delay the implementation of CALEA. We call on the Commission to report to Congress on the serious legal, technical, and policy obstacles that have thwarted CALEA's implementation. Our organizations also request that the Commission require the FBI to provide comment-- on the public record-- explaining their failure to meet the statutory Notice of Capacity Requirement imposed by Congress nearly four years ago. Our requests in this proceeding are based on several provisions for government accountability and privacy protection incorporated in CALEA and its legislative history, which has thus far been largely ignored. Section 107 of CALEA provides that any person(s), including public interest groups, concluding that any standard issued on the implementation of the Act is deficient, may petition the Commission for review. This section provides that one factor for judging the acceptability of standards is whether they protect the privacy of communications that are not permitted to be intercepted under the law. Furthermore, the legislative history of CALEA makes clear that the Commission's authority over this implementation process is designed to ensure that the following goals are realized: (1) Costs to consumers are kept low, so that 'gold-plating' by the industry is kept in check; (2) the legitimate needs of law enforcement are met, but that law enforcement does not engage in gold-plating of its demands; (3) privacy interests of all Americans are protected; (4) the goal of encouraged competition in all forms of telecommunications is not undermined, and the fact of wiretap compliance is not used as either a sword or a shield in realization of that goal. Because our organizations have concluded that these statutory goals have not been satisfied, we believe it is incumbent on the Commission to take action with regards to our requests. In these surreply comments we will also address several issues raised in submissions of other interested parties that call for an expansion of the CALEA's mandate and that run counter to Congress' stated goals. I. The FBI has Disregarded the Congressional Limitations and Statutory Obligations Imposed on Law Enforcement by CALEA: CALEA explicitly called on law enforcement to issue a technical capacity notice by October 25, 1995, one year after the law's enactment. Carriers were given three years after the notification to install capacity meeting the notification requirements. Thus, under the statutory timetable, industry's deadline for compliance was to have been October 1998. Section 104(a)(2) requires that the technical capacity notice provide a numerical estimate of law enforcement's anticipated use of electronic surveillance for 1998. The notice is required to establish the maximum interceptions that a particular switch or system must be capable of implementing simultaneously. By mandating the publication of numerical estimates of law enforcement surveillance activity, Congress intended CALEA's notice requirements to serve as accountability "mechanisms that will allow for Congressional and public oversight. The bill requires the government to estimate its capacity needs and publish them in the Federal Register." In addition to the concerns of privacy advocates, the Public Notice requirement was based on industry concerns that the cost of providing intercepts was becoming an undue burden on companies and that the number of intercepts was growing too rapidly for industry to respond. In 1994, AT&T testified that such law enforcement notice was necessary for industry to accomplish the following: -require law enforcement to focus on what it actually requires to accomplish its legitimate needs thereby freeing resources they do not actually require for other purposes; -provide an essential mechanism for Congress to control both the costs and level of law enforcement involvement in the development of new services; -ensure that the fewest taxpayer dollars are spent to address law enforcement concerns. As documented in detail in our prior comments, the FBI has yet to provide the mandated Notice of Capacity. The Bureau has thus far released two initial notices that were both withdrawn after sharp public criticism over the FBI's failure to meet the statutory requirements. The FBI comments also do not explain why the public and Congress should ignore their failure to meet this statutory obligation. Instead, the FBI asserts that public safety should override any technical problems industry groups may face in complying with CALEA's statutory deadline. However, we believe that this assertion has also not been justified by the FBI to date. According to statistics released by the Administrative Office of the U.S. Courts and the Department of Justice, the actual number of interceptions has risen dramatically each year and in 1996 alone 2.2 million conversations were captured by law enforcement. A total of 1.7 million of these intercepted conversations were deemed not "incriminating" by prosecutors. Our organizations believe that these numbers do little to support the FBI contentions that CALEA should be given broad interpretation. Moreover, the FBI comments state that a blanket extension on the compliance with CALEA should not be granted despite the impasse between industry and law enforcement because of the potential threat to public security. While we recognize the importance of protecting the public, Congress required that there be a balancing of the interests of law enforcement with the need to protect privacy and develop new technologies. Specifically, Congress had the following objectives: (1) to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts; (2) to protect privacy in the face of increasingly powerful and personally revealing technologies; and (3) to avoid impeding the development of new communications services and technologies. Hence, we are not persuaded by the FBI's conclusion that there should not be a blanket extension for compliance with CALEA. Until it is clear that each of the Congressional objectives is met and there is a public release by the FBI of its statutorily mandated Notice on Capacity, the technical compliance with the Act should be postponed. II. The FBI Has Not Maintained Narrowly Focused Capability for Law Enforcement Agencies to Carry Out Authorized Intercepts The FBI's bad faith in the implementation process has prevented the development of acceptable technical standards that are feasible by industry. As our prior comments document and industry comments support, the FBI has repeatedly endeavored to require that industry meet a FBI wish-list of surveillance capability needs never contemplated by Congress. Indeed, avoiding such an impasse was precisely why Congress explicitly redrafted the statute in 1994 to eliminate law enforcement control over industry standard-setting. Instead of preserving a narrow focus on surveillance capability, the FBI has sought an expanded capability by interpreting CALEA to apply to entities and user services specifically exempt by Congress. The comments submitted by the FBI underscore the validity of our concerns by presenting a wish-list of items that go far beyond the authorized electronic surveillance under the provisions of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Electronic Communications Privacy Act of 1986 and CALEA.. For example, the FBI comments call for CALEA compliance by carriers providing access to information services, private communications services, and paging services -- an expansion of surveillance capabilities never contemplated by Congress. (a) Information services In paragraph 29 of its submission, the FBI states that it agrees that providers of "exclusively information services are excluded from CALEA" but that "any portion of a telecommunications service provided by a common carrier that is used to provide transport access to information services is subject to CALEA." Such services are explicitly exempt under the statute. Section 103 (4)(b) provides limitations on what services are required to meet assistance capability requirements under CALEA. It states: (b) Limitations: (2)Information services; private networks and interconnection services and facilities. The requirements of subsection (a) do not apply to-- (A) information services; or (B) equipment, facilities, or services that support transport or switching of communications for private networks or for the sole purpose of interconnecting telecommunications carriers. Congress explicitly rejected any application of CALEA to information services including electronic mail and on-line services recognizing that interception of those communications is the equivalent of "call content" and is therefore, subject to a much higher degree of protection under the Constitution. The FBI, and the Commission NPRM, incorrectly assume there is a distinction between carriers that exclusively provide information services and common carriers that provide access for information services. The FBI is simply attempting to gain back-door access to information services contrary to Congress' intent. (b) Carriers Providing Private Services: Paragraph 22 of the FBI comment states that "there may exist telecommunications companies that do not hold themselves out to serve the public indiscriminately that should also be treated as 'telecommunications carriers' by the Commission. Otherwise, companies that hold themselves out to serve particular groups may, intentionally or inadvertently, undermine CALEA." Thus, the FBI's conclusion that private services that do not indiscriminately provide services to the public fall within CALEA's ambit is unwarranted. Indeed as the legislative history states: "...telecommunications services that support or transport switching of communications for private networks or for the sole purpose of interconnecting telecommunications carriers...need not meet any wiretap standards...Earlier digital telephony proposals covered all providers of electronic communications services, which meant every business and institution in the country. That broad approach was not practical. Nor was it justified to meet any law enforcement need." Indeed the explicit exclusion of private networks was also based on the potential threats to personal privacy that such could be incurred by requiring private networks to meet the CALEA configuration requirements. CALEA's legislative history states that private networks are not the usual focus of court authorized electronic surveillance and that these networks, although excluded by CALEA's requirements, may be required to provide law enforcement with access to information after receiving a court order. (c) Paging services: Paragraph 25 of the FBI comments state: "Law enforcement contends that paging systems should be included in the definition of "telecommunications carrier" for the purposes of interpreting CALEA because paging systems generally fall within the definition of common carrier or, at minimum, rely on common carriers to be activated." Paging service's reliance on common carriers for activation does not automatically compel their compliance with CALEA. III. The FBI Has Ignored Privacy Protection Requirements The Congress specifically required privacy safeguards to assure that communications not be made vulnerable to hackers and rogue wiretaps as a result of CALEA. Section 105 of CALEA, Systems Security and Integrity, mandates that "telecommunications carriers shall ensure that any interception of communications or access to call-identifying information effected within its switching premises can activated only in accordance with a court order or other lawful authorization...". However, the FBI comments and FCC NPRM merely reduce privacy concerns to questions of telecommunication carrier recordkeeping and employee screening measures. Furthermore, Section V of the FBI comments, which addresses the carrier security procedures, attempts to undermine the protections against unlawful government surveillance guaranteed in the Electronic Communications Privacy Act of 1986. 18 U.S.C. 2510, et. seq. This section asserts that there is "anecdotal evidence" that carriers have refused to comply with law enforcement requests for wiretapping where there is confusion as to the validity of court orders. As a result, the FBI has called on the Commission to limit the ability of carriers to question the lawfulness of requests for interception by various law enforcement entities. Similarly, paragraph 47 states that "[c]arriers are the implementers, not the enforcers, of lawful intercept orders or certifications under the electronic surveillance laws." We strongly disagree with that conclusion. Carriers have an affirmative obligation under ECPA to ensure that they are not wrongfully disclosing information to the government or third parties. The failure of carriers to exercise good faith judgment and carefully scrutinize such requests for information may expose them to criminal and civil liability under ECPA. 18 U.S.C. 2520 (d). We believe that a Commission ruling providing that carrier's lack the ability to scrutinize the validity of warrants would require them to abrogate their statutory good faith obligations. In addition, the Commission lacks authority to limit the rights of carriers to review such orders and such a requirement would not comport with other federal and state requirements. Paragraph 46 of the FBI comments broadly states that carriers may not question law enforcement authority to conduct wiretapping investigations where one party has consented to interception. The FBI broadly states that "[i]n such cases, the electronic surveillance statutes clearly indicate that no court order is required." We similarly disagree with this conclusion. Currently, at least 12 states do not permit "one party consent" to interceptions of communications. Thus, we believe that a Commission rule limiting carrier discretion would certainly create pre-emption questions where there is no Congressional basis and where the request comes from state law enforcement. Conclusion Congress envisioned CALEA's implementation as an open process that would ensure accountability and prevent the development of unprecedented surveillance capabilities. The expanded capabilities sought by the FBI, along with their non-compliance with CALEA's Public Notice of Capacity Requirements warrant serious Commission and Congressional response. Our organizations believe that given the FBI's failure to meet public accountability provisions, the Commission must indefinitely delay the implementation of CALEA and report to the Congress on the serious obstacles that have thwarted its implementation to date. We also ask that the Commission require the FBI provide comment on the public record explaining its failure to meet it unambiguous statutory obligations under CALEA. Respectfully Submitted, _____________________________________ Laura W. Murphy, Director Greg Nojeim, Legislative Counsel A. Cassidy Sehgal, William J. Brennan Fellow American Civil Liberties Union Washington National Office 122 Maryland Ave, NE Washington, D.C. 20002 (202) 544-1681 Marc Rotenberg, Director Barry Steinhardt, President David L. Sobel, Legal Counsel Electronic Frontier Foundation David Banisar, Staff Counsel 1550 Bryant Street, Suite 725 Electronic Privacy Information Center San Francisco CA 94103 666 Pennsylvania Ave., SE, Suite 301 (415) 436-9333 Washington, D.C. 20003 (202) 544-9240 Computer Professionals for Social Responsibility CPSR, P.O. Box 717, Palo Alto, CA 94302 (650) 322-3778 cc: Rep. Bob Barr Sen. Orrin Hatch Sen. Patrick Leahy Rep. Henry Hyde Sen. Ashcroft Sen. Edward McCain Sen. Arlen Spector Rep. Billy Tauzin Rep. McCollum Rep. Charles Schumer The Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414, 108 Stat. 4279 (1994) (codified as amended in sections of 18 U.S.C. and 47 U.S.C.) Statement of the AT&T Corporation Before the House Subcommittee on Civil and Constitutional Rights and Senate Subcommittee on Technology and Law, reprinted, in Schneier and Banisar: The Electronic Privacy Papers, Wiley and Sons, 1997. See generally, EPIC letter to The Telecommunications Industry Liaison Unit, November 13, 1995, reprinted in 1996 Electronic Privacy and Information Center, Cryptography and Privacy Sourcebook, 1996, discussing the failure of the Initial FBI Notification of Law Enforcement Capacity Requirements to meet CALEA's obligations. -------------------------------------------------------------------------- POLITECH -- the moderated mailing list of politics and technology To subscribe: send a message to majordomo@vorlon.mit.edu with this text: subscribe politech More information is at http://www.well.com/~declan/politech/ --------------------------------------------------------------------------