CALEA: How Will It End?

The Sept. 11 attacks have left people around the world clamoring for assurance that such attacks can be prevented in the future. Obviously, there was a massive failure of intelligence gathering, which includes the collection and analysis of information gleaned from wiretapping (more correctly known as lawfully authorized electronic surveillance, or LAES). Although it is not clear whether surveillance would have been more effective if there were more of it or if there had been more people to review what was being obtained, law-enforcement agencies are certain to ask for more capabilities and for full implementation of what they believe they already have a legal right to.

An essential part of LAES is the controversial 1994 U.S. legislation known as CALEA, which describes how U.S. carriers (both wireless and landline) should provide surveillance information to a law-enforcement monitoring center.

What has been written so far in the never-ending story that is CALEA is a standard jointly produced by the TIA and ATIS T1 known as J-STD-025. Initial drafts were based on a view that law enforcement was the customer, and it should be given what it was willing to pay for. This proved troublesome when the telecommunications industry realized that some of what was being defined (such as location information) was outside the scope of CALEA. Consequently, the standard was scaled back to adhere to what the industry felt was “the law, and nothing but the law.” The standard specifically did not include the nine requirements known as the “punch list.” After the standard was published, law enforcement appealed to the FCC, which later ruled that six of the punch- list items should be supported. Then the US Court of Appeals vacated four of them, ruling that justification by the FCC was inadequate. Partly due to the change of administration, there has not yet been a further rulemaking from the FCC.

J-STD-025 Revision 0 provides core eavesdropping capabilities for all voice-based telecommunications systems (not just wireless), with Revision A representing probably more than can be justified under CALEA. It is quite likely that if law enforcement cannot get what it wants under CALEA, it will lobby heavily for changes in legislation, particularly enhancements to its ability to monitor wireless communications and Internet traffic. Since 1994, these have become critical methods of communications, yet law enforcement’s ability to monitor them is less than for landline communications, due to their more complex and less predictable nature.

Even in the shadow of Sept. 11, the telecommunications industry cannot enhance J-STD-025 too much. No matter how much it wants to help law enforcement, it cannot put requirements into a standard that it believes is outside the law. Being too restrictive will not allow law enforcement to protect Americans adequately from terrorists and criminals, while being too liberal with its contents will result only in the standard’s being held up in court by those who are concerned that it violates American civil liberties. Furthermore, the industry has to be fiscally responsible, not spending limited funds on high-cost capabilities that provide little benefit or that perhaps cannot even be deployed because of legal challenges to the standard upon which they are based.

Some aspects of J-STD-025 and related standards being produced by Third Generation Partnership Project (3GPP; TS 33.106, 107 and 108) are outside the scope of CALEA and appear to have no legal ramifications. For example, the standard does not define a single transport interface, meaning that carriers could implement it with a bewildering array of connection types, significantly increasing implementation costs. It would help if the industry and law enforcement could agree on a single interface, but the industry leans toward TCP/IP, and law enforcement toward X.25, meaning that the standard can give no direction.

The industry also could help by trying to be more unified. 3GPP has a heavy European influence and has developed a set of standards that are designed to be used within a network. A current proposal to extend these standards to the law-enforcement interface would increase implementation costs without adding any real value. This is one area where it is unclear that the high level of competition between 3GPP and 3GPP2 is really in the public interest.

A large area that is still under study is packet data, particularly the issue of how to separate packet-identifying information from packet content. Voice communications are well understood by lawmakers, and the distinction between call-identifying information (who’s calling who, when and where) and call content (the voice) is well defined. This is critically important because most court orders only have the legal authority to obtain call- identifying information. With packet-mode communications, these traditional distinctions are more difficult to make. Internet packets usually contain multiple layers of identifying information (various headers with address, times and intervening servers) surrounding the packet content. Combine this with a bewildering array of different message formats that are used to transmit different types of information (e-mail, Web services, file transfers), and it becomes almost impossible to draw the dividing line with legal exactness.

The simplest approach for the industry is to send the entire packet to law enforcement, trusting it to determine the protocol, extract the identifying information and throw the content away when court orders do not allow its collection. Currently, this is being treated as a technical problem, but in reality, it is a failure of legislators to provide laws attuned to packet-based methods of communications. Because the distinction between packet identifying information and content does not make much sense, this leaves the problem of defining a new legal standard for obtaining combined packet information, which presumably must be higher than required to obtain call-identifying information but lower than required to obtain call content. The combined efforts of the telecommunications industry, law enforcement, regulators, legislators, the courts and, yes, also the sometimes-maligned civil libertarians are required to write the concluding chapters on the CALEA story. Hopefully, the story will end with Americans secure both from terrorist attacks and from unnecessary intrusions into their privacy.