The Implementation of the Communications Assistance for Law Enforcement Act
Audit Report 06-13
Office of the Inspector General
Criminal organizations and individuals frequently use telephones and other electronic communications devices to carry out criminal and terrorist acts. To combat and deter this activity, law enforcement and other authorized government agencies use court-authorized electronic surveillance for collecting information to investigate and prosecute criminals. According to the Federal Bureau of Investigation (FBI), electronic surveillance is a critical tool needed to meet its law enforcement, counterterrorism, and intelligence-collecting mandates.
Electronic surveillance consists of the acquisition of call-identifying information and the interception of communications content. Call-identifying information is defined as dialed number information that identifies the origin, direction, destination, or termination of any communication generated or received by a subject of surveillance. Normally, call-identifying information is collected via “pen registers” and “traps and traces.”16 Content is defined as the substance or meaning of a communication and is obtained by a wiretap.17 For purposes of this report, the term electronic surveillance is used only in the sense of the real-time interception of information.
The use of electronic surveillance is strictly limited by law. Title III of the Omnibus Crime Control and Safe Street Act of 1968, as amended (Title III),18 and portions of the Electronic Communications Privacy Act (ECPA),19 as amended, serve as the primary laws governing electronic surveillance of criminal investigations. Rules regarding electronic surveillance conducted for foreign intelligence, counterintelligence, and terrorism investigations are derived from the Foreign Intelligence Surveillance Act (FISA), as amended.20
In the early 1990s, technology advances in the telecommunications industry began challenging the ability of law enforcement agencies to fully implement electronic surveillance. In March 1994, the FBI Director testified that an informal FBI survey of federal, state, and local law enforcement agencies identified 91 examples where technological impediments precluded full implementation of court orders for electronic surveillance. According to the FBI, the survey results revealed that 33 percent of the examples involved cellular systems (of which 11 percent were related to the limited capacity of cellular systems to accommodate a large number of simultaneous intercepts), and 32 percent involved custom‑calling features like call forwarding, call waiting, and speed dialing.21
Subsequent to the hearing, the FBI worked with law enforcement agencies to identify further examples of such technological impediments. In April 1994, the FBI presented to the House and Senate Judiciary Committees details of 183 instances (including the original 91 examples) where the FBI, state, or local law enforcement agencies encountered problems with electronic surveillance, as shown in the following chart:
By the mid 1990s, what was once a relatively simple matter of initiating a wiretap by attaching wires to terminal posts now required the expert assistance and cooperation of a telecommunications carrier.23
To address law enforcement's difficulty in performing electronic surveillance in the face of new telecommunications and computer features, Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994. The purpose of CALEA was to ensure that telecommunications carriers had the necessary technical capability and capacity to fulfill their Title III and FISA obligations in order to assist law enforcement in conducting electronic surveillance.
CALEA required that telecommunications carriers ensure that their equipment, facilities, or services provided the following four capabilities (assistance capability requirements):
According to the FBI, CALEA was intended to bring about a fundamental shift in how the telecommunications industry viewed its electronic surveillance responsibilities. Although Title III and FISA required telecommunications carriers to provide any assistance necessary to accomplish an electronic interception, the question of whether telecommunications carriers had an obligation to design networks that facilitated an authorized interception had not been decided. In short, CALEA sought to ensure that the telecommunications industry considered law enforcement’s need and authority to conduct electronic surveillance as a basic element in developing its telecommunications products and in providing service.
Consequentially, CALEA assigned certain responsibilities to the Attorney General, the Federal Communications Commission (FCC), telecommunications carriers, telecommunications equipment manufacturers, and the Department of Justice (DOJ) Office of the Inspector General (OIG). In February 1995, the Attorney General delegated CALEA management to the FBI. The following table outlines the entities with CALEA responsibilities.
STATUATORY RESPONSIBILITIES UNDER CALEA
In summary, effective implementation of CALEA’s provisions relies on the shared responsibilities of the government agencies and the service providers and manufacturers subject to the law’s requirements.
Since CALEA’s enactment in 1994, the telecommunications industry has lobbied Congress to change certain provisions of the law. Appendix VI presents a summary of these efforts. While the FBI has been successful in blocking these efforts, CALEA remains controversial.
According to its legislative history, CALEA was supposed to strike a balance between three competing national priorities: preserving law enforcement’s ability to conduct electronic surveillance; protecting privacy; and promoting innovation. However, controversy surrounds these three priorities as discussed below:
The collision of these national priorities created controversy. At the time of its passage, it was clear that CALEA covered wireline and cellular communications; network-based services such as call-forwarding and conference calling; and technologies such as pagers and satellite phones. However, CALEA does not cover “information services,” and this exclusion has proven to be a major source of controversy.31 According to the FBI, at the time of CALEA’s enactment consumers used the Internet to obtain information, not as a telecommunications service. However, with the recent growth of Internet telephony, the question of whether CALEA applies to Internet Service Providers (ISP) or other VoIP providers continues to be widely debated.
An example of the controversy involves VoIP provider Vonage. In 2003, the Minnesota Public Utility Commission (MPUC) ruled that Vonage was a telephone service provider under Minnesota state law. As a result, Vonage was subject to certain state regulations, including those governing 911 emergency calling services. In September 2003, Vonage petitioned both the U.S. District Court in Minnesota for injunctive relief and the FCC for pre-emption of all state regulation on the grounds that Vonage is an ISP rather than a telephone service provider. In October 2003, the U.S. District Court in Minnesota ruled in favor of Vonage, concluding that Vonage is an ISP. The Minnesota Attorney General appealed on behalf of the MPUC. In December 2004, the U.S. Court of Appeals for the Eighth Circuit upheld the district court ruling that the MPUC may not regulate calls made through the Internet as it does calls made through traditional phone lines.
Meanwhile, the FCC sought comments on Vonage’s petition. The FBI filed comments stating that Vonage could not qualify for relief because its VoIP service is a telecommunications service instead of an information service. In November 2004, the FCC issued its decision ruling that Internet phone services should not be governed by the same state regulations as traditional telephone companies. As a result, whether CALEA applied to Vonage and other Internet phone services remained controversial.
Joint Petition for Expedited Rulemaking
In March 2004, the DOJ, the FBI, and the Drug Enforcement Administration (DEA) attempted to resolve problems faced by law enforcement with these new technologies by filing a Joint Petition for Expedited Rulemaking with the FCC. The Joint Petition also sought resolution on issues pertaining to carrier extensions for complying with CALEA, enforcement for noncompliance, and carrier fees.32 In the Joint Petition, the DOJ and other groups asked the FCC to:
The FCC declined to issue a declaratory ruling, finding instead that it was necessary to compile a complete record on the factual and legal issues. Therefore, on August 4, 2004, the FCC issued a Notice of Proposed Rulemaking (NPRM) in response to the DOJ petition and sought comments on its tentative conclusions.33 The comment period on the NPRM closed in December 2004. In response to the NPRM, interested parties filed about 650 comments with the FCC. Among the parties were DOJ; the carriers Verizon, Sprint, Bell South, and SBC; VoIP provider Vonage; ISP Earthlink; and “trusted third party” Verisign.34
In the opinion of carrier representatives with whom we spoke, the NPRM issues are, for the most part, already outdated. Carrier representatives stated that as technological change continues to accelerate, law enforcement agencies will have a harder time keeping up and electronic surveillance may suffer.
On August 5, 2005, the FCC ruled on the Joint Petition. The FCC stated that providers of facilities-based broadband Internet access service and interconnected (managed) VoIP services must be prepared to accommodate electronic surveillance within the scope of CALEA.35 According to the FCC, these services essentially replace conventional telecommunications services currently subject to CALEA.36 The ruling stated that the FCC’s determination is limited to facilities-based broadband Internet access service providers and VoIP providers offering services that permit users to receive calls from, and place calls to, the public switched telephone network or PSTN, the publicly available dial-up telephone network.37
The FCC also found that the definition of “telecommunications carrier” encompasses providers of services that are not classified as telecommunications services under the Communications Act of 1934. With respect to a deadline for compliance, the FCC reasoned that because newly covered providers need a reasonable amount of time to come into compliance with all relevant CALEA requirements, a deadline of 18 months from the effective date of the FCC’s Order would be appropriate.
In addition to ruling that certain broadband and managed VoIP services fall within the scope of coverage, the FCC adopted a Further NPRM seeking more information about whether certain classes or categories of facilities-based broadband Internet access providers (i.e., small and rural providers and providers of broadband networks for educational and research institutions) should be exempt from CALEA.
The FCC’s ruling, however, does not address any of the other issues raised in the March 10, 2004, Joint Petition (e.g., cost of compliance to be borne by industry for post-January 1, 1995, equipment; extensions of the compliance date; enforcement; and the identification of future services). The FCC is expected to provide a final ruling on these issues in the near future.
In October 2005, telecommunications firms, nonprofit organizations, and educators challenged the FCC’s August 5, 2005, ruling in the U.S. Court of Appeals in Washington, D.C. These groups are challenging the rules on both privacy grounds, and because they claim implementing the rules will be too expensive. In the OIG’s April 2004 report, we recommended that the FBI submit to Congress legislative changes to CALEA it believed necessary to ensure that electronic surveillance is achieved expeditiously in light of rapid technological changes.38 Despite the FCC’s ruling, we continue to believe that legislative clarification of CALEA’s intent is necessary.39 As discussed in Finding II of this report, previous litigation over what should be required for law enforcement’s wiretapping capabilities substantially delayed CALEA implementation, and we are concerned that this current litigation will delay CALEA implementation as it applies to new technologies.
|« Previous||Table of Contents||Next »|