The Implementation of the Communications Assistance for Law Enforcement Act

Audit Report 06-13
March 2006
Office of the Inspector General

Introduction


Criminal organizations and individuals frequently use telephones and other electronic communications devices to carry out criminal and terrorist acts. To combat and deter this activity, law enforcement and other authorized government agencies use court-authorized electronic surveillance for collecting information to investigate and prosecute criminals. According to the Federal Bureau of Investigation (FBI), electronic surveillance is a critical tool needed to meet its law enforcement, counterterrorism, and intelligence-collecting mandates.

What Is Electronic Surveillance?

Electronic surveillance consists of the acquisition of call-identifying information and the interception of communications content. Call-identifying information is defined as dialed number information that identifies the origin, direction, destination, or termination of any communication generated or received by a subject of surveillance. Normally, call-identifying information is collected via “pen registers” and “traps and traces.”16 Content is defined as the substance or meaning of a communication and is obtained by a wiretap.17 For purposes of this report, the term electronic surveillance is used only in the sense of the real-time interception of information.

The use of electronic surveillance is strictly limited by law. Title III of the Omnibus Crime Control and Safe Street Act of 1968, as amended (Title III),18 and portions of the Electronic Communications Privacy Act (ECPA),19 as amended, serve as the primary laws governing electronic surveillance of criminal investigations. Rules regarding electronic surveillance conducted for foreign intelligence, counterintelligence, and terrorism investigations are derived from the Foreign Intelligence Surveillance Act (FISA), as amended.20

Changing Technology Challenges Law Enforcement

In the early 1990s, technology advances in the telecommunications industry began challenging the ability of law enforcement agencies to fully implement electronic surveillance. In March 1994, the FBI Director testified that an informal FBI survey of federal, state, and local law enforcement agencies identified 91 examples where technological impediments precluded full implementation of court orders for electronic surveillance. According to the FBI, the survey results revealed that 33 percent of the examples involved cellular systems (of which 11 percent were related to the limited capacity of cellular systems to accommodate a large number of simultaneous intercepts), and 32 percent involved custom‑calling features like call forwarding, call waiting, and speed dialing.21

Subsequent to the hearing, the FBI worked with law enforcement agencies to identify further examples of such technological impediments. In April 1994, the FBI presented to the House and Senate Judiciary Committees details of 183 instances (including the original 91 examples) where the FBI, state, or local law enforcement agencies encountered problems with electronic surveillance, as shown in the following chart:

TECHNOLOGY-BASED PROBLEMS ENCOUNTERED
BY LAW ENFORCEMENT
(as of April 1994)22
Cellular Port Capacity-54, Audio Dial Digit Capture-33, Speed Dialing-20, Long Distance-4, Call Forwarding-10, Direct Inward Dial-4, Voice Mail-12, Digital Centrex-4, Other-42.
Source: U.S. House of Representatives Report No. 103-827, October 4, 1994

By the mid 1990s, what was once a relatively simple matter of initiating a wiretap by attaching wires to terminal posts now required the expert assistance and cooperation of a telecommunications carrier.23

The Communications Assistance for Law Enforcement Act

To address law enforcement's difficulty in performing electronic surveillance in the face of new telecommunications and computer features, Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994. The purpose of CALEA was to ensure that telecommunications carriers had the necessary technical capability and capacity to fulfill their Title III and FISA obligations in order to assist law enforcement in conducting electronic surveillance.

CALEA required that telecommunications carriers ensure that their equipment, facilities, or services provided the following four capabilities (assistance capability requirements):

  1. expeditiously isolate the content of targeted communications transmitted within the carrier's service area;

  2. expeditiously identify information regarding the originating and destination numbers of targeted communications, but not the physical location of the targets, except as could be determined by the phone number;

  3. transmit to law enforcement intercepted communications and call‑identifying information to a location away from the carrier's premises; and

  4. carry out intercepts unobtrusively, so that targets of electronic surveillance were not made aware of the interception and in a manner that did not compromise the privacy and security of other communications.24

According to the FBI, CALEA was intended to bring about a fundamental shift in how the telecommunications industry viewed its electronic surveillance responsibilities. Although Title III and FISA required telecommunications carriers to provide any assistance necessary to accomplish an electronic interception, the question of whether telecommunications carriers had an obligation to design networks that facilitated an authorized interception had not been decided. In short, CALEA sought to ensure that the telecommunications industry considered law enforcement’s need and authority to conduct electronic surveillance as a basic element in developing its telecommunications products and in providing service.

Consequentially, CALEA assigned certain responsibilities to the Attorney General, the Federal Communications Commission (FCC), telecommunications carriers, telecommunications equipment manufacturers, and the Department of Justice (DOJ) Office of the Inspector General (OIG). In February 1995, the Attorney General delegated CALEA management to the FBI. The following table outlines the entities with CALEA responsibilities.

STATUATORY RESPONSIBILITIES UNDER CALEA
Entity Responsibility
Federal Bureau
of Investigation

Ensures the industry-wide implementation of the assistance capability requirements.

Consults with state and local law enforcement agencies.

Provides estimates to various telecommunications industry organizations on the number of interceptions, pen registers, and trap and traces devices that government agencies may need to conduct.

Consults with the FCC regarding carrier petitions that seek a determination that compliance with the assistance capability requirements is not reasonably achievable.

Establishes rules to facilitate carrier reimbursements.

Allocates appropriated funds to carriers in a manner consistent with law enforcement priorities.

Annually reports to Congress the amount of carrier payments during the preceding year and the projected payments for the current year.

Federal Communications Commission25

Determines which entities are telecommunications carriers and may exempt any entity class or category as a telecommunications carrier by rulemaking and consulting with the FBI.

Establishes technical standards for compliance with assistance capability requirements if industry associations fail to issue technical standards, or if a government agency or any other person believes that industry-adopted standards are deficient.

Reviews petitions for extensions.

Telecommunications Carriers (service providers)26

Ensures that equipment, facilities, or services that provide customers the ability to originate, terminate, or direct communications meet the CALEA assistance capability requirements.

Equipment Manufacturers

Makes available all features or modifications necessary to meet assistance capability requirements, including consulting with carriers over current and planned equipment.

Office of the Inspector General27

Reports to Congress biennially on (1) CALEA-compliant equipment, facilities, and services; (2) analysis of payments to carriers for CALEA-compliant modifications; and (3) future-cost projections for assistance capability requirement modifications.

In summary, effective implementation of CALEA’s provisions relies on the shared responsibilities of the government agencies and the service providers and manufacturers subject to the law’s requirements.

Controversy Over Technologies Covered by CALEA

Since CALEA’s enactment in 1994, the telecommunications industry has lobbied Congress to change certain provisions of the law. Appendix VI presents a summary of these efforts. While the FBI has been successful in blocking these efforts, CALEA remains controversial.

According to its legislative history, CALEA was supposed to strike a balance between three competing national priorities: preserving law enforcement’s ability to conduct electronic surveillance; protecting privacy; and promoting innovation. However, controversy surrounds these three priorities as discussed below:

  • Preserving law enforcement’s ability to conduct electronic surveillance. CALEA was an attempt by Congress to stop electronic surveillance from becoming obsolete. Law enforcement hoped that CALEA would preserve its ability to access evidence against suspected terrorists and criminals.

  • Protecting privacy. Intercepted communications were required to be conducted in such a way as to “minimize the interception of communications not otherwise subject to interception.” These communications included unrelated, irrelevant, and non-criminal communications not specifically covered in the court order. Furthermore, advances such as “packet-mode” technology of Internet telephone service, also known as Voice over Internet Protocol (VoIP), confronted law enforcement with new surveillance challenges.28 The packet-mode technology of Internet telephony is more difficult to intercept than traditional circuit-mode communications because the data packets are not readily identifiable.29 Therefore, law enforcement may intercept packets of data from subscribers who are not the subject of electronic surveillance.

  • Promoting innovation. According to representatives from the Center for Democracy and Technology, applying CALEA to Internet telephone services would cause irreparable harm to the Internet by increasing consumer costs, impairing and delaying innovation and new services, and forcing telecommunications providers to develop Internet innovations outside of the United States.30 These representatives explained that even if the FCC finds that Internet telephone services fall under CALEA, the statute would only apply to U.S. providers. This would place U.S. telecommunications providers at a competitive disadvantage because they are directly competing with foreign-based providers. Officials from telecommunications carriers we interviewed also raised these issues.

The collision of these national priorities created controversy. At the time of its passage, it was clear that CALEA covered wireline and cellular communications; network-based services such as call-forwarding and conference calling; and technologies such as pagers and satellite phones. However, CALEA does not cover “information services,” and this exclusion has proven to be a major source of controversy.31 According to the FBI, at the time of CALEA’s enactment consumers used the Internet to obtain information, not as a telecommunications service. However, with the recent growth of Internet telephony, the question of whether CALEA applies to Internet Service Providers (ISP) or other VoIP providers continues to be widely debated.

An example of the controversy involves VoIP provider Vonage. In 2003, the Minnesota Public Utility Commission (MPUC) ruled that Vonage was a telephone service provider under Minnesota state law. As a result, Vonage was subject to certain state regulations, including those governing 911 emergency calling services. In September 2003, Vonage petitioned both the U.S. District Court in Minnesota for injunctive relief and the FCC for pre-emption of all state regulation on the grounds that Vonage is an ISP rather than a telephone service provider. In October 2003, the U.S. District Court in Minnesota ruled in favor of Vonage, concluding that Vonage is an ISP. The Minnesota Attorney General appealed on behalf of the MPUC. In December 2004, the U.S. Court of Appeals for the Eighth Circuit upheld the district court ruling that the MPUC may not regulate calls made through the Internet as it does calls made through traditional phone lines.

Meanwhile, the FCC sought comments on Vonage’s petition. The FBI filed comments stating that Vonage could not qualify for relief because its VoIP service is a telecommunications service instead of an information service. In November 2004, the FCC issued its decision ruling that Internet phone services should not be governed by the same state regulations as traditional telephone companies. As a result, whether CALEA applied to Vonage and other Internet phone services remained controversial.

Joint Petition for Expedited Rulemaking

In March 2004, the DOJ, the FBI, and the Drug Enforcement Administration (DEA) attempted to resolve problems faced by law enforcement with these new technologies by filing a Joint Petition for Expedited Rulemaking with the FCC. The Joint Petition also sought resolution on issues pertaining to carrier extensions for complying with CALEA, enforcement for noncompliance, and carrier fees.32 In the Joint Petition, the DOJ and other groups asked the FCC to:

  1. identify both the types of services and entities that are subject to CALEA, as well as services that are considered “packet‑mode services”;

  2. issue an initial Declaratory Ruling or other formal FCC statement, and ultimately adopt final rules that compel broadband access and telephony services be subject to CALEA;

  3. reaffirm that push‑to-talk service is subject to CALEA;

  4. adopt rules that provide for the easy and rapid identification of future CALEA-covered services and entities;

  5. establish rules, benchmarks and deadlines for CALEA compliance with packet-mode and other future CALEA-covered technologies.

The FCC declined to issue a declaratory ruling, finding instead that it was necessary to compile a complete record on the factual and legal issues. Therefore, on August 4, 2004, the FCC issued a Notice of Proposed Rulemaking (NPRM) in response to the DOJ petition and sought comments on its tentative conclusions.33 The comment period on the NPRM closed in December 2004. In response to the NPRM, interested parties filed about 650 comments with the FCC. Among the parties were DOJ; the carriers Verizon, Sprint, Bell South, and SBC; VoIP provider Vonage; ISP Earthlink; and “trusted third party” Verisign.34

In the opinion of carrier representatives with whom we spoke, the NPRM issues are, for the most part, already outdated. Carrier representatives stated that as technological change continues to accelerate, law enforcement agencies will have a harder time keeping up and electronic surveillance may suffer.

FCC Ruling

On August 5, 2005, the FCC ruled on the Joint Petition. The FCC stated that providers of facilities-based broadband Internet access service and interconnected (managed) VoIP services must be prepared to accommodate electronic surveillance within the scope of CALEA.35 According to the FCC, these services essentially replace conventional telecommunications services currently subject to CALEA.36 The ruling stated that the FCC’s determination is limited to facilities-based broadband Internet access service providers and VoIP providers offering services that permit users to receive calls from, and place calls to, the public switched telephone network or PSTN, the publicly available dial-up telephone network.37

The FCC also found that the definition of “telecommunications carrier” encompasses providers of services that are not classified as telecommunications services under the Communications Act of 1934. With respect to a deadline for compliance, the FCC reasoned that because newly covered providers need a reasonable amount of time to come into compliance with all relevant CALEA requirements, a deadline of 18 months from the effective date of the FCC’s Order would be appropriate.

In addition to ruling that certain broadband and managed VoIP services fall within the scope of coverage, the FCC adopted a Further NPRM seeking more information about whether certain classes or categories of facilities-based broadband Internet access providers (i.e., small and rural providers and providers of broadband networks for educational and research institutions) should be exempt from CALEA.

The FCC’s ruling, however, does not address any of the other issues raised in the March 10, 2004, Joint Petition (e.g., cost of compliance to be borne by industry for post-January 1, 1995, equipment; extensions of the compliance date; enforcement; and the identification of future services). The FCC is expected to provide a final ruling on these issues in the near future.

In October 2005, telecommunications firms, nonprofit organizations, and educators challenged the FCC’s August 5, 2005, ruling in the U.S. Court of Appeals in Washington, D.C. These groups are challenging the rules on both privacy grounds, and because they claim implementing the rules will be too expensive. In the OIG’s April 2004 report, we recommended that the FBI submit to Congress legislative changes to CALEA it believed necessary to ensure that electronic surveillance is achieved expeditiously in light of rapid technological changes.38 Despite the FCC’s ruling, we continue to believe that legislative clarification of CALEA’s intent is necessary.39 As discussed in Finding II of this report, previous litigation over what should be required for law enforcement’s wiretapping capabilities substantially delayed CALEA implementation, and we are concerned that this current litigation will delay CALEA implementation as it applies to new technologies.


Footnotes

  1. Pen registers are surveillance devices that capture the phone numbers dialed on outgoing telephone calls, whereas trap and trace devices capture the numbers identifying incoming calls. These two devices are not supposed to reveal the content of communications, identify the parties to a communication, or whether a call was connected. Rather, they only convey that one particular phone dialed another phone. A pen register and trap and trace, which can be obtained separately or together, provide real-time call-identifying information.

  2. A wiretap provides real-time call-identifying and content information.

  3. Title III contains the procedures law enforcement must follow to obtain the necessary judicial authorization to conduct electronic surveillance. Congress subsequently amended the statute to confirm the government’s authority to require providers of communications services to provide law enforcement with the “…technical assistance necessary to accomplish the interception….”

  4. The ECPA extended Title III coverage to the contents of electronic messages, such as e-mail, and to data transmissions from facsimiles and pagers.

  5. FISA requires carriers to furnish “…all information, facilities, or technical assistance necessary to accomplish the electronic surveillance in such a manner as will protect its secrecy and produce a minimum of interference…” with the services of the target of electronic surveillance.

  6. Capacity is defined as the number of simultaneous call-content interceptions, pen registers, and trap and traces that law enforcement can conduct in a given geographical area.

  7. Each technology-based problem is described in Appendix II.

  8. CALEA defines “telecommunications carrier” as a person or entity engaged in the transmission of communications as a common carrier for hire. It includes a person or entity engaged in providing communication services to the extent that the Federal Communications Commission (FCC) finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier. According to CALEA, the phrase “telecommunications carrier” does not include persons or entities insofar as they are engaged in providing information services, and any class or category of telecommunications carrier that the FCC exempts by rule after consultation with the Attorney General.

  9. A description of the CALEA statute by section can be found in Appendix III.

  10. A summary of FCC actions related to CALEA can be found in Appendix IV.

  11. To meet their responsibilities under CALEA, some carriers have chosen to contract with trusted third parties. A trusted third party is a private company whose services include providing reviews of a carrier’s CALEA-compliance, managing the intercept function, and serving as the custodian of record for the intercept information.

  12. See Appendix V for a summary of prior OIG audits.

  13. Unlike a traditional telephone service, Internet telephone service allows the routing of voice conversations over the Internet by converting the sound of a voice into packets of data, sending it across the Internet, and reassembling it into sound on the other end of a call.

  14. Circuit-mode communications refers to the routing of voice communications through a traditional telephone service.

  15. The Center for Democracy and Technology identifies itself as a public interest organization dedicated to promoting civil liberties and democratic values for the new digital communications media.

  16. According to CALEA, “information services” means the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications.

  17. We discuss extensions and enforcement in Finding II, and carrier fees in Finding IV.

  18. For additional information on the NPRM, see Appendix IV, August 4, 2004, Notice of Proposed Rulemaking and Declaratory Ruling.

  19. Appendix VII contains a summary of these comments.

  20. The FBI describes “managed VoIP services” as those that offer voice communications calling capability where the VoIP provider acts as a mediator to manage the communication between end points and to provide call set-up, connection, termination, and party-identification features, often generating or modifying dialing, signaling, switching, addressing, or routing functions for the user. The FBI distinguishes managed communications from “non-managed” or “peer-to-peer” communications where people can communicate directly without going through a central telephone company. The FCC requested comments on the appropriateness of this distinction between managed and non-managed VoIP communications for purposes of CALEA.

  21. The Substantial Replacement Provision of CALEA allows the FCC to classify a person or entity as a telecommunication carrier if the FCC finds that it is providing a communication service that is a replacement for a substantial portion of the local telephone exchange service, and if it is in the public interest to deem the person or entity to be a telecommunication carrier (47 U.S.C. § 1001(8)(B)(ii)). The FCC’s Deputy Chief, Office of Engineering and Technology, testified before the House of Representatives Subcommittee on Telecommunications and the Internet September 8, 2004, that an “irreconcilable tension” could exist for service providers that find themselves at the same time subject to CALEA under the Substantial Replacement Provision and exempted from it by virtue of the information services exclusion.

  22. With this determination, the FCC confirmed its February 12, 2004, Memorandum Opinion and Order (see Appendix IV) wherein the FCC considered a peer-to-peer VoIP provider an “information service” and therefore exempt from CALEA. The decision to exempt peer-to-peer VoIP from CALEA is a source of contention within the industry as summarized in some of the comments to the NPRM in Appendix VII. Although t he effect of this decision is too early to determine, in the opinion of a carrier representative to whom we spoke, peer-to-peer VoIP is the wave of the future, and these decentralized communications systems may present a challenge to law enforcement. [LAW ENFORCEMENT SENSTIVE INFORMATION REDACTED].

  23. Department of Justice, Office of the Inspector General Audit Report Number 04-19, The Implementation of the Communications Assistance for Law Enforcement Act by the Federal Bureau of Investigation, April 2004.

  24. Although we do not repeat our previous recommendation in this report, we will continue to monitor the FBI’s progress in pursuing legislative clarification through our audit follow-up process.


« Previous Table of Contents Next »