Communications Assistance for Law Enforcement Act
The Communications Assistance for Law Enforcement Act (CALEA), also known as the "Digital Telephony Act," is a United States wiretapping law passed in 1994, during the presidency of Bill Clinton (Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 USC 1001–1010).
CALEA's purpose is to enhance the ability of law enforcement agencies to conduct lawful interception of communication by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in capabilities for targeted surveillance, allowing federal agencies to selectively wiretap any telephone traffic; it has since been extended to cover broadband Internet and VoIP traffic. Some government agencies argue that it covers mass surveillance of communications rather than just tapping specific lines and that not all CALEA-based access requires a warrant.
Journalists and technologists have characterised the CALEA-mandated infrastructure as government backdoors.[1][2] In 2024, the U.S. government realized that China had been tapping communications in the U.S. using that infrastructure for months, or perhaps longer.[3]
The original reason for adopting CALEA was the Federal Bureau of Investigation's worry that increasing use of digital telephone exchange switches would make tapping phones at the phone company's central office harder and slower to execute, or in some cases impossible.[4] Since the original requirement to add CALEA-compliant interfaces required phone companies to modify or replace hardware and software in their systems, U.S. Congress included funding for a limited time period to cover such network upgrades.[5] CALEA was passed into law on October 25, 1994, and came into force on January 1, 1995.[5]
In the years since CALEA was passed it has been greatly expanded to include all VoIP and broadband Internet traffic. From 2004 to 2007 there was a 62 percent growth in the number of wiretaps performed under CALEA – and more than 3,000 percent growth in interception of Internet data such as email.[6]
By 2007, the FBI had spent $39 million on its Digital Collection System Network (DCSNet) system, which collects, stores, indexes, and analyzes communications data.[6]
Provisions of CALEA
[edit]In its own words, the purpose of CALEA is:
- To amend title 18, United States Code, to make clear a telecommunications carrier's duty to cooperate in the interception of communications for Law Enforcement purposes, and for other purposes.
The U.S. Congress passed the CALEA to aid law enforcement in its effort to conduct criminal investigations requiring wiretapping of digital telephone networks. The Act obliges telecommunications companies to make it possible for law enforcement agencies to tap any phone conversations carried out over its networks, as well as making call detail records available. The act stipulates that it must not be possible for a person to detect that his or her conversation is being monitored by the respective government agency.
Common carriers, facilities-based broadband Internet access providers, and providers of interconnected Voice over Internet Protocol (VoIP) service – all three types of entities are defined to be “telecommunications carriers” and must meet the requirements of CALEA.
The CALEA Implementation Unit at the FBI has clarified that intercepted information is supposed to be sent to Law Enforcement concurrently with its capture.
On March 10, 2004, the United States Department of Justice, FBI and Drug Enforcement Administration filed a "Joint Petition for Expedited Rulemaking"[7] in which they requested certain steps to accelerate CALEA compliance, and to extend the provisions of CALEA to include the ability to perform surveillance of all communications that travel over the Internet – such as Internet traffic and VoIP.
As a result, the Federal Communications Commission adopted its First Report and Order on the matter concluding that CALEA applies to facilities-based broadband Internet access providers and providers of interconnected (with the public switched telephone network) Voice-over-Internet-Protocol (VoIP) services.
In May 2006, the FCC adopted a "Second Report and Order", which clarified and affirmed the First Order:
- The CALEA compliance deadline remains May 14, 2007.
- Carriers are permitted to meet their CALEA obligations through the services of "Trusted Third Parties (TTP)" – that is, they can hire outside companies, which meet security requirements outlined in CALEA, to perform all of the required functions.
- Carriers are responsible for CALEA development and implementation costs.
Technical implementation
[edit]For Voice and Text messaging, CALEA software in the central office enables wiretap. If a call comes in for a number on the target phone a "conference bridge" is created and the second leg is sent to law enforcement at the place of their choosing. By law this must be outside of the phone company. This prevents law enforcement from being inside the phone company and possibly illegally tapping other phones.
Text messages are also sent to law enforcement.
There are two levels of CALEA wiretapping:
- The first level only allows that the "meta data" about a call be sent. That is the parties to the call, the time of the call and for cell phones, the cell tower being used by the target phone. For text message, the same information is sent but the content is not sent. This level is called "Trap and Trace".
- The second level of CALEA wiretap, when permitted, actually sends the voice and content of text messages. This is called "Title III" wiretap.
USA telecommunications providers must install new hardware or software, as well as modify old equipment, so that it doesn't interfere with the ability of a law enforcement agency (LEA) to perform real-time surveillance of any telephone or Internet traffic. Modern voice switches now have this capability built in, yet Internet equipment almost always requires some kind of intelligent deep packet inspection probe to get the job done. In both cases, the intercept function must single out a subscriber named in a warrant for intercept and then immediately send some (headers-only) or all (full content) of the intercepted data to an LEA. The LEA will then process this data with analysis software that is specialized towards criminal investigations.
All traditional voice switches on the U.S. market today have the CALEA intercept feature built in. The IP-based "soft switches" typically do not contain a built-in CALEA intercept feature; and other IP-transport elements (routers, switches, access multiplexers) almost always delegate the CALEA function to elements dedicated to inspecting and intercepting traffic. In such cases, hardware taps or switch/router mirror-ports are employed to deliver copies of all of a network's data to dedicated IP probes.
Probes can either send directly to the LEA according to the industry standard delivery formats (c.f. ATIS T1.IAS, T1.678v2, et al.); or they can deliver to an intermediate element called a mediation device, where the mediation device does the formatting and communication of the data to the LEA. A probe that can send the correctly formatted data to the LEA is called a "self-contained" probe.
In order to be compliant, IP-based service providers (broadband, cable, VoIP) must choose either a self-contained probe, or a "dumb" probe component plus a mediation device, or they must implement the delivery of correctly formatted data for a named subscriber on their own.
Controversy
[edit]The Electronic Frontier Foundation (EFF) warns that:[8]
- CALEA makes US software and hardware less attractive for worldwide consumers.
- CALEA is a reason to move research and development out of the US.
- CALEA-free devices will probably be available in the grey market.
Journalist Marc Zwillinger from the Wall Street Journal explains his concerns with proposed revisions to the CALEA that would require Internet companies to provide law enforcement with a method of gaining access to communication on their networks.[9] Zwillinger warns this new mandatory access could create a dangerous situation for multinational companies not being able to refuse demands from foreign governments.[9] These governments could “threaten financial sanctions, asset seizures, imprisonment of employees and prohibition against a company’s services in their countries."[10] In addition, the creation of this new mechanism could create an easier way for hackers to gain access to the U.S. government's key.[9] Moreover, the U.S. telephone network and the global internet differ in that U.S. telephone carriers “weren’t responsible for decrypting communications unless the carrier possessed the decryption key. In fact, CALEA’s legislative history is full of assurances that the Department of Justice and FBI had no intention to require providers to decrypt communications for which they did not have the key.”[9] Therefore, a revision of the CALEA cannot necessarily secure companies from providing data on their devices during criminal investigations to foreign governments.
Lawsuits
[edit]Originally CALEA only granted the ability to wiretap digital telephone networks, but in 2004, the United States Department of Justice (DOJ), Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF), Federal Bureau of Investigation (FBI), and Drug Enforcement Administration (DEA) filed a joint petition with the Federal Communications Commission (FCC) to expand their powers to include the ability to monitor VoIP and broadband Internet communications – so that they could monitor Web traffic as well as phone calls.[11]
The Electronic Frontier Foundation has filed several lawsuits to prevent the FCC from granting these expanded domestic surveillance capabilities.[12][13]
The FCC's First Report and Order, issued in September 2005, ruled that providers of broadband Internet access and interconnected VoIP services are regulable as “telecommunications carriers” under CALEA. That order was affirmed and further clarified by the Second Report and Order, dated May 2006. On May 5, 2006, a group of higher education and library organizations led by the American Council on Education (ACE) challenged that ruling, arguing that CALEA did not apply to them. On June 9, 2006, the D.C. Circuit Court summarily denied the petition without addressing the constitutionality.[14]
See also
[edit]- Carnivore (FBI)
- NSA ANT catalog
- Tempora
- DCSNET
- ECHELON
- Hepting v. AT&T
- Lawful interception
- Magic Lantern
- PositiveID
- Secrecy of correspondence
- Secure communication
- SORM (Russia)
- Surveillance
- Telecommunications Intercept and Collection Technology Unit
- Telephone tapping
- Total Information Awareness
- Patriot Act
- Verint
- PRISM
References
[edit]- ^ "The 30-year-old internet backdoor law that came back to bite". 7 October 2024.
- ^ Michael Kan (7 October 2024). "Chinese Hackers Reportedly Breached ISPs Including AT&T, Verizon". PC Magazine. Retrieved 8 October 2024.
privacy researchers to call out the US government for maintaining a confidential "backdoor" to enable internet-based wiretapping. "Case in point: there's no way to build a backdoor that only the 'good guys' can use," tweeted Meredith Whittaker, president of the encrypted chat app Signal
- ^ Sarah Krouse; Dustin Volz; Aruna Viswanatha; Robert McMillan (5 October 2024). "U.S. Wiretap Systems Targeted in China-Linked Hack". Wall Street Journal. Retrieved 8 October 2024.
For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data
- ^ Trope, Konrad L. (2014). "US Government Eavesdropping on Electronic Communications: Where Are We Going?". SciTech Lawyer. 10 (2).
- ^ a b Figliola, Patricia Moloney. (2005). Digital surveillance : the Communications Assistance for Law Enforcement Act. Congressional Research Service [Library of Congress]. OCLC 61280196.
- ^ a b Singel, Ryan (29 August 2008). "Point, Click ... Eavesdrop: How the FBI Wiretap Net Operates". Wired.com. Archived from the original on March 14, 2010. Retrieved 14 March 2010.
- ^ "Archived copy" (PDF). Archived from the original (PDF) on 2004-12-20. Retrieved 2005-02-28.
{{cite web}}
: CS1 maint: archived copy as title (link) - ^ "FAQ on the CALEA Expansion by the FCC | Electronic Frontier Foundation". Eff.org. 19 September 2007. Retrieved 2013-10-09.
- ^ a b c d Zwillinger, Marc (April 20, 2015). "Should Law Enforcement Have the Ability to Access Encrypted Communications?". Wall Street Journal. Retrieved May 30, 2018.
- ^ Zwillinger, Marc (April 20, 2018). "Should Law Enforcement Have the Ability to Access Encrypted Communications?". Wall Street Journal. Retrieved May 30, 2018.
- ^ "FCC's Second Report and Order" (PDF). FCC. Retrieved 2014-12-19.
- ^ "EFF CALEA Archives 1999". W2.eff.org. Archived from the original on 2013-09-22. Retrieved 2013-10-09.
- ^ "EFF CALEA Archives 2000". W2.eff.org. Archived from the original on 2013-09-22. Retrieved 2013-10-09.
- ^ American Council on Education vs. FCC, United States Court of Appeals for the District of Columbia Circuit, Decision 05-1404(pdf) Archived 2012-09-07 at the Wayback Machine June 9, 2006
Further reading
[edit]- White Paper on Lawful Interception of IP Networks
- Communications Assistance for Law Enforcement Act of 1994
- FCC CALEA Home page
- EFF CALEA page
- Digital Surveillance: The Communications Assistance for Law Enforcement Act, Congressional Research Service, June 8, 2007
- RFC 3924 - Cisco Architecture for Lawful Intercept in IP Networks
- CALEA for Broadband? The Critics Are Unanimous :: Lasar's Letter on the Federal Communications Commission
- Law enforcement groups have been lobbying for years for FCC Internet wiretapping plan: Lasar's Letter on the Federal Communications Commission
- Cybertelecom: CALEA Information
- Guide to lawful intercept legislation around the world
- CableLabs Cable Broadband Intercept Specification
- CALEA Q&A
External links
[edit]- Communications Assistance for Law Enforcement Act (PDF/details) as amended in the GPO Statute Compilations collection