[IWAR] D.C. Privacy groups tell FCC to deep-six wiretap law

From: Mark Hedges (hedgesat_private)
Date: Wed Feb 11 1998 - 18:16:23 PST

  • Next message: Mark Hedges: "[IWAR] Regulators back down on SEC/NASD email snooping rules"

    I know it's not customary for IC/LEA to care about privacy, touting
    "national security" around as justification of watching everyone, but this
    is interesting anyway. -hedges-
    >X-Authentication-Warning: relay.pathfinder.com: Host []
    >claimed to be pathfinderfw.twi.com
    >X-Sender: declanat_private
    >Mime-Version: 1.0
    >Date: Wed, 11 Feb 1998 20:25:13 -0500
    >To: politechat_private
    >From: Declan McCullagh <declanat_private>
    >Subject: FC: Privacy groups tell FCC to deep-six wiretap law
    >Sender: owner-politechat_private
    >Reply-To: declanat_private
    >X-Loop: politechat_private
    >X-URL: Politech is at http://www.well.com/~declan/politech/
    >Seems as though even the folks (not the undersigned) who lauded the virtues
    >of the Digital Telephony wiretapping law and cut a deal to ensure its
    >passage are now claiming it's gone astray. Attached below are comments
    >filed (I believe today) with the FCC on the law.
    >Even if you don't care about wiretapping, consider this: the Digital
    >Telephony law requires technology firms to make communications readily
    >snoopable by law enforcement agents. Think of this as a precedent for
    >requiring technology firms to make //encrypted// communciations readily
    >snoopable by law enforcement agents.
    >Trust me, even if you haven't thought about that precedent and its value
    >when lobbying members of Congress, Louis Freeh has.
    >Before the
    >Federal Communications Commission
    >Washington, D.C. 20554
    >In the Matter of                )
    >                                ) CC Docket No. 97-213
    >Communications Assistance for   )
    >Law Enforcement Act             )
    >Surreply Comments of
    >The American Civil Liberties Union
    >The Electronic Privacy Information Center
    >The Electronic Frontier Foundation
    >Computer Professionals for Social Responsibility
    >	The American Civil Liberties Union (ACLU),  Electronic Privacy
    >Information Center (EPIC), Electronic Frontier Foundation (EFF), and
    >Computer Professionals for Social Responsibility (CPSR) respectfully
    >submit these surreply comments in the above referenced proceeding.  Our
    >organizations represent a broad perspective of public interest, privacy and
    >civil liberties interests.
    >	ACLU, EPIC and EFF jointly filed comments with the Federal
    >Communications Commission in response to the Notice of Proposed
    >Rulemaking (NPRM) on implementation of the Communications Assistance
    >for Law Enforcement Act (CALEA)  on December 12, 1997. In our
    >previous comments, we urged the Commission to exercise its statutorily
    >conferred authority to delay compliance with the Act until October, 2000.
    >	However, after reviewing the comments filed by the Federal Bureau
    >of Investigation (FBI), public interest groups, and industry; and in light of
    >the FBI's four year delay in releasing to the public the statutorily required
    >Notice of Capacity;  and the FBI's obstruction of the adoption of industry
    >compliance standards that are feasible and technically possible, we are
    >convinced that the Commission must indefinitely delay the implementation
    >of CALEA.  We call on the Commission to report to Congress on the
    >serious legal, technical, and policy obstacles that have thwarted CALEA's
    >implementation.  Our organizations also request that the Commission
    >require the FBI to provide comment-- on the public record-- explaining their
    >failure to meet the statutory Notice of Capacity Requirement imposed by
    >Congress nearly four years ago.
    >	Our requests in this proceeding are based on several provisions for
    >government accountability and privacy protection incorporated in CALEA
    >and its legislative history, which has thus far been largely ignored.
    >107 of CALEA provides that any person(s), including public interest
    >groups, concluding that any standard issued on the implementation of the
    >Act is deficient, may petition the Commission for review.  This section
    >provides that one factor for judging the acceptability of standards is whether
    >they protect the privacy of communications that are not permitted to be
    >intercepted under the law.
    >	Furthermore, the legislative history of CALEA makes clear that the
    >Commission's authority over this implementation process is designed to
    >ensure that the following goals are realized: (1) Costs to consumers are kept
    >low, so that 'gold-plating' by the industry is kept in check; (2) the
    >needs of law enforcement are met, but that law enforcement does not engage
    >in gold-plating of its demands; (3) privacy interests of all Americans are
    >protected; (4) the goal of encouraged competition in all forms of
    >telecommunications is not undermined, and the fact of wiretap compliance is
    >not used as either a sword or a shield in realization of that goal.
    >	Because our organizations have concluded that these statutory goals
    >have not been satisfied, we believe it is incumbent on the Commission to
    >take action with regards to our requests.  In these surreply comments we
    >will also address several issues raised in submissions of other interested
    >parties that call for an expansion of the CALEA's mandate and that run
    >counter to Congress' stated goals.
    >I.  The FBI has Disregarded the Congressional Limitations and
    >Statutory Obligations Imposed on Law Enforcement by CALEA:
    >	CALEA explicitly called on law enforcement to issue a technical
    >capacity notice by October 25, 1995, one year after the law's enactment.
    >Carriers were given three years after the notification to install capacity
    >meeting the notification requirements.  Thus, under the statutory timetable,
    >industry's deadline for compliance was to have been October 1998.
    >	Section 104(a)(2) requires that the technical capacity notice
    >provide a
    >numerical estimate of law enforcement's anticipated use of electronic
    >surveillance for 1998.  The notice is required to establish the maximum
    >interceptions that a particular switch or system must be capable of
    >implementing simultaneously.
    >	By mandating the publication of numerical estimates of law
    >enforcement surveillance activity, Congress intended CALEA's notice
    >requirements to serve as accountability "mechanisms that will allow for
    >Congressional and public oversight. The bill requires the government to
    >estimate its capacity needs and publish them in the Federal Register."
    >	In addition to the concerns of privacy advocates, the Public Notice
    >requirement was based on industry concerns that the cost of providing
    >intercepts was becoming an undue burden on companies and that the
    >number of intercepts was growing too rapidly for industry to respond.  In
    >1994, AT&T testified that such law enforcement notice was necessary for
    >industry to accomplish the following:
    >-require law enforcement to focus on what it actually requires to accomplish
    >its legitimate needs thereby freeing resources they do not actually require
    >other purposes;
    >-provide an essential mechanism for Congress to control both the costs and
    >level of law enforcement involvement in the development of new services;
    >-ensure that the fewest taxpayer dollars are spent to address law
    >enforcement concerns.
    >	As documented in detail in our prior comments, the FBI has yet to
    >provide the mandated Notice of Capacity.  The Bureau has thus far released
    >two initial notices that were both withdrawn after sharp public criticism over
    >the FBI's failure to meet the statutory requirements.
    >	The FBI comments also do not explain why the public and Congress
    >should ignore their failure to meet this statutory obligation. Instead, the
    >asserts that public safety should override any technical problems industry
    >groups may face in complying with  CALEA's statutory deadline.
    >However, we believe that this assertion has also not been justified by the
    >FBI to date.
    >	According to statistics released by the Administrative Office of the
    >U.S. Courts and the Department of Justice, the actual number of
    >interceptions has risen dramatically each year and in 1996 alone 2.2 million
    >conversations were captured by law enforcement.  A total of 1.7 million of
    >these intercepted conversations were deemed not "incriminating" by
    >prosecutors.  Our organizations believe that these numbers do little to
    >support the FBI contentions that CALEA should be given broad
    >        Moreover, the FBI comments state that a blanket extension on the
    >compliance with CALEA should not be granted despite the impasse
    >between industry and law enforcement because of the potential threat to
    >public security.   While we recognize the importance of protecting the
    >public, Congress required that there be a balancing of the interests of law
    >enforcement with the need to protect privacy and develop new technologies.
    >Specifically, Congress had the following objectives:
    >(1) to preserve a narrowly focused capability for law enforcement agencies
    >to carry out properly authorized intercepts;
    >(2) to protect privacy in the face of increasingly powerful and personally
    >revealing technologies; and
    >(3) to avoid impeding the development of new communications services and
    >	Hence, we are not persuaded by the FBI's conclusion that there
    >should not be a  blanket extension for compliance with CALEA.  Until it is
    >clear that each of the Congressional objectives is met and there is a public
    >release by the FBI of its statutorily mandated Notice on Capacity, the
    >technical compliance with the Act should be postponed.
    >II. The FBI Has Not Maintained Narrowly Focused Capability for
    >Law Enforcement Agencies to Carry Out Authorized Intercepts
    >	The FBI's bad faith in the implementation process has prevented the
    >development of acceptable technical standards that are feasible by industry.
    >As our prior comments document and industry comments support, the FBI
    >has repeatedly endeavored to require that industry meet a FBI wish-list of
    >surveillance capability needs never contemplated by Congress.   Indeed,
    >avoiding such an impasse was precisely why Congress explicitly redrafted
    >the statute in 1994 to eliminate law enforcement control over industry
    >	Instead of preserving a narrow focus on surveillance capability, the
    >FBI has sought an expanded capability by interpreting CALEA to apply to
    >entities and user services specifically exempt by Congress. The comments
    >submitted by the FBI underscore the validity of our concerns by presenting
    >a wish-list of items that go far beyond the authorized electronic surveillance
    >under the provisions of Title III of the Omnibus Crime Control and Safe
    >Streets Act of 1968, the Electronic Communications Privacy Act of 1986
    >and CALEA.  For example, the FBI comments call for CALEA compliance
    >by carriers providing access to information services, private
    >communications services, and paging services -- an expansion of
    >surveillance capabilities never contemplated by Congress.
    >(a) Information services
    >	In paragraph 29 of its submission, the FBI states that it agrees that
    >providers of "exclusively information services are excluded from CALEA"
    >but that "any portion of a telecommunications service provided by a
    >common carrier that is used to provide transport access to information
    >services is subject to CALEA."
    >	Such services are explicitly exempt under the statute.  Section 103
    >(4)(b) provides limitations on what services are required to meet assistance
    >capability requirements under CALEA.  It states:
    >(b) Limitations:
    >(2)Information services; private networks and interconnection services and
    >facilities.  The requirements of subsection (a) do not apply to--
    >(A) information services; or
    >(B) equipment, facilities, or services that support transport or switching of
    >communications for private networks or for the sole purpose of
    >interconnecting telecommunications carriers.
    >	Congress explicitly rejected any application of CALEA to
    >information services including electronic mail and on-line services
    >recognizing that interception of those communications is the equivalent of
    >"call content" and is therefore, subject to a much higher degree of protection
    >under the Constitution.  The FBI, and the Commission NPRM, incorrectly
    >assume there is a distinction between carriers that exclusively provide
    >information services and common carriers that provide access for
    >information services.   The FBI is simply attempting to gain back-door
    >access to information services contrary to Congress' intent.
    >(b) Carriers Providing Private Services:
    >	Paragraph 22 of the FBI comment states that "there may exist
    >telecommunications companies that do not hold themselves out to serve the
    >public indiscriminately that should also be treated as 'telecommunications
    >carriers' by the Commission. Otherwise, companies that hold themselves
    >out to serve particular groups may, intentionally or inadvertently, undermine
    >	Thus, the FBI's conclusion that private services that do not
    >indiscriminately provide services to the public fall within CALEA's ambit is
    >unwarranted.  Indeed as the legislative history states:
    >"...telecommunications services that support or transport switching of
    >communications for private networks or for the sole purpose of
    >interconnecting telecommunications carriers...need not meet any wiretap
    >standards...Earlier digital telephony proposals covered all providers of
    >electronic communications services, which meant every business and
    >institution in the country.  That broad approach was not practical.  Nor was
    >it justified to meet any law enforcement need."
    >	Indeed the explicit exclusion of private networks was also based on
    >the potential threats to personal privacy that such could be incurred by
    >requiring private networks to meet the CALEA configuration requirements.
    >CALEA's legislative history states that private networks are not the usual
    >focus of court authorized electronic surveillance and that these networks,
    >although excluded by CALEA's requirements, may be required to provide
    >law enforcement with access to information after receiving a court order.
    >(c) Paging services:
    >	Paragraph 25 of the FBI comments state: "Law enforcement
    >contends that paging systems should be included in the definition of
    >"telecommunications carrier" for the purposes of interpreting CALEA
    >because paging systems generally fall within the definition of common
    >carrier or, at minimum, rely on common carriers to be activated."
    >	Paging service's reliance on common carriers for activation does not
    >automatically compel their compliance with CALEA.
    >III. The FBI Has Ignored Privacy Protection Requirements
    >	The Congress specifically required privacy safeguards to assure that
    >communications not be made vulnerable to hackers and rogue wiretaps as a
    >result of CALEA. Section 105 of CALEA, Systems Security and Integrity,
    >mandates that "telecommunications carriers 	shall ensure that any
    >interception of communications or access to call-identifying information
    >effected within its switching premises can activated only in accordance with
    >a court order or other lawful authorization...".  However, the FBI comments
    >and FCC NPRM merely reduce privacy concerns to questions of
    >telecommunication carrier recordkeeping and employee screening measures.
    >	Furthermore, Section V of the FBI comments, which addresses the
    >carrier security procedures, attempts to undermine the protections against
    >unlawful government surveillance guaranteed in the Electronic
    >Communications Privacy Act of 1986. 18 U.S.C. 2510, et. seq. This section
    >asserts that there is "anecdotal evidence" that carriers have refused to
    >comply with law enforcement requests for wiretapping where there is
    >confusion as to the validity of court orders.  As a result, the FBI has called
    >on the Commission to limit the ability of carriers to question the lawfulness
    >of requests for interception by various law enforcement entities.  Similarly,
    >paragraph 47 states that "[c]arriers are the implementers, not the enforcers,
    >of lawful intercept orders or certifications under the electronic surveillance
    >	We strongly disagree with that conclusion.  Carriers have an
    >affirmative obligation under ECPA to ensure that they are not wrongfully
    >disclosing information to the government or third parties.  The failure of
    >carriers to exercise good faith judgment and carefully scrutinize such
    >requests for information may expose them to criminal and civil liability
    >under ECPA.  18 U.S.C. 2520 (d). We believe that a Commission ruling
    >providing that carrier's lack the ability to scrutinize the validity of
    >would require them to abrogate their statutory good faith obligations.   In
    >addition, the Commission lacks authority to limit the rights of carriers to
    >review such orders and such a requirement would not comport with other
    >federal and state requirements.
    >	Paragraph 46 of the FBI comments broadly states that carriers may
    >not question law enforcement authority to conduct wiretapping
    >investigations where one party has consented to interception.  The FBI
    >broadly states that "[i]n such cases, the electronic surveillance statutes
    >clearly indicate that no court order is required."
    >	We similarly disagree with this conclusion.  Currently, at least 12
    >states do not permit "one party consent" to interceptions of communications.
    >Thus, we believe that a  Commission rule limiting carrier discretion would
    >certainly create pre-emption questions where there is no Congressional basis
    >and where the request comes from state law enforcement.
    >	Congress envisioned CALEA's implementation as an open process
    >that would ensure accountability and prevent the development of
    >unprecedented surveillance capabilities. The expanded capabilities sought by
    >the FBI, along with their non-compliance with CALEA's Public Notice of
    >Capacity Requirements warrant serious Commission and Congressional
    >	Our organizations believe that given the FBI's failure to meet public
    >accountability provisions,  the Commission must indefinitely delay the
    >implementation of CALEA and report to the Congress on the serious
    >obstacles that have thwarted its implementation to date. We also ask that the
    >Commission require the FBI provide comment on the public record
    >explaining its failure to meet it unambiguous statutory obligations under
    >Respectfully Submitted,
    >Laura W. Murphy, Director
    >Greg Nojeim, Legislative Counsel
    >A. Cassidy Sehgal, William J. Brennan Fellow
    >American Civil Liberties Union
    >Washington National Office
    >122 Maryland Ave, NE
    >Washington, D.C. 20002
    >(202) 544-1681
    >Marc Rotenberg, Director		Barry Steinhardt, President
    >David L. Sobel, Legal Counsel		Electronic Frontier Foundation
    >David Banisar, Staff Counsel		1550 Bryant Street, Suite 725
    >Electronic Privacy Information Center	San Francisco CA 94103
    >666 Pennsylvania Ave., SE, Suite 301	(415) 436-9333
    >Washington, D.C. 20003
    >(202) 544-9240
    >Computer Professionals for
    >Social Responsibility
    >CPSR, P.O. Box 717,
    >Palo Alto, CA 94302
    >(650) 322-3778
    >Rep. Bob Barr
    >Sen. Orrin Hatch
    >Sen. Patrick Leahy
    >Rep. Henry Hyde
    >Sen. Ashcroft
    >Sen. Edward McCain
    >Sen. Arlen Spector
    >Rep. Billy Tauzin
    >Rep. McCollum
    >Rep. Charles Schumer
    >  The Communications Assistance for Law Enforcement Act, Pub. L. No.
    >103-414, 108 Stat. 4279 (1994)
    >(codified as amended in sections of 18 U.S.C. and 47 U.S.C.)
    >  Statement of the AT&T Corporation Before the House Subcommittee on Civil
    >and Constitutional Rights
    >and Senate Subcommittee on Technology and Law, reprinted, in Schneier and
    >Banisar: The Electronic
    >Privacy Papers, Wiley and Sons, 1997.
    >  See generally, EPIC letter to The Telecommunications Industry Liason
    >Unit, November 13, 1995,
    >reprinted in 1996 Electronic Privacy and Information Center, Cryptography
    >and Privacy Sourcebook, 1996,
    >discussing the failure of the Initial FBI Notification of Law Enforcement
    >Capacity Requirements to meet
    >CALEA's obligations.
    >POLITECH -- the moderated mailing list of politics and technology
    >To subscribe: send a message to majordomoat_private with this text:
    >subscribe politech
    >More information is at http://www.well.com/~declan/politech/

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:12 PDT