I know it's not customary for IC/LEA to care about privacy, touting "national security" around as justification of watching everyone, but this is interesting anyway. -hedges- >X-Authentication-Warning: relay.pathfinder.com: Host [206.245.67.33] >claimed to be pathfinderfw.twi.com >X-Sender: declanat_private >Mime-Version: 1.0 >Date: Wed, 11 Feb 1998 20:25:13 -0500 >To: politechat_private >From: Declan McCullagh <declanat_private> >Subject: FC: Privacy groups tell FCC to deep-six wiretap law >Sender: owner-politechat_private >Reply-To: declanat_private >X-Loop: politechat_private >X-URL: Politech is at http://www.well.com/~declan/politech/ > >Seems as though even the folks (not the undersigned) who lauded the virtues >of the Digital Telephony wiretapping law and cut a deal to ensure its >passage are now claiming it's gone astray. Attached below are comments >filed (I believe today) with the FCC on the law. > >Even if you don't care about wiretapping, consider this: the Digital >Telephony law requires technology firms to make communications readily >snoopable by law enforcement agents. Think of this as a precedent for >requiring technology firms to make //encrypted// communciations readily >snoopable by law enforcement agents. > >Trust me, even if you haven't thought about that precedent and its value >when lobbying members of Congress, Louis Freeh has. > >-Declan > >****** > >Before the > >Federal Communications Commission >Washington, D.C. 20554 > >In the Matter of ) > ) CC Docket No. 97-213 >Communications Assistance for ) >Law Enforcement Act ) > > >Surreply Comments of > >The American Civil Liberties Union >The Electronic Privacy Information Center >The Electronic Frontier Foundation >Computer Professionals for Social Responsibility > > > The American Civil Liberties Union (ACLU), Electronic Privacy >Information Center (EPIC), Electronic Frontier Foundation (EFF), and >Computer Professionals for Social Responsibility (CPSR) respectfully >submit these surreply comments in the above referenced proceeding. Our >organizations represent a broad perspective of public interest, privacy and >civil liberties interests. > > ACLU, EPIC and EFF jointly filed comments with the Federal >Communications Commission in response to the Notice of Proposed >Rulemaking (NPRM) on implementation of the Communications Assistance >for Law Enforcement Act (CALEA) on December 12, 1997. In our >previous comments, we urged the Commission to exercise its statutorily >conferred authority to delay compliance with the Act until October, 2000. > > However, after reviewing the comments filed by the Federal Bureau >of Investigation (FBI), public interest groups, and industry; and in light of >the FBI's four year delay in releasing to the public the statutorily required >Notice of Capacity; and the FBI's obstruction of the adoption of industry >compliance standards that are feasible and technically possible, we are >convinced that the Commission must indefinitely delay the implementation >of CALEA. We call on the Commission to report to Congress on the >serious legal, technical, and policy obstacles that have thwarted CALEA's >implementation. Our organizations also request that the Commission >require the FBI to provide comment-- on the public record-- explaining their >failure to meet the statutory Notice of Capacity Requirement imposed by >Congress nearly four years ago. > > Our requests in this proceeding are based on several provisions for >government accountability and privacy protection incorporated in CALEA >and its legislative history, which has thus far been largely ignored. >Section >107 of CALEA provides that any person(s), including public interest >groups, concluding that any standard issued on the implementation of the >Act is deficient, may petition the Commission for review. This section >provides that one factor for judging the acceptability of standards is whether >they protect the privacy of communications that are not permitted to be >intercepted under the law. > > Furthermore, the legislative history of CALEA makes clear that the >Commission's authority over this implementation process is designed to >ensure that the following goals are realized: (1) Costs to consumers are kept >low, so that 'gold-plating' by the industry is kept in check; (2) the >legitimate >needs of law enforcement are met, but that law enforcement does not engage >in gold-plating of its demands; (3) privacy interests of all Americans are >protected; (4) the goal of encouraged competition in all forms of >telecommunications is not undermined, and the fact of wiretap compliance is >not used as either a sword or a shield in realization of that goal. > > Because our organizations have concluded that these statutory goals >have not been satisfied, we believe it is incumbent on the Commission to >take action with regards to our requests. In these surreply comments we >will also address several issues raised in submissions of other interested >parties that call for an expansion of the CALEA's mandate and that run >counter to Congress' stated goals. > >I. The FBI has Disregarded the Congressional Limitations and >Statutory Obligations Imposed on Law Enforcement by CALEA: > > CALEA explicitly called on law enforcement to issue a technical >capacity notice by October 25, 1995, one year after the law's enactment. >Carriers were given three years after the notification to install capacity >meeting the notification requirements. Thus, under the statutory timetable, >industry's deadline for compliance was to have been October 1998. > > Section 104(a)(2) requires that the technical capacity notice >provide a >numerical estimate of law enforcement's anticipated use of electronic >surveillance for 1998. The notice is required to establish the maximum >interceptions that a particular switch or system must be capable of >implementing simultaneously. > > By mandating the publication of numerical estimates of law >enforcement surveillance activity, Congress intended CALEA's notice >requirements to serve as accountability "mechanisms that will allow for >Congressional and public oversight. The bill requires the government to >estimate its capacity needs and publish them in the Federal Register." > > In addition to the concerns of privacy advocates, the Public Notice >requirement was based on industry concerns that the cost of providing >intercepts was becoming an undue burden on companies and that the >number of intercepts was growing too rapidly for industry to respond. In >1994, AT&T testified that such law enforcement notice was necessary for >industry to accomplish the following: > >-require law enforcement to focus on what it actually requires to accomplish >its legitimate needs thereby freeing resources they do not actually require >for >other purposes; > >-provide an essential mechanism for Congress to control both the costs and >level of law enforcement involvement in the development of new services; > >-ensure that the fewest taxpayer dollars are spent to address law >enforcement concerns. > > As documented in detail in our prior comments, the FBI has yet to >provide the mandated Notice of Capacity. The Bureau has thus far released >two initial notices that were both withdrawn after sharp public criticism over >the FBI's failure to meet the statutory requirements. > > The FBI comments also do not explain why the public and Congress >should ignore their failure to meet this statutory obligation. Instead, the >FBI >asserts that public safety should override any technical problems industry >groups may face in complying with CALEA's statutory deadline. >However, we believe that this assertion has also not been justified by the >FBI to date. > > According to statistics released by the Administrative Office of the >U.S. Courts and the Department of Justice, the actual number of >interceptions has risen dramatically each year and in 1996 alone 2.2 million >conversations were captured by law enforcement. A total of 1.7 million of >these intercepted conversations were deemed not "incriminating" by >prosecutors. Our organizations believe that these numbers do little to >support the FBI contentions that CALEA should be given broad >interpretation. > > Moreover, the FBI comments state that a blanket extension on the >compliance with CALEA should not be granted despite the impasse >between industry and law enforcement because of the potential threat to >public security. While we recognize the importance of protecting the >public, Congress required that there be a balancing of the interests of law >enforcement with the need to protect privacy and develop new technologies. >Specifically, Congress had the following objectives: > >(1) to preserve a narrowly focused capability for law enforcement agencies >to carry out properly authorized intercepts; > >(2) to protect privacy in the face of increasingly powerful and personally >revealing technologies; and > >(3) to avoid impeding the development of new communications services and >technologies. > > Hence, we are not persuaded by the FBI's conclusion that there >should not be a blanket extension for compliance with CALEA. Until it is >clear that each of the Congressional objectives is met and there is a public >release by the FBI of its statutorily mandated Notice on Capacity, the >technical compliance with the Act should be postponed. > >II. The FBI Has Not Maintained Narrowly Focused Capability for >Law Enforcement Agencies to Carry Out Authorized Intercepts > > The FBI's bad faith in the implementation process has prevented the >development of acceptable technical standards that are feasible by industry. >As our prior comments document and industry comments support, the FBI >has repeatedly endeavored to require that industry meet a FBI wish-list of >surveillance capability needs never contemplated by Congress. Indeed, >avoiding such an impasse was precisely why Congress explicitly redrafted >the statute in 1994 to eliminate law enforcement control over industry >standard-setting. > > Instead of preserving a narrow focus on surveillance capability, the >FBI has sought an expanded capability by interpreting CALEA to apply to >entities and user services specifically exempt by Congress. The comments >submitted by the FBI underscore the validity of our concerns by presenting >a wish-list of items that go far beyond the authorized electronic surveillance >under the provisions of Title III of the Omnibus Crime Control and Safe >Streets Act of 1968, the Electronic Communications Privacy Act of 1986 >and CALEA. For example, the FBI comments call for CALEA compliance >by carriers providing access to information services, private >communications services, and paging services -- an expansion of >surveillance capabilities never contemplated by Congress. > >(a) Information services > > In paragraph 29 of its submission, the FBI states that it agrees that >providers of "exclusively information services are excluded from CALEA" >but that "any portion of a telecommunications service provided by a >common carrier that is used to provide transport access to information >services is subject to CALEA." > > Such services are explicitly exempt under the statute. Section 103 >(4)(b) provides limitations on what services are required to meet assistance >capability requirements under CALEA. It states: > >(b) Limitations: >(2)Information services; private networks and interconnection services and >facilities. The requirements of subsection (a) do not apply to-- > >(A) information services; or > >(B) equipment, facilities, or services that support transport or switching of >communications for private networks or for the sole purpose of >interconnecting telecommunications carriers. > > Congress explicitly rejected any application of CALEA to >information services including electronic mail and on-line services >recognizing that interception of those communications is the equivalent of >"call content" and is therefore, subject to a much higher degree of protection >under the Constitution. The FBI, and the Commission NPRM, incorrectly >assume there is a distinction between carriers that exclusively provide >information services and common carriers that provide access for >information services. The FBI is simply attempting to gain back-door >access to information services contrary to Congress' intent. > >(b) Carriers Providing Private Services: > > Paragraph 22 of the FBI comment states that "there may exist >telecommunications companies that do not hold themselves out to serve the >public indiscriminately that should also be treated as 'telecommunications >carriers' by the Commission. Otherwise, companies that hold themselves >out to serve particular groups may, intentionally or inadvertently, undermine >CALEA." > > Thus, the FBI's conclusion that private services that do not >indiscriminately provide services to the public fall within CALEA's ambit is >unwarranted. Indeed as the legislative history states: >"...telecommunications services that support or transport switching of >communications for private networks or for the sole purpose of >interconnecting telecommunications carriers...need not meet any wiretap >standards...Earlier digital telephony proposals covered all providers of >electronic communications services, which meant every business and >institution in the country. That broad approach was not practical. Nor was >it justified to meet any law enforcement need." > > Indeed the explicit exclusion of private networks was also based on >the potential threats to personal privacy that such could be incurred by >requiring private networks to meet the CALEA configuration requirements. >CALEA's legislative history states that private networks are not the usual >focus of court authorized electronic surveillance and that these networks, >although excluded by CALEA's requirements, may be required to provide >law enforcement with access to information after receiving a court order. > >(c) Paging services: > > Paragraph 25 of the FBI comments state: "Law enforcement >contends that paging systems should be included in the definition of >"telecommunications carrier" for the purposes of interpreting CALEA >because paging systems generally fall within the definition of common >carrier or, at minimum, rely on common carriers to be activated." > > Paging service's reliance on common carriers for activation does not >automatically compel their compliance with CALEA. > >III. The FBI Has Ignored Privacy Protection Requirements > > The Congress specifically required privacy safeguards to assure that >communications not be made vulnerable to hackers and rogue wiretaps as a >result of CALEA. Section 105 of CALEA, Systems Security and Integrity, >mandates that "telecommunications carriers shall ensure that any >interception of communications or access to call-identifying information >effected within its switching premises can activated only in accordance with >a court order or other lawful authorization...". However, the FBI comments >and FCC NPRM merely reduce privacy concerns to questions of >telecommunication carrier recordkeeping and employee screening measures. > > Furthermore, Section V of the FBI comments, which addresses the >carrier security procedures, attempts to undermine the protections against >unlawful government surveillance guaranteed in the Electronic >Communications Privacy Act of 1986. 18 U.S.C. 2510, et. seq. This section >asserts that there is "anecdotal evidence" that carriers have refused to >comply with law enforcement requests for wiretapping where there is >confusion as to the validity of court orders. As a result, the FBI has called >on the Commission to limit the ability of carriers to question the lawfulness >of requests for interception by various law enforcement entities. Similarly, >paragraph 47 states that "[c]arriers are the implementers, not the enforcers, >of lawful intercept orders or certifications under the electronic surveillance >laws." > > We strongly disagree with that conclusion. Carriers have an >affirmative obligation under ECPA to ensure that they are not wrongfully >disclosing information to the government or third parties. The failure of >carriers to exercise good faith judgment and carefully scrutinize such >requests for information may expose them to criminal and civil liability >under ECPA. 18 U.S.C. 2520 (d). We believe that a Commission ruling >providing that carrier's lack the ability to scrutinize the validity of >warrants >would require them to abrogate their statutory good faith obligations. In >addition, the Commission lacks authority to limit the rights of carriers to >review such orders and such a requirement would not comport with other >federal and state requirements. > > Paragraph 46 of the FBI comments broadly states that carriers may >not question law enforcement authority to conduct wiretapping >investigations where one party has consented to interception. The FBI >broadly states that "[i]n such cases, the electronic surveillance statutes >clearly indicate that no court order is required." > > We similarly disagree with this conclusion. Currently, at least 12 >states do not permit "one party consent" to interceptions of communications. >Thus, we believe that a Commission rule limiting carrier discretion would >certainly create pre-emption questions where there is no Congressional basis >and where the request comes from state law enforcement. > >Conclusion > > Congress envisioned CALEA's implementation as an open process >that would ensure accountability and prevent the development of >unprecedented surveillance capabilities. The expanded capabilities sought by >the FBI, along with their non-compliance with CALEA's Public Notice of >Capacity Requirements warrant serious Commission and Congressional >response. > > Our organizations believe that given the FBI's failure to meet public >accountability provisions, the Commission must indefinitely delay the >implementation of CALEA and report to the Congress on the serious >obstacles that have thwarted its implementation to date. We also ask that the >Commission require the FBI provide comment on the public record >explaining its failure to meet it unambiguous statutory obligations under >CALEA. > >Respectfully Submitted, > > >_____________________________________ >Laura W. Murphy, Director >Greg Nojeim, Legislative Counsel >A. Cassidy Sehgal, William J. Brennan Fellow >American Civil Liberties Union >Washington National Office >122 Maryland Ave, NE >Washington, D.C. 20002 >(202) 544-1681 > >Marc Rotenberg, Director Barry Steinhardt, President >David L. Sobel, Legal Counsel Electronic Frontier Foundation >David Banisar, Staff Counsel 1550 Bryant Street, Suite 725 > >Electronic Privacy Information Center San Francisco CA 94103 >666 Pennsylvania Ave., SE, Suite 301 (415) 436-9333 >Washington, D.C. 20003 >(202) 544-9240 > >Computer Professionals for >Social Responsibility >CPSR, P.O. Box 717, >Palo Alto, CA 94302 >(650) 322-3778 > >cc: >Rep. Bob Barr >Sen. Orrin Hatch >Sen. Patrick Leahy >Rep. Henry Hyde >Sen. Ashcroft >Sen. Edward McCain >Sen. Arlen Spector >Rep. Billy Tauzin >Rep. McCollum >Rep. Charles Schumer > > > The Communications Assistance for Law Enforcement Act, Pub. L. No. >103-414, 108 Stat. 4279 (1994) >(codified as amended in sections of 18 U.S.C. and 47 U.S.C.) > > Statement of the AT&T Corporation Before the House Subcommittee on Civil >and Constitutional Rights >and Senate Subcommittee on Technology and Law, reprinted, in Schneier and >Banisar: The Electronic >Privacy Papers, Wiley and Sons, 1997. > > See generally, EPIC letter to The Telecommunications Industry Liason >Unit, November 13, 1995, >reprinted in 1996 Electronic Privacy and Information Center, Cryptography >and Privacy Sourcebook, 1996, >discussing the failure of the Initial FBI Notification of Law Enforcement >Capacity Requirements to meet >CALEA's obligations. > > > >-------------------------------------------------------------------------- >POLITECH -- the moderated mailing list of politics and technology >To subscribe: send a message to majordomoat_private with this text: >subscribe politech >More information is at http://www.well.com/~declan/politech/ >-------------------------------------------------------------------------- >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:12 PDT