Access Law Threatens Privacy

Enhanced CALEA access to packet-based applications could hurt businesses' data privacy, Cameron Sturdevant writes.

My March 23 column on RFID hit a nerve with readers, a surprisingly large number of whom told me not to be so concerned about the widespread use of the tracking tags. Readers also questioned my understanding of how RFID technology works.

I do understand what RFID tags are: small, inexpensive chips that use radio energy to power a small transmitter that sends information from the chip to a receiver. And I do understand that the productivity and inventory management savings that RFID tags promise will drive their adoption in almost every industry. But all of this is precisely why I think it is so important to begin talking about how to ensure that personal privacy survives this latest technology innovation.

Of course, RFID isnt the only privacy puzzle IT managers and senior executives will have to figure out. A host of technologies, including voice over IP, instant messaging, peer-to-peer applications, and the granddaddy of corporate and personal communication—e-mail—are about to become subject to much more surreptitious snooping by the federal government.

The latest skirmish over access to personal data started March 10, when the Bush administration asked the Federal Communications Commission to require broadband service providers to give the FBI, the Department of Justice and the Drug Enforcement Agency greater access to their networks to facilitate wiretapping. See a PDF document here for more information on the act.

These agencies are asking for expedited rule-making regarding the Communications Assistance for Law Enforcement Act, also known as CALEA, which would provide access to packet-based applications. Aside from bread-and-butter issues such as cost—as in the cost of requiring carriers to facilitate access to broadband networks for equipment installed after January 1995—CALEA raises a host of regulatory concerns that in many cases run counter to companies desire to protect customers data privacy.

With the continued convergence of data and communications networks, IT managers must ask how they are going to ensure data privacy while also providing the myriad "back doors" that the law enforcement agencies involved in the CALEA filing are requesting. While the new CALEA filing is going after "packet mode services," the DOJ, FBI and DEA are also asking for guidelines on defining additional technologies that will fall under the CALEA purview—and thus under the wiretapping authority of at least three federal agencies.

I think, without overstating the case, that this is cause for alarm.

For example, I recently attended a briefing with Decru, maker of some of the most powerful data storage protection Ive seen. Decru wants to offer companies titanium-clad assurance that data will be kept secret—so secret that Decru can even provide a solution for a company that wants data to be available to CXOs but not corporate IT, according to the Decru representative with whom I met.

But can Decru really offer such a solution, in light of the new CALEA rules? Lets say some of the data that is being protected is e-mail or contains VOIP data packets. These data types are covered by CALEA, and, encrypted or not, the packets will have to be provided to law enforcement when they cross a service provider network.

Im afraid new search rules that cover what the DOJ and FBI call packet-mode services will set the stage for broad access to communications technologies used by consumers and business. Im concerned that the broad scope of rules and the accelerated schedule being requested by federal agencies will quickly blur the distinction between private information on a laptop in a hotel and on a PC at a branch office. I fear that data will be all too easily subject to search by federal law enforcement.

Before learning of the broad push for expanded domestic surveillance, I was concerned about the ability of ordinary people to manage and maintain privacy in the face of fast-changing technology. With the onset of enhanced CALEA access, businesses should now share that concern.

Senior Analyst Cameron Sturdevant can be reached at

/zimages/5/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis. Be sure to add our security news feed to your RSS newsreader or My Yahoo page: /zimages/5/19420.gif