Slowly but surely, the screws of electronic surveillance are tightening, and in the process, changing the rules of what can and cannot be monitored and threatening to drive upward the costs that carriers charge their enterprise customers.
The move to more stringent surveillance became inevitable after Sept. 11, but laws granting access to law enforcement agencies were in place well before that; CALEA (Communications Assistance for Law Enforcement Act), for example, has been on the books since 1994.
“Sept. 11 didnt change what the FBI wants. It changed their intestinal fortitude over what they could get,” said Derek Kholopin, director of public policy and law for the Telecommunications Industry Association, the industry group of telecom equipment suppliers, in Washington.
Early last month, the FBI told a group of telecom carriers and their equipment suppliers at a meeting in Tucson, Ariz., they must ensure the FBI rapid access to their networks for wiretaps and call tracing.
The FBIs desires are simple enough: The agency wants to knock on the telecom carriers door with a wiretap order and get instant, real-time access to the network. It wants to be supplied with an alert when a suspect is attempting to communicate, and it wants an explanation if for some reason that communication fails to go through. Such information could show whether or not suspects believe they are being monitored. But with network technology changing constantly, the FBI is afraid it will find itself shut off from some information-rich links.
At the Tucson meeting, the FBI presented carriers and equipment suppliers with a 32-page “punch list” explaining how it expects to gain access thats granted under CALEA. That list caught the attention of Albert Gidari, partner in the noted wireless and telecom Seattle law firm of Perkins Coie LLP, who is sounding an alarm for the carrier community. Gidari said both the speed and extent of what the FBI wants may lead to “mind-boggling expenses.” Being able to supply immediate access to vast network traffic and then supply specific alerts and explanations about pieces of that traffic may lead some carriers “to reconfigure their networks, which would be enormously expensive—billions,” he said.
Its not that carriers havent been putting in place CALEA-compliant equipment for a number of years. Its that carriers and the feds havent always agreed on the nuts and bolts of CALEA implementation. Individual carriers may appeal to the Federal Communications Commission if they believe implementing CALEA is causing them undue hardship. But any carrier found guilty of foot dragging by the FCC is subject to penalties under the law.
Before Sept. 11, the carriers had far more political clout than they do in the current climate. For example, the U.S. Telecom Association took the FCC to court on one occasion. Now, however, carriers can expect little slack to be cut at a time when citizens are prepared to grant the government powers contemplated in only the most extreme national emergencies. The government is asking for more, and the carriers see little way around supplying it.
“Qwest [Communications International Inc.] has negotiated a deployment schedule with the FBI that covers both implementation of CALEA and the FBI punch list,” said spokeswoman Carey Brandt, in Denver. Brandt declined further comment due to “heightened security measures mandated by the federal law enforcement agencies.”
The stepped-up compliance doesnt come at a good time—neither telecom carriers nor their economically depressed equipment suppliers need added FBI operating costs right now. “The telecom market is a mess,” said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, in San Francisco. “No one took a bigger hit in the recent downturn than Cisco Systems [Inc.], Lucent Technologies [Inc.] and the carriers they supply,” Tien said.
Although much of the punch list is being kept secret for security reasons, part of the list defines how the FBI needs to be supplied with wiretap data in a common format, regardless of the nature of the network or the carrier supplying it. But achieving a standard on that issue might not be so easy. Consider: what to do about voice communication when it is digitized and packetized to go over a typical IP data network, so-called voice over IP, or VOIP.
CALEA covers voice, not data or information services, so Internet service providers and other intermediaries on the Internet have thus far escaped CALEAs reach. “Many telecom carriers have separate data networks. The FBI wants CALEA to cover these networks, and carriers believe they are exempt [as] information services,” Gidari said. “The FBI wants access to all packet mode communications—voice over IP, Short Message Service for wireless instant messages, e-mail, voice mail, etc.,” Gidari said.
In some cases, voice networks and data networks are no longer distinct, with voice being converted from analog signals to digitized packets and transmitted over the same network as data. Deltathree.com Inc., in New York, and IXTC Corp., in New Brunswick, N.J., are two third-party carriers offering VOIP.
Telecommunications carriers are not yet big users of VOIP, but corporations and small and medium-size businesses are finding it a way to merge voice services into their data networks. Sun Microsystems Inc., for example, provides server software that handles VOIP as a standard part of its SunForum and SunRay thin-client system. Customers may use the system to keep far-flung offices in constant contact without incurring long-distance phone charges. Whats more, small business is expected to turn increasingly to VOIP because it allows calls to be saved and retrieved as voice mail on a computer or forwarded to a designated device.
Such uses remain minuscule today compared with regular telephone voice transmissions. But Probe Research Inc., a telecommunications and wireless market researcher in Cedar Knolls, N.J., said it expects packetized voice—or voice as data instead of analog transmission—to be a $2.4 billion market by 2006.
The expense to carriers, which would likely be passed along to enterprise customers, would only grow if CALEA compliance is expanded to include the gray area of voice-over-data networks or all data-over-data networks. Data networks are still distinct and separate among most telecom carriers.
Some observers doubt the FBI will go so far as to require networks to be reconfigured wholesale. “CALEA is voice-specific, even for voice over IP,” said Grant Wakelin, president of SS8 Networks Inc., in San Jose, Calif., a supplier of application software that can monitor both voice and data on an IP network and a participant in the FBIs Tucson meeting. With such software, the FBI could separate the voice data from other electronic transmissions, Wakelin said.
Unfortunately, the various parties cant look to Capitol Hill for help. There is no further legislation in the hopper to clarify when a data network is subject to CALEA because it is carrying voice data. But the distinction between the two will get grayer and grayer as more voice and data services merge onto one network, Wakelin said.
For their part, FBI officials have denied they are seeking expanded power over either voice or data transmissions.
In another area, however, the FBI has been granted broad “trap and trace” authority for use of its Carnivore technology on data networks. Carnivore is not allowed to capture the message itself, but it can detect who is sending e-mail to what destination, whom is copied, time and date, and other header information. The Associated Press reported earlier this year that the FBI used Carnivore 13 times between and 1999 and August last year.
Much as law enforcement uses its trap-and-trace or “pen register” right to trace telephone calls, it may install Carnivore with only a subpoena, as opposed to a court order. Under the recently passed USA Patriot Act, the FBI gained “pen register” rights to public data networks, including Internet communications, a move that may give IT managers pause as they review how much corporate data moves over the Internet.
Nonprofit privacy groups describe the FBI CALEA punch list and new pen register rights as “a lot of new authority with a lot less oversight, a lot less accountability,” said Cindy Cohn, legal director of the Electronic Frontier Foundation. CALEA access becomes operative only when a law enforcement agency has obtained a court order, which requires a higher standard of suspected criminal conduct than a pen register subpoena, Cohn said.
“The Patriot Act made it clear that the FBI can install Carnivore on those [data, or voice and data] networks,” said Perkins Coies Gidari.
Still a gray issue, however, are voice messages attached to e-mail or other data transmissions. Are they voice or data? In an advisory to clients, Gidari said a search warrant is required to examine unopened voice mail. “The Department of Justice contends that once voice mail is opened, it is no longer in electronic storage and therefore may be obtained with [either] a subpoena or a court order.
“Most voice mail platforms do not permit service providers to distinguish between opened and unopened voice mail. Thus best practices dictate that service providers resist the demand [from law enforcement] and seek clarification of the order,” he wrote.
Gidari suggested one way to combat the lack of definition is to establish a publicly regulated company to supply Carnivore services to a telecom carrier, when e-mail and other data communications are being transmitted over a combined network. Carnivore would give the FBI the information to which it is entitled, while the regulated administrator could spare others the expense and uncertainty of administering Carnivore. And such a company would be more likely to know whether Carnivore was being used properly. The FBI has kept Carnivore workings secret, over the objections of privacy groups.
One way or another, as the mingling of voice and data over networks increases, the discussions will continue. But with the tide of grief and outrage over national tragedy still high, the FBI joins those discussions with a stronger hand than ever.
Charles Babcock is a free-lance writer in San Francisco. He can be reached at cbabcoc2@ix.netcom.com.