Excellent Coverage of Wiretapping Issues at News.com

News.com published an article titled FBI adds to wiretap wish list yesterday. This is the latest of many excellent News.com articles on wiretapping issues in the United States. News.com summarizes a "joint petition for expedited rulemaking" (.pdf) submitted to the Federal Communications Commission by the US Dept. of Justice, FBI, and Drug Enforcement Agency.

The Feds are asking the FCC to expand the scope of the Communications Assistance for Law Enforcement Act, or CALEA. CALEA requires telecommunications carriers to allow law enforcement "to intercept, to the exclusion of any other communications, all wire and electronic communications carried by the carrier" and "to access call-identifying information," among other powers.

The EPIC wiretap page features the text of the law and supporting articles. The FBI maintains the AskCALEA site, which describes their interactions with the FCC and telecommunications providers. The FBI's rendering of the CALEA law text is easier to read than EPIC's version.

The heart of the matter is CALEA's distinction between a "telecommunications carrier" and "information services." CALEA says:

"The term `telecommunications carrier'--

(A) means a person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; and

(B) includes--

(i) a person or entity engaged in providing commercial mobile service (as defined in section 332(d) of the Communications Act of 1934 (47 U.S.C. 332(d))); or

(ii) a person or entity engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of this title; but

(C) does not include--

(i) persons or entities insofar as they are engaged in providing information services; and
(ii) any class or category of telecommunications carriers that the Commission exempts by rule after consultation with the Attorney General."

Regarding "information services":

"The term `information services'--

(A) means the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications; and

(B) includes--

(i) a service that permits a customer to retrieve stored information from, or file information for storage in, information storage facilities;
(ii) electronic publishing; and
(iii) electronic messaging services; but

(C) does not include any capability for a telecommunications carrier's internal management, control, or operation of its telecommunications network."

The CALEA authors provided enough internal contradiction to confuse everyone. Law enforcement has complained that more and more criminals use "information services" to communicate, but service providers aren't designing their networks for ready access to these services. CALEA does not oblige service providers to provide easy access to information services; only telecommunications carriers must provide easy access.

The "Limitations" and "Encryption" sections of the law are very interesting:

"(b) LIMITATIONS-

(1) DESIGN OF FEATURES AND SYSTEMS CONFIGURATIONS- This title does not authorize any Law Enforcement agency or officer--

(A) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; or
(B) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services...

(3) ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

These sections are interesting because News.com makes this observation regarding the Feds' petition to the FCC:

"Legal experts said the 85-page filing includes language that could be interpreted as forcing companies to build back doors into everything from instant messaging and voice over Internet Protocol (VoIP) programs to Microsoft's Xbox Live game service. The introduction of new services that did not support a back door for police would be outlawed, and companies would be given 15 months to make sure that existing services comply."

It seems to me that CALEA explicitly prevents law enforcement from prohibiting services, yet their petition seems to ask for this power. A slightly more detailed analysis is available at Steptoe.com:

"The petition seeks a formal ruling that CALEA applies both to broadband Internet access and to broadband telephony. Since CALEA requires that all carriers and their services have built-in wiretap capability, this would mean that all Internet access and Internet telephony would have to have wiretap capability implemented at the time of deployment. It appears that any form of Internet access would be covered by the 'access' category, while any communications that are 'switched' in any fashion would be treated as telephony (Xbox Live, IM messages, etc.). All would be covered by CALEA.

The petition asks that the FCC make an immediate ruling that applies CALEA to broadband access and broadband telephony, perhaps without even taking comments (p.22).

Second, the petition calls for heavy regulation of any new Internet communications services. In essence, the petition asks the FCC to rule that CALEA will automatically apply to any new technology that directly competes with any service that is covered by CALEA (p. 33). Anyone who introduces a new technology that competes (or might compete) with an existing technology covered by CALEA would be required to go to the FCC to find out whether the new technology is covered (p. 54). If the technology is covered by CALEA, it could not be deployed until a fully satisfactory intercept solution was incorporated into the service (p.54). The effect would likely be that no new Internet services could be introduced without substantial regulatory proceedings and a design that meets all expected law enforcement requirements, starting with version 1.0."

One of Steptoe's partners is Stewart Baker, former general counsel of the National Security Agency.

If the FCC rules that protocols previously classified as information services are not subject to CALEA, it will be difficult if not impossible for some services to comply. Voice over IP has been the biggest issue for the last few years. Last year News.com reported that the FBI submitted a proposal for tapping VOIP to the FCC, and then:

"...extended it to say that if broadband providers cannot isolate specific VOIP calls to and from individual users, they must give police access to the 'full pipe' -- which, by including the complete simultaneous communications of hundreds or thousands of customers, could raise substantial privacy concerns.

A summary of the meeting prepared by the FBI said the FCC could 'require carriers to make the full pipe available and leave law enforcement to perform the required minimization. This approach is already used when ISPs provide non-CALEA technical assistance for lawfully ordered electronic surveillance.'"

An example of a service which presently cannot be centrally tapped is Skype, a peer-to-peer Voice over IP implementation profiled by News.com last year. According to News.com, the FCC voted last month to investigate "whether Internet phone providers should rewire their networks to government specifications to provide police with guaranteed access for wiretaps."

Last year mobile phone providers wrestled with providing access to their instant message protocols, according to this News.com article. Members of the Global LI Industry Forum solved the problem. ("LI" stands for "Legal Interception," which must be unpopular enough to replace with the "LI" in the site's name and documentation.)
