On April 11, the Federal Communications Commission ordered the telecom industry to upgrade their systems to meet a list of FBI specifications by June 30. The upgrades give the FBI expanded wiretapping capabilities, including the ability to extract specific information about phone calls without a warrant.
The FCC order comes after years of wrangling among the FCC, the FBI, civil liberties groups, and telecom companies over exactly what telecom companies have to do to comply with the Communications Assistance for Law Enforcement Act (CALEA) of 1994. When the FCC issued a nearly identical order three years ago, an industry-advocate alliance fought it to a standstill in the courts. But this time around, the same groups have not so much as issued a press release in protest.
“It’s awful, the fact no one is willing to challenge this,” says Al Gidari, a lawyer who advises telecom firms on compliance with government surveillance issues. “It’s a sign of the times after 9/11. No one wants to be perceived as anti-government or anti-law enforcement.”
CALEA requires telecom companies to be able to provide police and federal agents with two kinds of surveillance: a full wiretap, which reveals the content of a communication, and a more limited tap that provides “call-identifying information.” Call-identifying information has traditionally been gathered via two kinds of taps: a “pen register,” named after an old-fashioned device that when hooked up to a phone can pick up the numbers dialed, and a “trap and trace,” which reveals the number of an incoming call, just like a caller I.D. box.
The controversy over CALEA and the upgrades sought by the FBI centers on the kind of information that will be provided to police with a pen register or a trap and trace. For a full wiretap, police must demonstrate to a judge that there is probable cause to believe the subject of the surveillance has committed a crime, the same standard for search warrants. But to gather call-identifying information — by pen register or trap and trace — police need only file a certificate with the court that asserts the information is “relevant to an ongoing criminal investigation.”
A judge cannot reject the request; the court merely certifies and files it. Because of this low legal standard, privacy advocates are very skittish about any blurring of the lines between call-identifying information and the actual content of calls, which is supposed to be accessible only with a wiretap warrant.
Civil liberties groups argue that “call-identifying information” is just an awkward term Congress used in reference to phone numbers of calls dialed and received. But the FBI has long sought a much broader definition, arguing that it should comprise much more than just telephone numbers. The FBI wants call-identifying information to include whether the “flash” button is hit to access call waiting, whether the caller gets a busy signal, and what parties are in on a conference call; and it wants all the digits dialed during a phone call — obtained through a process known as “dialed-digit extraction.”
What most concerns civil liberties watchdogs is dialed-digit extraction. Once activated, this handy feature enables police to detect what numbers are dialed during a call. Critics worry that police could use this capability to get bank information, voice-mail passwords, and the like with nothing more than a rubber-stamped order for a trap and trace or pen register.
The deadline for filing an objection to the FCC order has already passed, and the only complaint filed was from a group of rural telecom carriers worried that the upgrades will cost too much. In the post-9/11 era, denying the FBI anything it says it needs is a far more daunting proposition than it was 10 months ago. What was once a bitter battle for the FBI has become an uncontested jog into the end zone. And, some observers fear, the real issues at stake aren’t limited to phone calls. The big game being targeted by the FBI is communication via the Internet.
The last time the FCC ordered the telecom industry to build the expanded wiretapping capabilities the FBI wanted, in August 1999, the American Civil Liberties Union, the Electronic Frontier Foundation, the Electronic Privacy Information Center and the Center for Democracy and Technology promptly filed suit to block the FBI’s attempt, arguing that the changes expanded CALEA far beyond what Congress intended and that it set a dangerous precedent of designing telecommunications networks for new spy capabilities.
The United States Telecom Association filed a separate suit, saying that the industry’s existing standards for filling surveillance requests were adequate and should not have to be changed. The two groups then joined forces and took the FCC to court, hiring Theodore B. Olson, now the solicitor general of the United States (the man who represents the federal government before the Supreme Court), to plead their case.
The industry-advocate coalition won a key victory in August 2000. The U.S. Court of Appeals in Washington blocked four of the six changes the FBI sought and the FCC had ordered, sending them back to the FCC with instructions to better explain why the changes were necessary and how they would balance the needs of law enforcement, the public’s right to privacy, and industry’s right to a cost-effective way to enforce the law. The FBI took no further action for over a year, and it seemed possible the agency would admit defeat and let the issue die.
Then terrorists attacked the United States, and the picture changed overnight. Responding to frantic calls for improved domestic security, Congress hastily passed the USA Patriot Act. The act expands the kinds of information that law enforcement can collect without a warrant for a full wiretap, undermining a key argument the coalition used to beat back the FCC order in 2000. The attacks also skewed public opinion on the proper balance between privacy and security, making the public relations cost of fighting increased surveillance a dicey proposition for any company or organization. The FCC brushed off the old order, tacked on the additional explaining the court had asked for, and reissued its demands in April.
David Sobel, lead counsel for the Electronic and Privacy Information Center, was among the attorneys that successfully held back the FBI in court two years ago. He denied that 9/11 or the Patriot Act had influenced EPIC’s decision not to contest the FCC order this time around. Although he remains concerned about the expansion of FBI power, Sobel argued that the earlier court decision had addressed his key concerns. “We thought the big issues were resolved in 2000,” Sobel said. He cited, for example, the court’s rejection of the FCC request that call-identifying information include a cellphone caller’s location, something that is not back on the table this time. The court also made clear that FCC requirements cannot be construed as a legal definition for what qualifies as “call-identifying information,” leaving open the opportunity to challenge any abuse of the new surveillance capabilities being built into the telecommunications system.
But Gidari, who has consulted closely with privacy groups on the issue for years, doesn’t buy Sobel’s explanation. He argues the issues are just as pressing as ever, if not more so, but privacy and industry groups have given in to pressure. “The government has effectively cowed all of them,” Gidari said. “The order significantly alters the landscape of what surveillance has meant up to now. It is a huge expansion of the law, rewriting the rules of the game, and David knows that.”
Jerry Berman, executive directive of the Center for Democracy and Technology, agreed that the issue is still of deep concern to his organization, and conceded that the changes the country has seen since 9/11 made it difficult to mount a fight this time, primarily because of limited resources and a growing number of urgent battles.
“We’re essentially under siege,” Berman said, ticking off issues that had recently come up: the new Homeland Defense Department, new FBI data-mining rules, the Patriot Act. “Would we be challenging this if it were September 10th? Absolutely. The problem is priorities and resources, but don’t count us out yet.”
Berman and his CDT colleague Jim Dempsey actually helped draft the CALEA legislation, but they now fear the FBI has burst through the limits they tried so hard to write into the law. “It is essential we find away to draw a line around the original CALEA,” Berman said.
Dempsey, who helped put together the case against the FCC in 1999, agrees. “We opposed the [FBI] add-ons, and we still oppose them,” he said. “We have been very disappointed that the [FCC] did not do its job under CALEA; it was supposed to be a break on the FBI demands. The FBI used CALEA to get a lot of bells and whistles built into the system it never had before. This sets an unfortunate precedent for designing information systems for surveillance at the behest of the government. That is not what Congress intended.”
The FBI argues that the proliferation of calling cards requires the bureau to have access to numbers dialed after a connection is first made to a phone company via a toll-free number. The FCC order does not stipulate what kind of court order collecting those digits will require and also mandates that a “toggle” be built into the digit-extraction service so it can be turned off. But the concern is that once the system is rigged to collect them, those digits will be tossed in automatically when filling a trap-and-trace or pen-register order. The logic is, if you build it, they will spy.
So why are telecom companies agreeing to build it without a fight this time? According to Mike Altschul, general counsel for the Cellular Telecommunications and Internet Association, it is because the FBI found a way around the court order and has already gotten its standards built into 90 percent of the wireless and wired switches in the telecom network. Now all the FCC order does is instruct most companies to throw the switch.
“The reality is that these new capabilities have already been developed through the FBI and telecom switch vendors,” Altschul said. “So these features are readily available to industry.”
How did this happen? As part of CALEA, Congress set aside $500 million to defray costs the industry would incur to make the necessary upgrades to comply with the law. The FBI disburses this money. So, even though the court blocked four of the six items on its wish list in 2000, the bureau went ahead and cut deals with all the major telecom switch manufacturers. They agreed to build their equipment according to the FBI standards, and the FBI paid them millions to do it.
This is all backwards, according to Gidari. The upgrades preceded an FCC order for them, but the manufacturers (distinct from the telecom carriers) were afraid to build their equipment without the FBI standards, for fear they would have to add them in later. “When the court of appeals decision came down and remanded to the FCC, the manufacturers said, ‘We can’t wait. We have to have it ready to go,’” he explained. “The privacy groups should have been screaming, but they were asleep. They have limited resources.”
After Sept. 11, resisting the FBI’s overtures became even more difficult for his clients, Gidari said. “The FBI has said these changes are crucial for law enforcement, and no carrier wants to be named as the problem.” He said that the bureau is currently working behind the scenes with other standards-making bodies to get the surveillance capabilities it wants built into Internet Protocol telephony, DSL, the wireless Web, and other communications platforms, even some that are exempt from CALEA. “The standards groups are caving in to the FBI,” he said. “We are designing systems for surveillance.”
The debate over the interpretation of CALEA centers on the same vexing ambiguity that plagues nearly all telecom regulation: How do rules written for the old analog phone system apply to a digital, wireless, networked world? The answer is always open to interpretation, and special interests pick the one that suits them best.
Understanding this is the key to understanding why civil liberties activists care so much about how many digits the FBI gets when it traces a call. CALEA was written with phones in mind, and the FCC order sounds as though it’s about phone calls. But between the lines, the debate is all about the Internet. How should spying rules written for phones apply to digital communications like e-mail and Web browsing?
The FBI believes the CALEA guidelines apply to Internet and digital phone communications, and Congress gave that interpretation a huge boost in the Patriot Act. The new law makes it clear that an order for a pen register or trap and trace applies to e-mail and Internet communications as well. The huge problem with this from a privacy standpoint is that with digital communications, the destination of a message, the call-identifying information, and the content of the message come in the same digital packet. If law enforcement gets one, it gets the all the others.
The concern is that if the FBI is to get the digits dialed during a call sent over a digital network, for example, the telecom company will have to dig into all the packets of the call and either extract the digits or just send the whole stream of digital packets over to law enforcement and let them sort it out.
According to Gidari, who advises huge telecom companies of their obligations under CALEA, the packet issue is what makes the FCC order to implement digit-extraction capability so radical.
“That order basically says, If the voice goes over the network, you have to listen to it and pull out the digits,” Gidari says. “Now we have to dig into the packet to extract the digits. The serving carrier should not be in the business of listening in to your calls. But now we will be a content invader on a simple trap-and-trace order.”
Similarly, to find out the destination of an e-mail message — the equivalent of call-identifying information for a phone call — a telecom carrier or ISP will have to crack open packets that also contain the text of the message.
If the carrier does not do the extracting and just sends the whole packet, it will be up to law enforcement not to “peek” at the text. Leaving this job to the police makes civil liberties groups nervous, and it concerns Gidari too. “People have failed to recognize the impact this has on Internet communications,” he said.
But in the post Sept. 11 world, does anyone care?