1997 Congressional Hearings
Intelligence and Security
Testimony of Thomas E. Wheeler
The Cellular Telecommunications Industry Association ("CTIA") appreciates the opportunity to submit this testimony concerning the current state of implementation of the Communications Assistance for Law Enforcement Act ("CALEA") on this, the third anniversary of the Act. When CALEA was under discussion in the Congress in 1994, wireless communications providers served just 16 million customers. In three short years, the wireless industry has tripled and now serves over 50 million customers. CTIA represents providers of the commercial mobile radio services, including 48 of the 50 largest cellular providers, personal communications services, enhanced specialized mobile radio, and mobile satellite providers, and commercial mobile radio services equipment manufacturers.
In 1994, as president of CTIA, I joined FBI Director Freeh "with a gentleman's handshake" to support CALEA as a balanced bill that would ensure law enforcement's ability to conduct authorized wiretaps in the future without impeding the introduction of new technologies, features and services along the way. CALEA was the codification of the long-standing spirit of cooperation that has always existed between the telecommunications industry and law enforcement in the conduct of lawfully authorized surveillance.
Given that history of cooperation, it may be somewhat surprising to Congress that perhaps the best that can be said about the implementation of CALEA today is that the process has not been well managed by the FBI and we are not where we expected to be by this date. Nonetheless, I am proud to say that industry, led by the wireless community, has kept its part of the CALEA bargain by producing a standard for implementation of CALEA's capability requirements that is true to the letter and spirit of the law.
Industry's proposed standard - currently out for public comment and vote - meets all of the requirements of CALEA. Once implemented, criminals no longer will be able to use advanced features such as call forwarding to evade lawfully authorized surveillance. Law enforcement will be able to identify the origin, destination and termination of all calls carried by a carrier to or from the target of surveillance. In short, the industry standard will bring law enforcement into the digital age, and keep them there, just as CALEA contemplated.
With this suite of surveillance capabilities poised for release, Congress may ask why there is any controversy over CALEA implementation today. The answer is that the FBI wants, and has demanded over the last three years, not a CALEA solution but rather an enhanced surveillance service replete with exotic capabilities that do not exist today and that would have extraordinary costs to develop -- costs they expect to shift to the telecommunications industry under the rubric of CALEA.
In passing CALEA, Congress directed law enforcement to avoid "overbroad interpretation of the requirements" and sought to "ensure that there will be no 'gold-plating.'" But the temptation has been irresistible, particularly in regard to the development of the industry standard. Congress gave industry the "key role in developing the technical requirements and standards that will allow implementation of the requirements." But, law enforcement has attempted to substitute its own judgment for that of the standards-setting body.
For example, law enforcement has proposed its own competing standard -- the Electronic Surveillance Interface ("ESI") document -- which, not surprisingly, elevates electronic surveillance above ordinary call processing. The ESI contains such demands as interception and delivery of information within 500 milliseconds -- several times faster than some current switching technologies actually react to dialed digits. The absence of such a capability, according to the FBI, renders the industry standard "deficient."
Industry has sought to curb these excesses in the course of producing its standard. At every seeming impasse, CTIA initiated efforts to resolve the matter, calling together legal summits when the scope and reach of CALEA legal terms such as "call-identifying information" were in dispute, seeking compromise when law enforcement demanded that mobile phones be used as tracking devices, and urging solutions that would bring the standard to the street sooner. However, the FBI apparently prefers a club to consensus. It has repeatedly threatened to derail the standards process and to seek enforcement orders against carriers if all of its demands as reflected in the ESI are not met.
Due to the opposition of the FBI and its "all or nothing" strategy, the future of the standard now is in doubt. After the FBI's first attempt to block release of the industry standard earlier this year, the wireless industry asked the Federal Communications Commission ("FCC"), in its capacity as arbiter of disputes under CALEA, to adopt the standard and reject the gold-plating attempts of the FBI. Simultaneously, the standards body further refined the proposed standard in an attempt to accommodate more of law enforcement's concerns within the bounds of CALEA. Balloting on that standard will be complete in just another week and Congress will learn whether the FBI is serious about getting CALEA capabilities on the street as soon as possible.
The timely and cost-effective implementation of CALEA is of the utmost importance to CTIA's membership. Wireless wiretaps accounted for less than 25% of all wiretaps conducted in 1993. The wireless share of wiretaps has grown, according to the government's 1996 Wiretap Report, to exceed 34% of all federal wiretaps conducted. Obviously, the wireless industry and law enforcement have a significant stake in a rapid, standardized implementation of CALEA.
Yet, the FBI continues to hold the industry standard hostage. Moreover, the FBI itself has failed to fulfill its CALEA obligation to inform industry of anticipated surveillance needs in the coming years. Congress directed the Attorney General to complete this task within a year of CALEA's enactment. But just as with capability, law enforcement over-reached. The first attempt at producing a capacity notice was roundly criticized for its excess and the FBI was forced back to the drawing board. The FBI's second capacity notice was equally flawed. With only 306 state and federal wireless Title III wiretaps (not including trap and trace, and pen register) in 1996 across the entire nation and over the entire year, the FBI proposed in its second capacity notice to conduct as many as 20,100 actual wireless wiretaps of all types three years from now simultaneously; that is, on the same day. Not surprisingly, the FBI once again has gone back to the drawing board and industry awaits the next notice.
Against this backdrop, two dates loom large. First, industry has not stood still over the last three years. New services and equipment have reached the market since the CALEA "grandfather" date of January 1, 1995. Equipment, facilities and services installed or deployed after that date are required to be CALEA-compliant by October 25, 1998 or the carrier may face significant penalties. Law enforcement is required to pay to retrofit equipment in place before January 1, 1995.
Many of CTIA's members did not even exist when CALEA was passed, but now are faced with the costs of compliance when standards are not yet available. Congress expected that standards would be deployed quickly so that the impact of the transition to CALEA compliance would be minimal. That reality has not come to pass. Law enforcement cannot tell Congress with any certainty how much it will cost to retrofit grandfathered switches; and the delay in release of the standard makes it impossible for any carriers to meet the assistance requirements of CALEA by October 25, 1998 in a standardized way. Non-standard implementation of CALEA will ensure that the cost of compliance simply will spiral out of control. The two CALEA dates must be addressed comprehensively and soon.
The solution to CALEA implementation requires resolution of what I call the 4-C's: (1) immediate promulgation of the industry standard with only the capabilities required by CALEA; (2) final promulgation of reasonable capacity requirements as soon as practicable; (3) extension of the October 28, 1998 compliance date until standards are available; and (4) cost reimbursement for upgrades and retrofits, including those deployed after January 1, 1995, that depended on the availability of a standard to meet compliance.(1)
II. CAPABILITY AND THE COMPLIANCE DATE -- TWO OF THE FOUR "C's" THAT MUST BE ADDRESSED
Development of surveillance capability functionality and meeting CALEA's compliance date are inextricably intertwined. To appreciate the current state of CALEA implementation of capability and the prospect of meeting the October 25, 1998 compliance date, it is necessary to review the recent history of development of the capability standard.
It is important to understand that industry has exercised more than due diligence in the balanced implementation of CALEA's capability requirements. Balance is the key word because in passing CALEA, Congress sought to balance three important policies: "(1) to preserve a narrowly focused capability for law enforcement agencies to carry out properly authorized intercepts; (2) to protect privacy in the face of increasingly powerful and personally revealing technologies; and (3) to avoid impeding the development of new communications services and technologies." H. Rep. No. 103-827, 103d Cong., 2d Sess. (1994), reprinted in 1995 U.S.C.C.A.N. 3489, 3493 ["House Report"]. These purposes are of equal weight and must inform any understanding of the specific requirements of CALEA.
A. The Safe Harbor Standard to Meet CALEA's Capability Requirements
Section 103 of CALEA imposes four specific requirements on telecommunications carriers: (1) isolate expeditiously the content of the targeted communications transmitted by the carrier within its service area; (2) isolate expeditiously information identifying the origin and destination of targeted communications, i.e., the numbers dialed to or from a target phone; (3) provide intercepted communications and call-identifying information to law enforcement so they can be transmitted over lines or facilities leased by law enforcement to a location away from the carrier's premises; and (4) carry out intercepts unobtrusively, so targets are not made aware of the interception, and in a manner that does not compromise the privacy and security of other communications. These assistance requirements were intended "to be both a floor and a ceiling" and Congress repeatedly "urge[d] against overbroad interpretations of the requirements." House Report at 3490.
Congress gave industry the key role in developing the technical standards and requirements necessary to implement the assistance requirements of CALEA, stating:
The legislation provides that the telecommunications industry itself shall decide how to implement law enforcement's requirements. The bill allows industry associations and standard-setting bodies, in consultation with law enforcement, to establish publicly available specifications creating "safe harbors" for carriers. This means that those whose competitive future depends on innovation will have a key role in interpreting the legislated requirements and find ways to meet them without impeding the deployment of new services.
House Report at 3499.
Section 107(a) of CALEA creates a "safe harbor" for carriers who are "in compliance with publicly available technical requirements or standards adopted by an industry association or standard-setting organization" or by the FCC under Section 107(b), to meet the assistance capability requirements of Section 103. To obtain this "safe harbor," in early Spring 1995 -- almost immediately after passage of CALEA -- industry began to formulate a technical standard under the auspices of the Telecommunications Industry Association, an association accredited by the American National Standards Institute ("ANSI") to set standards.
To put the process in perspective, on average, 40-50 representatives of carriers and manufacturers met for at least one week each month over the last two and one half years in different locations throughout North America to meld together a standard that could be implemented by dozens of manufacturers for several dozen current, and all future, platforms. In short, this was no mean task.
By October 1995, industry had produced a draft standard over 170 pages in length. The standard provided for such capabilities as intercepting call content when the target's facilities employed advanced calling features such as call forwarding as well as the identification of the numbers dialed by the target or to the target's phone, even when call forwarding features are utilized.
The standards meetings were open and law enforcement representatives attended each one, although they provided no significant technical contributions or assistance through Spring 1996 -- a full year after the meetings had commenced and months after the initial drafts of the standard had been created and the progression toward completion of the technical requirements commenced.
B. Hijacking the Standards Process
In April 1996, the FBI began to circulate its Electronic Surveillance Interface ("ESI") document, which set forth its preferred delivery interface for intercepted communications and the features, capabilities and types of information that law enforcement believed carriers must deliver. The FBI touted this de facto standard as a "safe harbor" and encouraged manufacturers and carriers to adopt it even though CALEA expressly prohibits law enforcement from requiring any specific design of systems or features or the adoption of any particular technology to meet CALEA. 47 U.S.C. § 1003(b)(1). Of course, the ESI ignored the CALEA safe harbor requirement that any standard be publicly available because the ESI was distributed to carriers under a restrictive use legend.
Widespread industry criticism of the ESI made it clear that the ESI had no standing in the technical community and would not be accepted as the CALEA standard. The FBI then submitted the ESI to the industry standards group as a so-called "contribution" to the standards process. This tactic significantly disrupted and delayed the progress of the standard as industry engineers were required to reconcile the inconsistent ESI line by line with PN-3580, the industry document.
Nonetheless, the industry group took up the ESI and integrated many of its requirements into the industry draft standard. The industry approach was simple -- if the requirement had a basis in CALEA and a clear legislative expression, it would be included in the standard. If there was not clear authority, the capability would be rejected. The standards group accommodated many of the functional requirements put forward in the ESI but several specific features were rejected.
For example, law enforcement demanded that industry provide electronic messages to indicate when, in the course of a conference call under lawful surveillance, a party joins or drops from the call. Law enforcement cites evidentiary needs for this capability -- a capability that does not exist today -- and asserts that such information is "call-identifying." Of course, when a party joins or drops from an existing call has nothing to do with the dialing or signaling information that routes a call through the network. Existing technical standards for wireless communications such as IS-41 do not accommodate the collection of such party add and drop information and no carrier today uses such information for billing purposes or otherwise. In short, while the capability certainly has investigative value for law enforcement, it is not covered by CALEA and therefore the standards group rejected the demand.(2)
After months of additional work, the standards body voted in early 1997 to issue PN-3580 as a full ANSI standard. This procedure allowed not only industry representatives to comment and vote on the standard, but also law enforcement agencies and non-traditional standards participants such as privacy advocates. Standards Proposal (SP)-3580 was issued for balloting in March 1997.
In response, the FBI produced over 70 pages of comments -- most of which had been considered and rejected during prior standards meetings and most of which came from the ESI. The FBI advised law enforcement agencies around the nation that SP-3580 was a "disaster" for law enforcement and urged these agencies -- none of whom actually participated in the standards meetings -- to vote "no" on their ballot.
After the close of the ballot, the industry standards body met to consider all comments received. Despite further accommodations to law enforcement's views during these meetings, law enforcement repeatedly threatened to challenge the industry standard before the FCC as "deficient" if industry brought the standard out over law enforcement objections. The law enforcement "no" votes effectively stymied release of the proposed standard.
C. CTIA Petitions the FCC for Relief
Faced with the impasse due to law enforcement's actions, CTIA filed a petition with the FCC on July 16, 1997, under Section 107 of CALEA. A copy of that petition is attached as Attachment 1. CTIA's goal in doing so was to break the standards deadlock by asking the FCC to adopt the industry consensus document as the "safe harbor" standard under CALEA. As CTIA noted in its petition, the industry consensus document would provide 100% of the capabilities required by CALEA and would "ensure that a giant leap forward can take place in law enforcement's electronic surveillance capability in the near future." Because even at that date it would have been impossible to meet the October 25, 1998 CALEA compliance date, CTIA also asked the FCC to extend the compliance deadline until two years after adoption of the industry standard -- a period of time recognized by both law enforcement and industry as necessary to build to and implement the standard.(3)
While the petition was pending but before the FCC took any action, the industry standards group met again. Given law enforcement's intractable position and the fact that there were significant changes to the proposed standard, the standards committee recommended that the proposed standard be distributed for another round of balloting. Accordingly, the proposed standard, as revised, was submitted for a second ballot with comments due by October 28, 1997. The industry group will meet on November 3, 1997 and again on November 19, 1997 to consider comments received by that date prior to deciding how to proceed.
Given the continued efforts by industry to resolve this impasse both within and outside the standards group, the FCC recently declined to act on the CTIA petition pending a report on the outcome of the pending balloting. See FCC Notice of Proposed Rulemaking, CC Docket No. 97-213, (Adopted: October 2, 1997; Released October 10, 1997). The FCC "encourage[d] the industry and law enforcement community to continue their efforts to develop the necessary requirements, protocols and standards." Id., ¶ 44. Accordingly, the compliance clock continues to tick and neither industry nor law enforcement is closer to deployment of CALEA-compliant equipment, facilities or services. In no event is the October 25, 1998, compliance date feasible or practicable.
III. CAPACITY -- THE THIRD "C" -- REMAINS A MYSTERY
Not only has industry been thwarted in its efforts to produce a safe harbor standard, but law enforcement has failed completely to promulgate the CALEA-mandated notice of actual and maximum capacity needed in the near term.(4)
As Congress is well aware, the Attorney General's first attempt at estimating future capacity as some percentage of the installed network was an admitted failure resulting in the complete withdrawal of the first notice.
The second capacity notice(5) was equally flawed and subject to criticism.(6)
First, like its predecessor, the notice anticipated a widespread expansion of wiretapping that simply could not be justified by reference to historical data. The historical data in the second capacity notice indicates that there were only 2,703 simultaneous wireless wiretaps at any one time during the period evaluated. For wireless alone, the FBI states that it needs the ability to conduct 12,000 simultaneous wiretaps (that is, on the same day) throughout the nation and that it may need as many as 20,100. This is an unprecedented expansion of capacity.
Moreover, the FBI has stated that each new switch or equipment deployed after publication of its final notice would be required to have full capacity; that is, the ability to conduct simultaneously the number of wiretaps specified for the service area in the notice. For example, the FBI states in its second capacity notice that its actual wiretap needs in New York are 181 actual wiretaps. Under the FBI's interpretation, each carrier in a given service area must meet the total capacity number. Whenever a carrier deploys a new switch after the date of the final capacity notice, it must meet the full number for that specific switch. In other words, the original capacity is replicated with each new switch deployed after the final notice. (Original capacity also replicates with each new entrant into the market, creating a latent surveillance capacity that is stunning in its breadth.) In essence, if this truly is the FBI's understanding of CALEA -- and the FBI has said so publicly -- law enforcement would obtain an ever-scaling surveillance capacity without public notice, comment or Congressional oversight and all at carrier expense.
What is more remarkable about the FBI's view of capacity is that the provision of more of it occurs without carrier compensation. The FBI has stated publicly its view that, notwithstanding the express words of Congress, a carrier is responsible for providing capacity at no charge for any equipment, facilities or services deployed after the final capacity notice is published. To the contrary, Congress made it clear that "to the extent that industry must install additional capacity to meet law enforcement needs, [CALEA] requires the government to pay all capacity costs from the date of [CALEA's] enactment, including all capacity costs incurred after the four year transition period." House Report at 3497 (emphasis added). If government refuses to pay all capacity costs, carriers are deemed to be in compliance with the capacity notices issued under Section 104(e) of CALEA. Thus, CALEA provides carriers with a "safe harbor" for capacity by mandating that law enforcement pay for all capacity sought under Section 104 before carriers have any obligation to provide it. House Report at 3505.
Apparently, in the face of overwhelming criticism of its attempted expansion of wiretapping, the FBI has returned to the drawing board and no final notice has yet been promulgated. However, the FBI shows no sign of retreat from its unreasonable interpretation of the capacity requirements of CALEA.
As Congress should know, capacity and capability are intertwined. There can be no dispute that implementation of CALEA's capability requirements will be more efficient and cost-effective if capacity requirements are known. The FBI's delays in publishing a credible capacity notice have a direct impact on the cost to develop and deploy CALEA equipment and software. Congress expected the Attorney General to complete this task within a year of CALEA's enactment -- we are now on the third anniversary of the act without an inkling of the government's capacity needs or any knowledge of when the information might be forthcoming.
CTIA urges Congress to exercise its oversight responsibility on this issue and to bring into alignment the capability and capacity compliance dates. This approach would bring rationality to a standards process that currently is designing capabilities without knowing "how much of them" are required.
IV. FULL CARRIER COST RECOVERY - THE FOURTH "C"
As illustrated in the capacity discussion above, the FBI has been engaged in a concerted effort to shift as many implementation costs to industry as possible, no doubt because of the limited funds available to compensate carriers for system upgrades. Nowhere is this effort more clear than in the cost recovery rules promulgated by the FBI.(7)
Section 109(e) of CALEA directs the Attorney General, after notice and comment, to establish regulations necessary to effectuate timely and cost-efficient payment to telecommunications carriers under CALEA. On May 10, 1996, the FBI initiated a rulemaking proceeding to implement the cost reimbursement provisions of CALEA.(8)
The proposed rules were widely criticized for violating the statutory requirement that all reasonable costs incurred in upgrading and modifying equipment and facilities be reimbursed. CTIA comments on the proposed rule are attached as Attachment 3.
The FBI published its final rule implementing the cost reimbursement provisions of CALEA ("Final Rule") in the Federal Register on March 20, 1997, with an effective date of April 21, 1997.(9)
The Final Rule, while clarifying some definitions, did not significantly alter the proposed rule with respect to the ability of wireless carriers to recover their costs.
For example, CALEA permits carriers to recover the costs of modifying telecommunications equipment and facilities "installed or deployed" on or before January 1, 1995.(10)
The FBI defined "installed or deployed" to mean the same thing -- essentially, plugged into the network and delivering service to customers -- and in a way that makes an untold amount of existing equipment and facilities obsolete. To illustrate the point, assume that Carrier A has a particular switching platform installed or deployed on December 1, 1994 -- a month before CALEA's January 1, 1995, grandfather date. Carrier A, under CALEA and the Final Rule, would qualify for reimbursement to upgrade the switch for CALEA capabilities. But if Carrier B, on that same date, bought the identical switch, had it under contract for purchase or simply had it sitting in its warehouse waiting for use, according to the FBI, Carrier B would NOT qualify for reimbursement. The platform would not be installed or deployed; it would be obsolete.
Put another way, the FBI's Final Rule requires any switching platform integrated into a network after January 1, 1995, to be CALEA-compliant at the carrier's own expense even if that same switch type was commercially available prior to January 1, 1995, or installed elsewhere in the carrier's own network or in any other carrier's network.
The FBI also has initiated another rulemaking, requesting comments concerning when it is NOT obligated to pay carriers for upgrades to equipment or facilities that otherwise would qualify under the grandfather provisions discussed above.(11)
Section 109(d) of CALEA provides that the installed or deployed network is deemed to be in compliance with CALEA until the equipment, facility, or service is replaced or significantly upgraded or otherwise undergoes major modification.(12)
Given its definition of installed or deployed, industry has every reason to expect that the FBI will use the opportunity to define these terms in a way that further shifts the burden of CALEA to carriers. For example, mere generic software upgrades that occur periodically in the wireless industry and that do not even affect surveillance capabilities could be grounds for shifting the costs of CALEA to carriers if the FBI determines the upgrade to be significant. Thus, a software upgrade to provide wireless enhanced 911 information, even though it has no effect on electronic surveillance, could result in a "significant upgrade," according to the FBI, thereby requiring a complete CALEA upgrade at the same time. The financial ramifications of this FBI CALEA theory cannot be overstated. CTIA comments on the proposed rulemaking are attached as Attachment 4.
While the FBI cost shifting strategy, if successful, certainly would avoid some costs, it is not a strategy for funding necessary upgrades. The Omnibus Consolidated Appropriations Act for Fiscal Year 1997 (Pub. L. 104-208) required the FBI to submit to Congress a CALEA implementation plan before funds could be expended from the newly-created Telecommunications Carrier Compliance Fund. The FBI submitted its plan in early Spring 1996; however, it made no disclosure regarding the costs to implement CALEA. The FBI plan merely proposed to spread the $500 million appropriated when CALEA was passed over the following 5 years. CTIA joined others in criticizing this hollow approach by submitting to Congress a response to the FBI implementation plan. Remarkably, the FBI cannot state with any certainty today how much it will cost to upgrade per switch. Nor can they provide any estimated costs for deploying the proposed industry standard plus the FBI punch list of additional enhanced services.
Apart from the offensive cost shifting aspect of the Final Rule, the FBI unnecessarily increases the costs of even seeking to recover actual and unavoidable expenses of retrofitting equipment. The FBI requires telecommunications carriers to enter into cooperative agreements with the FBI under the Federal Grant and Cooperative Agreement Act, 31 U.S.C. § 6301 et seq., in order to be reimbursed for the costs of upgrades and modifications. It is CTIA's belief that these agreements are inconsistent with CALEA, place unlawful limits on the recovery of carriers' costs, and subject carriers to contractual requirements not contemplated by CALEA -- requiring for example, the transfer of certain data rights to the federal Government. The FBI's imposition of contractual terms that it says carriers must agree to as a prerequisite to receiving reimbursement is inconsistent with CALEA.
Far from mandating the execution of such "cooperative agreements," CALEA specifies a claims process whereby telecommunications carriers may simply submit claims for the reimbursement of costs incurred for CALEA compliance. That simple structure has been subverted by FBI regulations. Rather, the rules look more like what one would have expected to see in regard to the government procurement of a weapons system, except that even in the defense procurement area, the government has made great strides to streamline the process -- not reflected in the proposed cooperative agreements.
These FBI procurement-like rules (a) require elaborate cost submissions with various categories of data to support them, (b) grant the FBI rights to acquire data rights in carrier intellectual property, (c) permit the FBI to conduct intrusive audits of the books and records of carriers and their subcontractors long after the requisite modifications have been completed and paid for, and (d) require, at least in the case of wireless carriers, restructuring accounting systems to meet FBI demands. This is not the timely and efficient claims submission process specified in CALEA -- a process intended to make carriers whole through compensation for the taking of their property for the public purpose of conducting lawfully authorized electronic surveillance.
The cost reimbursement morass must be solved before CALEA can ever be implemented as Congress intended.
V. MOVING PAST THE BLOCKADE -- CTIA'S RECOMMENDATIONS
It should be apparent from the above comments that CALEA implementation is off the tracks. The FBI has not managed the process well and, despite industry's best efforts, implementation is at a virtual stalemate. The balance struck three years ago has been perverted. CALEA has become the largest unfunded mandate in history, but with an unaccountable FBI imposing the cost burden on carriers and their customers.
The 4-C's discussed above must be resolved if the promise of CALEA is to be fulfilled. First, the industry consensus standard for providing CALEA capabilities must be promulgated now so that manufacturers can be assured that resources dedicated to systems engineering and design work will not be wasted. Simply put, absent the long-term assurances of an acceptable standard, no carrier or manufacturer will dedicate the resources necessary today when the work may be for naught tomorrow. The industry consensus standard provides 100% of the capabilities required by CALEA. The FBI punch list of enhanced services and features, assuming that each function is otherwise lawful,(13) should be pursued outside of the standards process.
Second, the CALEA compliance date of October 25, 1998, must be moved out until at least two years after the promulgation of the standard. Without this extension, carriers will seek non-standard solutions to meet CALEA rather than risk enforcement penalties. Such an approach will raise the cost for law enforcement significantly as they will have to find ways to receive delivery of surveillance information in as many ways as there are carriers. Further, once non-standard solutions are in place, carriers are not likely to then move to implement the standard because meeting compliance in a non-standard way today at a much increased cost eliminates all of the cost-savings benefits of standardization tomorrow. In sum, the compliance date looms not only as an enforcement threat to carriers, but as a milestone for standardization of surveillance capabilities.
Third, law enforcement must finalize its capacity notice and do so in a reasonable manner consistent with the intent of Congress. Once final actual and maximum capacity numbers are known, carriers can plan for capacity increases. Ideally, capacity and capability can be planned for and developed concurrently to take advantage of design and scale efficiencies. Finally, law enforcement must acknowledge its obligation to fund capacity no matter when it is deployed.
Finally, the cost of implementing CALEA grows larger with new entrants to the telecommunications industry each day and expansion of existing carriers' networks. Law enforcement must prioritize its needs, fund the necessary retrofits and do so in a way that maximizes the reach of each dollar. This does not mean that law enforcement may shift the cost of necessary upgrades to carriers. The industry has demonstrated that it intends to do its part to implement CALEA even though the cost of deploying the proposed standard is growing to be enormous. Further adding to the cost burden likely will lead to petitions to the FCC for a determination that implementation of CALEA is not reasonably achievable.(14)
CTIA has pledged its support of CALEA and is committed to breaking the impasse. As an industry, we took seriously the admonitions of Congress to construe CALEA as both the floor and ceiling of electronic surveillance. We took seriously the obligation to protect the privacy of communications not authorized to be intercepted. And we took seriously, and continue to take seriously, our obligation to assist law enforcement in this endeavor. We look forward to the same sense of compromise and commitment from law enforcement beginning with their support for the immediate deployment of the proposed standard, extension of the compliance date, finalization of the capacity notice, and compensation for the reasonable costs of upgraded systems.
(1) Others appearing today will address the very serious privacy issues raised by law enforcement's surveillance demands. While not the focus of CTIA's testimony, we do not want to imply in any way that the privacy of our customers and other telecommunications users is not paramount. In drafting the industry standard, the wireless community in particular has been duly considerate of privacy concerns and the mandate of CALEA to protect the privacy of communications not authorized to be intercepted. The views of the Center for Democracy and Technology, for example, were considered in the standards process. CTIA believes that the proposed standard implements CALEA consistent with Title III of the Wiretap Act and the Electronic Communications Privacy Act.
(2) The scope of the definition of call-identifying information has been the source of industry's greatest disagreement with law enforcement. The standards group took Congress at its word when it said call-identifying information "is typically the electronic pulses, audio tones, or signaling messages that identify the numbers dialed or otherwise transmitted for the purpose of routing calls through the telecommunications carrier's network. . . . Other dialing tones that may be generated by the sender that are used to signal customer premises equipment of the recipient are not to be treated as call-identifying information." House Report at 3501. Conversely, the FBI has offered numerous interpretations of this definition from the broadest view so as to encompass any signal within a carrier's network -- a concept they had to abandon for obvious reasons -- to any signaling information perceptible to a call participant such as voice message waiting indicators or busy signals, to post cut-through signals such as bank account numbers or signals to customer premises equipment.
CTIA will not use this venue to review the legal issues raised by law enforcement's interpretation of call-identifying information. CTIA has asked the FCC to resolve whether the FBI's "punch list" of capabilities are required by CALEA. But, this is no reason to hold up deployment of the industry standard and the capabilities law enforcement and industry agree are required by CALEA.
(3) It should be noted that after CTIA filed its petition, certain privacy groups filed their own petition on August 11, 1997, urging the FCC to "institute a rulemaking proceeding to protect the privacy interests of the American public as the telecommunications industry and law enforcement proceed to implement CALEA, the digital telephony law." See Petition of the Center for Democracy and Technology and the Electronic Frontier Foundation at 1. The privacy interests specifically complained that the proposed standard went too far, especially in regard to providing location information on wireless intercepts that could be used to track individuals as well as the amount and nature of packet data provided on pen register and trap and trace orders.
(4) Section 104(a) of CALEA requires the Attorney General to publish not later than one year after the date of CALEA's enactment and after public notice and comment, a notice of the actual and maximum number of interceptions, pen registers and trap and trace devices law enforcement may simultaneously conduct by the date that is 4 years after enactment of CALEA. Then, within three years of that publication, carriers must ensure, subject to government reimbursement, that their systems can accommodate the actual capacity and expeditiously expand to the maximum capacity.
(5) 62 Fed. Reg. 1902 (January 14, 1997).
(6) Rather than review in detail here the significant deficiencies of the second notice, CTIA attaches its comments to the FBI on the second notice as Attachment 2.
(7) Section 109 of CALEA authorizes the Attorney General, subject to the availability of appropriations, to agree to pay telecommunications carriers for: (a) all reasonable costs directly associated with the modifications performed by carriers in connection with equipment, facilities, and services installed or deployed on or before January 1, 1995, to establish the capabilities necessary to comply with Section 103 of CALEA; (b) additional reasonable costs directly associated with making the assistance capability requirements found in Section 104 of CALEA reasonably achievable with respect to certain equipment, facilities, or services installed or deployed after January 1, 1995, in accordance with the procedures established in CALEA Section 109(b); and (c) reasonable costs directly associated with modifications of any of a carrier's systems or services, as identified in the Carrier Statement required by CALEA Section 104(d), which do not have the capacity to accommodate simultaneously the number of interceptions, pen registers, and trap and trace devices set forth in the Capacity Notice(s) published in accordance with CALEA Section 104.
(8) 61 Fed. Reg. 21936 (1995).
(9) 62 Fed. Reg. 13307 (1997).
(10) 47 U.S.C. § 1008(e)(2)(A).
(11) See 61 Fed. Reg. 58,799 (Nov. 10, 1996).
(12) Section 109(d) specifically states:
(d) Failure to Make Payment with Respect to Equipment, Facilities, and Services Deployed on or Before January 1, 1995 -- If a carrier has requested payment in accordance with procedures promulgated pursuant to subsection (e), and the Attorney General has not agreed to pay the telecommunications carrier for all reasonable costs directly associated with modifications necessary to bring any equipment, facility, or service deployed on or before January 1, 1995, into compliance with the assistance capability requirements of section 103, such equipment, facility or service shall be considered to be in compliance with the assistance capability requirements of section 103 until the equipment, facility, or service is replaced or significantly upgraded or otherwise undergoes major modification.
(13) The FBI has demanded the capability be built into the standard to monitor the held portion of a conference call whether or not the target of surveillance is present on the call. Certain privacy groups have objected to the capability on constitutional and statutory grounds, claiming that the demand fails particularity requirements. CTIA simply notes that the proposed standard does not address the desired capability because the demand really is a capacity issue -- law enforcement may monitor one or more lines so long as it provisions the necessary circuits. If, however, despite being aware of the target's services, law enforcement simply provisions a single channel, the standard requires that channel follow the direction of the target's call. That is, if the target places a conference call on hold to take a call waiting or to initiate another call, the standard provides that the wiretap follows the target to the call waiting or new origination.
(14) Section 107 of CALEA provides that equipment, facilities and services are deemed compliant with CALEA unless law enforcement pays to make the upgrades reasonably achievable.