I recently spent a surprisingly difficult afternoon trying to figure out the current status of CALEA (Computer Assistance for Law Enforcement Act), the 1994 law that requires telecommunications companies to build tools into their telephone networks that allow them to respond quickly and fully to law enforcement requests for wiretaps. CALEA is a hugely important surveillance law that few people outside of the surveillance / networking field know about at all. And even for those of who spend our days studying surveillance, it’s difficult just to figure out what it means — not in larger sense, just what it actually requires in plain language. Relying largely on this excellent post by Susan Crawford, here’s my understanding:
The impetus for CALEA in 1994 was the growing use of a new generation of digital telephone switches that did not inherently provide the same support for wiretapping as did the older tools. In 2005, the FCC extended its interpretation of the law to require that ISPs provide wiretapping access to a range of Internet data. The accessible data includes voice over IP (VoIP) Internet telephony services like Vonage and Skype, data about when and for how long Internet broadband subscribers connect to the Internet, and packet header data (the source and destination addresses and the port number) of all VoIP packets. In order to reduce the very large cost of implementing this new interpretation of CALEA, the FCC has ruled that ISPs could forward their entire data stream to an independent “Trusted Third Party” to handle the wiretapping implementation, with the effect of exposing the entire data stream of an ISP using this option to a third party.
The Department of Justice submitted a petition in 2007, yet to be ruled on, to include the packet header data of all Internet data, not just VoIP data, but web, email, instant message, and all other Internet traffic. CALEA does not provide legal justification for anyone to actually access the provided data; it only mandates that the ISP build the technical capability to respond to such requests, whose legality is determined by other laws. And the laws that regulate wiretapping require law enforcement agencies wiretap only specific individuals and only with a warrant.
Between 2005 when the new requirements for ISPs were enacted and the 2007 deadline for compliance, there was a great deal of controversy over whether CALEA would cover universities (and libraries, schools, and other such organizations) that function as ISPs for their communities. According to This Ars Technica article, this EduCause policy letter, and my own private conversations indicate that universities chose not to comply with the CALEA requirements for ISPs, and that the FCC chose not to require compliance, though there is still a great deal of ambiguity about the meaning of CALEA for universities.
There is no oversight of the Trusted Third Parties that are now widely used by ISPs to comply with CALEA. For an ISP that uses a Trusted Third Party, every bit of data of every one of its customers flows through that external company. This arrangement invests a huge amount of trust in companies that customers don’t even know about, let alone have any reason to trust.
The legally mandated 2007 annual wiretap report reported 2,208 authorized wiretaps in the country, resulting in about 5,000 arrests. From those 5,000 arrests, abut 1,000 convictions were obtained. The 2005 updated ruling that required ISPs to comply with the law required that the ISPs pay for the necessary changes themselves. Because the costs are born by the individual ISPs, there are no concrete numbers for the total cost of compliance. Estimates have ranged from 1 to 5 cents per subscriber per month ($7 million – $35 million per year) to $7 billion dollars for university compliance. Significant extra costs are required on the client side for law enforcement agencies to receives the data, including up to $30,000 per year for equipment to receive the data and up to $20,000 per month for the T-1 lines required by some providers to receive the data.