Tag Archives: CALEA

FCC to Stress CALEA

FCC Chairwoman Jessica Rosenworcel circulated a draft Declaratory Ruling within the FCC that will enhance and enforce the Communications Assistance for Law Enforcement Act (“CALEA”).  This law requires carriers to secure their networks from unlawful access or interception of communications, including cybersecurity attacks. Chairman Rosenworcel also released a notice to carriers to ask ISPs to strengthen their cybersecurity measures as a result of the recent evidence that China has infiltrated ISPs. The proposed Declaratory Ruling would require carriers to submit an annual certification to the FCC showing they have created, updated, and implemented a cybersecurity risk management plan.

CALEA has been in place since 1994 and originally provided a mechanism for law enforcement to conduct lawful wiretapping of ISP networks. The law has often been referred to as a government backdoor into telecommunications networks. On its surface, CALEA requires a subpoena from the FBI to wiretap an ISP end-user customer, although there are those in the government who argue that the law also allows for warrantless searches in some situations and even allows for mass surveillance of a communications network.

CALEA was originally intended to provide a way for the government to surveil digital phone calls – a new technology in the early 1990s. The law has been expanded over time to include VoIP, texting, and all broadband traffic.

This warning puts all ISPs on notice that they must be CALEA compliant. CALEA compliance requires two steps. First an ISP must have a CALEA manual on file at the FBI that describes the specific method that is available for law enforcement to wiretap them.

Carriers can allow wiretapping in one of two ways. First, it can own gear and software that will allow it to respond to a law enforcement wiretap in real-time. Very few ISPs have this capability for reaching all customers. The alternative is to use a mediation device that will be installed in the network that will gather and format the information the government is seeking. There are vendors who will contract with an ISP to have this gear in place within 24 hours.

I know there are many small ISPs who never created a CALEA manual. I also suspect that there are companies that act as ISPs, such as large corporate or government networks that do their own connections to the web without an intermediate ISP. For CALEA purposes, I think anybody that directly controls a block of IP addresses and who sends and receives traffic directly from the web should be CALEA compliant.

I also know a lot of ISPs have not updated their CALEA manuals at the FBI. They may have filed the manual decades ago and forgotten they even have a manual. The ISP might have changed technologies and added markets and not identified these changes to the FBI. Anybody with an existing CALEA manual should look at it and update it as needed.

I don’t normally peddle CCG service in these blogs, but the FCC and the government as a whole are about to get extremely serious about the Chinese hack of our telecommunications networks. Please contact me if you need to create or update a CALEA manual to make sure your company is compliant. The Declaratory Ruling is going to be approved soon by the current FCC or the next one, and you should start now to be able to say that you are compliant with the CALEA portion of the annual cybersecurity attestation.

A Regulatory Level Playing Field?

European_UnionThere is an interesting discussion worth noting occurring in Europe right now – regulators there are asking if regulations that apply to traditional telecom providers ought not to also apply to companies offering similar services on the web. This discussion is the culmination of many years of lobbying by telecom companies asking for a ‘level playing field’. The executive branch of the European Union is expected this week to propose that online services be subject to the same regulation as companies that offers similar telecom services.

What might that mean for web companies? It might mean that if Skype or Google Voice allows people to make ‘telephone calls’ that these providers might have to provide their customers access to dialing 911. It might require that any online service that gives their customers a telephone number might have to allow customers to keep that number for other purposes (number portability). It might even mean that web companies might be subject to some of the provisions of net neutrality.

It’s easy to think that voice-related regulation of telecom companies is largely a thing of the past. Telecoms in the US have asking in a number of states to be deregulated for voice purposes – a trend that has accelerated since the FCC declared that landline voice is no longer a dominant service.

And certainly the days are gone when the FCC and the state Commissions regulated the price of every telecom product and set a lot of the rules about how a telecom company had to interact with customers. The most draconian aspects of telecom regulation have been relaxed, and in many cases are gone completely.

Yet there are still a lot of rules that apply to telecom companies both here and in Europe. There are rules about 911 and safety issues. There are the CALEA rules that require telecoms to comply with law enforcement surveillance of customers. There are privacy rules, and truth-in-billing rules and numerous other rules that telecoms are still expected to comply with, even as they are free to sell or bundle their products in any way they want.

The European Union is asking some good questions – and if this is adopted these same questions are going to get asked here in the US as well. Why, if Skype sells themselves as an alternative for service should they not have to provide the ability for a customer to dial 911? Why shouldn’t any web-based voice provider not have to comply with the same requirements for privacy, law enforcement or number portability as a landline or cellular telco?

Of course, given a choice the telcos would probably rather that these remaining regulations not apply to them. There is certainly a big push from the big US telcos to get out from all voice regulations. But there are at least some aspects of telecom regulation that are not likely to go away. It’s been proven many times how 911 saves lives. And there is a general belief among regulators that privacy and billing rules protect citizens from telco abuses. And law enforcement is unlikely to bend on the requirement that a telco of any sort help them implement a wire-tap order from a judge.

It’s interesting to me that the regulations here and in Europe are so similar. But I guess that a lot of regulation is the result of trying to address the same issues. For example, if customers have a right to privacy, then there are only so many ways this can be applied to a telephone customer.

The bottom line is that if this is implemented in Europe, and if the web-based companies are able to comply with these regulations, then I think we can expect that same concept to find it’s ways here in a few years. At the end of the day regulators like to regulate and there are a whole lot of voice-like services today on the web that are not subject to some of the basic things that are regulated for every other provider.

The Security / Privacy Battle

SpyVsSpyEvery time there is some traumatic terrorism event like what just happened in Paris there is a renewed call by governments for better surveillance and security measures. And every time that happens, the advocates of privacy sound a loud warning. What I find most interesting about this back and forth between the two sides is that it’s not events or even public policies that are driving the battle between security and privacy, but technology.

Just during the last decade there has been a number of technologies that have assaulted our privacy – encryption, big data, cloud computing, and advertising spyware. And we are fast approaching new threats from drones and from Internet of Things sensors everywhere.

The real battle between security and privacy happens when we introduce new innovations that can invade our privacy followed by countermeasures against those new technologies. There are plenty of politicians on both sides of the privacy issue who think that creating new laws is the way to protect privacy. But there are no laws that are going to flexible enough to keep up with the new threats we are constantly seeing in the real world.

Consider the traditional privacy laws. There have been wire-tapping laws on the books for decades which are now completely obsolete. The FBI convinced the FCC a few decades ago to create a set of laws called CALEA that gives the FBI the right to subpoena ISPs and get the records of suspected law breakers. ISPs and telcos spend a lot of money to stay compliant with these rules and yet I can’t think of one of my clients that has actually gotten a CALEA request from the FBI. ISPs do often get requests from local law enforcement asking for calling records under older wire-tapping laws, but not a peep out of the CALEA folks.

And this is because those laws were obsolete before the ink was dry on them. The CALEA rules were written not long after we had migrated from dial-up to DSL and there was no such thing as the dark web and disposable cell phones and all of the other ways that serious criminals use to avoid law enforcement.

What typically happens with a new technology is that it gives one side – the police or the bad guys – a temporary advantage. But there is always a technological counterpunch as somebody on the other side figures out how to defeat and neutralize each new technological development.

Edward Snowden showed us that law enforcement sometimes is so desperate for an edge that they collect data illegally in violation of the basic rights granted to US citizens by the fourth amendment. But even that is only a temporary edge. There are now numerous groups developing strategies to counteract widespread government surveillance.

There have been numerous attempts to pass surveillance and security laws starting with the Patriot Act. But industry experts say that most of the laws that try to give the government more power are ineffective, again because technology moves a lot faster than legislative bodies.

So what we see is a cat and mouse game. The NSA spies on us and so companies like Apple develop encryption that makes it hard or impossible for the NSA to gather anything useful. And there are more and more web services that either automatically encrypt or which offer that as an option.

It seems that the privacy advocates are winning the long term fight, and this is because there are ways around almost any tool the government or big business can use to spy on people. I’ve read several articles recently that talk about how even in China people are finding ways to bypass the strict security of the Great Firewall of China. But the fight is a long way from over because there are always going to be tools that come out that can be used to spy on people and there will then be ways to defeat those measures. We are likely to see this battle for decades to come.

Should the FBI Be Able to Wiretap the Internet?

There is currently a government task force that is working on proposed legislation that would give the FBI the ability to ‘wiretap’ data. This is very different from what is available today. Today, ISPs are required to comply with the ability to turn over electronic records by a series of laws referred to as CALEA, which is from the Communications Assistance for Law Enforcement Act. Under a CALEA an ISP might turn over emails or a list of the web sites that a given customer has visited. ISPs generally retain such data for 60 – 90 days for all customers and it is then automatically deleted unless law enforcement requests it. But CALEA requests generally are for historical data and are not ‘wiretaps’ when it comes to data usage. This new proposal would give law enforcement live access to a customer’s data in the same way that phones have been historically wiretapped. And this is a law with teeth. The proposal includes a $25,000 per day fine for companies who aren’t wiretap capable, with those fines doubling after 90 days for non-compliance.  There are a number of issues with this idea.

It Goes Against the Direction of the Industry

The business world is rapidly heading to the cloud with data. There is a long list of benefits of using the cloud and businesses get it. But before a business will send sensitive data out of their control into the cloud they generally encrypt it (or they should). Companies are not going to put sensitive financial data, trade secrets and things like legal correspondence into the cloud if there is any chance that other parties can somehow crack and read the data. The whole point of encryption is that only the parties involved can unencrypt it.

It seems like the FBI law would forbid this kind of encryption. This would have a ton of ramifications on the industry. Businesses are going to refuse to put sensitive information into the cloud if it can’t be encrypted. This means that they will probably continue to use company-specific LAN storage rather than the more efficient cloud. Further, company lawyers are going to advise companies to not use the cloud if everything there can be wiretapped. Today a subpoena is required to get information that a company keeps on their own servers. But a wiretap at an ISP could be done without the knowledge of the person or company being investigated. No corporate attorney is going to agree to let a company expose themselves to being investigated through the back door just to gain the advantages of using a cloud service.

The FBI’s idea will also put all of the companies that supply encryption out of business. There are a number of businesses that sell encryption to cell phones such as Cryptocat, Silent Circle, Red Phone and Wickr. There are many software packages that can be used to encrypt data files such as Folder Lock, SensiGuard, Safehouse, SecureIT, Cryptoforge and many others. And almost every maker of carrier class transmission equipment, servers and related software has an encryption product.

It’s Costly

One of the biggest issues with the proposed bill is that it casts a far wider net of companies who must comply with a wiretap than who must comply today with CALEA. Today CALEA applies to the companies that supply a basic data pipe to a customer, to whoever is the physical ISP. This may be a telephone company, cable company, wireless ISP or cellular provider. But every firm who must meet CALEA today is a carrier of some sort. They have a physical hub where they perform ISP functions. These hubs are the sort of places where CALEA makes sense.

But the proposed law would impose a more complex obligation on other web-based platforms like Facebook, Google, Yahoo and AOL. Those are all big companies and one might assume that they can all afford to do this, and you might be right. But the same requirements would apply to much smaller firms and start-ups who store and or process customer data. It’s going to be technically challenging for a web-based platform to give live access to data. They just are not configured that way. And the cost to design a system to enable that is going to be costly and inefficient.

The cost of compliance will deter future small start-ups. And if you don’t think that is true, let me give you a real life example of when CALEA costs became an issue for a small carrier. It is very difficult for a small ISP to comply with CALEA on their own, so there are companies who sell CALEA compliance. If you get a CALEA request they overnight you a black box that rides next to your core servers and captures the data that law enforcement wants. This kind of service costs about $600 per month. I have a small City client who wanted to become an ISP just to serve themselves, some other local government agencies and some non-profits. Since they were facility-based using their own servers then CALEA applied to them. They almost decided against doing this since the CALEA fees ate up most of the monthly savings they were trying to bring to their town. I know that is a very tiny dollar example, but I foresee the new requirement to be much more costly than CALEA. Small firms will have a very difficult time creating the ability of live data wiretaps and this is going to stifle small web firms.

It Goes Against the Basic Premise of the Internet

The main premise of the Internet is that it is a decentralized network. The wiretap proposal relies on some of centralized hub in order to implement a wiretap. There has to be a place where you can guarantee that the data the government wants to see will flow. That is a whole lot harder than it sounds and it would end up resulting in some fundamental changes in the way that Internet traffic flows. And that could be the costliest impact of all.

The traffic on the Internet keeps growing at nearly exponential rates. Carriers have been able to keep up with the bandwidth demands because they have upgraded the networks to be more and more efficient over time. This change would go in the opposite direction and would make the network more inefficient.

I fully understand and appreciate the needs of law enforcement. But this could be one of the biggest unfunded mandates ever if it ends up impeding the efficiency of the Internet. The Internet is now a fundamental part of everyday life and is a lifeline for most businesses.

It just seems like a colossally bad idea to me to impose a costly change on everybody that is intended to only catch a few bad guys. Particularly when the smart criminals will avoid these wiretaps. They will find a black market way to self-encrypt their data or they will avoid the web altogether. So this is really just a proposal to catch the dumb criminals. It seems like too great a cost for such a paltry goal.