Recent leaks to the New York Times, as reported in September and October, indicate that the Obama administration will next year be pushing for sweeping expansions of the Communications Assistance for Law Enforcement Act (CALEA). CALEA facilitates government surveillance by, among other things, requiring companies subject to the law both to design their systems so that the government can easily plug in and intercept communications in real-time and to provide assistance to the government in these efforts.
A task force comprised of representatives from DOJ, Commerce, the FBI, and other agencies, are discussing amendments to the law. These changes would greatly expand the reach of CALEA, would significantly increase the costs of non-compliance for covered companies, and would include other requirements which may fundamentally change business models for companies promising encryption and decentralized communication services.
The most groundbreaking revisions under discussion would greatly expand the types of businesses to which CALEA will apply. Currently, CALEA applies only to “telecommunications carriers,” which the law defines as entities: (1) engaged in the transmission or switching of wire or electronic communications, or (2) providing “commercial mobile service.” 47 U.S.C. § 1001(8). Under the substantial replacement provision (SRP), the FCC may also designate as telecommunications carriers companies that provide a service that supplants a substantial portion of local telephone exchange service. Under this SRP authority, the FCC has designated broadband Internet providers and VoIP providers as telecommunications carriers, finding that they supplanted a user’s need for a local telephone exchange service. See In re CALEA and Broadband Access & Services, 20 F.C.C.R. 14989 (2005); American Council on Educ. v. FCC, 451 F.3d 226 (D.C. Cir. 2006) (upholding FCC’s designation of broadband and VoIP providers). The New York Times article, apparently relying on a well-placed source, reports that officials seek to expand CALEA coverage to “all services that enable communications.” This would extend CALEA to cover a broad swathe of nontraditional communications companies, particularly those on the Internet—for example, e-mail and instant messaging providers, social networks, and peer-to-peer communications services like Skype.
The revisions would also arm the DOJ and FCC with significantly stronger enforcement powers. Although a carrier’s failure to comply with CALEA is currently punishable by court and FCC fines, 18 U.S.C. § 2522(c), In re CALEA and Broadband Access & Services, 21 F.C.C.R. 5360, 5390 (2006), the DOJ has traditionally not pressed the issue against carriers with faulty CALEA systems, preferring to preserve a working relationship in order to facilitate future CALEA requests. However, a New York Times article reports that FBI officials have grown frustrated with CALEA system failures at two major carriers, and that the FBI’s technical assistance budget—spent to help carriers fix bugs in or retrofit their wiretapping systems—is close to $20 million annually. Two specific proposals are circulating within the task force to address these issues: retroactive fines on carriers, and the ability to impose FBI engineering charges upon the carriers. These proposals signal that the DOJ will begin shifting to carriers more costs of technical CALEA compliance, which may force carriers to more proactively manage and update their CALEA systems.
According to the New York Times articles, other proposals circulating within the task force include:
· Requiring that communication services offering encryption must be able to decrypt them upon government request. This would bring US law in line with the UK Regulation of Investigatory Powers Act 2000 (RIPA)’s similar requirement, an issue of considerable controversy across the pond.
· Requiring that peer-to-peer communication services design a way to accommodate government wiretap requests. This proposal could undermine the very nature of peer-to-peer communications, as it would require re-centralization of such communications.
· Requiring foreign providers that offer services in the US to make their systems available for government wiretaps.
The proposals are in very early stages, and it is certainly quite early to be reading the tea leaves. As leaked, though, the proposals would represent a sea change in government surveillance law, imposing significant compliance costs on both traditional (think local exchange carriers) and nontraditional (think Facebook) communications companies. The fairly specific leaks to Charlie Savage at the New York Times, including the leak that the bill will be introduced next year, are suggestive of trial balloons, so we should start to see some action soon. Grab some popcorn and/or call your lobbyist.