Summary of the FCC's CALEA NPRM
August 9, 2004. The Federal Communications Commission (FCC) released its Notice of Proposed Rulemaking and Declaratory Ruling (NPRM & DR) [100 pages in PDF] regarding imposing CALEA obligations upon broadband internet access services and voice over internet protocol (VOIP) services.
This article reviews some of the highlights of this NPRM. The articles that follow review in more detail some specific sections of the NPRM. The following is a list of the titles of articles on this NPRM:
The NPRM is 100 pages, single spaced, with 426 footnotes. This article, and the articles that follow, do not review everything that is in this NPRM. The NPRM also addresses the obligations that the CALEA imposes upon telecommunications carriers and how these might be extended to information services, the CALEA's safe harbor standards, the application of the CALEA to satellite networks, and cost and cost recovery.
The FCC issued this NPRM in response to the petition for rulemaking [83 pages in PDF] submitted on March 10, 2004 by the Department of Justice (DOJ) and two of its components. The 1994 Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to "shall ensure that its equipment, facilities, or services that provide a customer or subscriber with the ability to originate, terminate, or direct communications are capable of expeditiously isolating and enabling the government ... intercept, to the exclusion of any other communications, all wire and electronic communications carried by the carrier ..."
In other words, the CALEA provides that telecommunications carriers must design their equipment and networks to facilitate lawfully conducted wiretaps and other intercepts. Statutes other than the CALEA address what intercepts are lawful.
The DOJ petition requested that the FCC, in effect, expand the scope of the CALEA to also cover broadband service providers, voice over internet protocol (VOIP) service providers, and others. The DOJ petitioned the FCC to require various entities to design and modify their networks, hardware, software, and equipment in a manner that enables the DOJ to more easily intercept VOIP and other internet based communications. See, story titled "Summary of DOJ Petition for Rulemaking to Expand the CALEA to Cover Information Services" in TLJ Daily E-Mail Alert No. 873, April 9, 2004.
The FCC adopted, but did not release, this NPRM at its August 4, 2004 meeting. It released the text on August 9. Comments will be due 45 days after publication of a notice in the Federal Register. Reply comments will be due 75 days after publication in the Federal Register. The FCC has not yet published this notice in the Federal Register.
See also, story titled "FCC Adopts NPRM and Declaratory Ruling Regarding CALEA Obligations" in TLJ Daily E-Mail Alert No. 953, August 5, 2004. See also, stories titled "FCC Legislatively Expands Scope of CALEA Obligations" in TLJ Daily E-Mail Alert No. 953, August 5, 2004, and "Powell Discusses Brand X Case" in TLJ Daily E-Mail Alert No. 954, August 6, 2004.
First, this NPRM is not all that it asserts. The NPRM states that it implements the CALEA. This mischaracterizes much of what is in the NPRM. It makes tentative conclusions that are more in the nature of legislative amendment of the statute. The NPRM states that it gives effect to the intent of Congress. This mischaracterizes much of what is in the NPRM. It makes tentative conclusions that are either contrary to the intent of the Congress, or that address issues that were not considered by the Congress when it passed the CALEA in 1994. The NPRM states that it is intended to remove uncertainty and bring clarity. This NPRM adds uncertainty.
Perhaps the most significant items in this NPRM are the two threshold tentative conclusions that broadband internet access services (BIAS) and managed voice over internet protocol (VOIP) are subject to the requirements of the CALEA.
The NPRM's analysis upon which these tentative conclusions are based is also important. It builds upon the substantial replacement clause in the CALEA's definition of "telecommunications carrier". The CALEA provides that its requirements only apply to a "telecommunications carrier", and that its requirements do not apply to "information services". The substantial replacement clause provides that certain services provided by certain entities are subject to CALEA requirements if their service is "a replacement for a substantial portion of the local telephone exchange service".
The NPRM gives an interpretation to this provision that is inconsistent the plain meaning of the words that make up this clause. Nevertheless, this interpretation provides the FCC with the basis for concluding that broadband internet access services (BIAS) and managed VOIP services are subject to CALEA requirements. But, in addition, this interpretation does two other things. First, the construction contained in the NPRM so changes the meaning given to the substantial replacement clause that it will enable the FCC and DOJ to sweep many other services and applications that are not discussed in the NPRM into the coverage of the CALEA. Second, this strained construction, as Commissioners suggested at the August 4 meeting, may provide the grounds upon which the final rule will be vacated by Court of Appeals.
Next, the NPRM asserts that it rejects the DOJ's requests regarding other and future services. These requests drew the harshest criticism from commenters. However, the rejection may be more illusory than real, because of the NPRM's substantial replacement analysis. That is, the NPRM's analysis is not simply that BIAS and managed VOIP services are substantial replacements, and hence subject to CALEA requirements. The NPRM's analysis is to first give new meaning to the words in the substantial replacement clause, and then apply this newly invented meaning to BIAS and VOIP services. Under the NPRM's newly created meaning, BIAS and VOIP services are found to be substantial replacements.
But, the meaning given to the substantial replacement clause is so inclusive and open ended, that if it is incorporated into the final order, it will enable the FCC and DOJ to employ it to accomplish much of what the DOJ had sought with its future services request.
Next, while the NPRM addresses the threshold questions of whether BIAS and certain VOIP services are subject to the requirements imposed by the CALEA, the NPRM does not provide, or propose, details regarding what technologies will be swept into the CALEA regime. The NPRM states briefly that it "does not propose attaching CALEA obligations to services or applications that ``ride over´´ the underlying broadband transmission, such as e-mail storage, web browsing capabilities, and Internet gaming." Yet, the NPRM goes on to conclude that certain applications that do "ride over" (a term that the NPRM does not define) the broadband transmission are subject to CALEA requirements. Moreover, the NPRM does not even mention most information services, technologies and applications that might "ride over" broadband transmissions.
The NPRM also contains a significant proposal regarding enforcement. It states that "We consider whether" the FCC "may take separate enforcement action against telecommunications carriers, manufacturers and providers of telecommunications support services that fail to comply with CALEA." Yet, the statute gives enforcement authority to the judiciary, not the FCC. Were the FCC to become the arbiter of enforcement disputes, the power of the DOJ over carriers and providers of information services would be greatly enhanced, because, as this NPRM demonstrates, the FCC is far more likely to sustain the enforcement requests of the DOJ than a federal judge.
The NPRM also contains a notable proposal regarding the processing of court orders, the installation of surveillance equipment, the operation of surveillance activities, and other activities related to carrying out surveillance and intercepts. The NPRM suggests creating a new category of service provider to perform these functions. The NPRM seeks comment on this, but does not indicate how the rules contained in a final order might implement this proposal.
Basically, there are now two types of entities involved in the wiretap process -- law enforcement agencies (LEAs) and telecommunications carriers. LEAs seek information, get court orders, and then serve them upon the telecommunications carriers that maintain the networks. This NPRM proposes a third category. It would include private companies, such as VeriSign and Fiducianet, that would provide what the NPRM calls "intercept management". The inclusion of a proposal regarding these private intercept management providers in this NPRM is significant for several reasons, none of which are addressed in the NPRM.
First, the DOJ did ask for this section in its original petition or reply comments.
Second, if implemented, the development of these private intercept management providers would change the structure of surveillance. In particular, the legal regime regulating the searches, seizures, wiretaps and other surveillance, of which the CALEA is just one part, builds in safeguards to decrease the likelihood that surveillance powers will be abused. These restrictions and rules are directed at LEAs and telecommunications carriers.
However, many of these restrictions and rules would provide significantly less incentive to private intercept management providers to play by the rules. This would require the Congress to step in and write amendments to the various surveillance related sections of the Criminal Code and Foreign Intelligence Surveillance Act (FISA), to take into account the new surveillance functions being performed by private intercept management providers.
It may also be important to note some of the topics that are not addressed by this NPRM.
First, while the CALEA only applies to a "telecommunications carrier", and the most important part of this NPRM is its discussion of what it means to be a "telecommunications carrier", this NPRM has nothing to say about recent court opinions that address the meaning of "telecommunications carrier". The Brand X case is acknowledged only in one footnote. (Also, both Commissioners Michael Copps and Jonathan Adelstein raise it in their separate statements.) The Vonage case is not mentioned.
October 16, 2003. The U.S. District Court (DMinn) issued its Memorandum and Order [PDF] in Vonage v. Minnesota Public Utilities Commission, holding that VOIP service provider Vonage is an information service provider, and that the MPUC cannot apply state laws that regulate telecommunications carriers to Vonage. The Court wrote that "State regulation would effectively decimate Congress's mandate that the Internet remain unfettered by regulation." The conclusion that a VOIP service provider offers an information service, rather than telecommunications service, would prevent state and federal government entities from applying rules that apply to telecommunications, such as those pertaining to the filing of tariffs, cross subsidies, unbundling, wiretapping and other electronic surveillance by the FBI and other law enforcement agencies, and 911. See also, story titled "District Court Holds that Vonage's VOIP is an Information Service" in TLJ Daily E-Mail Alert No. 760, October 17, 2003.
On October 6, 2003 the U.S. Court of Appeals (9thCir) issued its opinion [39 pages in PDF] in Brand X Internet Services v. FCC, vacating the FCC's declaratory ruling that cable modem service is an information service, and that there is no separate offering as a telecommunications service. See also, story titled "9th Circuit Vacates FCC Declaratory Ruling That Cable Modem Service is an Information Service Without a Separate Offering of a Telecommunications Service" in TLJ Daily E-Mail Alert No. 754, October 7, 2003.
The position taken in this NPRM, which is supported by the three Republican members of the FCC, is that "telecommunications carrier" has one meaning in the context of the Communications Act, and an entirely different, and inconsistent meaning, in the context of the CALEA. The Brand X and Vonage cases are not CALEA related disputes.
Second, there are two preliminary issues upon which the NPRM does not seek comment. The DOJ petition, as well as comments and reply comments reveal that there is considerable factual dispute over these issues. There is the issue of whether telecommunications carriers and information service providers are now capable of providing the intercept capabilities for new technologies, and are complying with lawful intercept orders. The DOJ and other LEAs argued that service providers are not providing capabilities, and evidence is being lost. On the other side, many carriers and services providers vehemently disputed these allegations in their comments.
There is also the issue of the extent to which new information services are harming efforts by LEAs. The DOJ and other LEAs argued that their efforts are suffering. On the other side, a few commenters argued the opposite, that new technologies now enable law enforcement to obtain more information, and do more with it. The PSTN provided the LEAs with access to conversations, while new technologies also enable the transfer, and hence interception, of large quantities of data. New technologies also electronically store communications that the PSTN never stored. Finally, new information technologies enable LEAs to electronically store, analyze and access the data that it obtains.
The NPRM notes in passing that some commenters disputed that they are not facilitating lawful intercept orders. The NPRM does not address whether or not new information technologies also further LEA's efforts.
The NPRM merely states that "Advances in technology, however, most notably the introduction of digital transmission and processing techniques and the proliferation of wireless and Internet services, such as broadband access services, have challenged the ability of LEAs to conduct lawful surveillance." The NPRM makes no findings, and does not ask for any comments, regarding these two disputed preliminary issues.
It appears that the FCC has decided these two issues in favor of the DOJ without so stating.
Finally, this is a permit-but-disclose notice and comment rule making
proceeding. This NPRM is FCC 04-187 in ET Docket No. 04-295 and RM-10865.